Pratum Blog

FFIEC Cybersecurity Assessment Tool

An effective risk management program is a critical component of an organization’s overall information security. To be effective, an organization not only needs to understand the value of its assets, but also needs a framework to determine its risks, measure the maturity of its information security efforts, and track its progress towards its security goals.

On 30 June 2015, an FFIEC press release announced the organization’s new cybersecurity assessment tool, which was designed “to help institutions identify their risks and assess their cybersecurity preparedness.” The assessment tool takes a “2x5” approach: there are two parts involved in its use, and each part uses five categories to frame the analysis. The two parts produce slightly different outcomes. The inherent risk analysis results in an overall inherent risk profile assigned to one of five levels, while the analysis of cybersecurity maturity results in a maturity level for each of the five domains provided.

Determining an Inherent Risk Profile

Let’s break down the tool a bit. The first part focuses on helping an organization determine its inherent risk profile. To do this, the tool uses five analysis categories:

  1. Technologies and Connection Types
  2. Delivery Channels
  3. Online/Mobile Products and Technology Services
  4. Organization Characteristics
  5. External Threats

At the end of the analysis, the resulting inherent risk profile is assigned one of five potential levels:

  1. Least
  2. Minimal
  3. Moderate
  4. Significant
  5. Most

Determining Cybersecurity Maturity Levels

The second part focuses on determining a cybersecurity maturity level for each of five domains. Each domain has assessment factors to help scope the analysis required. The domains and assessment factors are:

  1. Domain 1: Cyber Risk Management and Oversight. Assessment factors: Governance; Risk Management; Resources; Training and Culture
  2. Domain 2: Threat Intelligence and Collaboration. Assessment factors: Threat Intelligence; Monitoring and Analyzing; Information Sharing
  3. Domain 3: Cybersecurity Controls. Assessment factors: Preventative Controls; Detective Controls; Corrective Controls
  4. Domain 4: External Dependency Management. Assessment factors: Connections; Relationship Management
  5. Domain 5: Cyber Incident Management and Resilience. Assessment factors: Incident Resilience Planning and Strategy; Detection, Response, and Mitigation; Escalation and Reporting

The resulting analysis within each of the five domains leads to a maturity level. These are:

  1. Baseline
  2. Evolving
  3. Intermediate
  4. Advanced
  5. Innovative

The tool does not provide an overall level of organizational cybersecurity maturity. Management should combine the results of the analysis with other information and analysis to make that determination.

As part of the overall information included with the tool, the FFIEC has provided a mapping of the tool’s baseline statements to the FFIEC IT Examination Handbook. The information also includes a Cybersecurity Assessment Tool-to-NIST Cybersecurity Framework (CSF) mapping for those organizations that reference the CSF. Unfortunately, there is no extended mapping to the NIST 800-53 controls.

Finally, you should know that this new tool is not automated. There will be elbow grease and hard work involved. However, if you are interested in a different approach to building your organization’s risk profile and understanding its cybersecurity maturity, and you like using 2x5s, this tool may be for you. To check it out yourself, visit the FFIEC’s website at: https://www.ffiec.gov/cyberassessmenttool.htm

ISSA Des Moines 2015 Secure Iowa Conference

The ISSA Des Moines Chapter is hosting its 4th Annual Secure Iowa Conference on October 7, 2015. Pratum is pleased to announce that we will be supporting this educational conference for a fourth consecutive year.

Secure Iowa is a one day conference that provides group and breakout sessions featuring professional speakers presenting on information security, IT risk management, compliance and privacy. This is a unique opportunity for security, privacy and audit professionals to gather for a time of learning and networking within Iowa’s borders. The conference will consist of both a management and technical track to ensure a broad appeal across the various levels of attendees.

One of the best parts about this great conference is that it is FREE, and there are a number of excellent door prizes being offered to attendees. Grand prizes include a Dell 4K monitor, Surface Pro 3 and MacBook Air. Don’t miss out on the excellent opportunity.

ISSA Secure Iowa Conference 2015 Grand Prizes

Event: Secure Iowa Conference

Who Should Attend? Anyone who is interested in information security, IT risk management, compliance and/or privacy

Date: Wednesday, October 7, 2015

Time: 8:30 a.m. to 4:00 p.m.

Location:
FFA Enrichment Center
1055 SW Prairie Trail Parkway
Ankeny, Iowa 50023

One of the questions commonly asked of me is about the employment outlook for information security professionals. For starters, it’s fantastic. You’ll have no problem getting a job in information security, if you want it. This should not be confused with “you’ll have your pick of the perfect job in the industry you want, at the company of your choosing, and with a salary only a king could scoff at.” No, it means there are plenty of jobs. You’ll need to put in the time and effort to build the skillset and experience to be hired into your dream job. You just won’t have to tell your parents you’re moving back in because all of the information security positions have been eliminated in the latest round of corporate cuts.

The difference between Information Security and Information Assurance

I then immediately begin thinking about the difference between Information Security (InfoSec) and Information Assurance (IA). Information security is just like any other career field: there are multiple paths you can take within the field, depending on your interest, and the skill sets needed to be effective in these two roles can be very different. Now certainly title isn't everything, and one company may use the term security where another uses assurance. The US government is quite fond of the information assurance moniker. However, within the profession, we are starting to see a marked delineation between Information Security and Information Assurance. This is similar to the split between information security and information privacy.

InfoSec has traditionally been very technology focused: the daily operation of security applications and infrastructure such as firewalls, intrusion prevention systems, counter-hacking, and so on. Penetration testing and vulnerability analysis of systems are other examples. Information Assurance has been more involved with assessing the overall risk of an organization's technology and working to mitigate that risk. While there is certainly a technology component, it's not as pronounced as with InfoSec.

The Need for Standardized Terminology

Perhaps I'm splitting hairs or focusing too much on semantics for some of you, but I see a real need to evaluate the terminology we use as our profession matures. We have seen the abstracting of privacy professionals from the security group. We are now beginning to see specialization within the InfoSec ranks, like we've seen in other technology professions. Some DBA (Database Administrator) professionals specialize in architecture, while others deal only with implementation and performance. I think we are seeing a similar maturity in the Information Security/Privacy/Assurance world. As more work is tossed our way and teams grow larger, it makes sense to specialize. Sometimes it's more fun too. Why perform all the policy development if you just love reading hexadecimal TCP dumps all day? There has to be somebody who loves all that "wordy" stuff, right?
