FFIEC Cyber Security Assessment Tool Overview and Key Considerations.
Transcript of FFIEC Cyber Security Assessment Tool Overview and Key Considerations.
FFIEC Cyber Security Assessment Tool: Overview and Key Considerations
Agenda
Overview of assessment tool
Review inherent risk profile categories
Review domains 1-5 for cyber security maturity
Summary of risk/maturity relationships
Overview of use case performed
Final thoughts
Q&A
Overview of FFIEC Cybersecurity Assessment Tool
Benefits to Institutions
Identifying factors contributing to, and determining, the institution's overall cyber risk
Assessing the institution's cybersecurity preparedness
Evaluating whether the institution's cybersecurity preparedness is aligned with its risks
Determining risk management practices and controls that could be adopted to achieve the institution's desired state of cyber preparedness
Informing risk management strategies
Not just for Finance!
Don't tune out if you're not in the financial services sector!
Throughout the presentation you will see that risk assessment and preparedness are a major theme in any industry. Feel free to ask particular questions about your company and industry.
Inherent Risk Profile
Inherent Risk Profile Categories
Technologies and Connection Types
Delivery Channels
Online/Mobile Products and Technology Services
Organizational Characteristics
External Threats
Inherent Risk Profile – Risk Levels
Inherent Risk Profile Excerpt
Technologies and Connection Types
Inherent Risk Profile
Internet service providers
Third party connections
Internal vs outsourced hosted systems
Wireless access points
Network devices
EOL systems
Cloud services
Personal devices
Delivery Channels
Inherent Risk Profile
ATM operations
Online and mobile products and services delivery channels
Online/Mobile Products and Technology Services
Inherent Risk Profile
Credit and debit cards
P2P payments
ACH
Wire transfers
Wholesale payments
Remote deposit
Treasury and trust
Global remittances
Correspondent banking
Merchant acquiring activities
Organizational Characteristics
Inherent Risk Profile
Mergers and acquisitions
Direct employees and contractors
IT environment
Business presence and locations of operations and data centers
Inherent Risk Profile
Cybersecurity Maturity Assessment
Cybersecurity Maturity Overview
Cybersecurity maturity is evaluated in five domains: Domain 1 - Cyber Risk Management and Oversight, Domain 2 - Threat Intelligence and Collaboration, Domain 3 - Cybersecurity Controls, Domain 4 - External Dependency Management, Domain 5 - Cyber Incident Management and Resilience.
Each domain has five levels of maturity: baseline, evolving, intermediate, advanced, and innovative.
Cybersecurity Maturity Domain Coverage
Cyber Risk Management & Oversight
Domain 1
Governance
Risk Management
Resources
Training and Culture
Threat Intelligence and Collaboration
Domain 2
Threat Intelligence
Monitoring and Analyzing
Information Sharing
Cyber Security Controls
Domain 3
Preventative
• Infrastructure management
• Access and asset management
• Device/endpoint security
• Secure coding practices
Detective
• Threat and vulnerability detection
• Anomalous behavior activity detection
• Event detection
Corrective
• Patch management
• Remediation
External Dependency Management
Domain 4
Connections
• Identification
• Monitoring
• Management of external connections and data flows to third parties
Relationship Management
• Due diligence
• Contracts
• Ongoing monitoring
Cyber Incident Management and Response
Domain 5
Incident Resilience Planning & Strategy
Detection, Response, & Mitigation
Escalation & Reporting
Risk Maturity Relationship
Risk Maturity Matrix
National Bank Case Study
ABC National Bank Business Profile
Background
5000+ employees
1000+ banking locations
HQ in Central US
Est. 1967
Banking Operations
Branch Banking
Commercial Banking
Consumer Lending
Investment Advisors
Current State
EOL systems still in use, no upgrade plan
Mobile banking applications and some BYOD
Previous security incidents: phishing attempts and internal hacking attempts via ATMs being infected with malware
IT Security Director has left the Bank
Inherent Risk Score: 507.69

Legend (score bands): <=200, 201-400, 401-600, 601-800, 801-1000

| Category | Weight | Data Points | Least | Minimal | Moderate | Significant | Most |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Technologies and Connection Types | 1 | 14 | 0 | 8 | 4 | 2 | 0 |
| Delivery Channels | 1 | 3 | 0 | 0 | 1 | 2 | 0 |
| Organizational Characteristics | 1 | 7 | 1 | 0 | 6 | 0 | 0 |
| Online/Mobile Products and Technological Services | 1 | 14 | 3 | 3 | 8 | 0 | 0 |
| External Threats | 1 | 1 | 0 | 0 | 1 | 0 | 0 |
| Totals | 5 | 39 | 4 | 11 | 20 | 4 | 0 |
| Share of data points | | | 10.26% | 28.21% | 51.28% | 10.26% | 0.00% |
Cybersecurity Maturity Assessment
Maturity Achieved Against Defined Targets: 81.06%

| Domain | Desired Target | % Achieved | Maturity Level | Achieved | Statements | % at Level |
| --- | --- | --- | --- | --- | --- | --- |
| Cyber Risk Management and Oversight | Intermediate | 64.89% | Innovative | 1 | 15 | 6.67% |
| | | | Advanced | 5 | 32 | 15.63% |
| | | | Intermediate | 7 | 29 | 24.14% |
| | | | Evolving | 23 | 34 | 67.65% |
| | | | Baseline | 31 | 31 | 100.00% |
| Threat Intelligence and Collaboration | Intermediate | 88.46% | Innovative | 0 | 8 | 0.00% |
| | | | Advanced | 2 | 11 | 18.18% |
| | | | Intermediate | 8 | 11 | 72.73% |
| | | | Evolving | 7 | 7 | 100.00% |
| | | | Baseline | 8 | 8 | 100.00% |
| Cyber Security Controls | Intermediate | 80.62% | Innovative | 2 | 20 | 10.00% |
| | | | Advanced | 5 | 25 | 20.00% |
| | | | Intermediate | 23 | 39 | 58.97% |
| | | | Evolving | 30 | 39 | 76.92% |
| | | | Baseline | 51 | 51 | 100.00% |
| External Dependency Management | Intermediate | 86.84% | Innovative | 0 | 7 | 0.00% |
| | | | Advanced | 3 | 7 | 42.86% |
| | | | Intermediate | 6 | 9 | 66.67% |
| | | | Evolving | 11 | 13 | 84.62% |
| | | | Baseline | 16 | 16 | 100.00% |
| Cyber Incident Management and Resilience | Intermediate | 84.48% | Innovative | 1 | 10 | 10.00% |
| | | | Advanced | 3 | 15 | 20.00% |
| | | | Intermediate | 15 | 21 | 71.43% |
| | | | Evolving | 17 | 20 | 85.00% |
| | | | Baseline | 17 | 17 | 100.00% |
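As an added illustration (not from the slides or from the FFIEC tool itself), the Python below reproduces the case study's per-domain and overall maturity figures from the statement counts in the table; the cumulative "Baseline up to the desired target" formula and the unweighted mean across the five domains are inferred from the slide's numbers rather than stated on it, and the gap report lists the unmet statements that stand between each domain and its target.

```python
from decimal import Decimal, ROUND_HALF_UP

# Maturity levels in the order the CAT defines them, lowest first.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
# Constructed from the ABC National Bank case-study slide:
# domain -> level -> (declarative statements achieved, statements at that level).
DOMAINS = {
    "Cyber Risk Management and Oversight": {
        "Baseline": (31, 31), "Evolving": (23, 34), "Intermediate": (7, 29),
        "Advanced": (5, 32), "Innovative": (1, 15)},
    "Threat Intelligence and Collaboration": {
        "Baseline": (8, 8), "Evolving": (7, 7), "Intermediate": (8, 11),
        "Advanced": (2, 11), "Innovative": (0, 8)},
    "Cyber Security Controls": {
        "Baseline": (51, 51), "Evolving": (30, 39), "Intermediate": (23, 39),
        "Advanced": (5, 25), "Innovative": (2, 20)},
    "External Dependency Management": {
        "Baseline": (16, 16), "Evolving": (11, 13), "Intermediate": (6, 9),
        "Advanced": (3, 7), "Innovative": (0, 7)},
    "Cyber Incident Management and Resilience": {
        "Baseline": (17, 17), "Evolving": (17, 20), "Intermediate": (15, 21),
        "Advanced": (3, 15), "Innovative": (1, 10)},
}
# The case study sets the same desired target for every domain.
TARGETS = {name: "Intermediate" for name in DOMAINS}

def pct(num, den):
    """Percentage rounded half-up to two places, spreadsheet-style (so 5/32 -> 15.63)."""
    q = (Decimal(100 * num) / Decimal(den)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    return float(q)

def domain_pct(domain, target):
    """Statements achieved over every level from Baseline up to the target (assumed formula)."""
    wanted = LEVELS[: LEVELS.index(target) + 1]
    achieved = sum(DOMAINS[domain][lvl][0] for lvl in wanted)
    total = sum(DOMAINS[domain][lvl][1] for lvl in wanted)
    return pct(achieved, total)

def overall_pct():
    """Unweighted mean of the five domain percentages (assumed; reproduces the slide's 81.06%)."""
    scores = [Decimal(str(domain_pct(d, TARGETS[d]))) for d in DOMAINS]
    return float((sum(scores) / len(scores)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP))

def gaps(domain, target):
    """Unmet statements per level at or below the target: the work left to reach it."""
    wanted = LEVELS[: LEVELS.index(target) + 1]
    return [(lvl, DOMAINS[domain][lvl][1] - DOMAINS[domain][lvl][0])
            for lvl in wanted if DOMAINS[domain][lvl][1] > DOMAINS[domain][lvl][0]]
```

Note that a domain can show 100% at Baseline and still miss its Intermediate target by a wide margin, which is why the gap list, not the headline percentage, is what an assessor should act on.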
Being Innovative in Cybersecurity Maturity
Key Considerations While Using the CAT
Real time detection and response
Always be updating for changes
Automatic metrics and reporting
Threat analytics that matter
Baseline risk measurement
Not just for Finance!
Industries can adapt the tool to their own inherent risk profile by changing the criteria to those that best fit them.
For example, healthcare can tailor its inherent risk profile based on the nature of the health services provided, the number of devices connected to the network including medical devices, the number of sensitive patient files, and the number of medical service locations, as a start.
The same goes for the cybersecurity maturity assessment questionnaire: you can tailor the questionnaire using the controls from HIPAA, PCI, NIST, and any other standard that pertains to your industry.
Questions & Answers