An Overview of the FFIEC Cybersecurity Assessment Tool

An effective risk management program is a critical component of organization’s overall information security. To be effective, an organization not only needs to understand the value of its assets, but also needs a framework to determine its risks, measure the level of maturity of its information security efforts, and determine its progress towards its security goals.

On 30 June 2015, an FFIEC press release announced the organization’s new cybersecurity assessment tool, which was designed “to help institutions identify their risks and assess their cybersecurity preparedness.” The assessment tool takes a “2x5” approach – there are two parts involved in its use, and each part uses five categories to frame the analysis involved. This leads to slightly different outcomes– the inherent risk analysis results in an overall inherent risk profile assigned to one of five levels, while the analysis of cybersecurity maturity results in a determination of maturity level for each of the five domains provided.

Determining an Inherent Risk Profile

Let’s break down the tool a bit. The first part focuses on helping an organization determine its inherent risk profile. To do this, the tool uses five analysis categories:

1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organization Characteristics
5. External Threats

At the end of the analysis, the resulting inherent risk profile is assigned one of five potential levels:

1. Least
2. Minimal
3. Moderate
4. Significant
5. Most

Determining Cybersecurity Maturity Levels

The second part focuses on determining a cybersecurity maturity level for each of five domains. Each domain has assessment factors to help scope the analysis required. The domains and assessment factors are:

1. Domain 1: Cyber Risk Management and Oversight Assessment factors: Governance; Risk Management; Resources; Training and Culture
2. Domain 2: Threat Intelligence and Collaboration Assessment factors: Threat Intelligence; Monitoring and Analyzing; Information Sharing
3. Domain 3: Cybersecurity Controls Assessment factors: Preventative Controls; Detective Controls; Corrective Controls
4. Domain 4: External Dependency Management Assessment factors: Connections; Relationship Management
5. Domain 5: Cyber Incident Management and Resilience Assessment factors: Incident Resilience Planning and Strategy; Detection, Response, and Mitigation; Escalation and Reporting

The resulting analysis within each of the five domains leads to a maturity level. These are:

The tool does not provide an overall level of organizational cybersecurity maturity. Management should combine the results of the analysis with other information and analysis to make that determination.

As part of the overall information included with the tool, the FFIEC has provided a mapping of the tool’s baseline statements to the FFIEC IT Examination Handbook. The information also includes a Cybersecurity Assessment Tool-to-NIST Cyber Security Framework (CSF) mapping for those organizations that reference the CSF. Unfortunately, there is no extended mapping to the NIST 800-53 controls.

Finally, you should know that this new tool is not automated. There will be elbow-grease and hard work involved. However, if you are interested in a different approach to building your organization’s risk profile and understanding its cybersecurity maturity, and you like using 2x5s, this tool may be for you. To check it out yourself, visit the FFIEC’s website at: https://www.ffiec.gov/cyberassessmenttool.htm