What is the FFIEC Cybersecurity Assessment Tool?

Image

The FFIEC Cybersecurity Assessment Tool (CAT) is a diagnostic test designed to help institutions identify risks and gauge cybersecurity preparedness. The tool is primarily for financial and non-depository institutions, enabling organizations to make risk-driven security decisions informed by regular cybersecurity assessments and standardized risk measurement criteria. While it is voluntary, financial institutions have expressed concern that failing to use it could result in falling short of compliance standards. In this article, we will explore what the FFIEC CAT is, as well as how and why you should use it.

How does the FFIEC Cybersecurity Assessment Tool work?

Using the NIST Cybersecurity Framework, the CAT builds a quantifiable picture of an organization's risk with a two-part survey. They are:

Inherent Risk Profile:

This part of the survey establishes an organization's current level of risk. Cybersecurity inherent risk is the threat level posed by:

• Organizational Characteristics – For example, the number of direct employees, users with elevated security privileges, or changes in security staff.  
• Delivery Channels – Assessors measure risk in this category across websites, web and mobile apps, and ATMs. The more diverse or numerous an organization's delivery channels, the higher the inherent risk.
• Technologies and Connection Types – Inherent risk varies between technology types and the networks they connect to. Among other things, assessors will scrutinize the number of unsecured connections, connections from third parties and ISPs, and whether the organization outsources hosting or handles it internally.
• External Threats – The number and types of attacks an organization suffers.
• Online/Mobile Products and Technology Services – Different technology products and services present different levels of risk. Organizations will examine, for example, payment and transaction services such as wire transfers or person-to-person payments. 

Once an organization completes the profile, it can rank its inherent risk into one of the following categories:

• Least inherent risk
• Minimal inherent risk
• Moderate inherent risk
• Significant inherent risk
• Most inherent risk

Cybersecurity Maturity Assessment:

The second part of the survey gauges the maturity of an organization's existing cybersecurity program, assigning values in the following five domains:

• Cyber Risk Management and Oversight – This section assesses an organization's oversight of cybersecurity risk management. It determines, for example, the quality of policies, strategy, culture and training, risk management programs, and staffing and budgeting.
• Threat Intelligence and Collaboration – In this domain, managers explore and grade an organization's ability to uncover, analyze, and share findings on evolving threats.
• Cybersecurity Controls – This domain establishes the maturity of existing controls to protect infrastructure, assets, and information through constant, automated monitoring and protection from detective, preventative and corrective perspectives.
• External Dependency Management – In this case, management assesses how well an organization manages and oversees third-party relationships and any external connections with access to enterprise information and technology assets. 
• Cyber Incident Management Resilience – This domain assesses an organization's preparedness for cyber threats.

How to use the FFIEC Cybersecurity Assessment Tool

To get the most out of the FFIEC Cybersecurity Assessment Tool, organizations should adhere to the following best practices:

• Take a methodical approach – Organizations should use the CAT as intended, reading the overview and user guide, then completing the Inherent Risk Profile and Cybersecurity Maturity assessment before finally interpreting and analyzing the results.
• Rank maturity – For each domain, assessors should rate the institution's maturity according to one of the following categories:
  • Baseline
  • Evolving
  • Intermediate
  • Advanced
  • Innovative
• Run assessments enterprise-wide – Organizations should use the CAT comprehensively, using the Inherent Risk Profile results to understand security policies, procedures, and controls and how to improve them.
• Use CAT before launching new products, services, and initiatives – When an organization undergoes a period of change or innovation, its risk profile will likely shift. Run CAT before you implement any changes that could alter your risk profile.

Why use the FFIEC Cybersecurity Assessment Tool?

Aside from providing you with the insight required to understand and improve your organization's risk level and security program, the FFIEC CAT is most useful for ensuring compliance. Cybersecurity regulations for financial institutions are some of the most stringent in the world, and, particularly for larger organizations, meeting requirements is an unenviable task. The FFIEC Cybersecurity Assessment Tool helps organizations take a structured, methodical approach to compliance, easing the pain of cybersecurity audits.

Other benefits include the ability to:

• Proactively identify risk
• Understand the depth and breadth of cyber risk
• Gauge threat preparedness
• Improve security programs and processes based on risk levels
• Repeatedly and quantifiably assess risk preparedness over time

The FFIEC Cybersecurity Awareness Tool is an invaluable resource for financial and non-depository institutions looking to improve their cybersecurity posture and adhere to compliance standards. It allows organizations to gain insight into their entire environment and the risk each element poses and assess and improve the quality of their cybersecurity programs accordingly.

To learn more about the main regulations financial services organizations need to comply with and tips to go beyond simple compliance for powerful cybersecurity using security configuration management (SCM) and file integrity monitoring (FIM), you can read our latest guide: https://www.tripwire.com/resources/guides/financial-services-cybersecurity-regulations

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.