FFIEC Cybersecurity Assessment Tool


1 FFIEC Cybersecurity Assessment Tool
Timothy Segerson, Deputy Director, Office of Examination & Insurance

2 Agenda
Background – Why Now
Tool Overview
Mechanics of the Tool
Uses and Benefits
Next Steps for NCUA
Utah Cybersecurity Session

3 Continuing saga of lost sensitive data
Every event enhances criminals' ability to cross-reference personal information. Cyber risk management is a volatile and fluid environment.

4 Congressional Scrutiny

5 Critical Infrastructure Overview
US Critical Infrastructure (sector - lead agency):
Chemical - DHS
Defense Industrial Base - DOD
Commercial Facilities - DHS
Emergency Services - DHS
Communications - DHS
Energy - DOE
Critical Manufacturing - DHS
Financial Services - Treasury
Dams - DHS
Food & Agriculture - DHS, DOA & HHS
Transportation Systems - DHS & DOT
Water and Wastewater Systems - EPA
Government Facilities - DHS & GSA
Healthcare & Public Health - HHS
Information Technology - DHS
Nuclear Reactors, Materials, Waste - DHS
Diagram legend (FBIIC, FFIEC, TFOS, CCIWG): FBIIC Chair; FFIEC Members; Other FBIIC Members; Ongoing Cyber Security Initiative.
Cyber security is a key subset of the critical infrastructure for most sectors.

6 Important on Multiple Levels
Consumers – Trust in institutions is critical for it all to work.
Employees/Officials – A credit union's most valuable assets may be targets.
Organization – The integrity and reputation of your business are essential for success.
Industry – Credit unions are links in the critical financial system chain.

7 The FFIEC Response
Cybersecurity and Critical Infrastructure Working Group (CCIWG)
Permanent FFIEC working group established in June to address cybersecurity.
Coordinates enhanced cybersecurity efforts across FFIEC agencies.
CCIWG reports to the Council via the Task Force on Supervision.

8 Increasing Risk to Credit Unions
Threat Environment

9 Changing Threat Environment

10 Proliferation of Connectivity

11 Growing Connectivity
Shodan, August 2014

12 Connectivity – Another View
Shodan, August 2014

13 Connectivity – Another View
Shodan, August 2014

14 Connectivity – Another View
Shodan, August 2014

15 Connectivity – Another View
Shodan, August 2014

16 Growing Vulnerabilities
Heartbleed and Shellshock are recent vulnerabilities that triggered FFIEC alerts to the industry, with an emphasis on timely patch management.
A 25-year trend demonstrates the increasing number of threats.
High-risk vulnerabilities have been expansive in scope and danger (e.g., Heartbleed and Bash).

17 A Big Part of the Problem: Legacy Systems
What is old may not always be new, but when it comes to hacking, it's still effective. 44 percent of known breaches in 2014 came from vulnerabilities that were between two and four years old.

18 Zero Day and Beyond
Unpatched vulnerabilities and exploits exposed – second-order and third-order impacts.
The company used them to successfully spy for clients.
No known US institution implications, but large European institutions were affected.

19 Staying Current
Attack vectors continue to vary and change.
Small and medium businesses can be choice targets.
Tools get more sophisticated and are continually monetized as software for sale on the Dark Web.
Sources: Darkreading.com, Databreachtoday.com

20 DD4BC

21 Impact of Cyber Threats
Stolen database of customer accounts & credentials
$40 million stolen from one institution
Core product intellectual property stolen
Limited customer access to online banking
INSIDER: Data theft through internal access
ORGANIZED CRIME: ATM cash-out, wire fraud
NATION-STATE: Spear phishing to install malware
HACKTIVIST: Distributed Denial of Service
At stake: financial loss and public confidence

22 Changing Threat Landscape
Exploit toolkits for sale
APT: well funded, organized and capable of compromising at will; major exfiltration, disruption and damage.
Advanced or Persistent: capable of advanced attacks, with less funding and less organization.
Neither Advanced nor Persistent: least organized and least funded; sheer numbers could strip-mine vulnerabilities, especially in unprepared institutions.
Lower-level threats – large and growing numbers, advanced tools.
APT/Nation States – act like criminals and hacktivists.
Hacktivists – act like terrorists and criminals.
Criminals – guns for hire (i.e., for nation states/hacktivists).
Chart axes: increasing risk, increasing cost.

23 Some Recent Examples
$80 million FICU victim of Cryptowall ($500 US in bitcoin to get data systems released)
Other small FICUs (refused ransom, wiped the box and restored data successfully)
$60 million FICU victim of account takeover; the corporate CU recognized an unusual transaction and halted the automatic wire pending human confirmation
Medium institution(s): ID theft, tax return fraud with false identities
Medium institution: data exfiltration
DD4BC
Website defacement

24 Growing Exposure
Rising community institution exposure
Lower skills = growing attack numbers
Lower costs = lower-return targets
Unique attributes increase attractiveness
Reliance on outsourced providers & 3rd parties

25 US Credit Union Current Scope of Exposure (as of 12/31/2014)
Website: 5049 FICUs (81%)
Transactional: 4411 FICUs (71%)
Internet Access: 6068 FICUs (98%)
Wireless Network: 1483 FICUs (24%)
Members: 46,788,777 (47%)
Increasing points of attack; many less sophisticated shops; nearly 100% with some level of risk exposure.
6,206 credit unions, $1.2 trillion in assets, average assets $187 million.
50% (3,103) of FICUs are smaller than $26 million in consolidated assets (median assets = $25.4 million).

26 Cybersecurity Assessment History
June 2013: FFIEC CCIWG established
June 2014: FFIEC pilots Cybersecurity Assessment exam work program, which informed: Strategic Vision/Objectives; Observations Report issued; Target Statements and Guidance; 3rd Party Service Providers
June 2015: CCIWG releases financial institution Cybersecurity Assessment Tool

27 Strong Industry Foundation and Benchmark
Comprehensive, with a relevant and cross-referenced foundation:
Cybersecurity Assessment Tool
NIST Cybersecurity Framework
FFIEC IT Handbook and Guidance
Public & Industry Guidance and Models
Effective Cyber Risk Management
Common structure to: communicate between board and management; communicate throughout the organization; communicate with service providers.
Common structure to: identify strengths and weaknesses (gaps); optimize your cybersecurity investment; evaluate existing and new products, services and vendors.

28 Other Source Guidance & Models
U.K. Prudential Regulation Authority 2014 cybersecurity assessment
Canada's Office of the Superintendent of Financial Institutions cybersecurity assessment
Department of Energy's Cybersecurity Capability Maturity Model Program (C2M2)
Capability Maturity Model (CMM)
Payment Card Industry Data Security Standard (PCI DSS)
Many others, including SEC, FINRA, and NY DFI

29 Cyber Risk Management Practice

30 Year of the Data Breach – A Moving "Target"
Some dubbed 2013 the year of the data breach after the Target breach. Then came 2014:
Home Depot: POS system compromise allowed a breach of 56 million payment card numbers and 53 million addresses.
JPMorgan Chase: hack affecting more than 50% of all households in the United States; personal information of 76 million households and 7 million businesses compromised.
iCloud: hackers leaked private images of many famous celebrities.
Sony Pictures: hackers stole intellectual, corporate, and personal information from Sony Pictures' computer networks in retaliation for the movie "The Interview."
Then came 2015 (YTD):
Anthem: 80 million insured
Premera Blue Cross: 11 million insured
OPM: over 20 million federal employees
Hacking Team

31 FFIEC Cybersecurity Assessment Tool
Objective: to help institutions identify their risks and determine their cybersecurity maturity. The Assessment provides a repeatable and measurable process to inform management of their institution's risks and cybersecurity preparedness.

32 FFIEC Cybersecurity Assessment Tool
Consistent with the principles in:
FFIEC Information Technology Examination Handbook (IT Handbook)
National Institute of Standards and Technology (NIST) Cybersecurity Framework
Industry-accepted cybersecurity practices
In Appendix A you can see where we've mapped the minimum supervisory expectations contained in the FFIEC IT Examination Handbook to the Baseline statements in the Assessment. In Appendix B you will find where we've mapped the Assessment to the NIST Cybersecurity Framework.

33 FFIEC Cybersecurity Assessment Tool
Consists of two parts:
Part One: Inherent Risk Profile
Part Two: Cybersecurity Maturity
The Assessment consists of two parts: the Inherent Risk Profile and Cybersecurity Maturity.

34 FFIEC Cybersecurity Assessment Tool
Inherent Risk Profile Categories:
Technologies and Connection Types
Delivery Channels
Online/Mobile Products and Technology Services
Organizational Characteristics
External Threats
To complete the Assessment, management first assesses the institution's inherent risk profile based on these five categories. Within each category are activities, products and services.

35 FFIEC Cybersecurity Assessment Tool
Inherent Risk Profile Risk Levels (type, volume, and complexity of operations and threats directed at the institution):
Least Inherent Risk
Minimal Inherent Risk
Moderate Inherent Risk
Significant Inherent Risk
Most Inherent Risk
Each activity, product or service within the categories of the inherent risk profile is assessed according to risk levels from Least to Most Inherent Risk. The Inherent Risk Profile provides risk descriptions for each activity, product, or service according to the type, volume, and complexity of the institution's operations and the threats directed at the institution. Management completing the inherent risk profile selects the most appropriate inherent risk level for each activity, service, or product within each category.

36 Inherent Risk Profile Excerpt
Category: Technologies and Connection Types
Activity, Service or Product: Total number of internet service provider (ISP) connections (including branch connections)
Least: No connections
Minimal: Minimal complexity (1–20 connections)
Moderate: Moderate complexity (21–100 connections)
Significant: Significant complexity (101–200 connections)
Most: Substantial complexity (>200 connections)
Activity, Service or Product: Unsecured external connections, number of connections not users (e.g., file transfer protocol (FTP), Telnet, rlogin)
Least: None
Minimal: Few instances of unsecured connections (1–5)
Moderate: Several instances of unsecured connections (6–10)
Significant: Significant instances of unsecured connections (11–25)
Most: Substantial instances of unsecured connections (>25)
Let's take a look at an excerpt. (Walk through it.) Management can determine the institution's overall Inherent Risk Profile based on the number of applicable statements in each risk level across all activities. For example, when a majority of activities, products, or services fall within the Moderate risk level, management may determine that the institution has a Moderate Inherent Risk Profile. Each category may, however, pose a different level of inherent risk. Therefore, in addition to counting the number of selections at a given risk level, management may also consider whether a specific category poses additional risk.

37 FFIEC Cybersecurity Assessment Tool
Cybersecurity Maturity Domains:
Cyber Risk Management and Oversight
Threat Intelligence and Collaboration
Cybersecurity Controls
External Dependency Management
Cyber Incident Management and Response
The second part of the Assessment is Cybersecurity Maturity. Once management understands the institution's inherent risk, both overall and in relation to specific activities, products and services, management can assess its level of cybersecurity maturity according to five risk areas, or what the Assessment refers to as "Domains." The five Domains are (read slide).

38 FFIEC Cybersecurity Assessment Tool
Cybersecurity Maturity structure: Domains > Assessment Factors > Components > Declarative Statements
Within each of the five domains are assessment factors and contributing components. Under each component there are declarative statements describing an activity that supports the assessment factor at that level of maturity.

39 FFIEC Cybersecurity Assessment Tool
Domains and their Assessment Factors:
1 Cyber Risk Management & Oversight: Governance; Risk Management; Resources; Training and Culture
2 Threat Intelligence & Collaboration: Intelligence Sourcing; Monitoring and Analyzing; Information Sharing
3 Cybersecurity Controls: Preventative Controls; Detective Controls; Corrective Controls
4 External Dependency Management: Connections; Relationships Management
5 Cyber Incident Management & Resilience: Incident Resilience Planning and Strategy; Detection, Response and Mitigation; Escalation and Reporting
Here we show each of the five domains with their Assessment Factors. (Read each Domain and their assessment factors and their definitions from the user guide.)

40 Cybersecurity Assessment Tool
Cybersecurity Maturity Excerpt
Domain 1: Cyber Risk Management and Oversight
Assessment Factor: Governance
Component: Oversight
Maturity Level: Baseline (each declarative statement is answered Y or N)
Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs.
Information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory alerts.
Management provides a written report on the overall status of the information security and business continuity programs to the board or an appropriate committee of the board at least annually.
The budgeting process includes information security related expenses and tools.
Management considers the risks posed by other critical infrastructures (e.g., telecom, energy) to the institution.
Let's walk through an example from the Assessment. This slide shows the beginning of Domain 1, Cyber Risk Management and Oversight. The name of the Domain appears at the top of the page. Just below it is the title of the first Assessment Factor within Domain 1, which is Governance. Down the left side is the Component, which here is "Oversight." The first column represents the maturity level, and to the right of that column are all of the statements associated with that level for this Component. As you move through the Assessment, there will be declarative statements at each level of maturity for each component under each Assessment Factor.

41 FFIEC Cybersecurity Assessment Tool
Maturity Levels (lowest to highest): Baseline, Evolving, Intermediate, Advanced, Innovative
Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes. Management determines which declarative statements best fit the current practices of the institution. All declarative statements in each maturity level, and in the previous levels, must be attained and sustained to achieve that domain's maturity level. While management can determine the institution's maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level. The Assessment starts at the Baseline maturity level and progresses to the highest maturity, the Innovative level. The maturity levels are cumulative.
Baseline: Baseline maturity is characterized by the minimum expectations required by law and regulations or recommended in supervisory guidance. This level includes compliance-driven objectives. Management has reviewed and evaluated guidance.
Evolving: Evolving maturity is characterized by additional formality of documented procedures and policies that are not already required. Risk-driven objectives are in place. Accountability for cybersecurity is formally assigned and broadened beyond protection of customer information to incorporate information assets and systems.
Intermediate: Intermediate maturity is characterized by detailed, formal processes. Controls are validated and consistent. Risk-management practices and analysis are integrated into business strategies.
Advanced: Advanced maturity is characterized by cybersecurity practices and analytics that are integrated across the lines of business. The majority of risk-management processes are automated and include continuous process improvement. Accountability for risk decisions by frontline businesses is formally assigned.
Innovative: Innovative maturity is characterized by driving innovation in people, processes, and technology for the institution and the industry to manage cyber risks. This may entail developing new controls, new tools, or creating new information-sharing groups. Real-time, predictive analytics are tied to automated responses.

42 Determine Cybersecurity Investment
Horizontal axis, Inherent Risk Levels: Least, Minimal, Moderate, Significant, Most
Vertical axis, Cybersecurity Maturity Level for Each Domain: Innovative, Advanced, Intermediate, Evolving, Baseline

43 Cyber Risk Management & Oversight
Cyber risk management and oversight addresses the board's development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
Nine Components, 31 Baseline questions: Strategy/Policy; Audit; Staffing; IT Asset Management; Risk Assessment; Training; Oversight; Risk Management; Culture

44 Threat Intelligence & Collaboration
Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
Three Components, 8 Baseline statements: Threat Intelligence and Information; Monitoring and Analyzing; Information Sharing

45 Cybersecurity Controls
Preventative Controls: prevent a threat from exploiting an associated weakness. May be physical (door locks, card access) or logical (firewalls, antivirus, website filtering/whitelisting).
Detective Controls: identify the presence of a vulnerability or threat. Includes scanning for vulnerabilities, intrusion detection or prevention systems, log monitoring, and independent vulnerability assessments or pen tests.
Corrective Controls: assist with recovering from unwanted occurrences or mitigate the effects of a threat being manifested. Includes patch management and timely resolution of penetration test findings.
N/A answers are allowed for questions on Software Development, Wireless, and Mobile Devices.
Ten Components, 51 Baseline questions

46 External Dependency Management
External dependency management involves establishing and maintaining a comprehensive program to oversee external connections and third-party relationships with access to the organization's technology assets and information.
Four Components, 16 Baseline questions: Connections; Contracts; Due Diligence; Ongoing Monitoring

47 Cyber Incident Management & Resilience
Cyber incident management includes establishing processes to identify and analyze cyber events, prioritize the organization's response to contain or mitigate them, and escalate information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.
Five Components, 17 Baseline questions: Planning; Detection; Testing; Response & Mitigation; Escalation & Reporting

48 FFIEC Cybersecurity Assessment Tool
Supporting Materials:
User's Guide
Overview for CEOs and Boards of Directors
Appendix A: Mapping Baseline Statements to FFIEC IT Handbook
Appendix B: Mapping Cybersecurity Assessment Tool to the NIST Cybersecurity Framework
Appendix C: Glossary
In addition to the Cybersecurity Assessment Tool, the FFIEC members have provided supporting documents available on the FFIEC Cybersecurity Awareness website. These include:
A user's guide to explain each part of the Assessment and provide a step-by-step process on how to use the Assessment at your institution.
A document for CEOs and Boards of Directors explaining the Assessment at a high level, the benefits to institutions of using the Assessment, the roles of the CEO and Board of Directors, and questions for them to consider at institutions using the Assessment.
A supporting appendix that maps the statements at the Baseline maturity level to certain cybersecurity concepts in the FFIEC IT Handbook.
A supporting appendix that maps the Assessment to the NIST Cybersecurity Framework, which was an informative framework for building the Assessment and is applicable to any type of organization.
A glossary of terms used in the Assessment.

49 Benefits to Institutions
Identify risk drivers
Assess level of preparedness
Identify misalignments in risk
Determine optimal enhancements to align
Inform risk management strategies
Understand risk with third parties and partners
Measure and monitor progress
Connect strategic with operational functions
(Read slide)

50 Some of the model mechanics
CAT Topics

51 Comprehensive RM Process
1) Cyber Risk Management & Oversight: Governance, Risk Management, Resources, Training & Culture
2) Threat Intelligence & Collaboration: Intelligence Gathering, Monitoring & Analyzing, Information Sharing
3) Cybersecurity Controls: Preventative Controls, Detective Controls, Corrective Controls
4) External Dependency Management: Connections, Relationships Management
5) Cyber Incident Management & Resilience: Incident Resilience Planning/Strategy, Detection/Response/Mitigation, Escalation & Reporting

52 Cybersecurity Maturity/Risk Relationship
Chart axes: Lowest Maturity to Highest Maturity; Lowest Risk Institutions to Highest Risk Institutions

53 Additive Model Structure
INNOVATIVE
ADVANCED: Threat Analysis Team; Investment in Transformational Threat Intelligence Technology
INTERMEDIATE: Cyber Intelligence Model; Multi-source Real-Time Threat Intelligence; Threat Intel on Geopolitical Events
EVOLVING: Formal Threat Intelligence Program; Collection Protocols; Read-only Repository
BASELINE: Analyze Tactics, Perform Risk Mitigation; Threat Info Source(s); Active Monitoring; Enhance Risk Management
Items to review:
• List of threat intelligence resources (e.g. industry groups, consortiums, threat and vulnerability reporting services).
• Management reports on cyber intelligence.
• Verify the FI has conducted interviews with vendors as needed.

54 FFIEC Cybersecurity Assessment Tool
Interpreting and Analyzing Assessment Results
Horizontal axis, Inherent Risk Levels: Least, Minimal, Moderate, Significant, Most
Vertical axis, Cybersecurity Maturity Level for Each Domain: Innovative, Advanced, Intermediate, Evolving, Baseline
Chart regions: Elevated Investment (above the diagonal), Optimal (along the diagonal), Underinvestment (below the diagonal)
Management can review the institution's Inherent Risk Profile in relation to its Cybersecurity Maturity results for each domain to understand whether they are aligned. This slide depicts the relationship between an institution's Inherent Risk Profile and its domain Maturity Levels, as there is no single expected level for an institution. In general, as inherent risk rises, an institution's maturity levels should increase. An institution's inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change. Thus, management should consider reevaluating its inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile (e.g., launching new products or services, new connections).
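A worked illustration of the scoring rules described on slides 36, 41 and 54, written here in Python as an added example; it is not part of the presentation or of the FFIEC tool. It tallies inherent-risk selections into an overall profile with a per-category view, computes a domain's cumulative maturity level from its declarative statements, and compares the two. The tie-break rule, the sample selections and statements, and the index-based alignment labels are assumptions made for this example.

```python
from collections import Counter

# The two ordered scales as the Assessment defines them (lowest to highest).
RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]


def inherent_risk_profile(selections):
    """selections: {(category, activity): risk_level}, one level per activity.

    Returns (overall_level, counts_per_level, highest_level_per_category).
    The overall level is the one holding the most selections (the slide's
    "majority of activities" rule). Ties go to the higher level; that is an
    assumption made here, not a rule the Assessment states.
    """
    counts = Counter(selections.values())
    overall = max(RISK_LEVELS, key=lambda lvl: (counts[lvl], RISK_LEVELS.index(lvl)))
    # A single category may pose more risk than the overall count suggests,
    # so also report the highest level selected inside each category.
    per_category = {}
    for (category, _activity), level in selections.items():
        prev = per_category.get(category, "Least")
        per_category[category] = max(prev, level, key=RISK_LEVELS.index)
    return overall, dict(counts), per_category


def domain_maturity(statements):
    """statements: {maturity_level: {declarative_statement: met?}} for one domain.

    Levels are cumulative: a level is attained only when every declarative
    statement at that level and at all lower levels is met. Returns the
    highest attained level, or None when even Baseline is not fully met.
    A level with no statements recorded is treated as not attained.
    """
    attained = None
    for level in MATURITY_LEVELS:
        if level not in statements or not all(statements[level].values()):
            break
        attained = level
    return attained


def alignment(risk_level, maturities):
    """Compare the Inherent Risk Profile with each domain's maturity level.

    The Assessment says maturity should rise with inherent risk but fixes no
    single expected level; comparing scale positions, as done here, is a
    constructed heuristic using the chart's own region labels.
    """
    r = RISK_LEVELS.index(risk_level)
    result = {}
    for domain, level in maturities.items():
        m = -1 if level is None else MATURITY_LEVELS.index(level)
        result[domain] = ("Underinvestment" if m < r else
                          "Optimal" if m == r else "Elevated Investment")
    return result


# Constructed sample: the two activities from the slide 36 excerpt plus
# made-up activities for the remaining categories.
SAMPLE_SELECTIONS = {
    ("Technologies and Connection Types", "ISP connections (1-20)"): "Minimal",
    ("Technologies and Connection Types", "Unsecured external connections (none)"): "Least",
    ("Delivery Channels", "Online banking"): "Moderate",
    ("Delivery Channels", "Mobile banking"): "Moderate",
    ("Online/Mobile Products and Technology Services", "Wire transfers"): "Moderate",
    ("Organizational Characteristics", "Staff turnover"): "Minimal",
    ("External Threats", "Attempted cyber attacks"): "Moderate",
}

# Constructed sample for Domain 1: the five Baseline statements from slide 40
# answered Y, plus made-up Evolving/Intermediate statements.
SAMPLE_DOMAIN1 = {
    "Baseline": {
        "Management held accountable by the board for infosec and BCP programs": True,
        "Infosec risks discussed in management meetings when prompted": True,
        "Written status report to the board at least annually": True,
        "Budgeting process includes infosec expenses and tools": True,
        "Risks from other critical infrastructures considered": True,
    },
    "Evolving": {
        "Constructed: accountability broadened to information assets": True,
        "Constructed: risk-driven objectives in place": False,
    },
    "Intermediate": {"Constructed: controls validated and consistent": True},
}

if __name__ == "__main__":
    overall, counts, by_category = inherent_risk_profile(SAMPLE_SELECTIONS)
    print("Inherent Risk Profile:", overall, counts, by_category)
    level = domain_maturity(SAMPLE_DOMAIN1)
    print("Domain 1 maturity:", level, alignment(overall, {"Domain 1": level}))
```

With the constructed data the profile comes out Moderate while Domain 1 stops at Baseline because one Evolving statement is unmet, which the comparison flags as underinvestment for that domain.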

55 FS-ISAC Basic Membership

56 FS-ISAC Membership

57 Summary of Assessment Process
Calibrate Risk Appetite
Identify Critical Functions/Vendors
Complete Inherent Risk Profile
Assess Maturity
Determine Target State
Develop Action Plan
Allocate Resources (Cybersecurity Investment)
Adjust Program
Mitigate Cyber Risks
Involve the Board of Directors throughout; ongoing reporting

58 Assessment Process
1. Identify Critical Functions & Vendors
2. Complete Inherent Risk Profile
Establish Risk Appetite
Maturity
4. Determine Target State
5. Develop Plan to Address Gaps
6. Allocate Resources
7. Adjust Program
8. Report Progress to Board

59 Cyber Risk Mitigation Approaches
Change the risk profile (streamline risk)
Increase cybersecurity investment (staff, infrastructure, services)
Increase capital (accept the risk)
Alternative risk management approaches
Cyber insurance (insure what you can't control)
Most institutions will use most or all of these options in a combined risk management process.

60 NCUA Implementation Timeline
12-month industry implementation: national outreach efforts through 3/31/16; no formal exam or evaluation using the tool until 6/2016; select webinars informing/training
12-month exam implementation: staff training; tool and exam aid development; field testing; system development

61 NCUA Support
Support: CU_Cybersecurity@ncua.gov

62 Helpful Web Resources
er-security-resources.aspx csrc.nist.gov ology n-policy/cybersecurity us/investigate/cyber etservice.gov/ectf.shtml

63 Thank you for attending!

