TRANSCRIPT
FFIEC Cyber Security Assessment Tool: Overview and Key Considerations
Agenda
Overview of assessment tool
Review inherent risk profile categories
Review domains 1-5 for cyber security maturity
Summary of risk/maturity relationships
Overview of use case performed
Final thoughts
Q&A
Overview of FFIEC Cybersecurity Assessment Tool
Benefits to Institutions
Identifying factors contributing to and determining the institution’s overall cyber risk
Assessing the institution's cybersecurity preparedness.
Evaluating whether the institution's cybersecurity preparedness is aligned with its risks.
Determining risk management practices and controls that could be taken to achieve the institution's desired state of cyber preparedness.
Informing risk management strategies.
Not just for Finance!
Don't tune out if you're not in the financial services sector!
Throughout the presentation you can see that risk assessment and preparedness are a major theme in any industry. Feel free to ask particular questions about your company and industry.
Inherent Risk Profile
Inherent Risk Profile Categories
Technologies and Connection Types
Delivery Channels
Online/Mobile Products and Technology Services
Organizational Characteristics
External Threats
Inherent Risk Profile – Risk Levels
Inherent Risk Profile Excerpt
Technologies and Connection Types
Inherent Risk Profile
Internet service providers
Third party connections
Internal vs outsourced hosted systems
Wireless access points
Network devices
EOL systems
Cloud services
Personal devices
Delivery Channels
ATM operations
Inherent Risk Profile
Online and mobile products and services delivery channels
Online/Mobile Products and Technology Services
Inherent Risk Profile
Credit and debit cards
P2P payments
ACH
Wire transfers
Wholesale payments
Remote deposit
Treasury and trust
Global remittances
Correspondent banking
Merchant acquiring activities
Organizational Characteristics
Inherent Risk Profile
Mergers and acquisitions
Direct employees and contractors
IT environment
Business presence and locations of operations and data centers
Inherent Risk Profile
Cybersecurity Maturity Assessment
Cybersecurity Maturity Overview
Cybersecurity maturity is evaluated in five domains: Domain 1 - Cyber Risk Management and Oversight, Domain 2 - Threat Intelligence and Collaboration, Domain 3 - Cybersecurity Controls, Domain 4 - External Dependency Management, Domain 5 - Cyber Incident Management and Resilience.
Each domain has five levels of maturity: baseline, evolving, intermediate, advanced, and innovative.
Cybersecurity Maturity Domain Coverage
Cyber Risk Management & Oversight
Domain 1
Governance
Risk Management
Resources
Training and Culture
Threat Intelligence and Collaboration
Domain 2
Threat Intelligence
Monitoring and Analyzing
Information Sharing
Cyber Security Controls
Domain 3
Preventative
•Infrastructure management
•Access and asset management
•Device/endpoint security
•Secure coding practices
Detective
•Threat and vulnerability detection
•Anomalous behavior activity detection
•Event detection
Corrective
•Patch management
•Remediation
External Dependency Management
Domain 4
Connections
•Identification
•Monitoring
•Management of external connections and data flows to third parties
Relationship Management
•Due diligence
•Contracts
•Ongoing monitoring
Cyber Incident Management and Response
Domain 5
Incident Resilience Planning & Strategy
Detection, Response, & Mitigation
Escalation & Reporting
Risk Maturity Relationship
Risk Maturity Matrix
National Bank Case Study
ABC National Bank Business Profile
Background
5000+ employees
1000+ banking locations
HQ in Central US
Est. 1967
Banking Operations
Branch Banking
Commercial Banking
Consumer Lending
Investment Advisors
Current State
EOL systems still in use, no upgrade plan
Mobile banking applications and some BYOD
Previous security incidents - phishing attempts and internal hacking attempts via ATMs being infected with malware
IT Security Director has left the Bank
Inherent Risk Score
Inherent Risk Score: 507.69
Legend: <=200 | 201-400 | 401-600 | 601-800 | 801-1000
Category | Weight | Data Points | Least | Minimal | Moderate | Significant | Most
Technologies and Connection Types | 1 | 14 | 0 | 8 | 4 | 2 | 0
Delivery Channels | 1 | 3 | 0 | 0 | 1 | 2 | 0
Organizational Characteristics | 1 | 7 | 1 | 0 | 6 | 0 | 0
Online/Mobile Products and Technology Services | 1 | 14 | 3 | 3 | 8 | 0 | 0
External Threats | 1 | 1 | 0 | 0 | 1 | 0 | 0
Totals | 5 | 39 | 4 | 11 | 20 | 4 | 0
Share of data points | | | 10.26% | 28.21% | 51.28% | 10.26% | 0.00%
Cybersecurity Maturity Assessment
Maturity Achieved Against Defined Targets: 81.06%
Domain | Desired Target | % Achieved | Maturity Level | Achieved | Statements | Least | Minimal | Moderate | Significant | Most
Cyber Risk Management and Oversight | Intermediate | 64.89% | Innovative | 1 | 15 | | | | 6.67% | 6.67%
 | | | Advanced | 5 | 32 | | | 15.63% | 15.63% | 15.63%
 | | | Intermediate | 7 | 29 | | 24.14% | 24.14% | 24.14% |
 | | | Evolving | 23 | 34 | 67.65% | 67.65% | 67.65% | |
 | | | Baseline | 31 | 31 | 100.00% | 100.00% | | |
Threat Intelligence and Collaboration | Intermediate | 88.46% | Innovative | 0 | 8 | | | | 0.00% | 0.00%
 | | | Advanced | 2 | 11 | | | 18.18% | 18.18% | 18.18%
 | | | Intermediate | 8 | 11 | | 72.73% | 72.73% | 72.73% |
 | | | Evolving | 7 | 7 | 100.00% | 100.00% | 100.00% | |
 | | | Baseline | 8 | 8 | 100.00% | 100.00% | | |
Cyber Security Controls | Intermediate | 80.62% | Innovative | 2 | 20 | | | | 10.00% | 10.00%
 | | | Advanced | 5 | 25 | | | 20.00% | 20.00% | 20.00%
 | | | Intermediate | 23 | 39 | | 58.97% | 58.97% | 58.97% |
 | | | Evolving | 30 | 39 | 76.92% | 76.92% | 76.92% | |
 | | | Baseline | 51 | 51 | 100.00% | 100.00% | | |
External Dependency Management | Intermediate | 86.84% | Innovative | 0 | 7 | | | | 0.00% | 0.00%
 | | | Advanced | 3 | 7 | | | 42.86% | 42.86% | 42.86%
 | | | Intermediate | 6 | 9 | | 66.67% | 66.67% | 66.67% |
 | | | Evolving | 11 | 13 | 84.62% | 84.62% | 84.62% | |
 | | | Baseline | 16 | 16 | 100.00% | 100.00% | | |
Cyber Incident Management and Resilience | Intermediate | 84.48% | Innovative | 1 | 10 | | | | 10.00% | 10.00%
 | | | Advanced | 3 | 15 | | | 20.00% | 20.00% | 20.00%
 | | | Intermediate | 15 | 21 | | 71.43% | 71.43% | 71.43% |
 | | | Evolving | 17 | 20 | 85.00% | 85.00% | 85.00% | |
 | | | Baseline | 17 | 17 | 100.00% | 100.00% | | |
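To show how the case-study numbers above roll up, here is an added worked example (written for this transcript, not code from the FFIEC or the presenter). It transcribes the inherent risk profile counts and the maturity table into Python and reproduces the slide figures: the share of data points at each inherent risk level, each domain's "% Achieved" (achieved statements divided by total statements over every maturity level up to the desired target), and the overall 81.06% (the mean of the five domain percentages). That roll-up is the editor's reading of the figures, not a formula quoted from the tool, and the composite inherent risk score of 507.69 is not recomputed because the slides do not show how it is derived. The attainment check applies the CAT's rule that a maturity level counts as reached only when every declarative statement in it, and in all lower levels, is met.

```python
"""Roll-up of the ABC National Bank case-study figures (values transcribed from the slides)."""

MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# Inherent risk profile: category -> data points answered at each level (Least .. Most)
INHERENT_RISK = {
    "Technologies and Connection Types":              [0, 8, 4, 2, 0],
    "Delivery Channels":                              [0, 0, 1, 2, 0],
    "Organizational Characteristics":                 [1, 0, 6, 0, 0],
    "Online/Mobile Products and Technology Services": [3, 3, 8, 0, 0],
    "External Threats":                               [0, 0, 1, 0, 0],
}

# Maturity table: domain -> (desired target, {level: (statements achieved, statements in level)})
MATURITY = {
    "Cyber Risk Management and Oversight": ("Intermediate", {
        "Baseline": (31, 31), "Evolving": (23, 34), "Intermediate": (7, 29),
        "Advanced": (5, 32), "Innovative": (1, 15)}),
    "Threat Intelligence and Collaboration": ("Intermediate", {
        "Baseline": (8, 8), "Evolving": (7, 7), "Intermediate": (8, 11),
        "Advanced": (2, 11), "Innovative": (0, 8)}),
    "Cybersecurity Controls": ("Intermediate", {
        "Baseline": (51, 51), "Evolving": (30, 39), "Intermediate": (23, 39),
        "Advanced": (5, 25), "Innovative": (2, 20)}),
    "External Dependency Management": ("Intermediate", {
        "Baseline": (16, 16), "Evolving": (11, 13), "Intermediate": (6, 9),
        "Advanced": (3, 7), "Innovative": (0, 7)}),
    "Cyber Incident Management and Resilience": ("Intermediate", {
        "Baseline": (17, 17), "Evolving": (17, 20), "Intermediate": (15, 21),
        "Advanced": (3, 15), "Innovative": (1, 10)}),
}


def risk_distribution(profile):
    """Percentage of all inherent-risk data points answered at each risk level."""
    totals = [sum(row[i] for row in profile.values()) for i in range(len(RISK_LEVELS))]
    points = sum(totals)
    return {lvl: round(100 * n / points, 2) for lvl, n in zip(RISK_LEVELS, totals)}


def level_pct(achieved, total):
    """Percentage of one maturity level's statements that are achieved."""
    return 0.0 if total == 0 else round(100 * achieved / total, 2)


def domain_maturity(target, counts):
    """Achieved statements over total statements, summed across every level up to the target.
    This is the editor's reconstruction of the slide's '% Achieved' column."""
    cutoff = MATURITY_LEVELS.index(target)  # ValueError for an unknown level name
    in_scope = MATURITY_LEVELS[: cutoff + 1]
    achieved = sum(counts[lvl][0] for lvl in in_scope)
    total = sum(counts[lvl][1] for lvl in in_scope)
    return round(100 * achieved / total, 2)


def attained_level(counts):
    """Highest level fully achieved with every lower level also complete (the CAT's
    all-or-nothing attainment rule); None if even Baseline is incomplete."""
    attained = None
    for lvl in MATURITY_LEVELS:
        achieved, total = counts[lvl]
        if total == 0 or achieved < total:
            break
        attained = lvl
    return attained


def statements_short_of_target(target, counts):
    """Statements still unmet across all levels up to and including the target."""
    cutoff = MATURITY_LEVELS.index(target)
    return sum(counts[lvl][1] - counts[lvl][0] for lvl in MATURITY_LEVELS[: cutoff + 1])


def overall_maturity(assessment):
    """Mean of the per-domain percentages; reproduces the 81.06% on the slide."""
    pcts = [domain_maturity(target, counts) for target, counts in assessment.values()]
    return round(sum(pcts) / len(pcts), 2)


if __name__ == "__main__":
    print("Inherent risk distribution:", risk_distribution(INHERENT_RISK))
    for domain, (target, counts) in MATURITY.items():
        print(f"{domain}: target {target}, {domain_maturity(target, counts)}% achieved, "
              f"attained {attained_level(counts)}, "
              f"{statements_short_of_target(target, counts)} statements short of target")
    print("Overall maturity against targets:", overall_maturity(MATURITY))
```

Running it shows why a percentage can flatter the picture: every domain reports a high "% Achieved", yet under the all-or-nothing rule only Threat Intelligence and Collaboration has actually attained Evolving; the other four are still at Baseline, with Cyber Risk Management and Oversight 33 statements short of its Intermediate target.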
Being Innovative in Cybersecurity Maturity
Key Considerations While Using the CAT
Real time detection and response
Always be updating for changes
Automatic metrics and reporting
Threat analytics that matter
Baseline risk measurement
Not just for Finance!
Industries can use the tool to fit their inherent risk profile by changing the criteria to those that best fit them.
E.g., healthcare can tailor its inherent risk based on the nature of health services provided, the number of devices connected to the network including medical devices, the number of sensitive patient files, and the number of medical service locations, as a start.
The same goes for the cybersecurity maturity assessment questionnaire: you can tailor the questionnaire using the controls from HIPAA, PCI, NIST, and any other standard that pertains to your industry.
Questions & Answers