What is FFIEC Cybersecurity Assessment Tool?

The Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (FFIEC Cybersecurity Assessment Tool) is a repeatable and measurable process that institutions can use to measure their cybersecurity preparedness over time.

The tool includes guidance from the FFIEC Information Technology Examination Handbook, plus regulatory guidance and details from other industry standards, including the National Institute of Standards and Technology Cybersecurity Framework.

Content Continues Below

Download this free guide

Download: Complete Your Actionable BC/DR Plan in 11 Steps

Download your checklist for completing an actionable business continuity (BC) plan—with this all-in-one, ready-to download PDF containing 7 BC planning mistakes to avoid and 11 steps to ensure sure-fire continuity.

Corporate E-mail Address:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

The FFIEC Cybersecurity Assessment Tool consists of two parts: the Inherent Risk Profile and Cybersecurity Maturity. When both parts have been completed, management can determine if an organization's inherent risk and preparedness are properly aligned.

Inherent Risk Profile

Cybersecurity inherent risk is the level of risk posed to an institution by the following:

Technologies and connection types
Delivery channels
Online/mobile products and technology services
Organizational characteristics
External threats

The inherent risk assessment examines the type, volume and complexity of an institution's operations and the threats directed at that institution. It does not address mitigating controls. Creation of an Inherent Risk Profile describes situations across risk categories with a range from the lowest to highest levels. This process identifies the risks an institution's activities, services and products individually and collectively present to the institution.

Cybersecurity Maturity

Cybersecurity Maturity measures an institution's level of risk and corresponding controls. The ratings range from baseline to innovative. Cybersecurity Maturity examines statements from an institution that describe its behaviors, practices and processes, and support for cybersecurity preparedness within the following five domains:

Cyber risk management and oversight
Threat intelligence and collaboration
Cybersecurity controls
External dependency management
Cyber incident management and resilience

FFIEC Cybersecurity Maturity Domains and Assessment Factors

The institution reviews assessment statements that describe activities supporting factors at each maturity level. Management determines which statements best fit the current practices of the institution. Management can determine the institution's maturity level in each domain, but the FFIEC Cybersecurity Assessment Tool is not designed to identify an overall cybersecurity maturity level.

Once an organization completes the two sections of the FFIEC Cybersecurity Assessment Tool, the next step is to determine the level of alignment between the Inherent Risk Profile and the Cybersecurity Maturity results for each domain (see chart above).

Management can then determine what actions should be taken to reduce risk and achieve the level of cybersecurity maturity desired.

Continue Reading About FFIEC Cybersecurity Assessment Tool

Cybersecurity is an important factor in risk management

BC/DR audit helps protect your business

FFIEC guidance takeaways highlight key security areas

How to interpret and analyze the Cybersecurity Assessment Tool

Detect Web fraud with these top systems

FFIEC Cybersecurity Assessment Tool

Inherent Risk Profile

Cybersecurity Maturity

Continue Reading About FFIEC Cybersecurity Assessment Tool

Dig Deeper on Disaster recovery planning - management

Balance fraud compliance and prevention with these tips

Experts say NIST deprecating SMS 2FA is long overdue

What's wrong with the FFIEC Cybersecurity Assessment Tool?

Updated FFIEC Business Continuity Planning booklet tips

Join the conversation

1 comment

Please create a username to comment.

-ADS BY GOOGLE

File Extensions and File Formats

SearchDataBackup

Backup and recovery Magic Quadrant shows cloud significance

Overcome common cloud backup security issues in remote work

IMT Software cracks open SoDA data management

SearchStorage

5 critical capabilities for multi-cloud data management

Panasas storage revs up parallelization for HPC workloads

Qumulo cloud approach gang-tackles file-to-object conversion

SearchConvergedInfrastructure

5 hyper-converged infrastructure trends analysts predict for 2023

What is HPE GreenLake and how does it work?

Pivot3 Acuity streamlines streaming video with automation

Inherent Risk Profile

Cybersecurity Maturity

Continue Reading About FFIEC Cybersecurity Assessment Tool

Related Terms

Dig Deeper on Disaster recovery planning - management

Balance fraud compliance and prevention with these tips

Experts say NIST deprecating SMS 2FA is long overdue

What's wrong with the FFIEC Cybersecurity Assessment Tool?

Updated FFIEC Business Continuity Planning booklet tips

Join the conversation

1 comment

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.

File Extensions and File Formats