FFIEC Cyber Security Assessment Tool Overview and Key Considerations
Overview of FFIEC Cybersecurity Assessment Tool
Agenda
- Overview of assessment tool
- Review inherent risk profile categories
- Review domain 1-5 for cyber security maturity
- Summary of risk/maturity relationships
- Overview of use case performed
- Final thoughts
- Q&A
Benefits to Institutions
- Identifying factors contributing to and determining the institution's overall cyber risk
- Assessing the institution's cybersecurity preparedness
- Evaluating whether the institution's cybersecurity preparedness is aligned with its risks
- Determining risk management practices and controls that could be taken to achieve the institution's desired state of cyber preparedness
- Informing risk management strategies
Not just for Finance!
Don't tune out if you're not in the financial services sector! Throughout the presentation you can see that risk assessment and preparedness is a major theme in any industry. Feel free to ask particular questions about your company and industry.
Inherent Risk Profile
Inherent Risk Profile Categories
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
Inherent Risk Profile Risk Levels
Inherent Risk Profile Excerpt
Inherent Risk Profile: Technologies and Connection Types
- Internet service providers
- Third party connections
- Internal vs outsourced hosted systems
- Wireless access points
- Network devices
- EOL systems
- Cloud services
- Personal devices
Inherent Risk Profile: Delivery Channels
- Online and mobile products and services delivery channels
- ATM operations
Inherent Risk Profile: Online/Mobile Products and Technology Services
- Credit and debit cards
- P2P payments
- ACH
- Wire transfers
- Wholesale payments
- Remote deposit
- Treasury and trust
- Global remittances
- Correspondent banking
- Merchant acquiring activities
Inherent Risk Profile: Organizational Characteristics
- Mergers and acquisitions
- Direct employees and contractors
- IT environment
- Business presence and locations of operations and data centers
Inherent Risk Profile
Inherent Risk Responses: Best Practice
Automate answers using existing solutions to track, in real time, areas such as:
- Asset inventory
- Third party connections
- Transaction data
Cybersecurity Maturity Assessment
Cybersecurity Maturity Overview
Cybersecurity Maturity Domain Coverage
Domain 1: Cyber Risk Management & Oversight
- Governance
- Risk Management
- Resources
- Training and Culture
Domain 2: Threat Intelligence and Collaboration
- Threat Intelligence
- Monitoring and Analyzing
- Information Sharing
Domain 3: Cyber Security Controls
- Preventative
  - Infrastructure management
  - Access and asset management
  - Device/endpoint security
  - Secure coding practices
- Detective
  - Threat and vulnerability detection
  - Anomalous behavior activity detection
  - Event detection
- Corrective
  - Patch management
  - Remediation
Domain 4: External Dependency Management
- Connections
  - Identifications
  - Monitoring
  - Management of external connections and data flows to third parties
- Relationship Management
  - Due diligence
  - Contracts
  - Ongoing monitoring
Domain 5: Cyber Incident Management and Response
- Incident Resilience Planning & Strategy
- Detection, Response, & Mitigation
- Escalation & Reporting
Risk Maturity Relationship
Risk Maturity Matrix
National Bank Case Study
ABC National Bank Business Profile
- Background
  - 13000+ employees
  - 1000+ banking locations
  - HQ in Central US
  - Est. 1967
- Banking Operations
  - Branch Banking
  - Commercial Banking
  - Consumer Lending
  - Investment Advisors
- Current State
  - EOL systems still in use, no upgrade plan
  - Mobile banking applications and some BYOD
  - Previous security incidents: external phishing attempts and ATMs being infected with malware
  - IT Security Director has left the Bank
Inherent Risk Score
Inherent Risk Score: 507.69
Legend: <=200, 201-400, 401-600, 601-800, 801-1000

