The Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (FFIEC Cybersecurity Assessment Tool) is a repeatable and measurable process that institutions can use to measure their cybersecurity preparedness over time.
The tool includes guidance from the FFIEC Information Technology Examination Handbook, plus regulatory guidance and details from other industry standards, including the National Institute of Standards and Technology Cybersecurity Framework.
The FFIEC Cybersecurity Assessment Tool consists of two parts: the Inherent Risk Profile and Cybersecurity Maturity. When both parts have been completed, management can determine if an organization's inherent risk and preparedness are properly aligned.
Inherent Risk Profile
Cybersecurity inherent risk is the level of risk posed to an institution by the following:
- Technologies and connection types
- Delivery channels
- Online/mobile products and technology services
- Organizational characteristics
- External threats
The inherent risk assessment examines the type, volume and complexity of an institution's operations and the threats directed at that institution. It does not address mitigating controls. The resulting Inherent Risk Profile describes the institution's activities in each risk category on a scale from the lowest to the highest level of risk. This process identifies the risks that an institution's activities, services and products present to the institution, both individually and collectively.
Cybersecurity Maturity
Cybersecurity Maturity measures an institution's level of risk and corresponding controls. The ratings range from baseline to innovative. Cybersecurity Maturity examines statements from an institution that describe its behaviors, practices and processes, and its support for cybersecurity preparedness, within the following five domains:
- Cyber risk management and oversight
- Threat intelligence and collaboration
- Cybersecurity controls
- External dependency management
- Cyber incident management and resilience
The institution reviews assessment statements that describe activities supporting factors at each maturity level. Management determines which statements best fit the current practices of the institution. Management can determine the institution's maturity level in each domain, but the FFIEC Cybersecurity Assessment Tool is not designed to identify an overall cybersecurity maturity level.
Once an organization completes both parts of the FFIEC Cybersecurity Assessment Tool, the next step is to determine the level of alignment between the Inherent Risk Profile and the Cybersecurity Maturity results for each domain (see chart above).
Management can then determine what actions should be taken to reduce risk and achieve the desired level of cybersecurity maturity.