What is FFIEC Cybersecurity Assessment Tool?

The Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (FFIEC Cybersecurity Assessment Tool) is a repeatable and measurable process that institutions can use to measure their cybersecurity preparedness over time.

Download this free guide

Download: Complete Your Actionable BC/DR Plan in 11 Steps

Download your checklist for completing an actionable business continuity (BC) plan—with this all-in-one, ready-to download PDF containing 7 BC planning mistakes to avoid and 11 steps to ensure sure-fire continuity.

Corporate E-mail Address:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

The tool includes guidance from the FFIEC Information Technology Examination Handbook, plus regulatory guidance and details from other industry standards, including the National Institute of Standards and Technology Cybersecurity Framework.

The FFIEC Cybersecurity Assessment Tool consists of two parts: the Inherent Risk Profile and Cybersecurity Maturity. When both parts have been completed, management can determine if an organization's inherent risk and preparedness are properly aligned.

Inherent Risk Profile

Cybersecurity inherent risk is the level of risk posed to an institution by the following:

Technologies and connection types
Delivery channels
Online/mobile products and technology services
Organizational characteristics
External threats

The inherent risk assessment examines the type, volume and complexity of an institution's operations and the threats directed at that institution. It does not address mitigating controls. Creation of an Inherent Risk Profile describes situations across risk categories with a range from the lowest to highest levels. This process identifies the risks an institution's activities, services and products individually and collectively present to the institution.

Cybersecurity Maturity

Cybersecurity Maturity measures an institution's level of risk and corresponding controls. The ratings range from baseline to innovative. Cybersecurity Maturity examines statements from an institution that describe its behaviors, practices and processes, and support for cybersecurity preparedness within the following five domains:

Cyber risk management and oversight
Threat intelligence and collaboration
Cybersecurity controls
External dependency management
Cyber incident management and resilience

FFIEC Cybersecurity Maturity Domains and Assessment Factors

The institution reviews assessment statements that describe activities supporting factors at each maturity level. Management determines which statements best fit the current practices of the institution. Management can determine the institution's maturity level in each domain, but the FFIEC Cybersecurity Assessment Tool is not designed to identify an overall cybersecurity maturity level.

Once an organization completes the two sections of the FFIEC Cybersecurity Assessment Tool, the next step is to determine the level of alignment between the Inherent Risk Profile and the Cybersecurity Maturity results for each domain (see chart above).

Management can then determine what actions should be taken to reduce risk and achieve the level of cybersecurity maturity desired.

Continue Reading About FFIEC Cybersecurity Assessment Tool

Cybersecurity is an important factor in risk management

BC/DR audit helps protect your business

FFIEC guidance takeaways highlight key security areas

How to interpret and analyze the Cybersecurity Assessment Tool

Detect Web fraud with these top systems

Dig Deeper on Disaster recovery planning - management

Experts say NIST deprecating SMS 2FA is long overdue America's National Institute for Standards and Technology is advising the deprecation of using SMS-based two-factor authentication in order to improve security.

What's wrong with the FFIEC Cybersecurity Assessment Tool? The FFIEC Cybersecurity Assessment Tool has faced harsh criticism since its 2015 release. Expert Mike Chapple reviews the tool and how it can be improved.

Updated FFIEC Business Continuity Planning booklet tips The latest FFIEC BC handbook has made vendor resilience and cyber-resilience auditable issues. Even nonfinancial institutions should incorporate the handbook into their BC plans.

How is the NIST Cybersecurity Framework being received? The NIST Cybersecurity Framework gets mixed reviews, but it could be a good starting point for organizations looking to better manage cybersecurity.

What do organizations need to know about the final FFIEC guidance? The final FFIEC guidance covers a wide range of security subjects, but there are specific takeaways regarding authentication that enterprises should pay attention to.

FFIEC cloud computing risks document: Where's the beef? It seems the Federal Financial Institutions Examination Council could have done a little better with its cloud computing advisory. Earlier this month, the FFIEC issued a statement on outsourced ...

FFIEC Cybersecurity Assessment Tool

Inherent Risk Profile

Cybersecurity Maturity

Continue Reading About FFIEC Cybersecurity Assessment Tool

Dig Deeper on Disaster recovery planning - management

Join the conversation

1 comment

Please create a username to comment.

-ADS BY GOOGLE

File Extensions and File Formats

SearchDataBackup

Challenges with hybrid cloud backup and how to solve them

Major funding, SaaS trends top data backup news in 2019

Create an effective data backup strategy from scratch

SearchStorage

Amazon tech VP lays out ambitious AWS storage vision

Get to know storage-as-a-service providers and their offerings

Quobyte storage brings satellite imagery down to Earth

SearchConvergedInfrastructure

Pivot3, Scale Computing HCI appliances zoom in on AI, edge

How pay-as-you-go hyper-converged hardware pricing works

HCI storage adoption rises as array sales slip

Inherent Risk Profile

Cybersecurity Maturity

Continue Reading About FFIEC Cybersecurity Assessment Tool

Related Terms

Dig Deeper on Disaster recovery planning - management

Join the conversation

1 comment

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.

File Extensions and File Formats