Category                                           Data Weights  Points  Least   Minimal  Moderate  Significant  Most
Technologies and Connection Types                  1             14      0       8        4         2            0
Delivery Channels                                  1             3       0       0        1         2            0
Organizational Characteristics                     1             7       1       0        6         0            0
Online/Mobile Products and Technological Services  1             14      3       3        8         0            0
External Threats                                   1             1       0       0        1         0            0
Totals                                             5             39      4       11       20        4            0
(% of total points)                                                      10.26%  28.21%   51.28%    10.26%       0.00%
Cybersecurity Maturity Assessment
FFIEC Recap of Steps Taken for Use Case
- Inherent Risk Profile
  - Low Inherent Risk
  - Minimal Inherent Risk
  - Moderate Inherent Risk
  - Significant Inherent Risk
  - Most Inherent Risk
- Cybersecurity Maturity
  - Domain 1: Cyber Risk Management & Oversight
  - Domain 2: Threat Intelligence & Collaboration
  - Domain 3: Cybersecurity Controls
  - Domain 4: External Dependency Management
  - Domain 5: Cyber Incident Management and Resilience
Maturity Achieved Against Defined Targets
ABC Bank: 81.06%

Domain (Desired Target, %Achieved)
  Maturity      Achieved  Statements  Populated cells of the Least / Minimal / Moderate / Significant / Most columns

Cyber Risk Management and Oversight (Desired Target: Intermediate, %Achieved: 64.89%)
  Innovative    1         15          6.67%    6.67%
  Advanced      5         32          15.63%   15.63%   15.63%
  Intermediate  7         29          24.14%   24.14%   24.14%
  Evolving      23        34          67.65%   67.65%   67.65%
  Baseline      31        31          100.00%  100.00%

Threat Intelligence and Collaboration (Desired Target: Intermediate, %Achieved: 88.46%)
  Innovative    0         8           0.00%    0.00%
  Advanced      2         11          18.18%   18.18%   18.18%
  Intermediate  8         11          72.73%   72.73%   72.73%
  Evolving      7         7           100.00%  100.00%  100.00%
  Baseline      8         8           100.00%  100.00%

Cyber Security Controls (Desired Target: Intermediate, %Achieved: 80.62%)
  Innovative    2         20          10.00%   10.00%
  Advanced      5         25          20.00%   20.00%   20.00%
  Intermediate  23        39          58.97%   58.97%   58.97%
  Evolving      30        39          76.92%   76.92%   76.92%
  Baseline      51        51          100.00%  100.00%

External Dependency Management (Desired Target: Intermediate, %Achieved: 86.84%)
  Innovative    0         7           0.00%    0.00%
  Advanced      3         7           42.86%   42.86%   42.86%
  Intermediate  6         9           66.67%   66.67%   66.67%
  Evolving      11        13          84.62%   84.62%   84.62%
  Baseline      16        16          100.00%  100.00%

Cyber Incident (Desired Target: Intermediate, %Achieved: 84.48%)
  Innovative    1         10          10.00%   10.00%
Domain Level Controls
Negative Security Approach
Control Maturity Level: Baseline (Inherent Risk Profile Level: Low) and Evolving (Inherent Risk Profile Level: Minimal)

Domain 1 - Governance, Risk, and Audit
Solution capability desired - Visibility and Intelligence
- Baseline: No endpoint visibility. Limited intelligence on oversight and audit functions.
- Evolving: Polling and scanning, basic manual risks assigned.

Domain 2 - Threat Intelligence and Sharing
Solution capability desired - Intelligence and Integration
- Baseline: Limited intelligence without any integration.
- Evolving: Alerts and logs are consolidated in a SIEM for integration, manually shared threat intelligence.

Domain 3 - Preventive, Detective, and Corrective controls
Solution capability desired - Detection, Prevention, and Response
- Baseline:
  - Detection: AV signatures only detect known malware, extensive log analysis
  - Prevention: Relying on AV only stops known malware
  - Response: Reimage machines, no root cause analysis
- Evolving:
  - Detection: Software and IP reputation data
  - Prevention: Remove admin rights, basic whitelisting
  - Response: Manual root-cause and scope analysis, post-mortem forensics

Domain 4 - Third Party Management
Solution capability desired - Visibility and Detection
- Baseline: No visibility into third party security or threats. No detection of security incidents spawned from third parties.
- Evolving: Limited visibility into criticality of third parties. Still no detection of interactions or unauthorized attempts to obtain/change sensitive information.

