FFIEC Cybersecurity Assessment Tool


Transcription:

All About the New FFIEC Cybersecurity Assessment Tool
June 22, 2016
Susan Orr Consulting, Ltd.

FFIEC Cybersecurity Assessment Tool (components)
- Overview for Chief Executive Officers and Board
- Users Guide
- Inherent Risk Profile
- Cybersecurity Maturity
- Additional Resources
  - Mapping to FFIEC IT Examination Handbook
  - Mapping to NIST Cybersecurity Framework
  - Glossary

Overview
- Use of the FFIEC Tool is not mandatory but strongly recommended
- Developing a Cyber Assessment is mandatory
- When completed, develop an Action Plan to achieve the Desired Target State
- OCC is performing an Assessment during the IT examination
- FDIC, FRB will review the Assessment you completed
- Expectations are that all institutions will be Baseline initially
- Not intended to replace the current risk management process
- Cyber risk programs are to build on the current Information Security Program, including Information Security/Cyber Security Risk Assessment, Incident Response, BCP, and Outsourced Third Party Risk Management
- Use on an enterprise-wide basis and when introducing new products and services

Diagram: Information Security / Cyber Security program components: Information/Cyber Security Risk Assessment, BCP, Incident Response, Outsourcing, and Admin, Tech, Physical Controls (Preventative, Detective, Corrective Controls)

Completing the Assessment
- Part One: Inherent Risk Profile
- Part Two: Cybersecurity Maturity

Inherent Risk Profile (categories)
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats

Risk Levels: Least, Minimal, Moderate, Significant, Most

Category worksheet totals (number of items at each inherent risk level, shown in the order of the five categories listed above):

Category                                        Least  Minimal  Moderate  Significant  Most
Technologies and Connection Types                  6        7         1            0     0
Delivery Channels                                  0        0         2            1     0
Online/Mobile Products and Technology Services     6        6         1            1     0
Organizational Characteristics                     4        3         0            0     0
External Threats                                   0        1         0            0     0

Inherent Risk Profile by Category

Category                                        Inherent Risk
Technologies and Connection Types               Minimal
Delivery Channels                               Moderate
Online/Mobile Products and Technology Services  Minimal
Organizational Characteristics                  Least
External Threats                                Minimal

Overall Inherent Risk (item totals across all categories)

Least  Minimal  Moderate  Significant  Most
   16       17         4            2     0

Cybersecurity Maturity: 5 Domains
- Domain 1: Cyber Risk Management and Oversight
- Domain 2: Threat Intelligence and Collaboration
- Domain 3: Cybersecurity Controls
- Domain 4: External Dependency Management
- Domain 5: Cyber Incident Management and Resilience

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool: IT Strategic Plan


Need to discuss and document: Training


Not Shared, Strong Password Controls, Timely


Develop a flow chart. Topology should show this.


Domain 1 Cyber Maturity Level
Domain 2 Cyber Maturity Level
Domain 3 Cyber Maturity Level
Domain 4 Cyber Maturity Level
Domain 5 Cyber Maturity Level

Risk/Maturity Relationship charts, one per domain:
- Domain 1: Cyber Risk Management
- Domain 2: Threat Intelligence and Collaboration
- Domain 3: Cyber Security Controls
- Domain 4 (slide title reads "Cyber Security Controls")
- Domain 5 (slide title reads "Cyber Security Controls")

Each chart plots the Cybersecurity Maturity Level for the domain (Baseline, Evolving, Intermediate, Advanced, Innovative) against the Inherent Risk Levels (Least, Minimal, Moderate, Significant, Most).

Desired Target State
- Desired Overall Target State: Evolving

Summary
- Completion of an Assessment is mandatory; using the CAT is not
- Examiners stated they will complete it at the next exam if you haven't
- Cybersecurity Program integrated with Information Security
- Role of Board and CEO:
  - Develop a plan to conduct the Assessment
  - Lead employee efforts during the Assessment
  - Set target state of preparedness equal to Board risk appetite
  - Review, approve, and support plans to address risk management and control weaknesses
  - Analyze and present results for executive oversight, including key stakeholders and the Board, or an appropriate Board committee

Susan Orr Consulting, Ltd
www.susanorrconsulting.com
630.499.0276
susan@susanorrconsulting.com

Dan Heldmann, TTS
800-831-0678
www.bankwebinars.com
info@ttstrain.com

Upcoming Webinars
- June 23, 2016 - Lending to Local Government Units
- June 28, 2016 - HMDA: A Summary of the New Final Rules
- June 28, 2016 - Handling Social Security - Representative Payee Accounts
- July 6, 2016 - Federal Benefit Payments Garnishment Requirements
- July 7, 2016 - Entering the World of Consumer Lending - 3 Part Series
- July 7, 2016 - Entering the World of Consumer Lending - Part 1