Pub. 4 2015 Issue 3
FALL | 2015 BANK BYTES

levels ranging from Least to Most inherent risk (Figure 1). Inherent risk is determined by evaluating 39 questions across five categories.

Cybersecurity Maturity

Once an institution has determined its inherent risk, it can move on to evaluate its cybersecurity maturity. Cybersecurity maturity is determined by answering 494 declarative statements organized into five domains (Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience). Each declarative statement describes activities supporting assessment factors for each domain. There are five maturity levels, starting at the Baseline maturity level and progressing to the highest maturity, the Innovative level (Figure 2). To achieve a maturity level in a domain, all declarative statements in that maturity level and previous levels must be attained and sustained.

Interpreting and Analyzing Assessment Results

Once the Inherent Risk Profile and Cybersecurity Maturity results are complete, management can review inherent risk in relation to maturity for each domain to better understand where they align. In general, as inherent risk increases, maturity levels in each domain should also increase (Figure 3). If management determines the institution's cybersecurity maturity levels are not appropriate based on the institution's inherent risk, the institution should consider reducing inherent risk or developing a plan to improve cybersecurity maturity.

This new, voluntary self-assessment is intended to complement, not replace, an institution's current risk management and cybersecurity program and process. It is designed to be completed periodically and/or as significant operational and technological changes occur. To access the self-assessment or learn more, visit www.ffiec.gov/cyberassessmenttool.htm.

Russ Horn is the president of CoNetrix. CoNetrix is a provider of information technology consulting, IT/GLBA audits and security testing, Aspire IT hosting, and the developer of tandem, a security and compliance software. In addition, CoNetrix has developed a free tandem Cybersecurity Assessment module to help financial institutions complete the new FFIEC Cybersecurity Assessment Tool. Visit CoNetrix at www.conetrix.com.

Figure 1. Inherent Risk Profile Layout (excerpt), FFIEC Cybersecurity Assessment Tool User's Guide

Category: Technologies and Connection Types

Total number of Internet service provider (ISP) connections (including branch connections)
  Least:        No connections
  Minimal:      Minimal complexity (1–20 connections)
  Moderate:     Moderate complexity (21–100 connections)
  Significant:  Significant complexity (101–200 connections)
  Most:         Substantial complexity (>200 connections)

Unsecured external connections, number of connections not users (e.g., file transfer protocol (FTP), Telnet, rlogin)
  Least:        None
  Minimal:      Few instances of unsecured connections (1–5)
  Moderate:     Several instances of unsecured connections (6–10)
  Significant:  Significant instances of unsecured connections (11–25)
  Most:         Substantial instances of unsecured connections (>25)

Wireless network access
  Least:        No wireless access
  Minimal:      Separate access points for guest wireless and corporate wireless
  Moderate:     Guest and corporate wireless network access are logically separated; limited number of users and access points (1–250 users; 1–25 access points)
  Significant:  Wireless corporate network access; significant number of users and access points (251–1,000 users; 26–100 access points)
  Most:         Wireless corporate network access; all employees have access; substantial number of access points (>1,000 users; >100 access points)

Figure 2. Cybersecurity Maturity Levels (Baseline, Evolving, Intermediate, Advanced, Innovative), FFIEC Cybersecurity Assessment Tool User's Guide

Figure 3. Risk/Maturity Relationship (Inherent Risk Levels, Least to Most, plotted against Cybersecurity Maturity Level for Each Domain, Baseline to Innovative), FFIEC Cybersecurity Assessment Tool User's Guide