Fill - Free fillable 5P1d ITS FFIEC CAT-Assess P-60 March 2018 PDF form

Paperwork Reduction Act (PRA) – OMB Control No. 1557-0328; Expiration date: August 31, 2019

The above OMB Control Number and expiration date pertain to a requirement of the Paperwork Reduction

Act and its implementing regulation that a federal agency may not conduct or sponsor, and a person (or

organization) is not required to respond to, a collection of information unless it displays a currently valid

OMB control number and, if appropriate, an expiration date. See 44 USC 3506(c)(1)(B) and 5 CFR

1320.5(b)(2)(i), 1320.8(b)(1).

FFIEC

Cybersecurity Assessment Tool

June 2015

FFIEC Cybersecurity Assessment Tool Contents

June 2015 i

Contents

Contents ........................................................................................................................................... i

User’s Guide ................................................................................................................................... 1

Overview ..................................................................................................................................... 1

Background ................................................................................................................................. 2

Completing the Assessment ........................................................................................................ 2

Part One: Inherent Risk Profile ............................................................................................... 3

Part Two: Cybersecurity Maturity .......................................................................................... 5

Interpreting and Analyzing Assessment Results..................................................................... 8

Resources .................................................................................................................................. 10

Inherent Risk Profile ..................................................................................................................... 11

Cybersecurity Maturity ................................................................................................................. 19

Domain 1: Cyber Risk Management and Oversight ................................................................. 19

Domain 2: Threat Intelligence and Collaboration .................................................................... 30

Domain 3: Cybersecurity Controls ........................................................................................... 34

Domain 4: External Dependency Management ........................................................................ 47

Domain 5: Cyber Incident Management and Resilience .......................................................... 51

Additional Resources

Overview for Chief Executive Officers and Boards of Directors

Appendix A: Mapping Baseline Statements to FFIEC IT Examination Handbook

Appendix B: Mapping Cybersecurity Assessment Tool to NIST Cybersecurity Framework

Appendix C: Glossary

FFIEC Cybersecurity Assessment Tool User’s Guide

June 2015 1

User’s Guide

Overview

In light of the increasing volume and sophistication of cyber threats, the Federal Financial

Institutions Examination Council

1

(FFIEC) developed the Cybersecurity Assessment Tool

(Assessment), on behalf of its members, to help institutions identify their risks and determine

their cybersecurity maturity.

The content of the Assessment is consistent with the principles of the FFIEC Information

Technology Examination Handbook (IT Handbook) and the National Institute of Standards and

Technology (NIST) Cybersecurity Framework,

2

as well as industry accepted cybersecurity

practices. The Assessment provides institutions with a repeatable and measureable process to

inform management of their institution’s risks and cybersecurity preparedness.

The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. The

Inherent Risk Profile identifies the institution’s inherent risk before implementing controls. The

Cybersecurity Maturity includes domains, assessment factors, components, and individual

declarative statements across five maturity levels to identify specific controls and practices that

are in place. While management can determine the institution’s maturity level in each domain,

the Assessment is not designed to identify an overall cybersecurity maturity level.

To complete the Assessment, management first assesses the institution’s inherent risk profile

based on five categories:

• Technologies and Connection Types

• Delivery Channels

• Online/Mobile Products and Technology Services

• Organizational Characteristics

• External Threats

Management then evaluates the institution’s Cybersecurity Maturity level for each of five

domains:

• Cyber Risk Management and Oversight

• Threat Intelligence and Collaboration

• Cybersecurity Controls

• External Dependency Management

• Cyber Incident Management and Resilience

1

The FFIEC comprises the principals of the following: The Board of Governors of the Federal Reserve System,

Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the

Currency, Consumer Financial Protection Bureau, and State Liaison Committee.

2

A mapping is available in Appendix B: Mapping Cybersecurity Assessment Tool to the NIST Cybersecurity

Framework. NIST reviewed and provided input on the mapping to ensure consistency with Framework principles

and to highlight the complementary nature of the two resources.

FFIEC Cybersecurity Assessment Tool User’s Guide

June 2015 2

By reviewing both the institution’s inherent risk profile and maturity levels across the domains,

management can determine whether its maturity levels are appropriate in relation to its risk. If

not, the institution may take action either to reduce the level of risk or to increase the levels of

maturity. This process is intended to complement, not replace, an institution’s risk management

process and cybersecurity program.

Background

The Assessment is based on the cybersecurity assessment that the FFIEC members piloted in

2014, which was designed to evaluate community institutions’ preparedness to mitigate cyber

risks. NIST defines cybersecurity as “the process of protecting information by preventing,

detecting, and responding to attacks.” As part of cybersecurity, institutions should consider

managing internal and external threats and vulnerabilities to protect infrastructure and

information assets. The definition builds on information security as defined in FFIEC guidance.

Cyber incidents can have financial, operational, legal, and reputational impact. Recent high-

profile cyber attacks demonstrate that cyber incidents can significantly affect capital and

earnings. Costs may include forensic investigations, public relations campaigns, legal fees,

consumer credit monitoring, and technology changes. As such, cybersecurity needs to be

integrated throughout an institution as part of enterprise-wide governance processes, information

security, business continuity, and third-party risk management. For example, an institution’s

cybersecurity policies may be incorporated within the information security program. In addition,

cybersecurity roles and processes referred to in the Assessment may be separate roles within the

security group (or outsourced) or may be part of broader roles across the institution.

Completing the Assessment

The Assessment is designed to provide a measurable and repeatable process to assess an

institution’s level of cybersecurity risk and preparedness. Part one of this Assessment is the

Inherent Risk Profile, which identifies an institution’s inherent risk relevant to cyber risks. Part

two is the Cybersecurity Maturity, which determines an institution’s current state of

cybersecurity preparedness represented by maturity levels across five domains. For this

Assessment to be an effective risk management tool, an institution may want to complete it

periodically and as significant operational and technological changes occur.

Cyber risk programs build upon and align existing information security, business continuity, and

disaster recovery programs. The Assessment is intended to be used primarily on an enterprise-

wide basis and when introducing new products and services as follows:

• Enterprise-wide. Management may review the Inherent Risk Profile and the declarative

statements to understand which policies, procedures, processes, and controls are in place

enterprise-wide and where gaps may exist. Following this review, management can

determine appropriate maturity levels for the institution in each domain or the target state for

Cybersecurity Maturity. Management can then develop action plans for achieving the target

state.

• New products, services, or initiatives. Using the Assessment before launching a new

product, service, or initiative can help management understand how these might affect the

institution’s inherent risk profile and resulting desired maturity levels.

FFIEC Cybersecurity Assessment Tool User’s Guide

June 2015 3

Part One: Inherent Risk Profile

Part one of the Assessment identifies the institution’s inherent risk. The Inherent Risk Profile

identifies activities, services, and products organized in the following categories:

• Technologies and Connection Types. Certain types of connections and technologies may

pose a higher inherent risk depending on the complexity and maturity, connections, and

nature of the specific technology products or services. This category includes the number of

Internet service provider (ISP) and third-party connections, whether systems are hosted

internally or outsourced, the number of unsecured connections, the use of wireless access,

volume of network devices, end-of-life systems, extent of cloud services, and use of personal

devices.

• Delivery Channels. Various delivery channels for products and services may pose a higher

inherent risk depending on the nature of the specific product or service offered. Inherent risk

increases as the variety and number of delivery channels increases. This category addresses

whether products and services are available through online and mobile delivery channels and

the extent of automated teller machine (ATM) operations.

• Online/Mobile Products and Technology Services. Different products and technology

services offered by institutions may pose a higher inherent risk depending on the nature of

the specific product or service offered. This category includes various payment services, such

as debit and credit cards, person-to-person payments, originating automated clearing house

(ACH), retail wire transfers, wholesale payments, merchant remote deposit capture, treasury

services and clients and trust services, global remittances, correspondent banking, and

merchant acquiring activities. This category also includes consideration of whether the

institution provides technology services to other organizations.

• Organizational Characteristics. This category considers organizational characteristics, such

as mergers and acquisitions, number of direct employees and cybersecurity contractors,

changes in security staffing, the number of users with privileged access, changes in

information technology (IT) environment, locations of business presence, and locations of

operations and data centers.

• External Threats. The volume and type of attacks (attempted or successful) affect an

institution’s inherent risk exposure. This category considers the volume and sophistication of

the attacks targeting the institution.

Risk Levels

Risk Levels incorporate the type, volume, and complexity of the institution’s operations and

threats directed at the institution. Inherent risk does not include mitigating controls.

FFIEC Cybersecurity Assessment Tool User’s Guide

June 2015 4

Select the most appropriate inherent risk level for each activity, service, or product within each

category. The levels range from Least Inherent Risk to Most Inherent Risk (Figure 1) and

incorporate a wide range of descriptions. The risk levels provide parameters for determining the

inherent risk for each category. These parameters are not intended to be rigid but rather

instructive to assist with assessing a risk level within each activity, service, or product. For

situations where the risk level falls between two levels, management should select the higher risk

level.

