FFIEC Cybersecurity Assessment Tool

Transcription

1 All About the ew FFIEC Cybersecurity Assessment Tool August 25, 2015 Susan Orr Consulting, Ltd. FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Board Users Guide Inherent Risk Profile Cybersecurity Maturity Additional Resources Mapping to FFIEC IT Examination Handbook Mapping to IST Cybersecurity Framework Glossary 1

2 Overview ot mandatory but strongly recommended o single expected level for an Institution ot to replace current risk management process Cyber risk programs are to build on current Information Security Program, including Information Security/Cyber Security Risk Assessment, Incident Response, BCP, Outsourced Third Party Risk Management Use on enterprise-wide basis and when introducing new products and services Information Security Cyber Security Information/Cyber Security Risk Assessment BCP Incident Response Outsourcing Admin, Tech, Physical Controls Preventative Detective Corrective Controls 2

3 Completing the Assessment Part One: Inherent Risk Profile Part Two: Cybersecurity Maturity Inherent Risk Profile Technologies and Connection Types Delivery Channels Online/Mobile Products and Technology Services Organizational Characteristics External Threats 3

4 Risk Levels Least Minimal Moderate Significant Most 4

5 Type a quote here. Johnny Appleseed Total Total

6 6

7 Total Total Total

8 Inherent Risk Profile by Category Category Inherent Risk Technologies and Connection Types Minimal Delivery Channels Online/Mobile Products and Technology Services Organizational Characteristics Moderate Minimal Least External Threats Minimal Overall Inherent Risk

9 Cybersecurity Maturity 5 Domains Cyber Risk Management and Oversight Threat Intelligence and Collaboration Cybersecurity Controls External Dependency Management Cyber Incident Management and Resilience FFIEC Cybersecurity Assessment Tool 9

10 FFIEC Cybersecurity Assessment Tool IT Strategic Plan 10

11 11

12 12

13 13

14 14

15 eed to discuss and document Training 15

16 16

17 ` 17

18 ot Shared, Strong Password Controls Timely A 18

19 19

20 A A A A A A A A A A 20

21 21

22 A 22

23 Develop a flow chart Topology should show this 23

24 24

25 25

26 26

27 27

28 Domain 1 Cyber Maturity Level 28

29 Domain 2 Cyber Maturity Level Domain 3 Cyber Maturity Level 29

30 Domain 4 Cyber Maturity Level Domain 5 Cyber Maturity Level 30

31 Risk /Maturity Relationship Domain 1 Cyber Risk Management Inherent Risk Levels Least Minimal Moderate Significant Most Cybersecurity Maturity Level for Domain 1 Innovative Advanced Intermediate Evolving Baseline Risk /Maturity Relationship Domain 2 Threat Intelligence and Collaboration Inherent Risk Levels Least Minimal Moderate Significant Most Cybersecurity Maturity Level for Domain 2 Innovative Advanced Intermediate Evolving Baseline 31

32 Risk /Maturity Relationship Domain 3 Cyber Security Controls Inherent Risk Levels Least Minimal Moderate Significant Most Cybersecurity Maturity Level for Domain 3 Innovative Advanced Intermediate Evolving Baseline Risk /Maturity Relationship Domain 4 Cyber Security Controls Inherent Risk Levels Least Minimal Moderate Significant Most Cybersecurity Maturity Level for Domain 4 Innovative Advanced Intermediate Evolving Baseline 32

33 Risk /Maturity Relationship Domain 5 Cyber Security Controls Inherent Risk Levels Least Minimal Moderate Significant Most Cybersecurity Maturity Level for Domain 5 Innovative Advanced Intermediate Evolving Baseline Summary Completion not mandatory Examiners stated they will complete at next exam if you haven t Cybersecurity Program integrated with Information Security Role of Board and CEO Develop a plan to conduct the Assessment Lead employee efforts during the Assessment Set target state of preparedness = Board risk appetite Review, approve, and support plans to address risk management and control weaknesses Analyze and present results for executive oversight, including key stakeholders and the Board, or an appropriate Board committee. 33

34 Susan Orr Consulting, Ltd Kyle Bennett TTS Upcoming Webinars August 27 th - Appraisal Review for Residential Mortgage Decisions September 3 rd - RC-C Loan Coding and Related RC-R Reporting September 9 th - Sixty (60) Critical Steps for Handling Delinquent Boxes September 9 th - How Loans Get Repaid: Cashflow, Collateral, and Personal Guarantees September 10 th - Controlling the Risks of Power of Attorney Documents September 10 th Opening Deposit Accounts Online: CIP, CDD, W-9, Signature Cards and More Regulatory Issues September 11 th BSA Series: Completing CTR & SAR Reports Line by Line September 14 th Avoid the Big Mistakes and Get Commitment September 15 th Do s and Don t s of Checks: How to Avoid Loss September 16 th Best-Ever Compliance Checklists for Commercial Loans 34