FFIEC Cyber Security Assessment Tool Overview and Key Considerations
Source: isacam.isaca.org/chapters2/jacksonville/events/documents/2016...


Overview of FFIEC Cybersecurity Assessment Tool

Agenda

Overview of assessment tool

Review inherent risk profile categories

Review domains 1-5 for cyber security maturity

Summary of risk/maturity relationships

Overview of use case performed

Final thoughts Q&A

Benefits to Institutions

• Identifying factors contributing to and determining the institution's overall cyber risk

• Assessing the institution's cybersecurity preparedness

• Evaluating whether the institution's cybersecurity preparedness is aligned with its risks

• Determining risk management practices and controls that could be taken to achieve the institution's desired state of cyber preparedness

• Informing risk management strategies

Not just for Finance!

• Don't tune out if you're not in the financial services sector!

• Throughout the presentation you will see that risk assessment and preparedness is a major theme in any industry. Feel free to ask particular questions about your company and industry.

Inherent Risk Profile

Inherent Risk Profile Categories

• Technologies and Connection Types

• Delivery Channels

• Online/Mobile Products and Technology Services

• Organizational Characteristics

• External Threats

Inherent Risk Profile – Risk Levels

Inherent Risk Profile Excerpt

Inherent Risk Profile

• Technologies and Connection Types

  • Internet service providers

  • Third party connections

  • Internal vs outsourced hosted systems

  • Wireless access points

  • Network devices

  • EOL systems

  • Cloud services

  • Personal devices

Inherent Risk Profile

• Delivery Channels

  • Online and mobile products and services delivery channels

  • ATM operations

Inherent Risk Profile

• Online/Mobile Products and Technology Services

  • Credit and debit cards

  • P2P payments

  • ACH

  • Wire transfers

  • Wholesale payments

  • Remote deposit

  • Treasury and trust

  • Global remittances

  • Correspondent banking

  • Merchant acquiring activities

Inherent Risk Profile

• Organizational Characteristics

  • Mergers and acquisitions

  • Direct employees and contractors

  • IT environment

  • Business presence and locations of operations and data centers

Inherent Risk Profile

Inherent Risk Responses: Best Practice

Automate answers using existing solutions that track in real time areas such as:

• Asset inventory

• Third party connections

• Transaction data

Cybersecurity Maturity Assessment

Cybersecurity Maturity Overview

Cybersecurity Maturity Domain Coverage

Domain 1: Cyber Risk Management & Oversight

• Governance

• Risk Management

• Resources

• Training and Culture

Domain 2: Threat Intelligence and Collaboration

• Threat Intelligence

• Monitoring and Analyzing

• Information Sharing

Domain 3: Cyber Security Controls

• Preventative

  • Infrastructure management

  • Access and asset management

  • Device/endpoint security

  • Secure coding practices

• Detective

  • Threat and vulnerability detection

  • Anomalous behavior activity detection

  • Event detection

• Corrective

  • Patch management

  • Remediation

Domain 4: External Dependency Management

• Connections

  • Identification

  • Monitoring

  • Management of external connections and data flows to third parties

• Relationship Management

  • Due diligence

  • Contracts

  • Ongoing monitoring

Domain 5: Cyber Incident Management and Response

• Incident Resilience Planning & Strategy

• Detection, Response, & Mitigation

• Escalation & Reporting

Risk Maturity Relationship

Risk Maturity Matrix

National Bank Case Study

ABC National Bank Business Profile

Background

• 13,000+ employees

• 1,000+ banking locations

• HQ in Central US

• Est. 1967

Banking Operations

• Branch Banking

• Commercial Banking

• Consumer Lending

• Investment Advisors

Current State

• EOL systems still in use, no upgrade plan

• Mobile banking applications and some BYOD

• Previous security incidents: external phishing attempts and ATMs being infected with malware

• IT Security Director has left the Bank

Inherent Risk Score: 507.69

Legend (Least to Most): <=200, 201-400, 401-600, 601-800, 801-1000

Category                                            Weight  Data Points  Least  Minimal  Moderate  Significant  Most
Technologies and Connection Types                     1         14         0       8        4           2         0
Delivery Channels                                     1          3         0       0        1           2         0
Organizational Characteristics                        1          7         1       0        6           0         0
Online/Mobile Products and Technological Services     1         14         3       3        8           0         0
External Threats                                      1          1         0       0        1           0         0
Totals                                                5         39         4      11       20           4         0
Share of data points                                                    10.26%  28.21%   51.28%      10.26%    0.00%

Cybersecurity Maturity Assessment

Inherent Risk Profile levels: Low, Minimal, Moderate, Significant, Most inherent risk

FFIEC Recap of Steps Taken for Use Case

Domain 1: Cyber Risk Management & Oversight

Domain 2: Threat Intelligence & Collaboration

Domain 3: Cybersecurity Controls

Domain 4: External Dependency Management

Domain 5: Cyber Incident Management and Resilience

Cybersecurity Maturity

Maturity Achieved Against Defined Targets – ABC Bank: 81.06%

Each domain lists its desired target and the percentage achieved against it, then per maturity level the statements achieved / total statements and the resulting percentage (the original slide repeats that percentage across the inherent-risk columns Least through Most).

Cyber Risk Management and Oversight (desired target: Intermediate; achieved: 64.89%)
  Innovative      1 / 15     6.67%
  Advanced        5 / 32    15.63%
  Intermediate    7 / 29    24.14%
  Evolving       23 / 34    67.65%
  Baseline       31 / 31   100.00%

Threat Intelligence and Collaboration (desired target: Intermediate; achieved: 88.46%)
  Innovative      0 / 8      0.00%
  Advanced        2 / 11    18.18%
  Intermediate    8 / 11    72.73%
  Evolving        7 / 7    100.00%
  Baseline        8 / 8    100.00%

Cyber Security Controls (desired target: Intermediate; achieved: 80.62%)
  Innovative      2 / 20    10.00%
  Advanced        5 / 25    20.00%
  Intermediate   23 / 39    58.97%
  Evolving       30 / 39    76.92%
  Baseline       51 / 51   100.00%

External Dependency Management (desired target: Intermediate; achieved: 86.84%)
  Innovative      0 / 7      0.00%
  Advanced        3 / 7     42.86%
  Intermediate    6 / 9     66.67%
  Evolving       11 / 13    84.62%
  Baseline       16 / 16   100.00%

Cyber Incident Management and Resilience (desired target: Intermediate; achieved: 84.48%)
  Innovative      1 / 10    10.00%
  Advanced        3 / 15    20.00%
  Intermediate   15 / 21    71.43%
  Evolving       17 / 20    85.00%
  Baseline       17 / 17   100.00%

Domain 1 - Governance, Risk, and Audit (solution capability desired: Visibility and Intelligence)

• No endpoint visibility

• Limited intelligence on oversight and audit functions

• Polling and scanning, basic manual risks assigned

Domain 2 - Threat Intelligence and Sharing (solution capability desired: Intelligence and Integration)

• Limited intelligence without any integration

• Alerts and logs are consolidated in a SIEM for integration; threat intelligence is shared manually

Domain 3 - Preventive, Detective, and Corrective Controls (solution capability desired: Detection, Prevention, and Response)

• Detection: AV signatures only detect known malware; extensive log analysis

• Prevention: relying on AV only stops known malware

• Response: reimage machines, no root cause analysis

• Detection: software and IP reputation data

• Prevention: remove admin rights, basic whitelisting

• Response: manual root-cause and scope analysis, post-mortem forensics

Domain 4 - Third Party Management (solution capability desired: Visibility and Detection)

• No visibility into third-party security or threats

• No detection of security incidents spawned from third parties

• Limited visibility into the criticality of third parties

• Still no detection of interactions or unauthorized attempts to obtain/change sensitive information

Domain 5 - Incident Response (solution capability desired: Detection and Response)

• Detection: AV signatures only detect known malware; extensive log analysis

• Response: reimage machines, no root cause analysis

• Detection: software and IP reputation data

• Response: manual root-cause and scope analysis, post-mortem forensics

Domain Level Controls

The matrix pairs each control maturity level with the inherent risk level it is meant to cover, moving from a negative security approach on the left to a positive security approach on the right:

  Control Maturity Level:       Baseline   Evolving   Intermediate   Advanced      Innovative
  Inherent Risk Profile Level:  Low        Minimal    Moderate       Significant   Most

The control statements for each domain follow, listed from lower to higher maturity.

Domain 1: Cyber Risk Management & Oversight

• Risks exceeding appetite are escalated to management
• Policies include threat intelligence
• Baselines cannot be altered without a formal change request
• Formal IT change management process
• Risk management includes financial, strategic, regulatory, and compliance implications
• Benchmarks and target performance metrics are established
• Audits are used to identify gaps
• Industry standards are used for the analysis of gaps
• Automated tools enable tracking, updating, asset prioritizing, and custom reporting of the asset inventory
• Automated processes are in place to detect and block unauthorized changes to software and hardware
• Risk assessments of changes in the change management system
• Risk data aggregation and real-time reporting capabilities support ongoing reporting
• Periodic audit process improvements based on the threat landscape
• Continuous monitoring of security controls
• KPIs determine the influence of training and awareness
• A formal change management function governs decentralized or highly distributed change requests and measures security risks
• Automated enterprise tools are implemented to detect and block unauthorized changes to software and hardware

Domain 2: Threat Intelligence & Collaboration

• A formal threat intelligence program is implemented with external and internal sources
• A read-only central repository of cyber threat intelligence is maintained
• A profile of threats is created
• Threat intelligence is automatically received from multiple sources in real time
• Threat intelligence is used to update architecture and configuration standards
• IT systems automatically detect configuration weaknesses based on threat intelligence and alert management
• Real-time threat sharing
• Threat analysis systems correlate threat data to risks while taking automated actions and alerting management
• Invests in threat intelligence and collaboration mechanisms
• Combines all threat intelligence from those mechanisms

Domain 3: Cybersecurity Controls

• Security controls for remote access
• Unauthorized code prevention tools
• Emails and attachments are automatically scanned to detect malware and blocked when it is present
• Tools for unauthorized data mining
• Tools to monitor security logs
• Audit logs are backed up to a centralized log server that is difficult to alter
• Event detection processes are tested as reliable
• Anti-spoofing measures for forged IP addresses
• Automated tools proactively identify high-risk behavior signaling an employee who poses an insider threat
• Automated tools detect unauthorized changes to critical system files, firewalls, IPS, IDS, or other security devices
• Real-time network monitoring and detection is implemented and incorporates sector-wide event information
• Real-time alerts are automatically sent when unauthorized software, hardware, or changes occur
• Tools are in place to actively correlate event information from multiple sources and send alerts based on established parameters
• Patch monitoring software is installed on all servers
• Automated real-time risk scores of infrastructure
• Centralized endpoint management tool
• Real-time risk scoring of threats
• Detection of insider threats and blocking of the activity in real time
• Remediation of systems damaged by zero-days

Domain 4: External Dependency Management

• Controls are verified to detect and prevent intrusions from third-party connections
• Monitoring covers all external and internal connections
• Maintain and improve the security of external connections
• Detailed diagram of data flow analysis

Domain 5: Cyber Incident Management and Resilience

• IR team is notified when anomalous behavior and attack patterns or signatures are detected
• Detect infiltrations before the attacker traverses across systems
• Incidents are detected in real time through automated processes and correlated events across the enterprise
• Network and system alerts are correlated across business units to detect and prevent multifaceted attacks
• Early analysis of security events to minimize impact
• The institution corrects the root cause of problems discovered during testing
• Sophisticated and adaptive technologies are deployed that can detect and alert the incident response team to specific tasks when threat indicators across the enterprise indicate potential external and internal threats
• Automated tools are implemented to provide specialized security monitoring based on the risk of the assets, to detect and alert IR teams in real time
• IR team collaborates with the threat intelligence team during an incident
• Detailed metrics, dashboards and/or scorecards outlining cyber events are provided to management
• IR plan ensures recovery from disruption, assurance of data integrity, and recovery of lost or corrupted data following an incident
• IR process includes detailed actions and rule-based triggers for automated response
• Validated ability to remediate systems damaged by zero-day attacks to maintain RTO
• Detect and block zero-day attacks and alert management and IR teams in real time
• Risk management of significant cyber incidents results in limited to no downtime for critical services
• Mechanism in place to alert on incidents in real time through multiple channels while tracking and verifying communication for audit

Maturity Achieved Against Intermediate Targets – with Proactive Security: 92.98%

Per domain: desired target and percentage achieved, then statements achieved / total statements and the percentage for each maturity level.

Cyber Risk Management and Oversight (desired target: Intermediate; achieved: 73.40%)
  Innovative      7 / 15    46.67%
  Advanced       11 / 32    34.38%
  Intermediate    9 / 29    31.03%
  Evolving       29 / 34    85.29%
  Baseline       31 / 31   100.00%

Threat Intelligence and Collaboration (desired target: Intermediate; achieved: 100.00%)
  Innovative      4 / 8     50.00%
  Advanced        5 / 11    45.45%
  Intermediate   11 / 11   100.00%
  Evolving        7 / 7    100.00%
  Baseline        8 / 8    100.00%

Cyber Security Controls (desired target: Intermediate; achieved: 91.47%)
  Innovative      8 / 20    40.00%
  Advanced       16 / 25    64.00%
  Intermediate   32 / 39    82.05%
  Evolving       35 / 39    89.74%
  Baseline       51 / 51   100.00%

External Dependency Management (desired target: Intermediate; achieved: 100.00%)
  Innovative      0 / 6      0.00%
  Advanced        3 / 7     42.86%
  Intermediate    9 / 9    100.00%
  Evolving       13 / 13   100.00%
  Baseline       16 / 16   100.00%

Cyber Incident Management and Resilience (desired target: Intermediate; achieved: 100.00%)
  Innovative      6 / 10    60.00%
  Advanced        8 / 15    53.33%
  Intermediate   21 / 21   100.00%
  Evolving       20 / 20   100.00%
  Baseline       17 / 17   100.00%

Maturity Achieved Against Defined Targets – Status Quo: 61.05%

Per domain: desired target and percentage achieved, then statements achieved / total statements and the percentage for each maturity level.

Cyber Risk Management and Oversight (desired target: Innovative; achieved: 47.52%)
  Innovative      1 / 15     6.67%
  Advanced        5 / 32    15.63%
  Intermediate    7 / 29    24.14%
  Evolving       23 / 34    67.65%
  Baseline       31 / 31   100.00%

Threat Intelligence and Collaboration (desired target: Innovative; achieved: 55.56%)
  Innovative      0 / 8      0.00%
  Advanced        2 / 11    18.18%
  Intermediate    8 / 11    72.73%
  Evolving        7 / 7    100.00%
  Baseline        8 / 8    100.00%

Cyber Security Controls (desired target: Innovative; achieved: 63.79%)
  Innovative      2 / 20    10.00%
  Advanced        5 / 25    20.00%
  Intermediate   23 / 39    58.97%
  Evolving       30 / 39    76.92%
  Baseline       51 / 51   100.00%

External Dependency Management (desired target: Innovative; achieved: 74.51%)
  Innovative      0 / 6      0.00%
  Advanced        3 / 7     42.86%
  Intermediate    6 / 9     66.67%
  Evolving       13 / 13   100.00%
  Baseline       16 / 16   100.00%

Cyber Incident Management and Resilience (desired target: Innovative; achieved: 63.86%)
  Innovative      1 / 10    10.00%
  Advanced        3 / 15    20.00%
  Intermediate   15 / 21    71.43%
  Evolving       17 / 20    85.00%
  Baseline       17 / 17   100.00%

Maturity Achieved Against Innovative Targets – with Proactive Security: 77.65%

Per domain: desired target and percentage achieved, then statements achieved / total statements and the percentage for each maturity level.

Cyber Risk Management and Oversight (desired target: Innovative; achieved: 61.70%)
  Innovative      7 / 15    46.67%
  Advanced       11 / 32    34.38%
  Intermediate    9 / 29    31.03%
  Evolving       29 / 34    85.29%
  Baseline       31 / 31   100.00%

Threat Intelligence and Collaboration (desired target: Innovative; achieved: 77.78%)
  Innovative      4 / 8     50.00%
  Advanced        5 / 11    45.45%
  Intermediate   11 / 11   100.00%
  Evolving        7 / 7    100.00%
  Baseline        8 / 8    100.00%

Cyber Security Controls (desired target: Innovative; achieved: 81.61%)
  Innovative      8 / 20    40.00%
  Advanced       16 / 25    64.00%
  Intermediate   32 / 39    82.05%
  Evolving       35 / 39    89.74%
  Baseline       51 / 51   100.00%

External Dependency Management (desired target: Innovative; achieved: 80.39%)
  Innovative      0 / 6      0.00%
  Advanced        3 / 7     42.86%
  Intermediate    9 / 9    100.00%
  Evolving       13 / 13   100.00%
  Baseline       16 / 16   100.00%

Cyber Incident Management and Resilience (desired target: Innovative; achieved: 86.75%)
  Innovative      6 / 10    60.00%
  Advanced        8 / 15    53.33%
  Intermediate   21 / 21   100.00%
  Evolving       20 / 20   100.00%
  Baseline       17 / 17   100.00%
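The four maturity slides and the Inherent Risk Profile slide can be reproduced from their raw counts, which makes the roll-up auditable rather than a number taken on trust. The Python below is an added example, not code from the FFIEC tool or from the presenter. Two aggregation rules are assumptions inferred from the slide figures, and both reproduce every percentage shown: a domain's "% achieved" is the number of statements met at every maturity level up to and including the desired target divided by the statements at those levels, and the overall figure is the unweighted mean of the five domain percentages. The legend-to-level mapping, the risk-to-target pairing (Moderate risk -> Intermediate target) and the constant names are likewise assumptions. Note that the two status-quo slides disagree on External Dependency Management (Evolving 11/13 and Innovative 0/7 on the first, 13/13 and 0/6 on the second); the example carries both variants because the second is needed to reproduce 61.05%.

```python
"""Reproduce the CAT roll-ups on the ABC National Bank slides.

Added example, not the FFIEC tool's own code. Two aggregation rules are
inferred from the slide numbers and reproduce every figure on them:
  1. A domain's "% achieved" counts statements met at every maturity level up
     to and including the desired target, over all statements at those levels
     (a target of Intermediate ignores the Advanced and Innovative rows).
  2. The overall figure is the unweighted mean of the five domain percentages.
"""
from fractions import Fraction

# Maturity ladder and inherent-risk ladder, both ascending. The Risk Maturity
# Relationship pairs them rung by rung (Moderate risk -> Intermediate target).
MATURITY = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
RISK = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# Legend from the Inherent Risk Score slide: upper bound of each band (assumed
# to line up with the five risk levels in order).
RISK_BANDS = [(200, "Least"), (400, "Minimal"), (600, "Moderate"),
              (800, "Significant"), (1000, "Most")]

# Inherent Risk Profile slide: data points per level, Least .. Most.
ABC_PROFILE = {
    "Technologies and Connection Types": [0, 8, 4, 2, 0],
    "Delivery Channels": [0, 0, 1, 2, 0],
    "Organizational Characteristics": [1, 0, 6, 0, 0],
    "Online/Mobile Products and Technological Services": [3, 3, 8, 0, 0],
    "External Threats": [0, 0, 1, 0, 0],
}


def ladder(*met_total):
    """(met, total) pairs given Baseline .. Innovative -> {level: (met, total)}."""
    return dict(zip(MATURITY, met_total))


# Maturity slides, status quo (counts from the first status-quo slide).
STATUS_QUO = {
    "Cyber Risk Management and Oversight": ladder((31, 31), (23, 34), (7, 29), (5, 32), (1, 15)),
    "Threat Intelligence and Collaboration": ladder((8, 8), (7, 7), (8, 11), (2, 11), (0, 8)),
    "Cyber Security Controls": ladder((51, 51), (30, 39), (23, 39), (5, 25), (2, 20)),
    "External Dependency Management": ladder((16, 16), (11, 13), (6, 9), (3, 7), (0, 7)),
    "Cyber Incident Management and Resilience": ladder((17, 17), (17, 20), (15, 21), (3, 15), (1, 10)),
}
# The status-quo-vs-Innovative slide gives External Dependency Management as
# Evolving 13/13 and Innovative 0/6; that variant is what reproduces 61.05%.
STATUS_QUO_INNOV = dict(STATUS_QUO)
STATUS_QUO_INNOV["External Dependency Management"] = ladder((16, 16), (13, 13), (6, 9), (3, 7), (0, 6))

# Maturity slides, "with Proactive Security" (identical on both slides).
PROACTIVE = {
    "Cyber Risk Management and Oversight": ladder((31, 31), (29, 34), (9, 29), (11, 32), (7, 15)),
    "Threat Intelligence and Collaboration": ladder((8, 8), (7, 7), (11, 11), (5, 11), (4, 8)),
    "Cyber Security Controls": ladder((51, 51), (35, 39), (32, 39), (16, 25), (8, 20)),
    "External Dependency Management": ladder((16, 16), (13, 13), (9, 9), (3, 7), (0, 6)),
    "Cyber Incident Management and Resilience": ladder((17, 17), (20, 20), (21, 21), (8, 15), (6, 10)),
}


def profile_distribution(categories):
    """Totals per risk level and their share of all data points (2 dp)."""
    totals = [sum(counts[i] for counts in categories.values()) for i in range(5)]
    n = sum(totals)
    return totals, [round(100 * t / n, 2) for t in totals]


def risk_level(score):
    """Bucket an inherent risk score (0-1000) with the slide legend."""
    for upper, level in RISK_BANDS:
        if score <= upper:
            return level
    raise ValueError("score outside the 0-1000 legend")


def target_maturity(level):
    """Risk Maturity Relationship: the same rung on the maturity ladder."""
    return MATURITY[RISK.index(level)]


def domain_achieved(levels, target):
    """Exact percentage achieved against `target` (rule 1), as a Fraction."""
    rungs = MATURITY[: MATURITY.index(target) + 1]
    met = sum(levels[m][0] for m in rungs)
    total = sum(levels[m][1] for m in rungs)
    return 100 * Fraction(met, total)


def overall_achieved(domains, target):
    """Mean of the domain percentages (rule 2), as a float."""
    pcts = [domain_achieved(levels, target) for levels in domains.values()]
    return float(sum(pcts) / len(pcts))


if __name__ == "__main__":
    totals, shares = profile_distribution(ABC_PROFILE)
    level = risk_level(507.69)                 # score from the slide
    target = target_maturity(level)
    print("data points per level:", totals, shares, "->", level, "-> target", target)
    for name, data, tgt in [("status quo", STATUS_QUO, target),
                            ("status quo", STATUS_QUO_INNOV, "Innovative"),
                            ("proactive", PROACTIVE, target),
                            ("proactive", PROACTIVE, "Innovative")]:
        print(f"{name} vs {tgt}: {overall_achieved(data, tgt):.2f}%")
```

Run as a script it prints the 10.26/28.21/51.28/10.26/0.00 split, the Moderate risk level and Intermediate target, and then 81.06%, 61.05%, 92.98% and 77.65%. The point of keeping `domain_achieved` exact (a `Fraction`) is that the overall mean is taken over unrounded domain values; averaging the rounded percentages from the slide instead gives 92.97% for the proactive Intermediate case, which is the kind of reconciliation discrepancy a reviewer of an assessment should be able to explain.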

Key Considerations While Using the CAT

• Being Innovative in Cybersecurity Maturity

• Real time detection and response

• Always be updating for changes

• Automatic metrics and reporting

• Threat analytics that matter

• Baseline risk measurement

How to use the CAT

Future of FFIEC

Present

• Examiners have begun using the handbook.

• Criticism from FIs that a voluntary tool is being made to seem mandated.

• They do not track the NIST Cybersecurity Framework.

• Declarative statements that are subjective in nature.

Future

• FFIEC took in feedback in response to the accusations this January.

• The tool will be updated on a periodic basis.

• Publications from the FFIEC and OCC have been released stating the CAT could become mandatory if examiners do not see risk mitigation improvements from banks.

Not just for Finance!

• Industries can use the tool to fit their inherent risk profile by changing the criteria to those that best fit them.

• E.g., healthcare can tailor its inherent risk based on the nature of health services provided, the number of devices connected to the network including medical devices, the number of sensitive patient files, and the number of medical services locations, as a start.

• The same goes for the cyber security maturity assessment questionnaire: you can tailor the questionnaire using the controls from HIPAA, PCI, NIST, and any other standard that pertains to your industry.

Questions?