Figure 1: Inherent Risk Profile Layout

Category: Technologies and

Connection Types

Risk Levels

Least Minimal Moderate Significant Most

Total number of Internet service provider

(ISP) connections (including branch

connections)

No connections Minimal complexity (1–

20 connections)

Moderate complexity

(21–100 connections)

Significant complexity

(101–200 connections)

Substantial complexity

(>200 connections)

Unsecured external connections, number

of connections not users (e.g., file transfer

protocol (FTP), Telnet, rlogin)

None Few instances of

unsecured

connections (1–5)

Several instances of

unsecured connections

(6–10)

Significant instances of

unsecured connections

(11–25)

Substantial instances of

unsecured connections

(>25)

Wireless network access No wireless access Separate access

points for guest

wireless and corporate

wireless

Guest and corporate

wireless network access

are logically separated;

limited number of users

and access points (1–

250 users; 1–25 access

points)

Wireless corporate

network access;

significant number of

users and access points

(251–1,000 users; 26–

100 access points)

Wireless corporate

network access; all

employees have

access; substantial

number of access

points (>1,000 users;

>100 access points)

Determine Inherent Risk Profile

Management can determine the institution’s overall Inherent Risk Profile based on the number of

applicable statements in each risk level for all activities (Figure 2). For example, when a majority

of activities, products, or services fall within the Moderate Risk Level, management may

determine that the institution has a Moderate Inherent Risk Profile. Each category may, however,

pose a different level of inherent risk. Therefore, in addition to evaluating the number of

instances that an institution selects for a specific risk level, management may also consider

evaluating whether the specific category poses additional risk.

Figure 2: Inherent Risk Summary

Risk Levels

Least Minimal Moderate Significant Most

Number of Statements Selected in Each

Risk Level

Based on Individual Risk Levels

Selected, Assign an Inherent Risk Profile

Least Minimal Moderate Significant Most

The following includes definitions of risk levels.

• Least Inherent Risk. An institution with a Least Inherent Risk Profile generally has very

limited use of technology. It has few computers, applications, systems, and no connections.

The variety of products and services are limited. The institution has a small geographic

footprint and few employees.

• Minimal Inherent Risk. An institution with a Minimal Inherent Risk Profile generally has

limited complexity in terms of the technology it uses. It offers a limited variety of less risky

products and services. The institution’s mission-critical systems are outsourced. The

institution primarily uses established technologies. It maintains a few types of connections to

customers and third parties with limited complexity.

• Moderate Inherent Risk. An institution with a Moderate Inherent Risk Profile generally

uses technology that may be somewhat complex in terms of volume and sophistication. The

Risk Levels

Activity,

Service, or

Product

FFIEC Cybersecurity Assessment Tool User’s Guide

June 2015 5

institution may outsource mission-critical systems and applications and may support

elements internally. There is a greater variety of products and services offered through

diverse channels.

• Significant Inherent Risk. An institution with a Significant Inherent Risk Profile generally

uses complex technology in terms of scope and sophistication. The institution offers high-

risk products and services that may include emerging technologies. The institution may host

a significant number of applications internally. The institution allows either a large number

of personal devices or a large variety of device types. The institution maintains a substantial

number of connections to customers and third parties. A variety of payment services are

offered directly rather than through a third party and may reflect a significant level of

transaction volume.

• Most Inherent Risk. An institution with a Most Inherent Risk Profile uses extremely

complex technologies to deliver myriad products and services. Many of the products and

services are at the highest level of risk, including those offered to other organizations. New

and emerging technologies are utilized across multiple delivery channels. The institution may

outsource some mission-critical systems or applications, but many are hosted internally. The

institution maintains a large number of connection types to transfer data with customers and

third parties.

Part Two: Cybersecurity Maturity

After determining the Inherent Risk Profile, the institution transitions to the Cybersecurity

Maturity part of the Assessment to determine the institution’s maturity level within each of the

following five domains:

• Domain 1: Cyber Risk Management and Oversight

• Domain 2: Threat Intelligence and Collaboration

• Domain 3: Cybersecurity Controls

• Domain 4: External Dependency Management

• Domain 5: Cyber Incident Management and Resilience

Domains, Assessment Factors, Components, and Declarative Statements

Within each domain are assessment factors and contributing components. Under each

component, there are declarative statements describing an activity that supports the assessment

factor at that level of maturity. Table 1 provides definitions for each domain and the underlying

assessment factors.

FFIEC Cybersecurity Assessment Tool User’s Guide

June 2015 6

Table 1: Domains and Assessment Factors Defined

Domains and Assessment Factors Defined

Domain 1

Cyber Risk Management and Oversight

Cyber risk management and oversight addresses the board of directors’ (board’s) oversight and management’s

development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies

and procedures for establishing appropriate accountability and oversight.

Assessment

Factors

Governance

includes oversight, strategies, policies, and IT asset management to implement an

effective governance of the cybersecurity program.

Risk Management includes a risk management program, risk assessment process, and audit

function to effectively manage risk and assess the effectiveness of key controls.

Resources include staffing, tools, and budgeting processes to ensure the institution’s staff or

external resources have knowledge and experience commensurate with the institution’s risk profile.

Training and Culture includes the employee training and customer awareness programs

contributing to an organizational culture that emphasizes the mitigation of cybersecurity threats.

Domain 2

Threat Intelligence and Collaboration

Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber

threats, with the capability to share information internally and with appropriate third parties.

Assessment

Factors

Threat Intelligence refers to the acquisition and analysis of information to identify, track, and

predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision

making.

Monitoring and Analyzing refers to how an institution monitors threat sources and what analysis

may be performed to identify threats that are specific to the institution or to resolve conflicts in the

different threat intelligence streams.

Information Sharing encompasses establishing relationships with peers and information-sharing

forums and how threat information is communicated to those groups as well as internal

stakeholders.

Domain 3

Cybersecurity Controls

Cybersecurity controls are the practices and processes used to protect assets, infrastructure, and information by

strengthening the institution’s defensive posture through continuous, automated protection and monitoring.

Assessment

Factors

Preventative Controls deter and prevent cyber attacks and include infrastructure management,

access management, device and end-point security, and secure coding.

Detective Controls include threat and vulnerability detection, anomalous activity detection, and

event detection, may alert the institution to network and system irregularities that indicate an

incident has or may occur.

Corrective Controls are utilized to resolve system and software vulnerabilities through patch

management and remediation of issues identified during vulnerability scans and penetration testing.

Domain 4

External Dependency Management

External dependency management involves establishing and maintaining a comprehensive program to oversee and

manage external connections and third-party relationships with access to the institution’s technology assets and

information.

Assessment

Factors

Connections incorporate the identification, monitoring, and management of external connections

and data flows to third parties.

Relationship Management includes due diligence, contracts, and ongoing monitoring to help

ensure controls complement the institution’s cybersecurity program.

FFIEC Cybersecurity Assessment Tool User’s Guide

June 2015 7

Domain 5

Cyber Incident Management and Resilience

Cyber incident management includes establishing, identifying, and analyzing cyber events; prioritizing the

institution’s containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience

encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber

incident.

Assessment

Factors

Incident Resilience Planning & Strategy

incorporates resilience planning and testing into existing

business continuity and disaster recovery plans to minimize service disruptions and the destruction

or corruption of data.

Detection, Response, & Mitigation refers to the steps management takes to identify, prioritize,

respond to, and mitigate the effects of internal and external threats and vulnerabilities.

Escalation & Reporting ensures key stakeholders are informed about the impact of cyber

incidents, and regulators, law enforcement, and customers are notified as required.

Each maturity level includes a set of declarative

statements that describe how the behaviors,

practices, and processes of an institution can

consistently produce the desired outcomes.

The Assessment starts at the Baseline maturity

level and progresses to the highest maturity, the

Innovative level (Figure 3). Table 2 provides

definitions for each of the maturity levels, which

are cumulative.

Table 2: Maturity Levels Defined

Maturity Levels Defined

Baseline

Baseline maturity is characterized by minimum expectations required by law and regulations or

recommended in supervisory guidance. This level includes compliance-driven objectives.

Management has reviewed and evaluated guidance.

Evolving

Evolving maturity is characterized by additional formality of documented procedures and policies

that are not already required. Risk-driven objectives are in place. Accountability for cybersecurity is

formally assigned and broadened beyond protection of customer information to incorporate

information assets and systems.

Intermediate

Intermediate maturity is characterized by detailed, formal processes. Controls are validated and

consistent. Risk-management practices and analysis are integrated into business strategies.

Advanced

Advanced maturity is characterized by cybersecurity practices and analytics that are integrated

across lines of business. Majority of risk-management processes are automated and include

continuous process improvement. Accountability for risk decisions by frontline businesses is

formally assigned.

Innovative

Innovative maturity is characterized by driving innovation in people, processes, and technology for

the institution and the industry to manage cyber risks. This may entail developing new controls, new

tools, or creating new information-sharing groups. Real-time, predictive analytics are tied to

automated responses.

