The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool was released June 30, 2015. The Assessment is designed to help financial institutions and regulators determine the inherent risk exposure to a cybersecurity attack, and measure “Cybersecurity Maturity.” Designed for financial institutions of all sizes, the Assessment incorporates concepts and principles contained in the FFIEC IT Examination Handbook. Core documents include an overview for Chief Executive Officers and the Board of Directors, a User Guide, the Inherent Risk Assessment, and the Cybersecurity Maturity evaluation. Additional information and documentation is located at the following link: http://www.ffiec.gov/cyberassessmenttool.htm
There are two parts to the Assessment, designed to help management evaluate inherent risk, measure security preparedness, and identify gaps in controls:
- FFIEC Cyber Inherent Risk Profile – this document assists in determining your risk exposure to a cybersecurity attack, based on the ‘risk that the institution’s activities, services, and products pose to the institution.’
- FFIEC Cyber Mapped to FFIEC Handbook – this document assists in determining your current state of cybersecurity preparedness, represented by maturity levels across five domains. This document helps determine whether your institution has adequate controls to prevent and respond to a cybersecurity attack.
The Assessment is designed for use by institutions of all sizes, and provides a straightforward and adaptable approach. By reviewing the inherent risk and maturity levels across all of the domains, the FFIEC states that management can determine whether the bank’s maturity levels are appropriate in relation to its risks. If not, the bank may take action either to reduce the risk or increase the level of maturity.
While the use of the Assessment is optional for institutions, examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity. Examiners will begin using the Assessment in late 2015. Additional information can be found on the OCC website: www.occ.treas.gov
Solution
The severity and impact of cyber threats have changed the landscape in which financial institutions of all sizes and complexities operate. Breaches of customer data, credit card information, employee and customer authentication credentials, etc., are becoming more commonplace. It is critical that financial institutions maintain a formal process for managing cyber risks that informs management and boards of directors. The Cybersecurity Assessment Tool is designed to support and enhance the following elements of an institution’s overall cybersecurity risk management program:
- Identify, measure, mitigate and monitor risks
- Develop risk management processes commensurate with your institution’s level of risk and complexity
- Align IT strategy with business strategy and account for how risks will be managed both now and in the future
- Create a governance process to ensure ongoing awareness and accountability