
FFIEC Cyber Security Assessment Tool

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations. Agenda. Overview of assessment tool Review inherent risk profile categories Review domain 1-5 for cyber security maturity Summary of risk/maturity relationships Overview of use case performed Final thoughts Q&A.





Presentation Transcript


  1. FFIEC Cyber Security Assessment Tool Overview and Key Considerations

  2. Agenda • Overview of assessment tool • Review inherent risk profile categories • Review domain 1-5 for cyber security maturity • Summary of risk/maturity relationships • Overview of use case performed • Final thoughts Q&A

  3. Overview of FFIEC Cybersecurity Assessment Tool

  4. Benefits to Institutions • Identifying factors contributing to and determining the institution’s overall cyber risk • Assessing the institution’s cybersecurity preparedness • Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks • Determining risk management practices and controls that could be taken to achieve the institution’s desired state of cyber preparedness • Informing risk management strategies

  5. Not just for Finance! • Don’t tune out if you’re not in the financial services sector! • Throughout the presentation you will see that risk assessment and preparedness are a major theme in any industry. Feel free to ask particular questions about your company and industry.

  6. Inherent Risk Profile

  7. Inherent Risk Profile Categories • Technologies and Connection Types • Delivery Channels • Online/Mobile Products and Technology Services • Organizational Characteristics • External Threats

  8. Inherent Risk Profile – Risk Levels

  9. Inherent Risk Profile Excerpt

  10. Inherent Risk Profile – Technologies and Connection Types • Internet service providers • Third-party connections • Internal vs. outsourced hosted systems • Wireless access points • Network devices • EOL systems • Cloud services • Personal devices

  11. Inherent Risk Profile – Delivery Channels • ATM operations • Online and mobile products and services delivery channels

  12. Inherent Risk Profile – Online/Mobile Products and Technology Services • Credit and debit cards • P2P payments • ACH • Wire transfers • Wholesale payments • Remote deposit • Treasury and trust • Global remittances • Correspondent banking • Merchant acquiring activities

  13. Inherent Risk Profile – Organizational Characteristics • Mergers and acquisitions • Direct employees and contractors • IT environment • Business presence and locations of operations and data centers

  14. Inherent Risk Profile

  15. Cybersecurity Maturity Assessment

  16. Cybersecurity Maturity Overview • Cybersecurity maturity is evaluated in five domains: Domain 1 - Cyber Risk Management and Oversight, Domain 2 - Threat Intelligence and Collaboration, Domain 3 - Cybersecurity Controls, Domain 4 - External Dependency Management, Domain 5 - Cyber Incident Management and Resilience. • Each domain has five levels of maturity: baseline, evolving, intermediate, advanced, and innovative.

  17. Cybersecurity Maturity Domain Coverage

  18. Domain 1 – Cyber Risk Management & Oversight • Governance • Risk Management • Resources • Training and Culture

  19. Domain 2 – Threat Intelligence and Collaboration • Threat Intelligence • Monitoring and Analyzing • Information Sharing

  20. Domain 3 – Cyber Security Controls

  21. Domain 4 – External Dependency Management

  22. Domain 5 – Cyber Incident Management and Response • Incident Resilience Planning & Strategy • Detection, Response, & Mitigation • Escalation & Reporting

  23. Risk Maturity Relationship

  24. Risk Maturity Matrix

  25. National Bank Case Study

  26. ABC National Bank Business Profile

  27. Inherent Risk Score

  28. Cybersecurity Maturity Assessment

  29. Key Considerations While Using the CAT – Being Innovative in Cybersecurity Maturity • Real-time detection and response • Always be updating for changes • Automatic metrics and reporting • Threat analytics that matter • Baseline risk measurement

  30. Not just for Finance! • Industries can use the tool to fit their inherent risk profile by changing the criteria to those that best fit them. • E.g., healthcare can tailor its inherent risk based on the nature of health services provided, the number of devices connected to the network (including medical devices), the number of sensitive patient files, and the number of medical service locations, as a start. • The same goes for the cybersecurity maturity assessment questionnaire: you can tailor the questionnaire using the controls from HIPAA, PCI, NIST, and any other standard that pertains to your industry.

  31. Questions & Answers