Figure 3: Cybersecurity Maturity Levels

Innovative

Advanced

Intermediate

Evolving

Baseline

FFIEC Cybersecurity Assessment Tool User’s Guide

June 2015 8

Completing the Cybersecurity Maturity

Each domain and maturity level has a set of declarative statements organized by assessment

factor. To assist the institution’s ability to follow common themes across maturity levels,

statements are categorized by components. The components are groups of similar declarative

statements to make the Assessment easier to use (Figure 4).

Figure 4: Cybersecurity Maturity

Domain 1: Cyber Risk Management and Oversight

Assessment Factor: Governance

Y, N

OVERSIGHT

Baseline

Designated members of management are held accountable by the board or an appropriate board committee for implementing and

managing the information security and business continuity programs. (FFIEC Information Security Booklet, page 3)

Information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory

alerts. (FFIEC Information Security Booklet

, page 6)

Management provides a written report on the overall status of the information security and business continuity programs to the

board or an appropriate board committee at least annually. (FFIEC Information Security Booklet

, page 5)

The budgeting process includes information security related expenses and tools. (FFIEC E-Banking Booklet, page 20)

Management considers the risks posed by other critical infrastructures (e.g., telecommunications, energy) to the institution. (FFIEC

Business Continuity Planning Booklet, page J-12)

Evolving

At least annually, the board or an appropriate board committee reviews and approves the institution’s cybersecurity program.

Management is responsible for ensuring compliance with legal and regulatory requirements related to cybersecurity.

Cybersecurity tools and staff are requested through the budget process.

There is a process to formally discuss and estimate potential expenses associated with cybersecurity incidents as part of the

budgeting process.

Management determines which declarative statements best fit the current practices of the

institution. All declarative statements in each maturity level, and previous levels, must be

attained and sustained to achieve that domain’s maturity level. While management can

determine the institution’s maturity level in each domain, the Assessment is not designed to

identify an overall cybersecurity maturity level.

Management may determine that a declarative statement has been sufficiently sustained based on

proven results. Certain declarative statements may not apply to all institutions if the product,

service, or technology is not offered or used. Declarative statements that may not be applicable

to all institutions are clearly designated and would not affect the determination of the specific

maturity level.

Interpreting and Analyzing Assessment Results

Management can review the institution’s Inherent Risk Profile in relation to its Cybersecurity

Maturity results for each domain to understand whether they are aligned.

Table 3 depicts the relationship between an institution’s Inherent Risk Profile and its domain

Maturity Levels, as there is no single expected level for an institution. In general, as inherent risk

rises, an institution’s maturity levels should increase. An institution’s inherent risk profile and

maturity levels will change over time as threats, vulnerabilities, and operational environments

change. Thus, management should consider reevaluating its inherent risk profile and

cybersecurity maturity periodically and when planned changes can affect its inherent risk profile

(e.g., launching new products or services, new connections).

Maturity

Level

Domain

Assessment

Factor

Declarative

Statement

Component

FFIEC Cybersecurity Assessment Tool User’s Guide

June 2015 9

Table 3: Risk/Maturity Relationship

Inherent Risk Levels

Least Minimal Moderate Significant Most

Cybersecurity Maturity Level for Each

Domain

Innovative

Advanced

Intermediate

Evolving

Baseline

If management determines that the institution’s maturity levels are not appropriate in relation to

the inherent risk profile, management should consider reducing inherent risk or developing a

strategy to improve the maturity levels. This process includes

• determining target maturity levels.

• conducting a gap analysis.

• prioritizing and planning actions.

• implementing changes.

• reevaluating over time.

• communicating the results.

Management can set target maturity levels for each domain or across domains based on the

institution’s business objectives and risk appetite. Management can conduct a gap analysis

between the current and target maturity levels and initiate improvements based on the gaps. Each

declarative statement can represent a range of strategies and processes that have enterprise-wide

impact. For example, declarative statements not yet attained provide insights for policies,

processes, procedures, and controls that may improve risk management in relation to a specific

risk or the institution’s overall cybersecurity preparedness.

Using the maturity levels in each domain, management can identify potential actions that would

increase the institution’s overall cybersecurity preparedness. Management can review declarative

statements at maturity levels beyond what the institution has achieved to determine the actions

needed to reach the next level and implement changes to address gaps. Management’s periodic

reevaluations of the inherent risk profile and maturity levels may further assist the institution in

maintaining an appropriate level of cybersecurity preparedness. In addition, management may

also seek an independent validation, such as by the internal audit function, of the institution’s

Assessment process and findings.

FFIEC Cybersecurity Assessment Tool User’s Guide

June 2015 10

The Assessment results should be communicated to the chief executive officer (CEO) and board.

More information and questions to consider are contained in the “Overview for Chief Executive

Officers and Boards of Directors.”

Resources

In addition to the “Overview for Chief Executive Officers and Boards of Directors,” the FFIEC

has released the following documents to assist institutions with the Cybersecurity Assessment

Tool.

• Appendix A: Mapping Baseline Statements to FFIEC IT Examination Handbook

• Appendix B: Mapping Cybersecurity Assessment Tool to NIST Cybersecurity Framework

• Appendix C: Glossary

FFIEC Cybersecurity Assessment Tool Inherent Risk Profile

June 2015 11

Inherent Risk Profile

Category: Technologies and

Connection Types

Risk Levels

Least Minimal Moderate Significant Most

Total number of Internet service

provider (ISP) connections (including

branch connections)

No connections Minimal complexity

(1–20 connections)

Moderate complexity

(21–100 connections)

Significant

complexity (101–200

connections)

Substantial complexity

(>200 connections)

Unsecured external connections,

number of connections not users

(e.g., file transfer protocol (FTP),

Telnet, rlogin)

None Few instances of

unsecured

connections (1–5)

Several instances of

unsecured

connections (6–10)

Significant instances

of unsecured

connections (11–25)

Substantial instances of

unsecured connections

(>25)

Wireless network access No wireless access Separate access

points for guest

wireless and

corporate wireless

Guest and corporate

wireless network

access are logically

separated; limited

number of users and

access points (1–250

users; 1–25 access

points)

Wireless corporate

network access;

significant number of

users and access

points (251–1,000

users; 26–100

access points)

Wireless corporate

network access; all

employees have access;

substantial number of

access points (>1,000

users; >100 access

points)

Personal devices allowed to connect

to the corporate network

None Only one device type

available; available

to <5% of

employees

(staff, executives,

managers); e-mail

access only

Multiple device types

used; available to

<10% of employees

(staff, executives,

managers) and

board; e-mail access

only

Multiple device types

used; available to

<25% of authorized

employees (staff,

executives,

managers) and

board; e-mail and

some applications

accessed

Any device type used;

available to >25% of

employees (staff,

executives, managers)

and board; all

applications accessed

Third parties, including number of

organizations and number of

individuals from vendors and

subcontractors, with access to

internal systems (e.g., virtual private

network, modem, intranet, direct

connection)

No third parties and

no individuals from

third parties with

access to systems

Limited number of

third parties (1–5)

and limited number

of individuals from

third parties (<50)

with access; low

complexity in how

they access systems

Moderate number of

third parties (6–10)

and moderate

number of individuals

from third parties

(50–500) with

access; some

complexity in how

they access systems

Significant number of

third parties (11–25)

and significant

number of individuals

from third parties

(501–1,500) with

access; high level of

complexity in terms

of how they access

systems

Substantial number of

third parties (>25) and

substantial number of

individuals from third

parties (>1,500) with

access; high complexity

in how they access

systems

For each risk, click your profile category. The form will tally on page 18.

✔

FFIEC Cybersecurity Assessment Tool Inherent Risk Profile

June 2015 12

Category: Technologies and

Connection Types

Risk Levels

Least Minimal Moderate Significant Most

Wholesale customers with dedicated

connections

None Few dedicated

connections

(between 1–5)

Several dedicated

connections

(between 6–10)

Significant number of

dedicated

connections

(between 11–25)

Substantial number of

dedicated connections

(>25)

Internally hosted and developed or

modified vendor applications

supporting critical activities

No applications Few applications

(between 1–5)

Several applications

(between 6–10)

Significant number of

applications

(between 11–25)

Substantial number of

applications and

complexity (>25)

Internally hosted, vendor-developed

applications supporting critical

activities

Limited applications

(0–5)

Few applications (6–

30)

Several applications

(31–75)

Significant number of

applications (76–200)

Substantial number of

applications and

complexity (>200)

User-developed technologies and

user computing that support critical

activities (includes Microsoft Excel

spreadsheets and Access databases

or other user-developed tools)

No user-developed

technologies

1–100 technologies 101–500

technologies

501–2,500

technologies

>2,500 technologies

End-of-life (EOL) systems No systems

(hardware or

software) that are

past EOL or at risk of

nearing EOL within 2

years

Few systems that are

at risk of EOL and

none that support

critical operations

Several systems that

will reach EOL within

2 years and some

that support critical

operations

A large number of

systems that support

critical operations at

EOL or are at risk of

reaching EOL in 2

years

Majority of critical

operations dependent

on systems that have

reached EOL or will

reach EOL within the

next 2 years or an

unknown number of

systems that have

reached EOL

Open Source Software (OSS) No OSS Limited OSS and

none that support

critical operations

Several OSS that

support critical

operations

Large number of

OSS that support

critical operations

Majority of operations

dependent on OSS

Network devices (e.g., servers,

routers, and firewalls; include

physical and virtual)

