Welcome!

Blog Feed Post

Leveraging The FFIEC Cybersecurity Assessment Tool (CAT) To Improve Corporate Culture and Raise Security Posture

Bob Gourley

https://i0.wp.com/ctovision.com/wp-content/uploads/compliance-does-not-e... 300w" sizes="(max-width: 862px) 100vw, 862px" data-recalc-dims="1" />The FFIEC (Federal Financial Institutions Examination Council) is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions. In 2006, the State Liaison Committee (SLC) was added to the Council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).

For the last several years the FFIEC has been making contributions to cybersecurity awareness, including initiatives aimed at helping financial institutions better understand and deal with cybersecurity risks. In June 2013, the FFIEC announced the creation of the Cybersecurity and Critical Infrastructure Working Group to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. In addition, the FFIEC began assessing and enhancing the state of the industry preparedness and identifying gaps in the regulators' examination procedures and training that can be closed to strengthen the oversight of cybersecurity readiness.

On 30 June 2015 the FFIEC released a new Cybersecurity Assessment Tool. This tool is intended to help financial organizations large and small better assess and understand risk and also the organization's maturity in cyber defense.

We have worked with financial institutions and other high risk organization in cyber security assessments for years and have seen first-hand the benefits that the FFIEC approach can provide to organizations. We have also captured many lessons learned from our engagements across the financial (and other) sectors regarding this approach. We share some of those lessons here:

  1. The most important lesson is to understand that the FFIEC CAT should not be seen as just a compliance drill. Regulators will check you for compliance and that is very important. But if used correctly it can also help an organization become more efficient, effective and more secure.
  2. The tool is meant to help and is not designed to be a one-size-fits-all approach. It is best when tailored to your specific organization.
  3. The most important determinant of whether or not the tool will work for you is the attention it gets from senior leadership. And getting their attention means approaching it with the vision of leveraging it to support and enhance business functions. In the financial industry that usually means focusing on enhancing trust among customers and partners.

Here are more thoughts:

The tool has two parts. The first assesses the institution’s inherent risk profile based on five categories:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

It is this first section that is the most problematic. It seeks to quantify cyber risks in a very simple way, and this is actually a very complex and hard to measure/quantify topic. On top of that, the best topics to address regarding risk are going to vary significantly from company to company, and even division by division for larger firms. Perhaps this first section can just be thought of as a rough plan to deviate from. It can be an important drill to seek to assess cyber risks, of course, but it seems both arrogant and naive of the FFIEC to think that they can produce a matrix that captures risk for every organization. Since most organizations in the highly regulated financial sector will already have a chief risk officer and many risk processes around cyber, maybe this section should just be offered as a template of considerations.

The second section of this tool brings some good ideas and approaches to evaluation of the organization's Cybersecurity Maturity five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

This is were the tool can make contributions to many organizations. The descriptions and definitions for each of these domains and then the assessment factors in each domain are useful, especially for organizations that do not already have an approach to cybersecurity.

https://ctovision.com/wp-content/uploads/TheFiveDomains-1024x590.png 1024w, https://ctovision.com/wp-content/uploads/TheFiveDomains.png 1194w" alt="TheFiveDomains" width="590" height="340" />

These domains all map well into Cognitio's Cyber360 offering, which is an end to even evaluation of an organization's cybersecurity posture from a business perspective. Our Cyber360 has been leveraged in organizations across multiple sectors of the economy to ensure digital risk is mitigated and to ensure digital technologies are being leveraged in support of business. Our Cyber360 is focused on business first, in keeping with our belief that cybersecurity issues must be understood by and dealt with by leaders from across the firm, not just in the IT and security organizations.

For more information on either the FFIEC models or Cognitio's Cyber360 contact us here.

Read the original blog entry...

