Benchmark: Federal Financial Institutions Examination Council (FFIEC)
To obtain the latest version of the official guide, please visit https://www.ffiec.gov/cyberassessmenttool.htm.
In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment), on behalf of its members, to help institutions identify their risks and determine their cybersecurity maturity.
The Assessment is designed to provide a measurable and repeatable process to assess an institution's level of cybersecurity risk and preparedness. The Assessment consists of two parts: Part one of this Assessment is the Inherent Risk Profile, which identifies an institution's inherent risk relevant to cyber risks. Part two is the Cybersecurity Maturity, which determines an institution's current state of cybersecurity preparedness represented by maturity levels across five domains. For this Assessment to be an effective risk management tool, an institution may want to complete it periodically and as significant operational and technological changes occur.
To complete the Assessment, management first assesses the institution's inherent risk profile based on five categories:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
Management then evaluates the institution's Cybersecurity Maturity level for each of five domains:
- Cyber Risk Management and Oversight: Addresses the board of directors' (board's) oversight and management's development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
- Threat Intelligence and Collaboration: Includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
- Cybersecurity Controls: Practices and processes used to protect assets, infrastructure, and information by strengthening the institution's defensive posture through continuous, automated protection and monitoring.
- External Dependency Management: Involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution's technology assets and information.
- Cyber Incident Management and Resilience: Cyber incident management includes establishing, identifying, and analyzing cyber events; prioritizing the institution's containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.
Run the whole FFIEC benchmark against your AWS account with:

```sh
steampipe check aws_compliance.benchmark.ffiec
```

The benchmark groups its controls under the five Cybersecurity Maturity domains:
- Cyber Risk Management and Oversight (Domain 1)
- Threat Intelligence and Collaboration (Domain 2)
- Cybersecurity Controls (Domain 3)
- External Dependency Management (Domain 4)
- Cyber Incident Management and Resilience (Domain 5)
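As an added example (not part of this page or the aws_compliance mod), the script below post-processes the report written by `steampipe check aws_compliance.benchmark.ffiec --export=json` and tallies control results per FFIEC domain, so that alarms can be traced back to the domain whose maturity they affect. It assumes the export's nested `groups` / `controls` / `results` / `status` / `title` keys (the JSON layout as I know it from steampipe's exporter) and feeds itself a constructed, abbreviated report when no file path is given.

```python
import json
import sys
from collections import Counter

# Constructed, abbreviated stand-in for a `--export=json` report; key names are an
# assumption about steampipe's export layout, resource ARNs are placeholders.
SAMPLE_REPORT = json.dumps({
    "title": "FFIEC",
    "groups": [
        {"title": "Cyber Risk Management and Oversight (Domain 1)", "groups": [],
         "controls": [
             {"title": "CloudTrail enabled in all regions",
              "results": [{"status": "ok", "resource": "arn:aws:cloudtrail:::trail/placeholder"}]},
             {"title": "AWS Config enabled",
              "results": [{"status": "alarm", "resource": "us-east-1"},
                          {"status": "ok", "resource": "us-west-2"}]}]},
        {"title": "Cybersecurity Controls (Domain 3)", "controls": [],
         "groups": [{"title": "Access and Data Management", "groups": [],
                     "controls": [{"title": "S3 bucket public read prohibited",
                                   "results": [{"status": "alarm", "resource": "arn:aws:s3:::placeholder-a"},
                                               {"status": "alarm", "resource": "arn:aws:s3:::placeholder-b"},
                                               {"status": "skip", "resource": "arn:aws:s3:::placeholder-c"}]}]}]},
    ],
    "controls": [],
})

def tally(group):
    """Recursively count control result statuses under one benchmark group."""
    counts = Counter()
    for control in group.get("controls", []):
        for result in control.get("results", []):
            counts[result.get("status", "unknown")] += 1
    for child in group.get("groups", []):
        counts.update(tally(child))
    return counts

def summarise_by_domain(report_json):
    """Map each top-level child benchmark (an FFIEC domain) to its status counts."""
    report = json.loads(report_json)
    return {g["title"]: tally(g) for g in report.get("groups", [])}

def failing_domains(report_json):
    """Domains with at least one control in alarm or error, most findings first."""
    by_domain = summarise_by_domain(report_json)
    bad = {d: c["alarm"] + c["error"] for d, c in by_domain.items() if c["alarm"] + c["error"]}
    return sorted(bad, key=bad.get, reverse=True)

if __name__ == "__main__":
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for domain, counts in summarise_by_domain(report).items():
        print(f"{domain}: {dict(counts)}")
    print("domains needing attention:", failing_domains(report))
```

Pass the exported report's path as the first argument to analyse a real run instead of the embedded sample.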