Limited or no network

devices (<250)

Few devices (250–

1,500)

Several devices

(1,501–25,000)

Significant number of

devices (25,001–

50,000)

Substantial number of

devices (>50,000)

Third-party service providers storing

and/or processing information that

support critical activities (Do not have

access to internal systems, but the

institution relies on their services)

No third parties that

support critical

activities

1–25 third parties

that support critical

activities

26–100 third parties

that support critical

activities

101–200 third parties

that support critical

activities; 1 or more

are foreign-based

>200 third parties that

support critical activities;

1 or more are foreign-

based

✔

FFIEC Cybersecurity Assessment Tool Inherent Risk Profile

June 2015 13

Category: Technologies and

Connection Types

Risk Levels

Least Minimal Moderate Significant Most

Cloud computing services hosted

externally to support critical activities

No cloud providers Few cloud providers;

private cloud only (1–

3)

Several cloud

providers (4–7)

Significant number of

cloud providers (8–

10); cloud-provider

locations used

include international;

use of public cloud

Substantial number of

cloud providers (>10);

cloud-provider locations

used include

international; use of

public cloud

Category: Delivery Channels

Risk Levels

Least Minimal Moderate Significant Most

Online presence (customer) No Web-facing

applications or social

media presence

Serves as an

informational Web

site or social media

page (e.g., provides

branch and ATM

locations and

mark

eting materials)

Serves as a delivery

channel for retail

online banking; may

communicate to

customers through

social media

Serves as a delivery

channel for

wholesale

customers; may

include retail account

origination

Internet applications

serve as a channel to

wholesale customers to

manage large value

assets

Mobile presence None SMS text alerts or

notices only;

browser-based

access

Mobile banking

application for retail

customers (e.g., bill

payment, mobile

check capture,

internal transfers

only)

Mobile banking

application includes

external transfers

(e.g., for corporate

clients, recurring

external transactions)

Full functionality,

including originating new

transactions (e.g., ACH,

wire)

Automated Teller Machines (ATM)

(Operation)

No ATM services ATM services offered

but no owned

machines

ATM services

managed by a third

party; ATMs at local

and regional

branches; cash

reload services

outsourced

ATM services

managed internally;

ATMs at U.S.

branches and retail

locations; cash

reload services

outsourced

ATM services managed

internally; ATM services

provided to other

financial institutions;

ATMs at domestic and

international branches

and retail locations;

cash reload services

managed internally

✔

FFIEC Cybersecurity Assessment Tool Inherent Risk Profile

June 2015 14

Category: Online/Mobile Products

and Technology Services

Risk Levels

Least Minimal Moderate Significant Most

Issue debit or credit cards Do not issue debit or

credit cards

Issue debit and/or

credit cards through

a third party; <10,000

cards outstanding

Issue debit or credit

cards through a third

party; between

10,000–50,000 cards

outstanding

Issue debit or credit

cards directly;

between 50,000–

100,000 cards

outstanding

Issue debit or credit

cards directly; >100,000

cards outstanding; issue

cards on behalf of other

financial institutions

Prepaid cards Do not issue prepaid

cards

Issue prepaid cards

through a third party;

<5,000 cards

outstanding

Issue prepaid cards

through a third party;

5,000–10,000 cards

outstanding

Issue prepaid cards

through a third party;

10,001–20,000 cards

outstanding

Issue prepaid cards

internally, through a

third party, or on behalf

of other financial

institutions; >20,000

cards outstanding

Emerging payments technologies

(e.g., digital wallets, mobile wallets)

Do not accept or use

emerging payments

technologies

Indirect acceptance

or use of emerging

payments

technologies

(customer use may

affect deposit or

credit account)

Direct acceptance or

use of emerging

payments

technologies; partner

or co-brand with non-

bank providers;

limited transaction

volume

Direct acceptance or

use of emerging

payments

technologies; small

transaction volume;

no foreign payments

Direct acceptance of

emerging payments

technologies; moderate

transaction volume

and/or foreign payments

Person-to-person payments (P2P) Not offered Customers allowed

to originate

payments; used by

<1,000 customers or

monthly transaction

volume is <50,000

Customers allowed to

originate payments;

used by 1,000–5,000

customers or monthly

transaction volume is

between 50,000–

100,000

Customers allowed

to originate

payments; used by

5,001–10,000

customers or monthly

transaction volume is

between 100,001–

1 million

Customers allowed to

request payment or to

originate payment; used

by >10,000 customers

or monthly transaction

volume >1 million

Originating ACH payments No ACH origination Originate ACH

credits; daily volume

<3% of total assets

Originate ACH debits

and credits; daily

volume is 3%–5% of

total assets

Sponsor third-party

payment processor;

originate ACH debits

and credits with daily

volume 6%–25% of

total assets

Sponsor nested third-

party payment

processors; originate

debits and credits with

daily volume that is

>25% of total assets

Originating wholesale payments (e.g.,

CHIPS)

Do not originate

wholesale payments

Daily originated

wholesale payment

volume <3% of total

assets

Daily originated

wholesale payment

volume 3%–5% of

total assets

Daily originated

wholesale payment

volume 6%–25% of

total assets

Daily originated

wholesale payment

volume >25% of total

assets

✔

FFIEC Cybersecurity Assessment Tool Inherent Risk Profile

June 2015 15

Category: Online/Mobile Products

and Technology Services

Risk Levels

Least Minimal Moderate Significant Most

Wire transfers Not offered In person wire

requests only;

domestic wires only;

daily wire volume

<3% of total assets

In person, phone,

and fax wire

requests; domestic

daily wire volume

3%–5% of total

assets; international

daily wire volume

<3% of total assets

Multiple request

channels (e.g.,

online, text, e-mail,

fax, and phone); daily

domestic wire

volume 6%–25% of

total assets; daily

international wire

volume 3%–10% of

total assets

Multiple request

channels (e.g., online,

text, e-mail, fax, and

phone); daily domestic

wire volume >25% of

total assets; daily

international wire

volume >10% of total

assets

Merchant remote deposit capture

(RDC)

Do not offer Merchant

RDC

<100 merchant

clients; daily volume

of transactions is

<3% of total assets

100–500 merchant

clients; daily volume

of transactions is

3%–5% of total

assets

501–1,000 merchant

clients; daily volume

of transactions is

6%–25% of total

assets

>1,000 merchant clients;

daily volume of

transactions is >25% of

total assets

Global remittances Do not offer global

remittances

Gross daily

transaction volume is

<3% of total assets

Gross daily

transaction volume is

3%–5% of total

assets

Gross daily

transaction volume is

6%–25% of total

assets

Gross daily transaction

volume is >25% of total

assets

Treasury services and clients No treasury

management

services are offered

Limited services

offered; number of

clients is <1,000

Services offered

include lockbox, ACH

origination, and

remote deposit

capture; number of

clients is between

1,000–10,000

Services offered

include accounts

receivable solutions

and liquidity

management;

number of clients is

between 10,001–

20,000

Multiple services offered

including currency

services, online

investing, and

investment sweep

accounts; number of

clients is >20,000

Trust services Trust services are not

offered

Trust services are

offered through a

third-party provider;

assets under

management total

<$500 million

Trust services

provided directly;

portfolio of assets

under management

total $500 million–

$999 million

Trust services

provided directly;

assets under

management total

$1 billion–$10 billion

Trust services provided

directly; assets under

management total

>$10 billion

Act as a correspondent bank

(Interbank transfers)

Do not act as a

correspondent bank

Act as a

correspondent bank

for <100 institutions

Act as a

correspondent bank

for 100–250

institutions

Act as a

correspondent bank

for 251–500

institutions

Act as a correspondent

bank for >500

institutions

✔

FFIEC Cybersecurity Assessment Tool Inherent Risk Profile

June 2015 16

Category: Online/Mobile Products

and Technology Services

Risk Levels

Least Minimal Moderate Significant Most

Merchant acquirer (sponsor

merchants or card processor activity

into the payment system)

Do not act as a

merchant acquirer

Act as a merchant

acquirer; <1,000

merchants

Act as a merchant

acquirer; outsource

card payment

processing; 1,000–

10,000 merchants

Act as a merchant

acquirer and card

payment processor;

10,001–100,000

merchants

Act as a merchant

acquirer and card

payment processor;

>100,000 merchants

Host IT services for other

organizations (either through joint

systems or administrative support)

Do not provide IT

services for other

organizations

Host or provide IT

services for affiliated

organizations

Host or provide IT

services for up to 25

unaffiliated

organizations

Host or provide IT

services for 26–50

unaffiliated

organizations

Host or provide IT

services for >50

unaffiliated

organizations

Category: Organizational

Characteristics

Risk Levels

Least Minimal Moderate Significant Most

Mergers and acquisitions (including

divestitures and joint ventures)

None planned Open to initiating

discussions or

actively seeking a

merger or acquisition

In discussions with

at least 1 party

A sale or acquisition

has been publicly

announced within the

past year, in

negotiations with 1 or

more parties

Multiple ongoing

integrations of

acquisitions are in

process

Direct employees (including

information technology and

cybersecurity contractors)

Number of

employees totals <50

Number of

employees totals 50–

2,000

Number of

employees totals

2,001–10,000

Number of employees

totals 10,001–50,000

Number of employees is

>50,000

Changes in IT and information

security staffing

Key positions filled;

low or no turnover of

personnel

Staff vacancies exist

for non-critical roles

Some turnover in

key or senior

positions

Frequent turnover in

key staff or senior

positions

Vacancies in senior or

key positions for long

periods; high level of

employee turnover in IT

or information security

Privileged access (Administrators–

network, database, applications,

systems, etc.)

