January 25, 2017 by

FFIEC Cybersecurity Assessment Tool Maturity Level

The Cybersecurity Assessment Tool (the Assessment) was issued by the Federal Financial Institutions Examination Council (FFIEC) for its member institutions. The tool is designed for banking institutions and is used to evaluate a bank’s inherent risk and cybersecurity readiness. It gives institutions a repeatable process for measuring their cybersecurity readiness over time. The Assessment consists of two parts: the Inherent Risk Profile and Cybersecurity Maturity.

Cybersecurity Maturity is designed to measure a banking institution’s level of risk and the corresponding controls. Cybersecurity Maturity consists of five levels of maturity: Baseline, Evolving, Intermediate, Advanced, and Innovative. It covers five domains used to determine whether the institution’s behaviors, practices, and processes can support cybersecurity preparedness. The five domains are Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience.

Domain 1: Cyber Risk Management and Oversight: Addresses the board of directors’ oversight and management’s development and implementation of an effective enterprise-wide cybersecurity program. The assessment factors focus on Governance, Risk Management, Resources, and Training and Culture.

Domain 2: Threat Intelligence and Collaboration: The processes used to effectively discover, analyze, and understand threats, together with the ability to share that information internally. The assessment factors include Threat Intelligence, Monitoring and Analyzing, and Information Sharing.

Domain 3: Cybersecurity Controls: The practices and processes used to protect assets, infrastructure, and information by reinforcing the institution’s defenses through continuous protection and monitoring. Assessment factors target Preventative Controls, Detective Controls, and Corrective Controls.

Domain 4: External Dependency Management: Establishes and maintains a comprehensive program to oversee external connections and third-party dependencies that have access to the bank’s assets and information. The assessment factors focus on Connections and Relationship Management.

Domain 5: Cyber Incident Management and Resilience: Establishes processes to identify and analyze cyber events, prioritize the institution’s containment efforts, and escalate information to stakeholders. Cyber resilience involves planning and testing to maintain and recover ongoing operations. Assessment factors include Incident Resilience Planning and Strategy, Detection, Response, and Mitigation, and Escalation and Reporting.

Each domain starts at the Baseline maturity level and progresses through the levels up to Innovative.

Baseline: At this level, management reviews and evaluates guidelines and the institution meets the minimum expectations required by law and regulation.

Evolving: At this level, additional procedures and policies are set with risk-driven objectives. Cybersecurity coverage is expanded to include information assets and systems.

Intermediate: At this level, detailed, formal processes are in place, controls are applied consistently, and risk management is integrated into business strategies.

Advanced: Cybersecurity practices and analytics are integrated across all lines of business. There is also continuous improvement of the risk-management processes.

Innovative: The institution drives innovation in its people, processes, and technology for managing cyber risks, such as developing new tools, new controls, or new information-sharing groups.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
