All About the New FFIEC Cybersecurity Assessment Tool
June 22, 2016
Susan Orr Consulting, Ltd.

Contents of the FFIEC Cybersecurity Assessment Tool:
- Overview for Chief Executive Officers and Board
- User's Guide
- Inherent Risk Profile
- Cybersecurity Maturity
- Additional Resources: Mapping to the FFIEC IT Examination Handbook, Mapping to the NIST Cybersecurity Framework, Glossary
Overview
- Use of the FFIEC Tool is not mandatory but strongly recommended
- Developing a Cyber Assessment is mandatory
- When completed, develop an Action Plan to achieve the Desired Target State
- The OCC is performing an Assessment during the IT examination; the FDIC and FRB will review the Assessment you completed
- Expectations are that all institutions will be Baseline initially
- Not intended to replace the current risk management process
- Cyber risk programs are to build on the current Information Security Program, including the Information Security/Cyber Security Risk Assessment, Incident Response, BCP, and Outsourced Third Party Risk Management
- Use on an enterprise-wide basis and when introducing new products and services

Information Security and Cyber Security (diagram): Information/Cyber Security Risk Assessment; BCP; Incident Response; Outsourcing; Administrative, Technical, and Physical Controls; Preventative, Detective, and Corrective Controls
Completing the Assessment
Part One: Inherent Risk Profile
Part Two: Cybersecurity Maturity

Inherent Risk Profile categories:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
Risk Levels: Least, Minimal, Moderate, Significant, Most
Inherent Risk Profile worksheet totals (number of items rated at each risk level, in the order Least, Minimal, Moderate, Significant, Most):
- Technologies and Connection Types: 6, 7, 1, 0, 0
- Delivery Channels: 0, 0, 2, 1, 0
- Online/Mobile Products and Technology Services: 6, 6, 1, 1, 0
- Organizational Characteristics: 4, 3, 0, 0, 0
- External Threats: 0, 1, 0, 0, 0

Inherent Risk Profile by Category:
- Technologies and Connection Types: Minimal
- Delivery Channels: Moderate
- Online/Mobile Products and Technology Services: Minimal
- Organizational Characteristics: Least
- External Threats: Minimal

Overall Inherent Risk (all categories combined): Least 16, Minimal 17, Moderate 4, Significant 2, Most 0
Cybersecurity Maturity: 5 Domains
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience

FFIEC Cybersecurity Assessment Tool worksheet note: IT Strategic Plan
Worksheet note: Need to discuss and document Training
Worksheet note: Not Shared, Strong Password Controls, Timely A
Worksheet note: Develop a flow chart; the topology should show this
Cyber Maturity Level charts, one per domain: Domain 1, Domain 2, Domain 3, Domain 4, Domain 5
Risk/Maturity Relationship charts, one per domain. Each chart plots the Inherent Risk Levels (Least, Minimal, Moderate, Significant, Most) against the Cybersecurity Maturity Level for that domain (Baseline, Evolving, Intermediate, Advanced, Innovative):
- Domain 1: Cyber Risk Management and Oversight
- Domain 2: Threat Intelligence and Collaboration
- Domain 3: Cybersecurity Controls
- Domain 4: External Dependency Management
- Domain 5: Cyber Incident Management and Resilience
Desired Target State
Desired Overall Target State: Evolving

Summary
- Completion of an Assessment is mandatory; using the CAT is not
- Examiners stated they will complete it at the next exam if you haven't
- Cybersecurity Program integrated with Information Security

Role of the Board and CEO
- Develop a plan to conduct the Assessment
- Lead employee efforts during the Assessment
- Set the target state of preparedness equal to the Board's risk appetite
- Review, approve, and support plans to address risk management and control weaknesses
- Analyze and present results for executive oversight, including key stakeholders and the Board, or an appropriate Board committee
Susan Orr Consulting, Ltd
www.susanorrconsulting.com
630.499.0276
susan@susanorrconsulting.com

Dan Heldmann, TTS
800-831-0678
www.bankwebinars.com
info@ttstrain.com