Limited number of

administrators;

limited or no external

administrators

Level of turnover in

administrators does

not affect operations

or activities; may

utilize some external

administrators

Level of turnover in

administrators

affects operations;

number of

administrators for

individual systems or

applications exceeds

what is necessary

High reliance on

external

administrators;

number of

administrators is not

sufficient to support

level or pace of

change

High employee turnover

in network

administrators; many or

most administrators are

external (contractors or

vendors); experience in

network administration

is limited

✔

FFIEC Cybersecurity Assessment Tool Inherent Risk Profile

June 2015 17

Category: Organizational

Characteristics

Risk Levels

Least Minimal Moderate Significant Most

Changes in IT environment (e.g.,

network, infrastructure, critical

applications, technologies supporting

new products or services)

Stable IT

environment

Infrequent or minimal

changes in the IT

environment

Frequent adoption of

new technologies

Volume of significant

changes is high

Substantial change in

outsourced provider(s)

of critical IT services;

large and complex

changes to the

environment occur

frequently

Locations of branches/business

presence

1 state 1 region 1 country 1–20 countries >20 countries

Locations of operations/data centers 1 state 1 region 1 country 1–10 countries >10 countries

Category: External Threats

Risk Levels

Least Minimal Moderate Significant Most

Attempted cyber attacks No attempted attacks

or reconnaissance

Few attempts

monthly (<100); may

have had generic

phishing campaigns

received by

employees and

customers

Several attempts

monthly (100– 500);

phishing campaigns

targeting employees

or customers at the

institution or third

parties supporting

critical activities; may

have experienced an

attempted Distributed

Denial of Service

(DDoS) attack within

the last year

Significant number of

attempts monthly

(501–100,000); spear

phishing campaigns

targeting high net

worth customers and

employees at the

institution or third

parties supporting

critical activities;

Institution specifically

is named in threat

reports; may have

experienced multiple

attempted DDoS

attacks within the last

year

Substantial number of

attempts monthly

(>100,000); persistent

attempts to attack senior

management and/or

network administrators;

frequently targeted for

DDoS attacks

✔

FFIEC Cybersecurity Assessment Tool Inherent Risk Profile

June 2015 18

Total

Risk Levels

Least Minimal Moderate Significant Most

Number of Statements Selected in

Each Risk Level

Based on Individual Risk Levels

Selected, Assign an Inherent Risk

Profile

Least Minimal Moderate Significant Most

12

24

1

0

2

Chad D.

Marley

Digitally signed by

Chad D. Marley

Date: 2018.02.01

13:41:41 -07'00'

Inherent Risk Profile is ready for Management Risk Assignment and Signature

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 1

June 2015 19

Cybersecurity Maturity

Domain 1: Cyber Risk Management and Oversight

Assessment Factor: Governance

Y, N

OVERSIGHT

Baseline

Designated members of management are held accountable by the board

or an appropriate board committee for implementing and managing the

information security and business continuity programs. (

FFIEC

Information Security Booklet, page 3)

Information security risks are discussed in management meetings when

prompted by highly visible cyber events or regulatory alerts. (

FFIEC

Information Security Booklet, page 6)

Management provides a written report on the overall status of the

information security and business continuity programs to the board or an

appropriate board committee at least annually. (

FFIEC Information

Security Booklet, page 5)

The budgeting process includes information security related expenses

and tools. (FFIEC E-Banking Booklet

, page 20)

Management considers the risks posed by other critical infrastructures

(e.g., telecommunications, energy) to the institution. (

FFIEC Business

Continuity Planning Booklet, page J-12)

Evolving

At least annually, the board or an appropriate board committee reviews

and approves the institution’s cybersecurity program.

Management is responsible for ensuring compliance with legal and

regulatory requirements related to cybersecurity.

Cybersecurity tools and staff are requested through the budget process.

There is a process to formally discuss and estimate potential expenses

associated with cybersecurity incidents as part of the budgeting process.

Intermediate

The board or an appropriate board committee has cybersecurity

expertise or engages experts to assist with oversight responsibilities.

The standard board meeting package includes reports and metrics that

go beyond events and incidents to address threat intelligence trends and

the institution’s security posture.

The institution has a cyber risk appetite statement approved by the board

or an appropriate board committee.

Cyber risks that exceed the risk appetite are escalated to management.

The board or an appropriate board committee ensures management’s

✔

Oversight

✔

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 1

June 2015 20

annual cybersecurity self-assessment evaluates the institution’s ability to

meet its cyber risk management standards.

The board or an appropriate board committee reviews and approves

management’s prioritization and resource allocation decisions based on

the results of the cyber assessments.

The board or an appropriate board committee ensures management

takes appropriate actions to address changing cyber risks or significant

cybersecurity issues.

The budget process for requesting additional cybersecurity staff and

tools is integrated into business units’ budget processes.

Advanced

The board or board committee approved cyber risk appetite statement is

part of the enterprise-wide risk appetite statement.

Management has a formal process to continuously improve cybersecurity

oversight.

The budget process for requesting additional cybersecurity staff and

tools maps current resources and tools to the cybersecurity strategy.

Management and the board or an appropriate board committee hold

business units accountable for effectively managing all cyber risks

associated with their activities.

Management identifies root cause(s) when cyber attacks result in

material loss.

The board or an appropriate board committee ensures that

management’s actions consider the cyber risks that the institution poses

to the financial sector.

Innovative

The board or an appropriate board committee discusses ways for

management to develop cybersecurity improvements that may be

adopted sector-wide.

The board or an appropriate board committee verifies that management’s

actions consider the cyber risks that the institution poses to other critical

infrastructures (e.g., telecommunications, energy).

✔

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 1

June 2015 21

STRATEGY/ POLICIES

Baseline

The institution has an information security strategy that integrates

technology, policies, procedures, and training to mitigate risk. (

FFIEC

Information Security Booklet, page 3)

The institution has policies commensurate with its risk and complexity

that address the concepts of information technology risk management.

(FFIEC Information Security Booklet

, page, 16)

The institution has policies commensurate with its risk and complexity

that address the concepts of threat information sharing. (

FFIEC E-

Banking Booklet, page 28)

The institution has board-approved policies commensurate with its risk

and complexity that address information security. (

FFIEC Information

Security Booklet, page 16)

The institution has policies commensurate with its risk and complexity

that address the concepts of external dependency or third-party

management. (FFIEC Outsourcing Booklet

, page 2)

The institution has policies commensurate with its risk and complexity

that address the concepts of incident response and resilience. (

FFIEC

Information Security Booklet, page 83)

All elements of the information security program are coordinated

enterprise-wide. (FFIEC Information Security Booklet

, page 7)

Evolving

The institution augmented its information security strategy to incorporate

cybersecurity and resilience.

The institution has a formal cybersecurity program that is based on

technology and security industry standards or benchmarks.

A formal process is in place to update policies as the institution’s inherent

risk profile changes.

Intermediate

The institution has a comprehensive set of policies commensurate with

its risk and complexity that address the concepts of threat intelligence.

Management periodically reviews the cybersecurity strategy to address

evolving cyber threats and changes to the institution’s inherent risk

profile.

The cybersecurity strategy is incorporated into, or conceptually fits within,

the institution’s enterprise-wide risk management strategy.

Management links strategic cybersecurity objectives to tactical goals.

A formal process is in place to cross-reference and simultaneously

update all policies related to cyber risks across business lines.

✔

Strategy/Policies

✔

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 1

June 2015 22

Advanced

The cybersecurity strategy outlines the institution’s future state of

cybersecurity with short-term and long-term perspectives.

Industry-recognized cybersecurity standards are used as sources during

the analysis of cybersecurity program gaps.

The cybersecurity strategy identifies and communicates the institution’s

role as a component of critical infrastructure in the financial services

industry.

The risk appetite is informed by the institution’s role in critical

infrastructure.

Management is continuously improving the existing cybersecurity

program to adapt as the desired cybersecurity target state changes.

Innovative

The cybersecurity strategy identifies and communicates the institution’s

role as it relates to other critical infrastructures.

