Cybersecurity Assessment Tool

Similar documents
FFIEC Cybersecurity Assessment Tool

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Emerging Issues: Cybersecurity. Directors College 2015

FFIEC Cybersecurity Assessment Tool

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Interpreting the FFIEC Cybersecurity Assessment Tool

Headline Verdana Bold

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016

Table of Contents. Sample

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

FDIC InTREx What Documentation Are You Expected to Have?

Cybersecurity and Data Protection Developments

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Cybersecurity and Examinations

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

The University of Queensland

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

FFIEC Cybersecurity Assessment Tool

GUIDANCE NOTE ON CYBERSECURITY

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Cybersecurity & Privacy Enhancements

NERC Staff Organization Chart Budget 2019

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

Cybersecurity and the Board of Directors

NERC Staff Organization Chart Budget 2019

Cyber Risks in the Boardroom Conference

Cybersecurity- A Regulatory Perspective. Robert J. Lipot, CRISC Senior Financial Institutions Examiner Department of Business Oversight

CYBERSECURITY RISK ASSESSMENT

Electricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013

Certified Information Security Manager (CISM) Course Overview

Threat and Vulnerability Assessment Tool

Rethinking Information Security Risk Management CRM002

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

SOC for cybersecurity

Avanade s Approach to Client Data Protection

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

AUDIT REPORT. Network Assessment Audit Audit Opinion: Needs Improvement. Date: December 15, Report Number: 2014-IT-03

The Water Sector Approach to Cybersecurity

THE POWER OF TECH-SAVVY BOARDS:

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Global Statement of Business Continuity

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Overview of the Federal Interagency Operational Plans

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Information for entity management. April 2018

NERC Staff Organization Chart Budget 2018

The Business Value of including Cybersecurity and Vendor Risk in ERM

Session 5: Business Continuity, with Business Impact Analysis

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Why you should adopt the NIST Cybersecurity Framework

NCUA IT Exam Focus. By Tom Schauer, Principal CliftonLarsonAllen

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Effective Cyber Incident Response in Insurance Companies

Security and Privacy Governance Program Guidelines

Turning Risk into Advantage

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

The value of visibility. Cybersecurity risk management examination

HPH SCC CYBERSECURITY WORKING GROUP

InfoSec Risks from the Front Lines

UNB S CYBERSECURITY PROGRAM

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Risk Advisory Academy Training Brochure

Building a BC/DR Control Library and Regulatory Response Program

Bringing Cybersecurity to the Boardroom Bret Arsenault

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Defense Security Service. Strategic Plan Addendum, April Our Agency, Our Mission, Our Responsibility

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

NCSF Foundation Certification

Defining the Challenges and Solutions. Resiliency Model. A Holistic Approach to Risk Management. Discussion Outline

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Building a Resilient Security Posture for Effective Breach Prevention

CISM Certified Information Security Manager

2017 IT Examination Preparedness. Iowa Bankers 2017 Technology Conference October 24, 2017

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

MNsure Privacy Program Strategic Plan FY

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

Cybersecurity. Securely enabling transformation and change

Larry Clinton President & CEO (703)

Cybersecurity Auditing in an Unsecure World

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

Cybersecurity in Government

Incident Response and Cybersecurity: A View from the Boardroom

Credit Card Data Compromise: Incident Response Plan

GLBA, information security and incident response a compliance perspective

Internal Controls Evaluation (ICE) Processing

NW NATURAL CYBER SECURITY 2016.JUNE.16

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

On the board s agenda US Cyber risk in the boardroom: Accelerating from acceptance to action

Transcription:

