FFIEC Cyber Security Assessment Tool


1 FFIEC Cyber Security Assessment Tool
Overview and Key Considerations. Hi, good morning to everyone. I'm Jenny Allen. I have worked in financial services information security and risk management functions for over 5 years. I previously worked at a global investment bank as a business information security officer and at a large auto financing company as a third party security risk assessor. I have much experience with the FFIEC and its handbooks from these previous positions. Now I am an information security specialist at Bit9, where I have been working for almost a year. I help customers with compliance and best practice security initiatives.

2 Agenda
Overview of the assessment tool
Review of the inherent risk profile categories
Review of domains 1-5 for cybersecurity maturity
Summary of the risk/maturity relationship
Overview of the use case performed
Final thoughts
Q&A

3 Overview of FFIEC Cybersecurity Assessment Tool
As of July 1st, the Federal Financial Institutions Examination Council (FFIEC) has released the Cybersecurity Assessment Tool (CAT), which draws on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, to help financial institutions identify their risks and determine their cybersecurity preparedness. Banks can use the assessment tool's inherent risk profile to categorize their risk from the areas of most concern to least. Once their inherent risks are identified, they can rate their cybersecurity maturity level, from having the bare baseline of security essentials to being proactive and innovative. The FFIEC stated that the assessment also provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time. The release of the assessment is another sign that regulators are concerned about the level of readiness at banks. The tool was released after a pilot program last year in which examiners from the financial regulatory agencies conducted cybersecurity assessments at more than 500 community financial institutions as part of their regular exams.

4 Benefits to Institutions
Identifying factors contributing to, and determining, the institution's overall cyber risk
Assessing the institution's cybersecurity preparedness
Evaluating whether the institution's cybersecurity preparedness is aligned with its risks
Determining risk management practices and controls that could be taken to achieve the institution's desired state of cyber preparedness
Informing risk management strategies

So why should financial services use the CAT? For these reasons. Identifying factors contributing to the institution's overall cyber risk means knowing your institution's exposure and risk appetite. Assessing preparedness asks how well you will be able to defend against an attack and what steps you have gone through to test against known threats. Evaluating whether preparedness is aligned with risk asks whether you are prepared for the threats you have identified. Determining risk management practices and controls means making sure management has established procedures in case of an incident. Informing risk management strategies asks whether the organization knows and understands management's risk appetite, and whether training reflects it.

5 Not just for Finance! Don't tune out if you're not in the financial services sector! Throughout the presentation you will see that risk assessment and preparedness is a major theme in any industry. Feel free to ask particular questions about your company and industry.

6 Inherent Risk Profile. So now let's dive into the first section of the assessment tool, the inherent risk profile.

7 Inherent Risk Profile Categories
Technologies and Connection Types
Delivery Channels
Online/Mobile Products and Technology Services
Organizational Characteristics
External Threats

The inherent risk profile identifies the amount of risk posed to a bank by the types, volume, and complexity of the bank's technologies and connections, delivery channels, products and services, organizational characteristics, and external threats, regardless of the bank's risk-mitigating controls. The initial step is completing the inherent risk profile, which is a list of questions targeted at these five categories that we'll review over the next slides. It is important to have the most accurate, up-to-date information when completing this assessment. Management should not guess the answers; the inability to accurately complete the assessment is a vulnerability in and of itself. An example would be not knowing the number of personal devices allowed to connect to the corporate network at any point in time. One of the more difficult answers to determine is the number of third parties, including the number of organizations and the number of individuals from vendors and subcontractors, with access to internal systems (e.g., virtual private network, modem, intranet, direct connection). Working through the assessment will show whether your organization can provide accurate and timely answers about its existing inherent risks.

8 Inherent Risk Profile – Risk Levels
To complete the questionnaire you pick one response from Least, Minimal, Moderate, Significant, or Most for each item under the five categories. The questionnaire provides guidance on the industry thresholds you would ordinarily fall into, depending on the types of financial services your organization performs.

9 Inherent Risk Profile Excerpt
Here we can see an excerpt of the inherent risk questionnaire. For this particular category, Technologies and Connection Types, guidance is provided for each risk level. If my institution's total number of Internet service provider connections fell within the range given for Moderate, I would choose the Moderate risk level for this criterion.

10 Inherent Risk Profile Technologies and Connection Types
Internet service providers
Third party connections
Internal vs. outsourced hosted systems
Wireless access points
Network devices
EOL systems
Cloud services
Personal devices

Technologies and Connection Types: This category includes the number of Internet service provider (ISP) and third-party connections, whether systems are hosted internally or outsourced, the number of unsecured connections, the use of wireless access, the volume of network devices, end-of-life systems, the extent of cloud services, and the use of personal devices. There are risks associated with third party providers of connections and storage services, so an institution must also have a third party risk assessment procedure in place to depict its inherent risk accurately. More devices connected to the network means more inherent risk, so having an approval and monitoring process around all devices will raise the institution's maturity. Known problems with end-of-life systems include falling out of compliance because the vendor no longer supplies patches, unhardened configurations, and costly maintenance.

11 Inherent Risk Profile Delivery Channels
Online and mobile products and services delivery channels
ATM operations

Delivery Channels: Inherent risk increases as the variety and number of delivery channels increase. This category addresses whether products and services are available through online and mobile delivery channels and the extent of automated teller machine (ATM) operations. More e-commerce and online payment applications are available than ever before, and each additional platform for consumer purchases and banking transactions opens more vectors for advanced attacks on both personal information (name and address) and financial information (bank account and credit card numbers). ATMs pose a risk to banks that are not able to monitor them for malware injection or for attached malicious devices. It is imperative to have alerting for any intrusion into the ATM's fixed-function application and for any unapproved device.

12 Inherent Risk Profile Online/Mobile Products and Technology Services
Credit and debit cards
P2P payments
ACH
Wire transfers
Wholesale payments
Remote deposit
Treasury and trust
Global remittances
Correspondent banking
Merchant acquiring activities

Online/Mobile Products and Technology Services: This category includes various payment services, such as debit and credit cards, person-to-person payments, originating automated clearing house (ACH) transactions, retail wire transfers, wholesale payments, merchant remote deposit capture, treasury services and clients, trust services, global remittances, correspondent banking, and merchant acquiring activities. It also considers whether the institution provides technology services to other organizations. Financial institutions should weigh the inherent risk of accepting payments in house versus outsourcing them, and align this type of service with PCI DSS as well as the financial services regulations. Cardholder data should be segmented from the corporate network and monitored in real time for anomalous behavior and advanced threats.

13 Inherent Risk Profile Organizational Characteristics
Mergers and acquisitions
Direct employees and contractors
IT environment
Business presence and locations of operations and data centers

Organizational Characteristics: This category considers organizational characteristics such as mergers and acquisitions, the number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in the information technology (IT) environment, locations of business presence, and locations of operations and data centers. People account for a large portion of the risk a company creates inadvertently, largely through a lack of security training. Privileged account access should therefore be limited and administrators closely supervised. A financial institution should consider its operations and changes to the business environment when measuring cybersecurity inherent risk.

14 Inherent Risk Profile External Threats
External Threats: The volume and type of attacks (attempted or successful) affect an institution's inherent risk exposure. This category considers the volume and sophistication of the attacks targeting the institution. One factor to consider is similar institutions that have had breaches or security incidents; the techniques used against those competitors point to known vulnerabilities common to the industry, such as the following. Hacktivists aim to cause maximum disruption and embarrassment to their victims; their techniques include SQL injection and denial of service (DoS) attacks. Organized crime is motivated by financial gain; these criminals are becoming more sophisticated, using blended techniques to steal credit card information and other sensitive data to sell on the black market. Nation states run targeted attacks and will not back down. A Verizon 2015 report stated that 95% of these attacks were related to phishing.

15 Cybersecurity Maturity Assessment
So now that we have covered the inherent risk profile, let's move on to the second half of the assessment process, the Cybersecurity Maturity assessment.

16 Cybersecurity Maturity Overview
Cybersecurity maturity is evaluated in five domains: Domain 1 - Cyber Risk Management and Oversight, Domain 2 - Threat Intelligence and Collaboration, Domain 3 - Cybersecurity Controls, Domain 4 - External Dependency Management, Domain 5 - Cyber Incident Management and Resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced, and innovative.

The domains include assessment factors and contributing components. Within each component, declarative statements describe activities supporting the assessment factor at each maturity level. Management determines which declarative statements best fit the current practices of the institution. All declarative statements in a maturity level, and in every previous level, must be attained and sustained to achieve that maturity level for the domain. While management can determine the institution's maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level. For example, being Innovative in Domain 1 and Baseline in Domain 2 would not average out to an Intermediate overall maturity level. A bank's appropriate cybersecurity maturity levels depend on its inherent risk profile.

17 Cybersecurity Maturity Domain Coverage
Here we see the subcategories of each of the 5 domains. Domain 1: governance, risk, people, and security training and culture. Domain 2: real-time threat detection and monitoring, while being able to share and use aggregated threat information. Domain 3: the preventative, detective, and corrective controls currently in place. Domain 4: third party security controls and reviews. Domain 5: incident management, response, and reporting. The maturity domains cover a wide variety of controls throughout the assessment.

18 Domain 1 Cyber Risk Management & Oversight
Governance
Risk Management
Resources
Training and Culture

We all wish we could have security and IT governance in a box, but these are the areas where you will need the appropriate controls in place to achieve Innovative maturity for Cyber Risk Management and Oversight.

Governance covers the strategies for maintaining policy and oversight of cybersecurity initiatives. Governance of critical business assets for financial services should include an inventory of the applicable assets and maintenance of the policies that protect them against advanced threats. A Baseline activity is management's discussion of risks related to critical infrastructure, while an Innovative activity would be a committee that verifies management's actions to mitigate risks around that infrastructure. Policies should be updated and their enforcement verified, and a formal IT asset inventory with real-time accuracy and classification should be established. These are necessary to be considered Innovative in governance maturity.

Risk Management: Financial institutions should have assigned officers responsible for risk management and for critical business assets. The risk management function identifies and analyzes commonalities in cyber events that occur both at the institution and across other sectors, to enable more predictive risk management. A process should be in place to analyze the financial impact that a cyber incident at the institution may have across the financial sector. Organizations should establish a risk management program with real-time risk assessment and audit functionality. For the Innovative level, risk assessments should be updated in real time as changes to the inherent risk profile occur, as new applicable standards are released or updated, and as new exposures are anticipated. The institution uses information from risk assessments to predict threats and drive real-time responses. Advanced or automated analytics offer predictive information and real-time risk metrics. Also under risk management is the need for an internal audit team to identify gaps in existing security measures; automated audit reporting for external audits is essential for preparedness and accuracy.

Resources include the staffing, tools, and budgeting processes that ensure the institution's staff or external resources have knowledge and experience commensurate with the institution's risk profile. Cybersecurity staffing should include proper training and industry seminars to stay current on trends and threat monitoring.

Training and Culture includes the employee training and customer awareness programs that contribute to an organizational culture emphasizing the mitigation of cybersecurity threats. Having a security awareness program and testing its effectiveness will strengthen the overall security culture.

19 Domain 2 Threat Intelligence and Collaboration
Threat Intelligence
Monitoring and Analyzing
Information Sharing

Threat Intelligence is the process of identifying, tracking, and predicting adversary cyber capabilities. An Innovative institution has a threat analysis system that automatically correlates threat data to specific risks and then takes risk-based automated actions while alerting management. The institution invests in the development of new threat intelligence and collaboration mechanisms (e.g., technologies, business processes) that will transform how information is gathered and shared. New technologies for open source data analytics can provide faster and more current threat intelligence.

Monitoring and Analyzing covers how an institution monitors threats and what analysis it performs to identify and remediate vulnerabilities tied to the targeted threats. Integrating with other threat intelligence sources and systems is the most holistic approach to monitoring and alerting for advanced threats. Automatic alerting that is meaningful and actionable narrows your scope compared with traditional log mining, which typically produces many false positives.

Information Sharing encompasses establishing relationships with peers and information-sharing forums, and how threat information is communicated to those groups as well as to internal stakeholders. Sharing cyber threat intelligence with business units in real time, including the potential financial and operational impact of inaction, is key to becoming Innovative. A system should automatically inform management of the level of business risk specific to the institution and of the progress of the recommended steps taken to mitigate it.

20 Domain 3 Cyber Security Controls
Preventative: infrastructure management; access and asset management; device/endpoint security; secure coding practices
Detective: threat and vulnerability detection; anomalous behavior activity detection; event detection
Corrective: patch management; remediation

Preventative: The preventative control measures include infrastructure management, access and asset management, device/endpoint security, and secure coding practices. Innovative institutions maintain risk scores for all of their infrastructure assets and update them in real time based on threats, vulnerabilities, or operational changes. An institution should have a process for managing customer, employee, and third-party authentication and access, and sensitive transactions and information should be protected by a combination of encryption and authentication. Endpoint protection is critical, because endpoints are where data resides and are the primary target of a malicious attack. To protect the crown jewels there should be a centralized endpoint management tool that provides fully integrated patch, configuration, and vulnerability management, and that can detect malware on arrival to prevent a security incident. Secure coding practices are essential for limiting vulnerabilities in new software; automated tools in the development environment should actively scan source code so that security weaknesses can be resolved immediately, during development.

Detective: The detective control activities are threat and vulnerability detection, anomalous behavior activity detection, and event detection. Having a central console that consolidates and provides real-time alerts about both insider and outsider threats would help an organization qualify as Innovative for detective threat and vulnerability measures. There should be automatic alerts when anomalous behavior or security events occur. The reporting features of the detective solution should provide traceability of the entire timeline of any security event and allow corrective action within seconds.

Corrective: Patch management and remediation are considered corrective controls. To achieve Innovative status there should be a formal process to acquire, test, and rapidly deploy software patches based on criticality, and systems should be configured to retrieve patches automatically. Remediation brings all systems back to acceptable operating levels after a security incident. The institution should be able to remediate systems damaged by zero-day attacks within its current recovery time objectives. Remediation is only effective if it happens quickly; otherwise the intended damage is done. Remediation following vulnerability scans, penetration tests, risk assessments, and security incidents should all happen in real time to achieve Innovative maturity.

21 Domain 4 External Dependency Management
Connections: identification; monitoring; management of external connections and data flows to third parties
Relationship Management: due diligence; contracts; ongoing monitoring

Connections: Includes the identification, monitoring, and management of external connections and data flows to third parties. To be considered Innovative, an institution should maintain a monitoring tool that records interaction with third parties via inbound/outbound connections, web portals, or other means of data transfer, and that alerts on incidents such as unauthorized access attempts and anomalous behavior.

Relationship Management: Includes due diligence, contracts, and ongoing monitoring to help ensure third party controls complement the institution's cybersecurity program. Third party risk assessment teams and management should conduct proper due diligence when selecting third parties that will have any kind of elevated data access. Diagramming how they receive, store, process, transmit, and ultimately delete the information they are given access to is an essential step of third party risk management. Contract language should be structured to secure critical assets and to require performance baselines from vendors and contractors.

22 Domain 5 Cyber Incident Management and Resilience
Incident Resilience Planning & Strategy
Detection, Response, & Mitigation
Escalation & Reporting

Incident Resilience Planning & Strategy: Incorporates resilience planning and testing into existing business continuity and disaster recovery plans to minimize service disruptions and the destruction or corruption of data. Baseline organizations have identified roles and responsibilities and have a communications plan for an incident, whereas at Innovative institutions the incident response plan is designed to ensure recovery from disruption of services, assurance of data integrity, and recovery of lost or corrupted data following a cybersecurity incident. The incident response process also includes detailed actions and rule-based triggers for automated response. Depending on the nature of the institution's business, defined recovery time objectives and a baseline for recovery should be stated in the planning documentation.

Detection, Response, & Mitigation: Refers to the steps management takes to identify, prioritize, respond to, and mitigate the effects of internal and external threats and vulnerabilities. In an Innovative environment the organization is able to detect and block zero-day attempts and inform management and the incident response team in a timely fashion. Incident response teams should be able to trace a security incident through the entire process tree to see how it occurred, and build future remediation plans around the vulnerability that was exploited.

Escalation & Reporting: Ensures key stakeholders are informed about the impact of cyber incidents, and that regulators, law enforcement, and customers are notified as required. A mechanism should be in place to ensure immediate notification of incidents to management and essential employees through multiple communication channels, with tracking and verification of receipt. A real-time alerting and reporting solution lets management escalate critical events promptly and, if the incident is mitigated appropriately, possibly avoid lengthy public news coverage.

23 Risk Maturity Relationship
So now that we have gone through the inherent risk profile and the cybersecurity maturity assessment, it is time to view your risk/maturity relationship, see how the two pair off, and identify the gaps between you and an Innovative cybersecurity stance.

24 Risk Maturity Matrix. The risk/maturity relationship means that the lower your inherent risk, the lower the maturity level you would be expected to reach; the higher the inherent risk, the higher the expected maturity. We will walk through the matrix in the next section for the use case scenario. Once you have determined your inherent risk and completed the maturity questionnaire you can plot your maturity level. Plotting your maturity levels shows the areas of concern and the areas in which you are excelling. From there, your next step may involve identifying solutions that lower your inherent risk while improving your cybersecurity maturity (e.g., contracting with a third party to process credit card transactions lowers your inherent risk, while maintaining a secure third party vendor selection process improves your maturity in Domain 4). The FFIEC CAT spotlights the need for financial institutions to build cybersecurity risk programs into their existing risk management frameworks. The maturity matrix lets organizations concentrate on the risk areas they know are not at the desired control levels while building a program to monitor and report on identified risks. It is important to update the CAT any time changes occur to the inherent risk profile or the cybersecurity maturity assessment, so that your matrix reflects the current state of risks compared with the controls you have in place.

25 National Bank Case Study
We have introduced the CAT and its sections; now let's briefly review a case study depicting what a typical assessment might look like. This is a fictitious bank, but the case study was built using real-world data from other national banks.

26 ABC National Bank Business Profile
Background: 5000+ employees; 1000+ banking locations; HQ in the central US; est. 1967
Banking operations: branch banking; commercial banking; consumer lending; investment advisors
Current state: EOL systems still in use, no upgrade plan; mobile banking applications and some BYOD; previous security incidents (phishing attempts and internal hacking attempts via ATMs infected with malware); IT Security Director has left the bank

Background: ABC Bank is a national bank with over 5,000 employees, more than 1,000 banking locations, and a corporate headquarters in the central U.S. Established in the late 1960s, the bank has grown and acquired other smaller regional banks in North America.

Banking operations: ABC operates through four segments: branch banking (deposit accounts and loans for consumers and small businesses), commercial banking (lending, leasing, and syndicated and trade finance for corporate clients), consumer lending (residential mortgages, home equity loans, and credit cards), and investment advisors (private banking, brokerage, and asset management).

Current state: Some end-of-life systems are still in use, a mix of Windows XP and Windows Server 2003, and the bank has not yet made an upgrade plan. Services include ATMs, wire transfers, ACH, and mobile banking applications. There have already been known security incidents: phishing attempts against customers and internal hacking attempts via ATMs infected with malware. The IT Security Director has left the bank, leaving a lack of governance and oversight initiatives and no improvements to current policies.

27 Inherent Risk Score
Inherent Risk Score: 507.69 (Moderate). Legend on the slide: <=200, 201-400 (the remaining bands did not survive extraction).

Table (flattened on the slide; only the recoverable parts are shown): columns Category, Weight, Data Points, Least, Minimal, Moderate, Significant, Most; rows Technologies and Connection Types, Delivery Channels, Organizational Characteristics, Online/Mobile Products and Technological Services, External Threats, Totals. The five categories contain 39 data points in total; by column order, the distribution of responses is Least 10.26%, Minimal 28.21%, Moderate 51.28%, Significant 0.00% (the Most column was not recovered).

By adding up the total data points and dividing each risk level's number of responses by that total you get the percentage for each level shown at the bottom. Here we see that the inherent risk score, 507.69, falls into the Moderate category. We derived this calculation using responses that a typical national-level bank would give from an inherent risk perspective. ABC National Bank's inherent risk profile reveals moderate cybersecurity risk based on the nature of the operations and business transactions it performs. Some of the inherent risks checked off on the questionnaire were e-banking and mobile banking applications, which increase inherent risk for obvious reasons, but banks have to become innovative in securing these technologies as customer demand for them keeps rising. Also, many national banks still have EOL systems in place because of the large amount of infrastructure they have to maintain. Upgrades are costly and often cannot be budgeted for the foreseeable future, which leaves financial institutions with few options to secure these legacy systems. They can purchase extended support packages, which only provide critical patches and leave systems vulnerable because moderate and low severity fixes are not included. Also, standards such as PCI DSS require an up-to-date patch management process, which an extended support package alone does not satisfy, so the institution risks a compliance audit failure. Further, the support packages are very costly, especially if used for an extended period. If financial institutions need to continue to use EOL systems they should put compensating controls in place to mitigate the vulnerabilities. Such a solution should protect against all types of malware while only allowing an approved set of processes to run. Organizations should also isolate EOL systems from the main infrastructure while hardening them as much as possible.

28 Cybersecurity Maturity Assessment
Now let's review ABC's cybersecurity maturity assessment. This diagram isn't a case of chickenpox, but where there is a blue dot it means ABC National scored an Evolving rank for cybersecurity maturity; yellow is Intermediate and green is Advanced. They are mostly Intermediate based on the data provided to the assessment. We walked through all the questions in the assessment and calculated the risk/maturity relationship, which is shown on the next slide. They are doing an adequate job here: since their inherent risk was Moderate, we would expect an Intermediate or higher maturity level for each category. It is important to note that the Evolving level across most of Domain 1 reflects the business case's lack of governance and oversight. With high IT director turnover comes the need for management direction and established risk policies and appetite; ABC National Bank will need to put those policies in place to advance in Domain 1. For Domain 5 they were Advanced in having a plan and strategy; however, it is one thing to make a plan and another to follow through with it, which is why we see Intermediate levels for detection and response and for escalation and reporting. Testing your incident management plans and procedures regularly and adapting them to new threats is a way to improve your Domain 5 maturity level.

29 Maturity Achieved Against Defined Targets (overall: 81.06%)

Table (flattened on the slide; the column headings there read "Least / Minimal / Moderate / Significant / Most", which are the inherent risk labels, where the maturity levels Baseline through Innovative are meant). Columns: Domain, Desired Target, Statements attained / total per level, % achieved against target.

Cyber Risk Management and Oversight: target Intermediate; achieved 64.89%. By level: Innovative 1/15 (6.67%), Advanced 5/32 (15.63%), Intermediate 7/29 (24.14%), Evolving 23/34 (67.65%), Baseline 31/31 (100.00%).
Threat Intelligence and Collaboration: target Intermediate; achieved 88.46%. Recovered per-level figures: Innovative 0/8 (0.00%), Advanced 2/11 (18.18%), next level 72.73%.
Cyber Security Controls: target Intermediate; achieved 80.62%. Recovered per-level figures: 20 statements (10.00%), 25 statements (20.00%), 39 statements (58.97%), 30 attained (76.92%), Baseline 51 statements.
External Dependency Management: target Intermediate; achieved 86.84%. Recovered per-level figures: Innovative 3/7 (42.86%), 6 attained of 9 (66.67%), 13 statements (84.62%), 16 statements at the next level.
Cyber Incident Management and Resilience: target Intermediate; achieved 84.48%. Recovered per-level figures: 10, 21 statements (71.43%), 17 attained (85.00%).

Here is the risk/maturity matrix we talked about earlier. You can use it to define thresholds that make gaps easy to spot and that tell you when you have moved up in cybersecurity maturity. Since our inherent risk score came out Moderate, we selected Intermediate as the desired target for all domains. If we look at Domain 1 we reached only 65% of the target because of the less than desirable responses. In each of the remaining 4 domains we scored 80% or higher, demonstrating that for those domains the controls are on par with the risks we established in the first section of the CAT. This assessment is meant to evolve with your institution's constantly changing threat landscape; you can set the desired targets to Advanced or Innovative to recalculate the percentage achieved against those targets. The key questions you want to answer are:
How effective are the institution's risk management activities and controls identified in the Assessment?
Are there more efficient or effective means for attaining or improving the institution's risk management and controls?
What third parties does the institution rely on to support critical activities?
What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?
How does management validate the type and volume of attacks?
Is the institution sharing threat information with peers, law enforcement, and critical third parties through information-sharing procedures?
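The maturity rule from slide 16 (every declarative statement at a level, and at all lower levels, must be attained) and the "% achieved against target" figures on this slide can both be computed mechanically once the questionnaire answers are recorded. The following Python is an added example written for this page; it is not the FFIEC's tool or the presenter's spreadsheet. The per-level counts are constructed to match the Domain 1 numbers on the slide, the statement texts are placeholders, and the percentage formula (attained statements at or below the target level divided by all statements at or below it) is an assumption inferred from the slide, where it reproduces 61/94 = 64.89%.

```python
"""Added example: scoring one CAT maturity domain.

Not the FFIEC's code or the presenter's. Sample data are constructed; the
per-level counts reproduce Domain 1 on the slide, statement texts are fake.
"""
from dataclasses import dataclass

# Maturity levels in ascending order, as defined by the CAT.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]


@dataclass(frozen=True)
class Statement:
    level: str
    text: str
    attained: bool  # "Yes" (or "Yes with compensating controls") on the questionnaire


def achieved_level(statements):
    """Apply the CAT rule: a level counts only if every statement at that level
    and at every lower level is attained. Returns None if Baseline is incomplete."""
    achieved = None
    for level in LEVELS:
        at_level = [s for s in statements if s.level == level]
        if at_level and all(s.attained for s in at_level):
            achieved = level
        else:
            break  # a gap here blocks every higher level, whatever they score
    return achieved


def percent_achieved(statements, target):
    """Assumed 'percentage achieved against target': attained statements at or
    below `target` over all statements at or below `target`."""
    cutoff = LEVELS.index(target)
    in_scope = [s for s in statements if LEVELS.index(s.level) <= cutoff]
    return 100.0 * sum(s.attained for s in in_scope) / len(in_scope)


def build_domain(counts):
    """Expand {level: (attained, total)} into placeholder Statement objects."""
    out = []
    for level, (yes, total) in counts.items():
        for i in range(total):
            out.append(Statement(level, f"{level} statement {i + 1}", i < yes))
    return out


def gap_report(counts, target):
    """Achieved level, % against target, and how many statements at or below
    the target are still unmet (the work remaining to reach it)."""
    statements = build_domain(counts)
    cutoff = LEVELS.index(target)
    missing = {lvl: total - yes for lvl, (yes, total) in counts.items()
               if LEVELS.index(lvl) <= cutoff and total > yes}
    return {
        "achieved": achieved_level(statements),
        "target": target,
        "percent": round(percent_achieved(statements, target), 2),
        "missing": missing,
    }


# Constructed sample: Domain 1 (Cyber Risk Management and Oversight) counts
# from the slide, as (attained, total) per level.
DOMAIN1_COUNTS = {
    "Baseline": (31, 31),
    "Evolving": (23, 34),
    "Intermediate": (7, 29),
    "Advanced": (5, 32),
    "Innovative": (1, 15),
}

if __name__ == "__main__":
    # Baseline is the only fully attained level, so the domain sits at Baseline
    # even though some Advanced and Innovative statements are met; against an
    # Intermediate target it reaches 61/94 = 64.89%.
    print(gap_report(DOMAIN1_COUNTS, "Intermediate"))
```

Note that the one Innovative statement ABC attains does nothing for its maturity level: the rule is cumulative, so the 11 missing Evolving statements cap the domain at Baseline, and the gap report tells you exactly where the work is.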

30 Key Considerations While Using the CAT
Being Innovative in cybersecurity maturity
Real-time detection and response
Always be updating for changes
Automatic metrics and reporting
Threat analytics that matter
Baseline risk measurement

Key considerations: An Innovative cybersecurity stance can only be maintained with real-time detection and response. The CAT is a point-in-time exercise, so it is important to update it whenever there is a change to either the inherent risk profile or the five maturity domains. Real-time metrics and reporting let you quickly diagram where you stand. Threat analytics are only as good as how you use them; procuring solutions with aggregated threat data that can be interpreted and turned into current watch lists will improve your knowledge and response time. Use this tool as a baseline and discovery process, not as the end-all be-all risk measurement. Working in conjunction with your existing risk assessment processes will help your institution streamline risk management for assessments and audits.

31 Not just for Finance! Other industries can use the tool by changing the inherent risk criteria to fit them. For example, healthcare can tailor its inherent risk profile based on the nature of the health services provided, the number of devices connected to the network including medical devices, the number of sensitive patient records, and the number of medical service locations, as a start. The same goes for the cybersecurity maturity questionnaire: you can tailor it using the controls from HIPAA, PCI DSS, NIST, and any other standard that applies to your industry.

32 Questions & Answers