Domain 5 - Incident Response
Solution capability desired - Detection and Response
- Baseline:
  - Detection: AV signatures only detect known malware, extensive log analysis
  - Response: Reimage machines, no root cause analysis
- Evolving:
  - Detection: Software and IP reputation data
  - Response: Manual root-cause and scope analysis, post-mortem forensics
Domain Level Controls
Positive Security Approach
Control Maturity Level: Intermediate, Advanced, Innovative
Inherent Risk Level: Moderate, Significant, Most

- Risks that exceed appetite are escalated to management
- Policies include threat intelligence
- Baselines cannot be altered w/o formal change request
- Formal IT change management process
- Risk management includes financial, strategic, regulatory, and compliance implications
- Benchmarks and target performance metrics are established
- Audits are used to identify gaps
- Industry standards are used for the analysis of gaps
- Automated tools enable tracking, updating, asset prioritizing, and custom reporting of the asset inventory
- Automated processes are in place to detect and block unauthorized changes to software and hardware
- Risk assessments of changes in change management system
- Risk data aggregation and real time reporting capabilities support ongoing reporting
- Periodic audit process improvements based on threat landscape
- Continuous monitoring of security controls
- KPIs determine training awareness influence
- Formal change management function governs decentralized or highly distributed change requests and measures security risks
- Automated enterprise tools are implemented to detect and block unauthorized changes to software and hardware
- Formal threat intelligence program is implemented and has external and internal sources
- A read-only central repository of cyber threat intelligence is maintained
- Profile of threats is created
- Threat intelligence is automatically received from multiple sources in real time
- Threat intelligence is used to update architecture and configuration standards
- IT systems automatically detect configuration weaknesses based on threat intelligence and alert management
- Real time threat sharing
- Threat analysis systems correlate threat data to risks while taking automated actions and alerting management
- Invests in threat intelligence and collaboration mechanisms
- Combines all threat intelligence from mechanisms
- Security controls for remote access
- Unauthorized code prevention tools
- Emails and attachments are automatically scanned to detect malware and blocked when it is present
- Tools for unauthorized data mining
- Tools to monitor security logs
- Audit logs are backed up to a centralized log server that is difficult to alter
- Event detection processes are tested as reliable
- Controls verified to detect and prevent intrusions from third party connections
- Monitoring covers all external and internal connections
- Anti-spoofing measures for forged IP addresses
- Automated tools proactively identify high-risk behavior signaling an employee who poses an insider threat
- Automated tools detect unauthorized changes to critical system files, firewalls, IPS, IDS, or other security devices
- Real-time network monitoring and detection is implemented and incorporates sector-wide event information
- Real time alerts are automatically sent when unauthorized software, hardware, or changes occur
- Tools are in place to actively correlate event information from multiple sources and send alerts based on established parameters
- Patch monitoring software is installed on all servers
- Maintain and improve security of external connections
- Automated real time risk scores of infrastructure
- Centralized end-point management tool
- Real time risk scoring of threats
- Detection of insider threats and block activity in real time
- Remediation of systems damaged by zero-days
- Detailed diagram of data flow analysis
- IR team notified when anomalous behavior and attack patterns or signatures are detected
- Detect infiltrations before attacker traverses across systems
- Incidents detected in real time through automated processes and correlated events across the enterprise
- Networks and system alerts are correlated across business units to detect and prevent multifaceted attacks
- Early analysis of security events to minimize impact
- Institution corrects root cause for problems discovered during testing
- Sophisticated and adaptive technologies are deployed that can detect and alert the incident response team of specific tasks when threat indicators across the enterprise indicate potential external and internal threats
- Automated tools are implemented to provide specialized security monitoring based on the risk of the assets to detect and alert IR teams in real time
- IR team collaborates with threat intelligence team during an incident
- Detailed metrics, dashboards and/or scorecards outlining cyber events are provided to management
- IR plan ensures recovery from disruption, assurance of data integrity, and recovery of lost or corrupted data following an incident
- IR process includes detailed actions and rule-based triggers for automated response
- Validated the ability to remediate systems damaged by zero day attacks to maintain RTO
- Detect and block zero day attacks and alert management and IR teams in real time
- Risk management of significant cyber incidents results in limited to no down time for critical services
- Mechanism in place to alert in real time incidents through multiple channels while tracking and verifying communication for audit
Maturity Achieved Against Intermediate Targets with Proactive Security
W/b9 +cb @ intermediate: 92.98%

