Understanding the FFIEC Cybersecurity Assessment Tool


FFIEC Cybersecurity Assessment Tool

Overview and Key Considerations

Agenda

Overview of assessment tool

Review inherent risk profile categories

Review Domains 1-5 for cybersecurity maturity

Summary of risk/maturity relationships

Overview of use case performed

Final thoughts Q&A

Overview of FFIEC Cybersecurity Assessment Tool

Benefits to Institutions

Identifying factors contributing to, and determining, the institution's overall cyber risk.

Assessing the institution's cybersecurity preparedness.

Evaluating whether the institution's cybersecurity preparedness is aligned with its risks.

Determining the risk management practices and controls that could be adopted to reach the institution's desired state of cyber preparedness.

Informing risk management strategies.

Not just for Finance!

Don't tune out if you're not in the financial services sector!

Throughout the presentation you will see that risk assessment and preparedness are a major theme in any industry. Feel free to ask questions specific to your company and industry.

Inherent Risk Profile

Inherent Risk Profile Categories

Technologies and Connection Types

Delivery Channels

Online/Mobile Products and Technology Services

Organizational Characteristics

External Threats

Inherent Risk Profile – Risk Levels

Inherent Risk Profile Excerpt

Inherent Risk Profile

Technologies and Connection Types

Internet service providers

Third party connections

Internal vs outsourced hosted systems

Wireless access points

Network devices

EOL Systems

Cloud services

Personal Devices

Inherent Risk Profile

Delivery Channels

Online and mobile products and services delivery channels

ATM operations

Inherent Risk Profile

Online/Mobile Products and Technology Services

Credit and debit cards

P2P payments

ACH

Wire transfers

Wholesale payments

Remote deposit

Treasury and trust

Global remittances

Correspondent banking

Merchant acquiring activities

Inherent Risk Profile

Organizational Characteristics

Mergers and acquisitions

Direct employees and contractors

IT environment

Business presence and locations of operations and data centers

Inherent Risk Profile

Cybersecurity Maturity Assessment

Cybersecurity Maturity Overview

Cybersecurity maturity is evaluated in five domains:

Domain 1 - Cyber Risk Management and Oversight,

Domain 2 - Threat Intelligence and Collaboration,

Domain 3 - Cybersecurity Controls,

Domain 4 - External Dependency Management,

Domain 5 - Cyber Incident Management and Resilience.

Each domain has five levels of maturity: baseline, evolving, intermediate, advanced, and innovative.

Cybersecurity Maturity Domain Coverage

Domain 1

Cyber Risk Management & Oversight

Governance

Risk Management

Resources

Training and Culture

Domain 2

Threat Intelligence and Collaboration

Threat Intelligence

Monitoring and Analyzing

Information Sharing

Domain 3

Cybersecurity Controls

Preventative

• Infrastructure management

• Access and asset management

• Device/endpoint security

• Secure coding practices

Detective

• Threat and vulnerability detection

• Anomalous behavior activity detection

• Event detection

Corrective

• Patch management

• Remediation

Domain 4

External Dependency Management

Connections

• Identifications

• Monitoring

• Management of external connections and data flows to third parties

Relationship

Management

• Due diligence

• Contracts

• Ongoing monitoring

Domain 5

Cyber Incident Management and Resilience

Incident Resilience Planning & Strategy

Detection, Response, & Mitigation

Escalation & Reporting

Risk Maturity Relationship

Risk Maturity Matrix

National Bank Case Study

ABC National Bank Business Profile

Background

 5000+ employees

 1000+ banking locations

 HQ in Central US

 Est. 1967

Banking Operations

 Branch Banking

 Commercial Banking

 Consumer Lending

 Investment Advisors

Current State

 EOL systems still in use, no upgrade plan

 Mobile banking applications and some BYOD

 Previous security incidents -phishing attempts and internal hacking attempts via ATM’s being infected with malware

 IT Security Director has left the Bank

Inherent Risk Score

Inherent Risk Score: 507.69 (Moderate band)

Legend (score bands): <=200 Least; 201-400 Minimal; 401-600 Moderate; 601-800 Significant; 801-1000 Most

Statements per category, counted by the inherent risk level selected (each category is weighted 1):

Category                                        Weight  Statements  Least  Minimal  Moderate  Significant  Most
Technologies and Connection Types                  1        14        0       8         4           2         0
Delivery Channels                                  1         3        0       0         1           2         0
Organizational Characteristics                     1         7        1       0         6           0         0
Online/Mobile Products and Technology Services     1        14        3       3         8           0         0
External Threats                                   1         1        0       0         1           0         0
Totals                                             5        39        4      11        20           4         0
Share of statements                                                 10.26%  28.21%    51.28%      10.26%     0.00%

Cybersecurity Maturity Assessment

Maturity Achieved Against Defined Targets: 81.06% (the average of the five domain percentages below)

For each domain the table shows the Desired Target, the % Achieved, the Maturity Achieved, and for each maturity level the statements achieved out of the statements at that level. % Achieved is the number of statements achieved at or below the target level divided by the number of statements at or below that level. Maturity Achieved is the highest level at which every statement, and every lower level, is met. On the slide, each maturity level's percentage is printed under the inherent risk levels for which that maturity level is expected: Baseline under Least and Minimal; Evolving under Least, Minimal and Moderate; Intermediate under Minimal, Moderate and Significant; Advanced under Moderate, Significant and Most; Innovative under Significant and Most.

Domain 1 - Cyber Risk Management and Oversight: Desired Target Intermediate; 64.89% achieved; Maturity Achieved Baseline
Baseline 31/31 (100.00%), Evolving 23/34 (67.65%), Intermediate 7/29 (24.14%), Advanced 5/32 (15.63%), Innovative 1/15 (6.67%)

Domain 2 - Threat Intelligence and Collaboration: Desired Target Intermediate; 88.46% achieved; Maturity Achieved Evolving
Baseline 7/7 (100.00%), Evolving 8/8 (100.00%), Intermediate 8/11 (72.73%), Advanced 2/11 (18.18%), Innovative 0/8 (0.00%)

Domain 3 - Cybersecurity Controls: Desired Target Intermediate; 80.62% achieved; Maturity Achieved Baseline
Baseline 51/51 (100.00%), Evolving 30/39 (76.92%), Intermediate 23/39 (58.97%), Advanced 5/25 (20.00%), Innovative 2/20 (10.00%)

Domain 4 - External Dependency Management: Desired Target Intermediate; 86.84% achieved; Maturity Achieved Baseline
Baseline 16/16 (100.00%), Evolving 11/13 (84.62%), Intermediate 6/9 (66.67%), Advanced 3/7 (42.86%), Innovative 0/7 (0.00%)

Domain 5 - Cyber Incident Management and Resilience: Desired Target Intermediate; 84.48% achieved; Maturity Achieved Baseline
Advanced 3/15 (20.00%), Innovative 1/10 (10.00%); the Baseline, Evolving and Intermediate counts for this domain are not legible in the extracted table
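The arithmetic behind the two case-study tables above is easy to get wrong by hand, so here it is as an added example (not FFIEC's tool and not the presenter's spreadsheet). It takes the ABC National Bank counts read off the slides as constructed sample data, reproduces the inherent risk shares and the per-domain "% achieved against target" figures, derives the achieved maturity level, and flags domains whose achieved maturity falls below the range expected for the institution's inherent risk level. The risk-to-maturity ranges are an assumption inferred from the columns in which the slide table prints each maturity level's percentage; Domain 5 is omitted because its lower-level counts are not legible in the source.

```python
# Scoring arithmetic of the FFIEC CAT case study, reconstructed from the slide
# tables. Added example, not FFIEC or presenter code; data are the ABC National
# Bank counts read off the slides. Domain 5 is omitted: its Baseline, Evolving
# and Intermediate counts are not legible in the extracted table.
from statistics import mean

MATURITY = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
RISK = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# Inherent risk score bands from the slide legend (upper bound inclusive).
SCORE_BANDS = [(200, "Least"), (400, "Minimal"), (600, "Moderate"), (800, "Significant"), (1000, "Most")]

# Maturity range expected at each inherent risk level. Assumption: inferred from
# the columns in which the slide table prints each maturity level's percentage.
EXPECTED = {"Least": ("Baseline", "Evolving"), "Minimal": ("Baseline", "Intermediate"),
            "Moderate": ("Evolving", "Advanced"), "Significant": ("Intermediate", "Innovative"),
            "Most": ("Advanced", "Innovative")}

# Inherent risk profile: statements per category, counted in RISK order.
INHERENT = {
    "Technologies and Connection Types": (0, 8, 4, 2, 0),
    "Delivery Channels": (0, 0, 1, 2, 0),
    "Organizational Characteristics": (1, 0, 6, 0, 0),
    "Online/Mobile Products and Technology Services": (3, 3, 8, 0, 0),
    "External Threats": (0, 0, 1, 0, 0),
}

# Maturity results per domain: (statements met, statements in level), in MATURITY order.
RESULTS = {
    "Cyber Risk Management and Oversight": [(31, 31), (23, 34), (7, 29), (5, 32), (1, 15)],
    "Threat Intelligence and Collaboration": [(7, 7), (8, 8), (8, 11), (2, 11), (0, 8)],
    "Cybersecurity Controls": [(51, 51), (30, 39), (23, 39), (5, 25), (2, 20)],
    "External Dependency Management": [(16, 16), (11, 13), (6, 9), (3, 7), (0, 7)],
}
TARGET = "Intermediate"  # desired target for every domain in the case study


def pct(num, den):
    return round(100 * num / den, 2)


def score_to_risk_level(score):
    """Map the numeric inherent risk score onto the legend's five bands."""
    for upper, level in SCORE_BANDS:
        if score <= upper:
            return level
    raise ValueError(f"score {score} is outside 0-1000")


def inherent_risk_distribution(categories):
    """Total statements at each risk level and each level's share of all statements."""
    totals = {lvl: sum(row[i] for row in categories.values()) for i, lvl in enumerate(RISK)}
    n = sum(totals.values())
    return totals, {lvl: pct(totals[lvl], n) for lvl in RISK}


def pct_achieved_against_target(domain, target):
    """Statements met at or below the target level, over statements at or below it."""
    rows = domain[: MATURITY.index(target) + 1]
    return pct(sum(met for met, _ in rows), sum(total for _, total in rows))


def maturity_achieved(domain):
    """Highest level at which every statement, and every lower level, is met."""
    achieved = None
    for lvl, (met, total) in zip(MATURITY, domain):
        if met != total:
            break
        achieved = lvl
    return achieved


def expected_levels(risk_level):
    lo, hi = EXPECTED[risk_level]
    return MATURITY[MATURITY.index(lo): MATURITY.index(hi) + 1]


def gap_report(results, risk_level):
    """Domains whose achieved maturity is below the floor expected at this risk level."""
    floor = expected_levels(risk_level)[0]
    gaps = []
    for name, domain in results.items():
        achieved = maturity_achieved(domain)
        if achieved is None or MATURITY.index(achieved) < MATURITY.index(floor):
            gaps.append((name, achieved, floor))
    return gaps


def overall_pct(domain_pcts):
    """The slide's headline 81.06% is the plain average of the five domain percentages."""
    return round(mean(domain_pcts), 2)


if __name__ == "__main__":
    risk = score_to_risk_level(507.69)
    print("inherent risk level:", risk, inherent_risk_distribution(INHERENT)[1])
    for name, domain in RESULTS.items():
        print(f"{name}: {pct_achieved_against_target(domain, TARGET)}% of {TARGET}, "
              f"achieved {maturity_achieved(domain)}")
    for name, achieved, floor in gap_report(RESULTS, risk):
        print(f"gap: {name} is at {achieved}, {floor} expected for {risk} risk")
```

Run as a script it reports the bank as Moderate inherent risk and flags Domains 1, 3 and 4, where only Baseline is fully met although Evolving is the lowest maturity expected at that risk level. Note that the headline percentage hides this: a domain can show 80%+ "achieved against target" while still sitting a full level below where the risk profile says it should be, which is why the gap check compares levels rather than percentages.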

Key Considerations While Using the CAT

Being Innovative in Cybersecurity Maturity

Real-time detection and response

Keep the assessment current as the environment changes

Automated metrics and reporting

Threat analytics that matter

Baseline risk measurement

Not just for Finance!

Other industries can use the tool by adapting the inherent risk profile criteria to fit their own environment.

For example, a healthcare organization could build its inherent risk profile around the nature of the health services provided, the number of devices connected to the network (including medical devices), the number of sensitive patient records, and the number of service locations, as a start.

The same goes for the cybersecurity maturity questionnaire: it can be tailored using the controls from HIPAA, PCI DSS, NIST, or any other standard that applies to your industry.

Questions & Answers
