Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment

Setting a Path to Cybersecurity Maturity

In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed a Cybersecurity Assessment to help financial institutions identify their risks and determine their cybersecurity preparedness.

The Assessment provides a repeatable and measurable process for institutions to track their cybersecurity preparedness over time. It incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and regulatory guidance, as well as concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

For institutions using the Assessment, management will be able to enhance their oversight and management of the institution’s cybersecurity by doing the following:

  • Identifying factors contributing to and determining the institution’s overall cyber risk.
  • Assessing the institution’s cybersecurity preparedness.
  • Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks.
  • Determining risk management practices and controls that are needed or need enhancement and actions to be taken to achieve the desired state.
  • Informing risk management strategies.
  • Mapping to the multi-sector NIST Cybersecurity Framework.

Sage’s Collaborative Approach

Every financial institution will be expected to complete this or an equivalent assessment. The assessment is complex and can be a daunting, resource-intensive task. Sage’s collaborative approach ensures that the assessment process is effective and educational, and that it produces actionable outcomes.

The assessment is conducted workshop style. Upon completion of the workshop, Sage personnel analyze the responses and complete the assessment on behalf of the organization. A draft report is submitted to the institution for review. Following review and comment, the final report (described in the Reports and Recommendations section below) is provided. Upon request, Sage personnel will present the report to an Executive Committee or the Board of Directors.

The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. Upon completion of both parts, management can evaluate whether the institution’s inherent risk and preparedness are aligned.

Inherent Risk Profile

Inherent risk incorporates the type, volume, and complexity of the institution’s operations and the threats directed at the institution. Inherent risk does not take mitigating controls into account. The Inherent Risk Profile describes activities across risk categories, with definitions ranging from the least to the most inherent risk. The profile helps management determine the exposure to risk that the institution’s activities, services, and products pose, both individually and collectively.

Cybersecurity Maturity

The Assessment’s second part is Cybersecurity Maturity, designed to help management measure the institution’s level of risk and corresponding controls. The levels range from Baseline to Innovative. Cybersecurity Maturity includes statements to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness within the following five domains:

  1. Cyber Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. External Dependency Management
  5. Cyber Incident Management and Resilience

Reports and Recommendations

The deliverables of Sage’s FFIEC Cybersecurity Resilience Assessment include:

  • An Executive Synopsis that includes a Cybersecurity Maturity Dashboard
  • A comprehensive interactive report that includes:
    • Cybersecurity Maturity Dashboard
    • Inherent Risk Matrix
    • Domain Results (including documented responses to 494 declarative statements organized by domain and maturity level)
    • Target state roadmap by domain
    • Target state roadmap by maturity
    • Action plan
    • FFIEC Cybersecurity Assessment to NIST Cybersecurity Framework mapping
