
InfoSight Highlight: FFIEC Cybersecurity Assessment
Friday, April 7, 2017 7:00 AM

Overview of the FFIEC Cybersecurity Assessment Tool

The Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment consists of two main components: the Inherent Risk Profile and the Cybersecurity Maturity.

The Inherent Risk Profile helps the institution understand how its products and services contribute to its overall inherent risk and whether specific categories pose more risk than others. The Cybersecurity Maturity component contains assessment factors and individual declarative statements across five domains to identify specific controls and practices. While management can determine the institution’s maturity level in each domain, the Assessment is not designed to produce a single overall cybersecurity maturity level.

Before beginning the Assessment, senior management should review the overview of the tool and the user’s guide that the FFIEC provides. To complete the Assessment, the credit union first assesses the institution’s Inherent Risk Profile based on five categories:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

Management then evaluates the institution’s Cybersecurity Maturity level for each of the five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

By reviewing both the institution’s inherent risk profile and maturity levels across the domains, management can determine whether its maturity levels are appropriate in relation to its risk. If not, the institution may take action either to reduce the level of risk or to increase the levels of maturity. This process is intended to complement, not replace, an institution’s risk management process and cybersecurity program.

Source: InfoSight Compliance.

Need more info on a regular basis? Check out InfoSight, your first stop when searching for compliance answers. InfoSight operates as an online compliance manual at your fingertips, containing federal and state-specific content that is accurate, concise, and detailed on a wide range of topics and issues. Subscribers are able to access easy-to-read compliance summaries, checklists for compliance, direct links to laws and regulations, frequently asked questions, and links to additional important resources, including CUNA's online compliance resource "E-Guide." As part of InfoSight, the League sends out a weekly eNewsletter highlighting regulatory changes, hot topics in compliance, and comment calls.