More Stories By Bob Gourley

Bob Gourley writes on enterprise IT. He is a founder and partner at Cognitio Corp and publsher of CTOvision.com

Latest Stories
Automation is enabling enterprises to design, deploy, and manage more complex, hybrid cloud environments. Yet the people who manage these environments must be trained in and understanding these environments better than ever before. A new era of analytics and cognitive computing is adding intelligence, but also more complexity, to these cloud environments. How smart is your cloud? How smart should it be? In this power panel at 20th Cloud Expo, moderated by Conference Chair Roger Strukhoff, paneli...
Cloud applications are seeing a deluge of requests to support the exploding advanced analytics market. “Open analytics” is the emerging strategy to deliver that data through an open data access layer, in the cloud, to be directly consumed by external analytics tools and popular programming languages. An increasing number of data engineers and data scientists use a variety of platforms and advanced analytics languages such as SAS, R, Python and Java, as well as frameworks such as Hadoop and Spark...
"Loom is applying artificial intelligence and machine learning into the entire log analysis process, from start to finish and at the end you will get a human touch,” explained Sabo Taylor Diab, Vice President, Marketing at Loom Systems, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
The current age of digital transformation means that IT organizations must adapt their toolset to cover all digital experiences, beyond just the end users’. Today’s businesses can no longer focus solely on the digital interactions they manage with employees or customers; they must now contend with non-traditional factors. Whether it's the power of brand to make or break a company, the need to monitor across all locations 24/7, or the ability to proactively resolve issues, companies must adapt to...
Cloud promises the agility required by today’s digital businesses. As organizations adopt cloud based infrastructures and services, their IT resources become increasingly dynamic and hybrid in nature. Managing these require modern IT operations and tools. In his session at 20th Cloud Expo, Raj Sundaram, Senior Principal Product Manager at CA Technologies, will discuss how to modernize your IT operations in order to proactively manage your hybrid cloud and IT environments. He will be sharing bes...
A look across the tech landscape at the disruptive technologies that are increasing in prominence and speculate as to which will be most impactful for communications – namely, AI and Cloud Computing. In his session at 20th Cloud Expo, Curtis Peterson, VP of Operations at RingCentral, highlighted the current challenges of these transformative technologies and shared strategies for preparing your organization for these changes. This “view from the top” outlined the latest trends and developments i...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend 21st Cloud Expo October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
@DevOpsSummit at Cloud Expo taking place Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center, Santa Clara, CA, is co-located with the 21st International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is ...
"We are a monitoring company. We work with Salesforce, BBC, and quite a few other big logos. We basically provide monitoring for them, structure for their cloud services and we fit into the DevOps world" explained David Gildeh, Co-founder and CEO of Outlyer, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Join us at Cloud Expo June 6-8 to find out how to securely connect your cloud app to any cloud or on-premises data source – without complex firewall changes. More users are demanding access to on-premises data from their cloud applications. It’s no longer a “nice-to-have” but an important differentiator that drives competitive advantages. It’s the new “must have” in the hybrid era. Users want capabilities that give them a unified view of the data to get closer to customers and grow business. The...
Artificial intelligence, machine learning, neural networks. We’re in the midst of a wave of excitement around AI such as hasn’t been seen for a few decades. But those previous periods of inflated expectations led to troughs of disappointment. Will this time be different? Most likely. Applications of AI such as predictive analytics are already decreasing costs and improving reliability of industrial machinery. Furthermore, the funding and research going into AI now comes from a wide range of com...
For organizations that have amassed large sums of software complexity, taking a microservices approach is the first step toward DevOps and continuous improvement / development. Integrating system-level analysis with microservices makes it easier to change and add functionality to applications at any time without the increase of risk. Before you start big transformation projects or a cloud migration, make sure these changes won’t take down your entire organization.
"When we talk about cloud without compromise what we're talking about is that when people think about 'I need the flexibility of the cloud' - it's the ability to create applications and run them in a cloud environment that's far more flexible,” explained Matthew Finnie, CTO of Interoute, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...
SYS-CON Events announced today that MobiDev, a client-oriented software development company, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software company that develops and delivers turn-key mobile apps, websites, web services, and complex software systems for startups and enterprises. Since 2009 it has grown from a small group of passionate engineers and business...