IT ASSET MANAGEMENT

Baseline

An inventory of organizational assets (e.g., hardware, software, data, and

systems hosted externally) is maintained. (

FFIEC Information Security

Booklet, page 9)

Organizational assets (e.g., hardware, systems, data, and applications)

are prioritized for protection based on the data classification and

business value. (FFIEC Information Security Booklet

, page 12)

Management assigns accountability for maintaining an inventory of

organizational assets. (FFIEC Information Security Booklet

, page 9)

A change management process is in place to request and approve

changes to systems configurations, hardware, software, applications,

and security tools. (FFIEC Information Security Booklet

, page 56)

Evolving

The asset inventory, including identification of critical assets, is updated

at least annually to address new, relocated, re-purposed, and sunset

assets.

The institution has a documented asset life-cycle process that considers

whether assets to be acquired have appropriate security safeguards.

The institution proactively manages system EOL (e.g., replacement) to

limit security risks.

Changes are formally approved by an individual or committee with

appropriate authority and with separation of duties.

✔

IT Asset Mgmt

✔

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 1

June 2015 23

Intermediate

Baseline configurations cannot be altered without a formal change

request, documented approval, and an assessment of security

implications.

A formal IT change management process requires cybersecurity risk to

be evaluated during the analysis, approval, testing, and reporting of

changes.

Advanced

Supply chain risk is reviewed before the acquisition of mission-critical

information systems including system components.

Automated tools enable tracking, updating, asset prioritizing, and custom

reporting of the asset inventory.

Automated processes are in place to detect and block unauthorized

changes to software and hardware.

The change management system uses thresholds to determine when a

risk assessment of the impact of the change is required.

Innovative

A formal change management function governs decentralized or highly

distributed change requests and identifies and measures security risks

that may cause increased exposure to cyber attack.

Comprehensive automated enterprise tools are implemented to detect

and block unauthorized changes to software and hardware.

Assessment Factor: Risk Management

RISK MANAGEMENT

PROGRAM

Baseline

An information security and business continuity risk management

function(s) exists within the institution. (

FFIEC Information Security

Booklet, page 68)

Evolving

The risk management program incorporates cyber risk identification,

measurement, mitigation, monitoring, and reporting.

Management reviews and uses the results of audits to improve existing

cybersecurity policies, procedures, and controls.

Management monitors moderate and high residual risk issues from the

cybersecurity risk assessment until items are addressed.

✔

Risk Mgmt

Prog

Baseline

Achieved

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 1

June 2015 24

Intermediate

The cybersecurity function has a clear reporting line that does not

present a conflict of interest.

The risk management program specifically addresses cyber risks beyond

the boundaries of the technological impacts (e.g., financial, strategic,

regulatory, compliance).

Benchmarks or target performance metrics have been established for

showing improvements or regressions of the security posture over time.

Management uses the results of independent audits and reviews to

improve cybersecurity.

There is a process to analyze and assign potential losses and related

expenses, by cost center, associated with cybersecurity incidents.

Advanced

Cybersecurity metrics are used to facilitate strategic decision-making and

funding in areas of need.

Independent risk management sets and monitors cyber-related risk limits

for business units.

Independent risk management staff escalates to management and the

board or an appropriate board committee significant discrepancies from

business unit’s assessments of cyber-related risk.

A process is in place to analyze the financial impact cyber incidents have

on the institution’s capital.

The cyber risk data aggregation and real-time reporting capabilities

support the institution’s ongoing reporting needs, particularly during

cyber incidents.

Innovative

The risk management function identifies and analyzes commonalities in

cyber events that occur both at the institution and across other sectors to

enable more predictive risk management.

A process is in place to analyze the financial impact that a cyber incident

at the institution may have across the financial sector.

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 1

June 2015 25

RISK ASSESSMENT

Baseline

A risk assessment focused on safeguarding customer information

identifies reasonable and foreseeable internal and external threats, the

likelihood and potential damage of threats, and the sufficiency of policies,

procedures, and customer information systems. (

FFIEC Information

Security Booklet, page 8)

The risk assessment identifies internet-based systems and high-risk

transactions that warrant additional authentication controls. (

FFIEC

Information Security Booklet, page 12)

The risk assessment is updated to address new technologies, products,

services, and connections before deployment. (

FFIEC Information

Security Booklet, page 13)

Evolving

Risk assessments are used to identify the cybersecurity risks stemming

from new products, services, or relationships.

The focus of the risk assessment has expanded beyond customer

information to address all information assets.

The risk assessment considers the risk of using EOL software and

hardware components.

Intermediate

The risk assessment is adjusted to consider widely known risks or risk

management practices.

Advanced

An enterprise-wide risk management function incorporates cyber threat

analysis and specific risk exposure as part of the enterprise risk

assessment.

Innovative

The risk assessment is updated in real time as changes to the risk profile

occur, new applicable standards are released or updated, and new

exposures are anticipated.

The institution uses information from risk assessments to predict threats

and drive real-time responses.

Advanced or automated analytics offer predictive information and real-

time risk metrics.

Risk Assessment

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 1

June 2015 26

AUDIT

Baseline

Independent audit or review evaluates policies, procedures, and controls

across the institution for significant risks and control issues associated

with the institution's operations, including risks in new products, emerging

technologies, and information systems. (FFIEC Audit Booklet

, page 4)

The independent audit function validates controls related to the storage or

transmission of confidential data. (FFIEC Audit Booklet

, page 1)

Logging practices are independently reviewed periodically to ensure

appropriate log management (e.g., access controls, retention, and

maintenance). (FFIEC Operations Booklet

, page 29)

Issues and corrective actions from internal audits and independent

testing/assessments are formally tracked to ensure procedures and

control lapses are resolved in a timely manner. (

FFIEC Information

Security Booklet, page 6)

Evolving

The independent audit function validates that the risk management

function is commensurate with the institution’s risk and complexity.

The independent audit function validates that the institution’s threat

information sharing is commensurate with the institution’s risk and

complexity.

The independent audit function validates that the institution’s

cybersecurity controls function is commensurate with the institution’s risk

and complexity.

The independent audit function validates that the institution’s third-party

relationship management is commensurate with the institution’s risk and

complexity.

The independent audit function validates that the institution’s incident

response program and resilience are commensurate with the institution’s

risk and complexity.

Intermediate

A formal process is in place for the independent audit function to update

its procedures based on changes to the institution’s inherent risk profile.

The independent audit function validates that the institution’s threat

intelligence and collaboration are commensurate with the institution’s risk

and complexity.

The independent audit function regularly reviews management’s cyber

risk appetite statement.

Independent audits or reviews are used to identify gaps in existing

security capabilities and expertise.

✔

Audit

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 1

June 2015 27

Advanced

A formal process is in place for the independent audit function to update

its procedures based on changes to the evolving threat landscape across

the sector.

The independent audit function regularly reviews the institution’s cyber

risk appetite statement in comparison to assessment results and

incorporates gaps into the audit strategy.

Independent audits or reviews are used to identify cybersecurity

weaknesses, root causes, and the potential impact to business units.

Innovative

A formal process is in place for the independent audit function to update

its procedures based on changes to the evolving threat landscape across

other sectors the institution depends upon.

The independent audit function uses sophisticated data mining tools to

perform continuous monitoring of cybersecurity processes or controls.

Assessment Factor: Resources

STAFFING

Baseline

Information security roles and responsibilities have been identified.

(FFIEC Information Security Booklet

, page 7)

Processes are in place to identify additional expertise needed to improve

information security defenses. (

FFIEC Information Security Work

Program, Objective I: 2-8)

Evolving

A formal process is used to identify cybersecurity tools and expertise that

may be needed.

Management with appropriate knowledge and experience leads the

institution's cybersecurity efforts.

Staff with cybersecurity responsibilities have the requisite qualifications to

perform the necessary tasks of the position.

Employment candidates, contractors, and third parties are subject to

background verification proportional to the confidentiality of the data

accessed, business requirements, and acceptable risk.

Intermediate

The institution has a program for talent recruitment, retention, and

succession planning for the cybersecurity and resilience staffs.

Advanced

The institution benchmarks its cybersecurity staffing against peers to

identify whether its recruitment, retention, and succession planning are

commensurate.

Dedicated cybersecurity staff develops, or contributes to developing,

integrated enterprise-level security and cyber defense strategies.

✔

Staffing

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 1

June 2015 28

Innovative

The institution actively partners with industry associations and academia

to inform curricula based on future cybersecurity staffing needs of the

industry.

Assessment Factor: Training and Culture

TRAINING

Baseline

Annual information security training is provided. (FFIEC Information

Security Booklet, page 66)

Annual information security training includes incident response, current

cyber threats (e.g., phishing, spear phishing, social engineering, and

mobile security), and emerging issues. (

FFIEC Information Security

Booklet, page 66)

Situational awareness materials are made available to employees when

prompted by highly visible cyber events or by regulatory alerts. (

FFIEC

Information Security Booklet, page 7)

Customer awareness materials are readily available (e.g., DHS’

Cybersecurity Awareness Month materials). (

FFIEC E-Banking Work

Program, Objective 6-3)

Evolving

The institution has a program for continuing cybersecurity training and

skill development for cybersecurity staff.

