In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed a Cybersecurity Assessment to help financial institutions identify their risks and determine their cybersecurity preparedness.
The Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time. The Assessment incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
For institutions using the Assessment, management will be able to enhance their oversight and management of the institution’s cybersecurity by doing the following:
Every financial institution will be expected to complete this or an equivalent assessment. The assessment is complex and can be a daunting, resource-intensive task. Sage’s collaborative approach ensures that the assessment process is effective, educational, and provides actionable outcomes.
The assessment is conducted workshop style. Upon completion of the workshop, Sage personnel analyze the responses and, on behalf of the organization, complete the assessment. The draft report is submitted to the institution for review. Following review and comment, the final report (described in the deliverable section below) is provided. Upon request, Sage personnel will present the report to an Executive Committee or the Board of Directors.
The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. Upon completion of both parts, management can evaluate whether the institution’s inherent risk and preparedness are aligned.
Inherent risk incorporates the type, volume, and complexity of the institution’s operations and threats directed at the institution. Inherent risk does not include mitigating controls. The Inherent Risk Profile includes descriptions of activities across risk categories with definitions for the least to most levels of inherent risk. The profile helps management determine exposure to risk that the institution’s activities, services, and products individually and collectively pose to the institution.
The Assessment’s second part is Cybersecurity Maturity, designed to help management measure the institution’s level of risk and corresponding controls. The levels range from Baseline to Innovative. Cybersecurity Maturity includes statements to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness within the following five domains:
The outcome of Sage’s FFIEC Cybersecurity Resilience Assessment includes:
There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”
A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that complement and reinforce one another.
Are you struggling to find the time to effectively monitor your network for potential threats? Let nDiscovery do the detective work for you! We translate generic threat data into specific actionable intelligence – cutting through the noise so you can focus on what is truly important.