Compensating control: a management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system. Compensating controls are controls that adjust for weaknesses within the system or process. An example of a compensating control would be a review of activity logs for applications that do not allow proper segregation of duties.

Cybersecurity is an area of growing concern for financial institutions, especially in the face of recent high-profile data breaches. You may remember that in 2014, FFIEC stated that they wanted financial institutions to adopt the NIST Cybersecurity Framework. Both the NIST Cybersecurity Framework and the FFIEC Cybersecurity Assessment Tool start from a clear understanding of the organization's business drivers and security considerations specific to its use of information technology and industrial control systems. During the summer of 2014, Federal Financial Institutions Examination Council (FFIEC) members piloted a cybersecurity examination work program (Cybersecurity Assessment) at over 500 community financial institutions to evaluate their preparedness to mitigate cyber risks. In light of the increasing volume and sophistication of cyber threats, on June 30, 2015, the FFIEC, on behalf of its members, issued the Cybersecurity Assessment Tool (Assessment, or CAT), which financial institutions may use to identify their risks and determine their cybersecurity preparedness and maturity. Incident Analysis: FFIEC members will also enhance their processes for gathering, analyzing and sharing information with each other during cyber incidents.

The FFIEC CAT is a diagnostic test that helps institutions identify their risk level and determine the maturity of their cybersecurity programs. It provides financial institutions with a repeatable and measurable process that can be used to gauge cybersecurity preparedness. It helps assess an institution's inherent cyber risk profile and its cybersecurity … The tool measures risk levels across several categories, including delivery channels, connection types, external threats, and organizational characteristics. The FFIEC hasn't released what you would normally expect a tool to look like; it is a collection of PDF documents that outline a cybersecurity assessment process with specific controls to mitigate risks. More importantly, you can use the results of the survey to prioritize cybersecurity initiatives and controls going forward.

The following resources can help management and directors of financial institutions understand supervisory expectations, increase awareness of cybersecurity risks, and assess and mitigate the risks facing their institutions. In addition to the "Overview for Chief Executive Officers and Boards of Directors", the FFIEC has released the following documents to assist institutions with the Assessment: the User's Guide (Update May 2017), the Cybersecurity Assessment Tool (Update May 2017), Part 1: Inherent Risk Profile, Part 2: Cybersecurity Maturity, Appendix A: Mapping Baseline Statements to the FFIEC IT Handbook (Update May 2017), Appendix B: Mapping to NIST Cybersecurity Framework, the FFIEC Cybersecurity Assessment Tool Frequently Asked Questions, and the FFIEC Cybersecurity Assessment Tool presentation (slides and video).

Step 1: Read the Overview for Chief Executive Officers and Boards of Directors to gain insights on the benefits to institutions of using the Assessment, the roles of the CEO and Board of Directors, a high-level explanation of the Assessment, and how to support implementation of the Assessment.
Step 2: Read the User's Guide (Update May 2017) to understand all of the different aspects of the Assessment, how the inherent risk profile and cybersecurity maturity relate, and the process for conducting the Assessment.
Complete Part 1: Inherent Risk Profile of the Cybersecurity Assessment Tool.
Step 4: Complete Part 2: Cybersecurity Maturity of the Cybersecurity Assessment Tool (Update May 2017) to determine the institution's cybersecurity maturity levels across each of the five domains.
Refer to the User's Guide for additional explanation of Steps 3, 4, and 5. If management determines that the institution's maturity levels are not appropriate in relation to the inherent risk profile, management should consider reducing inherent risk or developing a strategy to improve the maturity levels.

The FFIEC recently released a long-awaited update to the Cybersecurity Assessment Tool, and we think overall it is a relatively minor but useful evolution. But before we get into the details of what the update does address, it's important to note that it did not address the ambiguity issues that plague the current assessment. The update reflects changes to the FFIEC IT Examination Handbook, specifically the Information Security and Management booklets, and this version also includes updates as suggested by those using the workbook. The most significant change to the CAT is the addition, in 2017, of a choice to answer cybersecurity maturity declarative statements with "Yes With Compensating Controls" (Y (C)), as opposed to the previous "Yes" or "No" (Y/N) option. Selecting "Yes with Compensating Controls" means that an institution has implemented a control or controls that protect an information system in a manner that is comparable or equivalent to a recommended security control within a declarative statement. In practice, this update will allow financial institutions to achieve higher … Watkins' latest Excel workbook includes this functionality.

The FFIEC released a document earlier this month covering some of the most frequently asked questions surrounding the Cybersecurity Assessment Tool, with questions from vendor management to mitigating controls covered in the new document, and it's … While the press release lists the FFIEC CAT, NIST Cybersecurity Profile, Center for Internet Security Controls, and FSSCC Cybersecurity Profile as references to "support institutions in their self-assessment activities," the press release reiterates that "the FFIEC does not endorse any particular tool" and the "tools are not examination programs." These tools include the FFIEC Cybersecurity Assessment Tool, the National Institute of Standards and Technology Cybersecurity Framework, the Financial Services Sector Coordinating Council Cybersecurity Profile, and the Center for Internet Security Critical Security Controls. If all of these FFIEC statements are true, that makes it easier to answer several questions in NIST CSF about the maturity of several inventory practices involving hardware, software, services, and data assets.

The NCUA expects credit unions to have the appropriate procedures in place to anticipate, identify, and mitigate cybersecurity risks. Specific expectations can be found in the body and appendices of Part 748 of NCUA regulations as well as the FFIEC IT Examination Handbooks. However, because of the advanced and increasing trend of cyber threats to … The FFIEC Cybersecurity Assessment Tool should be voluntary for credit unions. CU*Answers agrees with CUNA's review that the Tool has value, but is likely to take far longer than the 80 hours estimated by the FFIEC, and there are significant problems with the Tool itself. Credit unions should review the Tool and determine whether or not there is …

This event focuses on describing the effective components of the FFIEC Cybersecurity Assessment Tool and their usage. You will learn how to use this structured approach to evaluating your needs, provided by the banking regulators. We cover how to evaluate and discuss cybersecurity risk and the maturity of existing controls.

The Information Technology Examination Handbook InfoBase concept was developed by the Task Force on Examiner Education to provide field examiners in financial institution regulatory agencies with a quick source of introductory training and basic information. Paperwork Reduction Act: a federal agency may not conduct or sponsor, and an organization (or person) is not required to respond to, a collection of information unless it displays a currently valid OMB control number.

Written by Shari R. Pogach, Regulatory Paralegal. Last Modified: 04/15/2020 11:10 AM.
The Assessment incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The framework has two focuses.