Management is provided cybersecurity training relevant to their job

responsibilities.

Employees with privileged account permissions receive additional

cybersecurity training commensurate with their levels of responsibility.

Business units are provided cybersecurity training relevant to their

particular business risks.

The institution validates the effectiveness of training (e.g., social

engineering or phishing tests).

Intermediate

Management incorporates lessons learned from social engineering and

phishing exercises to improve the employee awareness programs.

Cybersecurity awareness information is provided to retail customers and

commercial clients at least annually.

Business units are provided cybersecurity training relevant to their

particular business risks, over and above what is required of the

institution as a whole.

The institution routinely updates its training to security staff to adapt to

new threats.

✔

Training

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 1

June 2015 29

Advanced

Independent directors are provided with cybersecurity training that

addresses how complex products, services, and lines of business affect

the institution's cyber risk.

Innovative

Key performance indicators are used to determine whether training and

awareness programs positively influence behavior.

CULTURE

Baseline

Management holds employees accountable for complying with the

information security program. (FFIEC Information Security Booklet

, page

7)

Evolving

The institution has formal standards of conduct that hold all employees

accountable for complying with cybersecurity policies and procedures.

Cyber risks are actively discussed at business unit meetings.

Employees have a clear understanding of how to identify and escalate

potential cybersecurity issues.

Intermediate

Management ensures performance plans are tied to compliance with

cybersecurity policies and standards in order to hold employees

accountable.

The risk culture requires formal consideration of cyber risks in all

business decisions.

Cyber risk reporting is presented and discussed at the independent risk

management meetings.

Advanced

Management ensures continuous improvement of cyber risk cultural

awareness.

Innovative

The institution leads efforts to promote cybersecurity culture across the

sector and to other sectors that they depend upon.

✔

Culture

Baseline

Achieved

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 2

June 2015 30

Domain 2: Threat Intelligence and Collaboration

Assessment Factor: Threat Intelligence

Y,N

THREAT INTELLIGENCE AND INFORMATION

Baseline

The institution belongs or subscribes to a threat and vulnerability

information sharing source(s) that provides information on threats (e.g.,

Financial Services Information Sharing and Analysis Center [FS-ISAC],

U.S. Computer Emergency Readiness Team [US-CERT]). (

FFIEC E-

Banking Work Program, page 28)

Threat information is used to monitor threats and vulnerabilities. (FFIEC

Information Security Booklet, page 83)

Threat information is used to enhance internal risk management and

controls. (FFIEC Information Security Booklet

, page 4)

Evolving

Threat information received by the institution includes analysis of tactics,

patterns, and risk mitigation recommendations.

Intermediate

A formal threat intelligence program is implemented and includes

subscription to threat feeds from external providers and internal sources.

Protocols are implemented for collecting information from industry peers

and government.

A read-only, central repository of cyber threat intelligence is maintained.

Advanced

A cyber intelligence model is used for gathering threat information.

Threat intelligence is automatically received from multiple sources in real

time.

The institution’s threat intelligence includes information related to

geopolitical events that could increase cybersecurity threat levels.

Innovative

A threat analysis system automatically correlates threat data to specific

risks and then takes risk-based automated actions while alerting

management.

The institution is investing in the development of new threat intelligence

and collaboration mechanisms (e.g., technologies, business processes)

that will transform how information is gathered and shared.

✔

Threat Intel & Info

✔

click to sign

signature

click to edit

click to sign

signature

click to edit

click to sign

signature

click to edit

click to sign

signature

click to edit

click to sign

signature

click to edit

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 3

June 2015 40

Advanced

Employees’ and third parties’ devices (including mobile) without the latest

security patches are quarantined and patched before the device is

granted access to the network.

Confidential data and applications on mobile devices are only accessible

via a secure, isolated sandbox or a secure container.

Innovative

A centralized end-point management tool provides fully integrated patch,

configuration, and vulnerability management, while also being able to

detect malware upon arrival to prevent an exploit.

SECURE CODING

Baseline

Developers working for the institution follow secure program coding

practices, as part of a system development life cycle (SDLC), that meet

industry standards. (FFIEC Information Security Booklet

, page 56)

The security controls of internally developed software are periodically

reviewed and tested. (*N/A if there is no software development.) (

FFIEC

Information Security Booklet, page 59)

The security controls in internally developed software code are

independently reviewed before migrating the code to production. (*N/A if

there is no software development.) (

FFIEC Development and Acquisition

Booklet, page 2)

Intellectual property and production code are held in escrow. (*N/A if

there is no production code to hold in escrow.) (

FFIEC Development and

Acquisition Booklet, page 39)

Evolving

Security testing occurs at all post-design phases of the SDLC for all

applications, including mobile applications. (*N/A if there is no software

development.)

Intermediate

Processes are in place to mitigate vulnerabilities identified as part of the

secure development of systems and applications.

The security of applications, including Web-based applications connected

to the Internet, is tested against known types of cyber attacks (e.g., SQL

injection, cross-site scripting, buffer overflow) before implementation or

following significant changes.

Software code executables and scripts are digitally signed to confirm the

software author and guarantee that the code has not been altered or

corrupted.

A risk-based, independent information assurance function evaluates the

security of internal applications.

Advanced

Vulnerabilities identified through a static code analysis are remediated

before implementing newly developed or changed applications into

production.

All interdependencies between applications and services have been

Secure Coding

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 3

June 2015 41

identified.

Independent code reviews are completed on internally developed or

vendor-provided custom applications to ensure there are no security

gaps.

Innovative

Software code is actively scanned by automated tools in the development

environment so that security weaknesses can be resolved immediately

during the design phase.

Assessment Factor: Detective Controls

THREAT AND VULNERABILITY DETECTION

Baseline

Independent testing (including penetration testing and vulnerability

scanning) is conducted according to the risk assessment for external-

facing systems and the internal network. (

FFIEC Information Security

Booklet, page 61)

Antivirus and anti-malware tools are used to detect attacks. (FFIEC

Information Security Booklet, page 55)

Firewall rules are audited or verified at least quarterly. (FFIEC Information

Security Booklet, page 82)

E-mail protection mechanisms are used to filter for common cyber threats

(e.g., attached malware or malicious links). (

FFIEC Information Security

Booklet, page 39)

Evolving

Independent penetration testing of network boundary and critical Web-

facing applications is performed routinely to identify security control gaps.

Independent penetration testing is performed on Internet-facing

applications or systems before they are launched or undergo significant

change.

Antivirus and anti-malware tools are updated automatically.

Firewall rules are updated routinely.

Vulnerability scanning is conducted and analyzed before

deployment/redeployment of new/existing devices.

Processes are in place to monitor potential insider activity that could lead

to data theft or destruction.

Intermediate

Audit or risk management resources review the penetration testing scope

and results to help determine the need for rotating companies based on

the quality of the work.

E-mails and attachments are automatically scanned to detect malware

and are blocked when malware is present.

✔

Threat & Vuln Detect

✔

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 3

June 2015 42

Advanced

Weekly vulnerability scanning is rotated among environments to scan all

environments throughout the year.

Penetration tests include cyber attack simulations and/or real-world

tactics and techniques such as red team testing to detect control gaps in

employee behavior, security defenses, policies, and resources.

Automated tool(s) proactively identifies high-risk behavior signaling an

employee who may pose an insider threat.

Innovative

User tasks and content (e.g., opening an e-mail attachment) are

automatically isolated in a secure container or virtual environment so that

malware can be analyzed but cannot access vital data, end-point

operating systems, or applications on the institution’s network.

Vulnerability scanning is performed on a weekly basis across all

environments.

ANOMALOUS ACTIVITY DETECTION

Baseline

The institution is able to detect anomalous activities through monitoring

across the environment. (FFIEC Information Security Booklet

, page 32)

Customer transactions generating anomalous activity alerts are monitored

and reviewed. (FFIEC Wholesale Payments Booklet

, page 12)

Logs of physical and/or logical access are reviewed following events.

(FFIEC Information Security Booklet

, page 73)

Access to critical systems by third parties is monitored for unauthorized or

unusual activity. (FFIEC Outsourcing Booklet

, page 26)

Elevated privileges are monitored. (FFIEC Information Security Booklet,

page 19)

Evolving

Systems are in place to detect anomalous behavior automatically during

customer, employee, and third-party authentication.

Security logs are reviewed regularly.

Logs provide traceability for all system access by individual users.

Thresholds have been established to determine activity within logs that

would warrant management response.

Anomalous Act Detect

✔

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 3

June 2015 43

Intermediate

Online customer transactions are actively monitored for anomalous

behavior.

Tools to detect unauthorized data mining are used.

Tools actively monitor security logs for anomalous behavior and alert

within established parameters.

Audit logs are backed up to a centralized log server or media that is

difficult to alter.

Thresholds for security logging are evaluated periodically.

