When you need an expert to assess cyber security risk we can help. Our cyber security professionals have in both the in-depth knowledge and practical experience in assessing cyber security risk.
COMPLY WITH FFIEC CYBER SECURITY ASSESSMENT REQUIREMENTS AND IDENTIFY YOUR WEAKNESSES
The FFIEC Cyber Security tool is actually a cyber risk compliance framework that has been developed to assist management and the board in assessing their financial institution’s cyber security risk and preparedness. The execution of this assessment provides vital information necessary for the development of a Cyber Security Program. The tool has been designed specifically for the financial services industry, is based on the NIST Cyber Security Framework, and has become a key component of a financial institution’s enterprise-wide governance process.
Our cyber security consultants can perform a Cyber Security Assessment using the FFIEC’s Cyber Security Tool and in Europe we use the ISO 27001 standards to guide you through a detailed assessment. Our approach assesses your inherent cyber security risk and preparedness and is based on two components: Inherent Risk Profile and Cybersecurity Maturity. Our assessment results will include identified gaps in your current cyber security posture and recommendations to achieve your desired state of cyber readiness.
In determining your organization’s inherent risk, the following five components are assessed:
- Technology and Connection Types. The use of different technologies and connections present potential entry points for attack. The complexity and number of connection types must be identified and evaluated and can include the use of higher risk communications protocols with third party service providers, personal devices (BYOD), and wireless, local, and virtual private networks.
- Online/Mobile Products and Services. Certain products and services introduce increased inherent cyber security risk. These products and services will be identified and evaluated and can include various types of payment services, originating automated clearing house (ACH) transactions, retail wire transfers, wholesale payments, merchant remote deposit capture, treasury services, and others.
- Delivery Channels. Various delivery channels for products and services may pose a higher inherent cyber security risk and often include online and mobile delivery channels as well as the use of automated teller machine (ATM) operations.
- Organizational Characteristics. The organizational structure and operating model in place may holistically represent increased inherent cyber security risk. Factors increasing risk can include the location of internally managed and outsourced data centers, the use of managed security service providers, and the maturity and allocation of resources to the IT Security function.
- External Threats. The identification and consideration of both the volume and type of historical attacks (both successful and unsuccessful) can help forecast the probability of cyber threat occurrence and assess inherent cyber security risk.
In determining your organization’s cyber security posture, the following five domains are assessed:
- Cyber Risk Management and Oversight – Addresses the board’s oversight and management’s development and implementation of an effective enterprise-wide Cyber Security Program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
- Threat Intelligence and Collaboration – Includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
- Cybersecurity Controls – Used to protect assets, infrastructure, and information by strengthening the institution’s defensive posture through continuous, automated protection and monitoring.
- External Dependency Management – Involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution’s technology assets and information.
- Cyber Incident Management and Resilience – Includes establishing, identifying, and analyzing cyber events; prioritizing the institution’s containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber-incident.