Overview of the FFIEC Cybersecurity Assessment Tool

This tool helps you assess your

  • Inherent Risk Profile; and
  • Cybersecurity Maturity.

This tool:

  • Is a high-level risk profile rather than a full risk assessment.
  • Asks whether you have done a risk assessment; a full risk assessment will be more detailed than the Inherent Risk Profile section of this tool.
  • Helps you plan how to ramp up your security.
  • Provides a set of maturity benchmarks and helps you determine which one you should be aiming for, given your risk.
  • Is a good way to take stock of your current status.
  • Is a good place to start.

The Inherent Risk Profile is an 8-page grid of activities, services, or products, each with a statement for every possible risk level, spread across 5 categories. The categories and the number of activities, services, or products in each are:

  • Technologies and connection types: 14
  • Delivery channels: 3
  • Online/mobile products and technology services: 14
  • Organizational characteristics: 7
  • External threats: 1

For each activity, service, or product, you select the statement that best describes your institution. Each statement corresponds to one of five risk levels:

  • Least
  • Minimal
  • Moderate
  • Significant
  • Most

You can then use the grid to determine your level of risk in each category, and overall.

The Cybersecurity Maturity section is a 39-page grid that helps you identify your level of maturity in 5 domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

There are 5 levels of maturity:

  • Baseline
  • Evolving
  • Intermediate
  • Advanced
  • Innovative

To determine your overall level of maturity for each domain, compare your credit union’s performance in relation to several “assessment factors”. Each assessment factor has a set of declarative statements for each level of maturity. All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level.

The assessment factors for each domain are:

  • Cyber risk management and oversight
      ◦ Oversight
      ◦ Strategy/policies
      ◦ IT asset management
      ◦ Risk management program
      ◦ Risk assessment
      ◦ Audit
      ◦ Staffing
      ◦ Training
      ◦ Culture
  • Threat intelligence and collaboration
      ◦ Threat intelligence and information
      ◦ Monitoring and analyzing
      ◦ Information sharing
  • Cybersecurity controls
      ◦ Infrastructure management
      ◦ Access and data management
      ◦ Device/end-point security
      ◦ Secure coding
      ◦ Threat and vulnerability detection
      ◦ Anomalous activity detection
      ◦ Event detection
      ◦ Patch management
      ◦ Remediation
  • External dependency management
      ◦ Connections
      ◦ Due diligence
      ◦ Contracts
      ◦ Ongoing monitoring
  • Cyber incident management and resilience
      ◦ Planning
      ◦ Testing
      ◦ Detection
      ◦ Response and mitigation
      ◦ Escalation and reporting

Once the assessment is done, a credit union should analyze the results. In general, as inherent risk rises, an institution's maturity levels should increase. If management determines that the institution's maturity levels are not appropriate in relation to the inherent risk profile, management should consider reducing inherent risk or developing a strategy to improve the maturity levels. The assessment factors, and the declarative statements under them, serve as an excellent guide for how to increase maturity: the unmet statements at the next level are the to-do list.
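The cumulative rule for a domain's maturity level (every declarative statement at a level and at all lower levels must be attained and sustained) and the gap analysis that follows from it are easy to get wrong by hand across 39 pages, so here is a small scoring script. This is an added example, not part of the FFIEC tool or this page; the factor names are two of the Cybersecurity Controls factors above, but the statement IDs and the yes/no answers are constructed placeholders, not the CAT's own declarative statements or numbering.

```python
"""Cumulative maturity scoring for one FFIEC CAT domain (added example).

The CAT's own declarative statements are not reproduced; SAMPLE_DOMAIN is
constructed data with invented statement IDs.
"""
from __future__ import annotations

MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# factor -> maturity level -> statement id -> attained AND sustained?
Answers = dict[str, dict[str, dict[str, bool]]]


def unmet_statements(answers: Answers, level: str) -> list[str]:
    """Statement IDs at exactly `level` that are not attained, across all factors."""
    return sorted(
        sid
        for factor in answers.values()
        for sid, attained in factor.get(level, {}).items()
        if not attained
    )


def domain_maturity(answers: Answers) -> str | None:
    """Highest level at which every statement at that level and all lower
    levels is attained. Returns None when even Baseline is incomplete.
    A fully met Advanced row does not count while an Intermediate
    statement is still open; that is the CAT's cumulative rule."""
    achieved = None
    for level in MATURITY_LEVELS:
        if unmet_statements(answers, level):
            break
        achieved = level
    return achieved


def gap_to(answers: Answers, target: str) -> list[str]:
    """Every unmet statement at or below `target`: the work list for reaching it,
    ordered from the lowest level up, since lower levels must close first."""
    top = MATURITY_LEVELS.index(target)
    return [
        sid
        for level in MATURITY_LEVELS[: top + 1]
        for sid in unmet_statements(answers, level)
    ]


# Constructed sample: a subset of the Cybersecurity Controls domain.
# IDs such as "IM-B-1" are placeholders, not CAT identifiers.
SAMPLE_DOMAIN: Answers = {
    "Infrastructure management": {
        "Baseline": {"IM-B-1": True, "IM-B-2": True},
        "Evolving": {"IM-E-1": True},
        "Intermediate": {"IM-I-1": True},
        "Advanced": {"IM-A-1": True},
        "Innovative": {"IM-N-1": False},
    },
    "Patch management": {
        "Baseline": {"PM-B-1": True},
        "Evolving": {"PM-E-1": True},
        "Intermediate": {"PM-I-1": False},
        "Advanced": {"PM-A-1": True},  # met, but capped by the open PM-I-1
        "Innovative": {"PM-N-1": False},
    },
}

if __name__ == "__main__":
    print("Domain maturity:", domain_maturity(SAMPLE_DOMAIN))
    print("To reach Advanced, close:", gap_to(SAMPLE_DOMAIN, "Advanced"))
```

The sample scores Evolving even though the Advanced row is complete, because one Intermediate statement is open; that single statement is also the whole gap to Advanced. Flipping any Baseline answer to False drops the domain to no level at all, which is the result the tool gives when foundational statements are unmet.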

Everything you need or need to know is on the FFIEC’s website: