FFIEC Cybersecurity Assessment Tool

Transcription

1 All About the ew FFIEC Cybersecurity Assessment Tool June 22, 2016 Susan Orr Consulting, Ltd. 1 FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Board Users Guide Inherent Risk Profile Cybersecurity Maturity Additional Resources Mapping to FFIEC IT Examination Handbook Mapping to IST Cybersecurity Framework Glossary 2

2 Overview Use of the FFIEC Tool is no mandatory but strongly recommended Developing a Cyber Assessment is mandatory When completed, develop an Action Plan to achieve Desired Target State OCC is performing an Assessment during the IT examination FDIC, FRB will review Assessment you completed Expectations are that all institutions will be Baseline initially ot to replace current risk management process Cyber risk programs are to build on current Information Security Program including Information Security/Cyber Security Risk Assessment, Incident Response, BCP, Outsourced Third Party Risk Management Use on enterprise-wide basis and when introducing new products and services 3 Information Security Cyber Security Information/Cyber Security Risk Assessment BCP Incident Response Outsourcing Admin, Tech, Physical Controls Preventative Detective Corrective Controls 4

3 Completing the Assessment Part One: Inherent Risk Profile Part Two: Cybersecurity Maturity 5 Inherent Risk Profile Technologies and Connection Types Delivery Channels Online/Mobile Products and Technology Services Organizational Characteristics External Threats 6

4 Risk Levels Least Minimal Moderate Significant Most 7 8

5 Type a quote here. Johnny Appleseed 9 Total Total

6 11 12

7 Total Total Total

8 Inherent Risk Profile by Category Category Inherent Risk Technologies and Connection Types Minimal Delivery Channels Online/Mobile Products and Technology Services Organizational Characteristics Moderate Minimal Least External Threats Minimal 15 Overall Inherent Risk

9 Cybersecurity Maturity 5 Domains Cyber Risk Management and Oversight Threat Intelligence and Collaboration Cybersecurity Controls External Dependency Management Cyber Incident Management and Resilience 17 FFIEC Cybersecurity Assessment Tool 18

10 19 FFIEC Cybersecurity Assessment Tool IT Strategic Plan 20

11 21 22

12 23 24

13 25 26

14 27 28

15 eed to discuss and document Training 29 30

16 31 32

17 ` 33 34

18 ot Shared, Strong Password Controls Timely A 35 36

19 37 38

20 A A A A A A A A A A 39 40

21 41 42

22 A 43 44

23 Develop a flow chart Topology should show this 45 46

24 47 48

25 49 50

26 51 52

27 53 54

28 55 Domain 1 Cyber Maturity Level 56

29 Domain 2 Cyber Maturity Level 57 Domain 3 Cyber Maturity Level 58

30 Domain 4 Cyber Maturity Level 59 Domain 5 Cyber Maturity Level 60

31 Risk /Maturity Relationship Domain 1 Cyber Risk Management Cybersecurity Maturity Level for Domain 1 Innovative Advanced Intermediate Inherent Risk Levels Least Minimal Moderate Significant Most Evolving Baseline 61 Cybersecurity Maturity Level for Domain 2 Risk /Maturity Relationship Domain 2 Threat Intelligence and Collaboration Innovative Advanced Intermediate Inherent Risk Levels Least Minimal Moderate Significant Most Evolving Baseline 62

32 Cybersecurity Maturity Level for Domain 3 Risk /Maturity Relationship Domain 3 Cyber Security Controls Innovative Advanced Intermediate Inherent Risk Levels Least Minimal Moderate Significant Most Evolving Baseline 63 Cybersecurity Maturity Level for Domain 4 Risk /Maturity Relationship Domain 4 Cyber Security Controls Innovative Advanced Intermediate Inherent Risk Levels Least Minimal Moderate Significant Most Evolving Baseline 64

33 Risk /Maturity Relationship Domain 5 Cyber Security Controls Cybersecurity Maturity Level for Domain 5 Innovative Advanced Intermediate Inherent Risk Levels Least Minimal Moderate Significant Most Evolving Baseline 65 66

34 Desired Target State Desired Overall Target State: Evolving 67 Summary Completion of an Assessment is mandatory, using the CAT is not Examiners stated they will complete at next exam if you haven t Cybersecurity Program integrated with Information Security Role of Board and CEO Develop a plan to conduct the Assessment Lead employee efforts during the Assessment Set target state of preparedness = to Board risk appetite Review, approve, and support plans to address risk management and control weaknesses Analyze and present results for executive oversight, including key stakeholders and the Board, or an appropriate Board committee. 68

35 Susan Orr Consulting, Ltd Dan Heldmann TTS Upcoming Webinars June 23, Lending to Local Government Units June 28, HMDA: A Summary of the ew Final Rules June 28, Handling Social Security - Representative Payee Accounts July 6, Federal Benefit Payments Garnishment Requirements July 7, Entering the World of Consumer Lending - 3 Part Series July 7, Entering the World of Consumer Lending - Part 1 69