Anomalous activity and other network and system alerts are correlated

across business units to detect and prevent multifaceted attacks (e.g.,

simultaneous account takeover and DDoS attack).

Advanced

An automated tool triggers system and/or fraud alerts when customer

logins occur within a short period of time but from physically distant IP

locations.

External transfers from customer accounts generate alerts and require

review and authorization if anomalous behavior is detected.

A system is in place to monitor and analyze employee behavior (network

use patterns, work hours, and known devices) to alert on anomalous

activities.

An automated tool(s) is in place to detect and prevent data mining by

insider threats.

Tags on fictitious confidential data or files are used to provide advanced

alerts of potential malicious activity when the data is accessed.

Innovative

The institution has a mechanism for real-time automated risk scoring of

threats.

The institution is developing new technologies that will detect potential

insider threats and block activity in real time.

✔

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 3

June 2015 44

EVENT DETECTION

Baseline

A normal network activity baseline is established. (FFIEC Information

Security Booklet, page 77)

Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert

management to potential attacks. (FFIEC Information Security Booklet

,

page 78)

Processes are in place to monitor for the presence of unauthorized users,

devices, connections, and software. (

FFIEC Information Security Work

Program, Objective II: M-9)

Responsibilities for monitoring and reporting suspicious systems activity

have been assigned. (FFIEC Information Security Booklet

, page 83)

The physical environment is monitored to detect potential unauthorized

access. (FFIEC Information Security Booklet

, page 47)

Evolving

A process is in place to correlate event information from multiple sources

(e.g., network, application, or firewall).

Intermediate

Controls or tools (e.g., data loss prevention) are in place to detect

potential unauthorized or unintentional transmissions of confidential data.

Event detection processes are proven reliable.

Specialized security monitoring is used for critical assets throughout the

infrastructure.

Advanced

Automated tools detect unauthorized changes to critical system files,

firewalls, IPS, IDS, or other security devices.

Real-time network monitoring and detection is implemented and

incorporates sector-wide event information.

Real-time alerts are automatically sent when unauthorized software,

hardware, or changes occur.

Tools are in place to actively correlate event information from multiple

sources and send alerts based on established parameters.

Innovative

The institution is leading efforts to develop event detection systems that

will correlate in real time when events are about to occur.

The institution is leading the development effort to design new

technologies that will detect potential insider threats and block activity in

real time.

✔

Event Detect

✔

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 3

June 2015 45

Assessment Factor: Corrective Controls

PATCH MANAGEMENT

Baseline

A patch management program is implemented and ensures that software

and firmware patches are applied in a timely manner. (

FFIEC Information

Security Booklet, page 62)

Patches are tested before being applied to systems and/or software.

(FFIEC Operations Booklet

, page 22)

Patch management reports are reviewed and reflect missing security

patches. (FFIEC Development and Acquisition Booklet

, page 50)

Evolving

A formal process is in place to acquire, test, and deploy software patches

based on criticality.

Systems are configured to retrieve patches automatically.

Operational impact is evaluated before deploying security patches.

An automated tool(s) is used to identify missing security patches as well

as the number of days since each patch became available.

Missing patches across all environments are prioritized and tracked.

Intermediate

Patches for high-risk vulnerabilities are tested and applied when released

or the risk is accepted and accountability assigned.

Advanced

Patch monitoring software is installed on all servers to identify any

missing patches for the operating system software, middleware,

database, and other key software.

The institution monitors patch management reports to ensure security

patches are tested and implemented within aggressive time frames (e.g.,

0-30 days).

Innovative

The institution develops security patches or bug fixes or contributes to

open source code development for systems it uses.

Segregated or separate systems are in place that mirror production

systems allowing for rapid testing and implementation of patches and

provide for rapid fallback when needed.

Patch Mgmt

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 5

June 2015 51

Domain 5: Cyber Incident Management and Resilience

Assessment Factor: Incident Resilience Planning and Strategy

Y, N

PLANNING

Baseline

The institution has documented how it will react and respond to cyber

incidents. (FFIEC Business Continuity Planning Booklet

, page 4)

Communication channels exist to provide employees a means for

reporting information security events in a timely manner. (

FFIEC

Information Security Booklet, page 83)

Roles and responsibilities for incident response team members are

defined. (FFIEC Information Security Booklet

, page 84)

The response team includes individuals with a wide range of

backgrounds and expertise, from many different areas within the

institution (e.g., management, legal, public relations, as well as

information technology). (FFIEC Information Security Booklet

, page

84)

A formal backup and recovery plan exists for all critical business lines.

(FFIEC Business Continuity Planning Booklet

, page 4)

The institution plans to use business continuity, disaster recovery, and

data backup programs to recover operations following an incident.

(FFIEC Information Security Booklet

, page 71)

Evolving

The remediation plan and process outlines the mitigating actions,

resources, and time parameters.

The corporate disaster recovery, business continuity, and crisis

management plans have integrated consideration of cyber incidents.

Alternative processes have been established to continue critical

activity within a reasonable time period.

Business impact analyses have been updated to include

cybersecurity.

Due diligence has been performed on technical sources, consultants,

or forensic service firms that could be called to assist the institution

during or following an incident.

✔

Planning

✔

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 5

June 2015 56

Innovative

The institution’s risk management of significant cyber incidents results in

limited to no disruptions to critical services.

The technology infrastructure has been engineered to limit the effects of a

cyber attack on the production environment from migrating to the backup

environment (e.g., air-gapped environment and processes).

Assessment Factor: Escalation and Reporting

ESCALATION AND REPORTING

Baseline

A process exists to contact personnel who are responsible for analyzing

and responding to an incident. (FFIEC Information Security Booklet

,

page 83)

Procedures exist to notify customers, regulators, and law enforcement as

required or necessary when the institution becomes aware of an incident

involving the unauthorized access to or use of sensitive customer

information. (FFIEC Information Security Booklet

, page 84)

The institution prepares an annual report of security incidents or violations

for the board or an appropriate board committee. (

FFIEC Information

Security Booklet, page 5)

Incidents are classified, logged, and tracked. (FFIEC Operations Booklet,

page 28)

Evolving

Criteria have been established for escalating cyber incidents or

vulnerabilities to the board and senior management based on the

potential impact and criticality of the risk.

Regulators, law enforcement, and service providers, as appropriate, are

notified when the institution is aware of any unauthorized access to

systems or a cyber incident occurs that could result in degradation of

services.

Tracked cyber incidents are correlated for trend analysis and reporting.

Intermediate

Employees that are essential to mitigate the risk (e.g., fraud, business

resilience) know their role in incident escalation.

A communication plan is used to notify other organizations, including third

parties, of incidents that may affect them or their customers.

An external communication plan is used for notifying media regarding

incidents when applicable.

Advanced

The institution has established quantitative and qualitative metrics for the

cybersecurity incident response process.

Detailed metrics, dashboards, and/or scorecards outlining cyber incidents

and events are provided to management and are part of the board

meeting package.

✔

Escalation and Reporting

FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 5

June 2015 57

Innovative

A mechanism is in place to provide instantaneous notification of incidents

to management and essential employees through multiple communication

channels with tracking and verification of receipt.

Cybersecurity Maturity Scorecard

Domain One: Cyber Risk Management and Oversight

Gap in Domain One Baseline

Oversight

Strategy/Policies

IT Asset Mgmt

Risk Mgmt Prog Baseline Achieved

Risk Assessment

Audit

Staffing

Training

Culture Baseline Achieved

Domain Two: Threat Intelligence and Collaboration

Gap in Domain Two Baseline

Threat Intel & Info

Mtring & Analzing

Info Sharing

Domain Three: Cybersecurity Controls

Gap in Domain Three Baseline

Infrastructure Mgmt

Access & Data Mgmt

Device & EP Sec

Secure Coding

Domain Three: Cybersecurity Controls (cont'd)

Gap in Domain Three Baseline

Threat & Vuln Detect

Anomalous Act Detect

Event Detect

Patch Mgmt

Remediation

Domain Four: External Dependency Mgmt

Gap in Domain Four Baseline

Connections

Due Diligence

Contracts

Ongoing Mtr'g

Domain Five: Cyber Incident Mgmt and Resilience

Gap in Domain Five Baseline

Planning

Testing

Detection

Response and Mitigation Baseline

Achieved

Escalation and Reporting

Organization's Risk Profile vs

Cybermaturity Matrix

Accepted Risk Profile ->

(if signed on page 18)

Max score 30 @

Cybersecurity Maturity

Level

▼▼

0

3

Sign below when entire assessment

has been completed.

Chad D.

Marley

Digitally signed by Chad D.

Marley

Date: 2018.03.21 09:46:15

-06'00'

Gaps

27

Fill Online, Printable, Fillable, Blank 5P1d ITS FFIEC CAT-Assess P-60 March 2018 Form

Related forms

Fillable 5P1d ITS FFIEC CAT-Assess P-60 March 2018

Fill Online, Printable, Fillable, Blank 5P1d ITS FFIEC CAT-Assess P-60 March 2018 Form

Related forms

First 20 documents completely FREE!