On June 30, 2015, the Federal Financial Institutions Examination Council released a Cybersecurity Assessment Tool to help institutions identify their risks and assess their cybersecurity preparedness. The overall goal of the Assessment Tool is to provide institutions with a repeatable and measureable process to assess an institution's level of cybersecurity. The Assessment Tool is to be used primarily on an enterprise-wide basis and when introducing new products and services. The Assessment Tool consists of two components: (1) the Inherent Risk Profile; and (2) Cybersecurity Maturity.
The Inherent Risk Profile identifies activities, services, and products and organizes them into categories to determine the type, volume, and complexity of the institution's operations and threats directed at the institution. The categories include:
- Technologies and connection types
- Delivery channels
- Online/mobile products and technology services
- Organizational characteristics, and
- External threats
The institution's management can utilize these categories by inputting various levels of risk for the institution's activities, services, and products within each category. Management can then use those inputs to determine the institution's overall Inherent Risk for each category and determine if a specific category poses additional or significant risk.
After determining the Inherent Risk Profile, the institution will next determine its Cybersecurity Maturity level. This determination is made within five domains:
- Cyber risk management and oversight;
- Threat intelligence and collaboration;
- Cybersecurity controls;
- External dependency management; and
- Cyber incident management and resilience.
Each domain contains contributing components, where management will provide declarative statements indicating a particular maturity level. Management may then combine these statements to determine an overall maturity level.
Once the institution has completed both components of the Assessment Tool, it can review the Inherent Risk Profile in relation to the institution's Cybersecurity Maturity to determine whether the two components are aligned. This allows the institution to determine whether its maturity level is sufficient in relation to the institution's inherent risk profile. With this information, management can then work to either reduce the institution's inherent risk or develop a strategy to improve the institution's cybersecurity maturity level.
In summary, the Assessment Tool provides institutions with a mechanism that can:
- Assess the institution's risk of cyber threats,
- Assess the institution's abilities to combat those risks, and
- Allow management to develop appropriate and efficient strategies to protect the institution from cyber threats.