FederalDepasitlnsuranceCarparation ~~d 1~~i 5yreet ~lw,uuashinyoon, D.C.2d42~-990 Financial Institution Letter FIL-28-2015 JUIy 2, 2015 Cybersecurity Assessment Tool Summary: The FDIC, in coordination with the other members of the Federal Financial Institutions Examination Council (FFIEC), is issuing the FFIEC Cybersecurity Assessment Tool to help institutions identify their cybersecurity risks and determine their preparedness. Statement of Applicability to Institutions with Less than $1 Billion in Total Assets: This Financial Institution Letter (FIL) is applicable to all FDIC-supervised institutions. Suggested Distribution: FDIC-Supervised Banks.(Commercial and Savings) Suggested Routing: Chief Executive O~cer Chief Information Officer Chief Information Security Officer Attachments FFIEC Cybersecurity Assessment Tool Related Topics: FFIEC Cybersecurity Brochure, https://www.ffiec.gov/press/pdfiffiecc by erse curitybrochure.pdf FFIEC Cybersecurity Assessment General Observations, Highlights' The Cybersecurity Assessment Tool has been developed by the FFIEC members in response to requests from the industry for assistance in determining preparedness for cyber threats. Use of the Cybersecurity Assessment Tool is voluntary. The Cybersecurity Assessment Tool provides a way for institution management to assess an institution's inherent risk profile and cybersecurity maturity to inform risk management strategies.. The Cybersecurity Assessment Tool and a variety of SU pp 0I'~I11 g resources ~ 111CIUdl11 g an executive overview user's guide and instructional presentation, are available on the Cybersecurity Awareness page of the FFIEC.gov website at https://www.ffiec.gov/cybersecurity.htm. https://www.ffiec.aov/press/pdfiffiec Cyberse. Also available is a mapping curity of the Cybersecurity Assessment Observations pdf Assessment Tool to the Cybersecurity Framework' issued by the National Institute for Standards and Technology and a Contact: Marlene Roberts, Senior Examination Specialist, at marrobertscc~fdic.gov or (703) 254-0465. Note: FDIC financial institution lefters (FILs) may be accessed from the FDIC's Web site at https://fdic.gov/news/news/financial/2015/ mapping of the Baseline Statements of the Cybersecurity Assessment Tool to the FFIEC Information Technology _ Ha11db00k. FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers fo any questions. To receive FILs electronically, please visit The FDIC encourages institutions to comment on the https:~~www.fdic.aov~about~subscriptionsiti~.htmi. usability of the Cybersecurity Assessment Tool, including Paper copies of FDIC financial institution letters may be the estimated number of hours required to complete the obtained.through the FDIC's Public Information Center, Assessment, through a forthcoming Federal Register 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1- NOtICe. 877-275-3342 or 703-562-2200). FDIC-supervised institutions may direct questions on the FFIEC Cybersecurity Assessment Tool through https://fdicsurveys.co1.qualtrics.com/jfe/form/sv 4JgpIWX WB9Gjps1

~,. ~,~,a In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Councils (FFIEC) developed the Cybersecurity Assessment Tool (Assessment), on behalf of its members, to help institutions identify their risks and determine their cybersecurity preparedness. The Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time. The Assessment incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (KIST) Cybersecurity Framework.2 ~er~efits ~to ~h~ ir~s~ituti~n For institutions using the Assessment, management will be able to enhance their oversight and management of the institution's cybersecurity by doing the following: Identifying factors contributing to and determining the institution's overall cyber risk. Assessing the institution's cybersecurity preparedness. Evaluating whether the institution's cybersecurity preparedness is aligned with its risks. Determining risk management practices and controls that are needed or need enhancement and actions to be taken to achieve the desired state: Informing risk management strategies. and oar c~~ ircr The role of the chief executive officer (CEO), with management's support, may include the responsibility to do the following: Develop a plan to conduct the Assessment. Lead employee efforts during the Assessment to facilitate timely responses from across the institution. Set the target state of cybersecurity preparedness that best aligns to the board of directors' (board) stated (or approved) risk appetite. Review, approve, and support plans to address risk management and control weaknesses. Analyze and present results for executive oversight, including lcey stakeholders and the board, or an appropriate board committee. I The FFIEC comprises the principals of the following: The Board of Governars of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Pt otection Bureau, and State Liaison Committee. ~ A mapping is available in Appendix B: Mapping Cybersecurity r~ssessma~t~ Tool to the NIST Cvbersecurify Framework. T]IST reviewed and provided input on the mapping to ensure consistency with Framework principles and to highlight the complementary nature of the two resources. June 2015

FFIEC Cybersecurity Assessment Toof Overview for CEOs and Boards of Qirectors Oversee the performance of ongoing monitoring to remain nimble and agile in addressing evolving areas of cybersecurity risk. Oversee changes to maintain or increase the desired cybersecurity preparedness. The role of the board, or an appropriate board committee, may include the responsibility to do. the following: Engage management in establishing the institution's vision, risk appetite, and overall strategic direction. Approve plans to use the Assessment. Review management's analysis of the Assessment results, inclusive of any reviews or opinions on the results issued by independent risk management or internal audit functions regarding those results. Review management's determination of whether the institution's cybersecurity preparedness is aligned with its risks. Review and approve plans to address any risk management or control weaknesses. Review the results of management's ongoing monitoring of the institution's exposure to and preparedness for cyber threats. r s ~, The Assessment consists of two parts: Inherent Rislc Profile and Cybersecurity Maturity. Upon completion of both parts, management can evaluate whether the institution's inherent risk and preparedness are aligned. Inherent Risk Profile Cybersecurity inherent risk is the level of risk posed to the institution by the following: Technologies and Connection Types Delivery Channels Online/Mobile Products and Technology Services Organizational Characteristics External Threats Inherent risk incorporates the type, volume, and complexity of the institution's operations and threats directed at the institution. Inherent risk does not include mitigating controls. The Inherent Rislc Profile includes descriptions of activities across risk categories with definitions for the least to most levels of inherent risk. The profile helps management determine exposure to risk that the institution's activities, services, and products individually and collectively pose to the institution. When each of the activities, sezvices, and products are assessed, management can review the results and determine the institution's overall inherent risk profile. June 2015 2

