I. INTRODUCTION
The federal banking agencies have released a free cyber security self-assessment tool to help financial institutions of all sizes identify the cyber risks they face and assess their preparedness.
The assessment includes a profile of inherent risks keyed to the characteristics of individual financial institutions, such as technology profile, product lines and size. This is followed by a self-assessment template covering five dimensions of cybersecurity maturity, with tips for evaluating and interpreting the results. It also maps the maturity levels to the voluntary cybersecurity benchmarks developed by the National Institute of Standards and Technology.
The assessment will become part of cybersecurity exams this year; for example, the OCC had indicated that its examiners will begin incorporating it into exams in late 2015. The Federal Financial Institutions Examination Council (FFIEC) has indicated that it will update the assessment as the cyber risk environment evolves.
The cybersecurity assessment tool and a variety of supporting resources, including an executive overview, a user’s guide and an instructional presentation, are available on the Cybersecurity Awareness page of the ffiec.gov website at http://www.ffiec.gov/cybersecurity.htm.
A. Inherent Risk Profile
The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. The Inherent Risk Profile identifies the institution’s inherent risk before implementing controls. The Cybersecurity Maturity includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place. While management can determine the institution’s maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level.
To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories:
B. Cybersecurity Maturity
Once the tool identifies the institution’s overall inherent risk and the threats associated with specific products, activities, or services, management can measure the institution’s Cybersecurity Maturity.
Part 2, the Cybersecurity Maturity Assessment, identifies the overall health, innovation, and effectiveness of an institution’s cybersecurity methods and practices. Depository institution cybersecurity operations are categorized into five domains, which are evaluated through a series of “assessment factors.” The five domains for the cybersecurity maturity assessment are:
Based on the results of the cybersecurity maturity assessment, the institution is categorized into one of several levels of maturity:
1. Baseline – institution adheres to the minimum expectations required by law and includes primarily client-driven objectives.
2. Evolving – institution implements additional formalities and documented procedures or policies that are not already required by law.
3. Intermediate – institution's cybersecurity system follows detailed, formal processes, and the controls are both validated and consistent. Further, risk management practices are integrated into a broad, comprehensive strategy.
4. Advanced – institution's cybersecurity practices are well integrated across the business. In addition, the practices are automated and continue to improve.
5. Innovative – institution drives cybersecurity processes, development and technologies for the industry to manage cyber-risk. New tools in real-time predictive analytics are developed and tied to automated responses.