Domain (Desired Target, %Achieved)
  Maturity      Achieved  Statements  Populated cells of the Least / Minimal / Moderate / Significant / Most columns

Cyber Risk Management and Oversight (Desired Target: Intermediate, %Achieved: 73.40%)
  Innovative    7         15          46.67%   46.67%
  Advanced      11        32          34.38%   34.38%   34.38%
  Intermediate  9         29          31.03%   31.03%   31.03%
  Evolving      29        34          85.29%   85.29%   85.29%
  Baseline      31        31          100%     100%

Threat Intelligence and Collaboration (Desired Target: Intermediate, %Achieved: 100.00%)
  Innovative    4         8           50.00%   50.00%
  Advanced      5         11          45.45%   45.45%   45.45%
  Intermediate  11        11          100%     100%     100%
  Evolving      7         7           100%     100%     100%
  Baseline      8         8           100%     100%

Cyber Security Controls (Desired Target: Intermediate, %Achieved: 91.47%)
  Innovative    8         20          40.00%   40.00%
  Advanced      16        25          64.00%   64.00%   64.00%
  Intermediate  32        39          82.05%   82.05%   82.05%
  Evolving      35        39          89.74%   89.74%   89.74%
  Baseline      51        51          100%     100%

External Dependency Management (Desired Target: Intermediate, %Achieved: 100.00%)
  Innovative    0         6           0.00%    0.00%
  Advanced      3         7           42.86%   42.86%   42.86%
  Intermediate  9         9           100%     100%     100%
  Evolving      13        13          100%     100%     100%
  Baseline      16        16          100%     100%

Cyber Incident Management and Resilience (Desired Target: Intermediate, %Achieved: 100.00%)
  Innovative    6         10          60.00%   60.00%
  Advanced      8         15          53.33%   53.33%   53.33%
  Intermediate  21        21          100%     100%     100%
  Evolving      20        20          100%     100%     100%
  Baseline      17        17          100%     100%
Maturity Achieved Against Defined Targets
Status Quo: 61.05%

Domain (Desired Target, %Achieved)
  Maturity      Achieved  Statements  Populated cells of the Least / Minimal / Moderate / Significant / Most columns

Cyber Risk Management and Oversight (Desired Target: Innovative, %Achieved: 47.52%)
  Innovative    1         15          6.67%    6.67%
  Advanced      5         32          15.63%   15.63%   15.63%
  Intermediate  7         29          24.14%   24.14%   24.14%
  Evolving      23        34          67.65%   67.65%   67.65%
  Baseline      31        31          100.00%  100.00%

Threat Intelligence and Collaboration (Desired Target: Innovative, %Achieved: 55.56%)
  Innovative    0         8           0.00%    0.00%
  Advanced      2         11          18.18%   18.18%   18.18%
  Intermediate  8         11          72.73%   72.73%   72.73%
  Evolving      7         7           100.00%  100.00%  100.00%
  Baseline      8         8           100.00%  100.00%

Cyber Security Controls (Desired Target: Innovative, %Achieved: 63.79%)
  Innovative    2         20          10.00%   10.00%
  Advanced      5         25          20.00%   20.00%   20.00%
  Intermediate  23        39          58.97%   58.97%   58.97%
  Evolving      30        39          76.92%   76.92%   76.92%
  Baseline      51        51          100.00%  100.00%

External Dependency Management (Desired Target: Innovative, %Achieved: 74.51%)
  Innovative    0         6           0.00%    0.00%
  Advanced      3         7           42.86%   42.86%   42.86%
  Intermediate  6         9           66.67%   66.67%   66.67%
  Evolving      13        13          100.00%  100.00%  100.00%
  Baseline      16        16          100.00%  100.00%

Cyber Incident Management and Resilience (Desired Target: Innovative, %Achieved: 63.86%)
  Innovative    1         10          10.00%   10.00%
  Advanced      3         15          20.00%   20.00%   20.00%
  Intermediate  15        21          71.43%   71.43%   71.43%
  Evolving      17        20          85.00%   85.00%   85.00%
  Baseline      17        17          100.00%  100.00%
Maturity Achieved Against Innovative Targets with Proactive Security
W/b9 +cb @ innovative: 77.65%

Domain (Desired Target, %Achieved)
  Maturity      Achieved  Statements  Populated cells of the Least / Minimal / Moderate / Significant / Most columns

Cyber Risk Management and Oversight (Desired Target: Innovative, %Achieved: 61.70%)
  Innovative    7         15          46.67%   46.67%
  Advanced      11        32          34.38%   34.38%   34.38%
  Intermediate  9         29          31.03%   31.03%   31.03%
  Evolving      29        34          85.29%   85.29%   85.29%
  Baseline      31        31          100%     100%

Threat Intelligence and Collaboration (Desired Target: Innovative, %Achieved: 77.78%)
  Innovative    4         8           50.00%   50.00%
  Advanced      5         11          45.45%   45.45%   45.45%
  Intermediate  11        11          100%     100%     100%
  Evolving      7         7           100%     100%     100%
  Baseline      8         8           100%     100%

Cyber Security Controls (Desired Target: Innovative, %Achieved: 81.61%)
  Innovative    8         20          40.00%   40.00%
  Advanced      16        25          64.00%   64.00%   64.00%
  Intermediate  32        39          82.05%   82.05%   82.05%
  Evolving      35        39          89.74%   89.74%   89.74%
  Baseline      51        51          100%     100%

External Dependency Management (Desired Target: Innovative, %Achieved: 80.39%)
  Innovative    0         6           0.00%    0.00%
  Advanced      3         7           42.86%   42.86%   42.86%
  Intermediate  9         9           100%     100%     100%
  Evolving      13        13          100%     100%     100%
  Baseline      16        16          100%     100%

Cyber Incident Management and Resilience (Desired Target: Innovative, %Achieved: 86.75%)
  Innovative    6         10          60.00%   60.00%
  Advanced      8         15          53.33%   53.33%   53.33%
  Intermediate  21        21          100%     100%     100%
  Evolving      20        20          100%     100%     100%
  Baseline      17        17          100%     100%
Key Considerations While Using the CAT
- Being innovative in cybersecurity maturity
- Real time detection and response
- Always be updating for changes
- Automatic metrics and reporting
- Threat analytics that matter
- Baseline risk measurement
How to use the CAT
Future of FFIEC
- Present
  - Examiners have begun using the handbook.
  - Criticism from FIs of making a voluntary tool seem mandated.
  - They do not track the NIST Cybersecurity Framework.
  - Declarative statements that are subjective in nature.
- Future
  - FFIEC took in feedback as a response to the accusations this January.
  - The tool will be updated on a periodic basis.
  - Publications from the FFIEC and OCC released stating the CAT could become mandatory if examiners do not see risk mitigation improvements from banks.
Not just for Finance!
Industries can use the tool to fit their inherent risk profile by changing the criteria to those that best fit them. E.g., healthcare can tailor its inherent risk based on the nature of health services provided, the number of devices connected to the network including medical devices, the number of sensitive patient files, and the number of medical services locations as a start. The same goes for the cyber security assessment maturity questionnaire: you can tailor the questionnaire using the controls for HIPAA, PCI, and NIST and any other standard that pertains to your industry.
Questions?