~ FFIEC Cybersecurity Assessment Tool Overview for CEOs and Boards of Directors Cybersecurity Maturity The Assessment's second part is Cybersecurity Maturity, designed to help management measure the institution's level of risk and corresponding controls. The levels range from baseline to innovative. Cybersecurity Maturity includes statements to detei~rnine whether an institution's,} ~ FiF ~~,~~~~ behaviors, practices, and processes can support ~ :-~=~---- cybersecuritypreparedness within the following ~ ~~ five domains: : n:~ <~' Cyber Rislc Management and Oversight ~, ; ~r~ ~'' Threat Intelligence and Collaboration ~ ; Cybersecurity Controls ri ~3 External Dependency Management G Cyber Incident Management and Resilience ~~,~~ t ~' The domains include assessment factors and contributing components. Within each component, declarative statements describe activities supporting the assessment factor at each maturity level. Management determines which declarative statements best fit the current practices of the institution. All declarative statements in each matut~ity level, and previous levels, must be attained and sustained to achieve that domain's matuf~ity level. While management can determine the institution's maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level. The figure below provides the five domains and assessment factors. Governance Threat Intelligence Preventative Controls r;onnections Incident Resilience Planning and Stratea y Risk Management i Monitoring and Analyzing Detective Controls g Relationship ~ Detection, Management Response, and Mitigation - - Resources Information Sharing 1 Corrective Controls ~ - - e Escalation and Reporting Training and Culture June 2015 3

FFIEC Cybersecurity Assessment Tool Overview far CEOs and Boards of Directors Management can review the institution's Inherent Risk Profile in relation to its Cybersecurity Maturity results for each domain to understand whether they are aligned. The following table depicts the relationship between an institution's Inherent Risk Profile and its domain Maturity Levels, as there is no single expected level for an institution. In general, as inherent risk rises, an institution's maturity levels should increase. An institution's inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change. Thus, management should consider reevaluating the institution's inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile (e.g., launching new products or services, new connections). Risk/Maturity Relationship Inherent Risk Levels Least Minimal Moderate Significant Most L ~` Innovative ~L ~ ~ 3> ~ ~ ~ L ~1~ ~ G1...0 ~ 3 ~ " Advanced Intermediate Evolving. ' ----._. - - _ ~ Baseline Management can_then decide what actions are needed either to affect the inherent risk profile or to achieve a desired state of maturity. On an ongoing basis, management may use the Assessment to identify changes to the institution's inherent risk profile when new threats arise or when considering changes to the business strategy, such as expanding operations, offering new products and services, or entering into new third-party relationships that support critical activities. Consequently, management can determine whether additional risk management practices or controls are needed to maintain or augment the institution's cybersecurity maturity.... - An essential part of implementing the Assessment is to validate the institution's process and findings and the effectiveness and sufficiency of the plans to address any identified weaknesses. The next section provides some questions to assist management and the board when using the Assessment. Cybersecurity Management & Oversight What are the potential cyber threats to the institution? Is the institution a direct target of attacks? Is the institution's cybersecurity preparedness receiving the appropriate level of time and attention from management and the board or an appropriate board committee? June 2015 4

~' FFIEC Cybersecurity Assessment Tooi Overview for CEOs and Baards of Directors Do the institution's policies and procedures demonstrate management's commitment to sustaining appropriate cybersecurity maturity levels? What is the ongoing process for gathering, monitoring, analyzing, and reporting risks? Who is accountable for assessing and managing the risks posed by changes to the business strategy or technology? Are the accountable individuals empowered with the authority to cant' out these responsibilities? Do the inherent risk profile and cybersecurity maturity levels meet management's business and risk management expectations? If there is misalignment, what are the proposed plans to bring them into alignment? How can management and the board, or an appropriate board committee, make this process part of the institution's enterprise-wide governance framework? Inherent Risk Profile What is the process for gathering and validating the information for the inherent risk profile and cybersecurity maturity? How can management and the board, or an appropriate board committee, support improvements to the institution's process for conducting the Assessment? What do the results of the Assessment mean to the institution as it looks at its overall risk profile? What are the institution's areas of highest inherent risk? Is management updating the institution's inherent risk profile to reflect changes in activities, services, and products? Cybersecurity Maturity How effective are the institution's risk management activities and controls identified in the Assessment? Are there more efficient or effective means for attaining or improving the institution's risk management and controls? What third parties does the institution rely on to support-critical activities? ~ What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity? How does management validate the type and volume of attacks? Is the institution sharing threat information with peers, law enforcement, and critical third parties through information-sharing procedures? ~' FFIEC has developed the Assessment to assist management~and the board, or an appropriate board committee, in assessing their institution's cybersecurity.preparedness and risk. For more information and additional questions to consider, refer to the FFIE~` Cyhe~seeut~rty Assess~raent Ger~ef crl ObsetFvatzo~rs on the FFIEC's Web site. June 2015 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback