In light of the increasing volume and sophistication of cyber threats, organizations need to identify their relevant risks, determine their cybersecurity posture and act on it. That much is clear, but it is easier said than done. Organizations need not only an agreed methodology to work by, but also a tool that helps them assess their threat landscape and control maturity and prepare for upcoming threats.
The FFIEC (Federal Financial Institutions Examination Council) has developed a Cybersecurity Assessment Tool, released in June 2015.
The Assessment presents a new view on cybersecurity risk management and consists of two parts: the Inherent Risk Profile and Cybersecurity Maturity. Upon completion of both parts, management can evaluate whether the institution's inherent risk and its preparedness are aligned.
Inherent Risk Profile:
Inherent risk incorporates the type, volume, and complexity of the institution's operations and the threats directed at the institution. Inherent risk does not take mitigating controls into account. The Inherent Risk Profile describes activities across risk categories, with definitions for each level of inherent risk from least to most. The profile helps management determine the exposure that the institution's activities, services, and products pose to the institution, individually and collectively. Cybersecurity inherent risk is the level of risk posed to the institution by the following categories:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
The Assessment's second part is Cybersecurity Maturity, designed to help management measure the institution's level of risk and the corresponding controls. The maturity levels range from baseline to innovative (baseline, evolving, intermediate, advanced, innovative). Cybersecurity Maturity consists of declarative statements used to determine whether an institution's behaviors, practices, and processes can support cybersecurity preparedness within the following five domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
When we look at the big picture of the Assessment, it falls short in several key areas:
- It carries no information about threat actors: their motivations (which assets they target and why), the attack methods they use, and their activity level, i.e. the actual, up-to-date threat landscape.
- It does not produce a measurable result. It leaves the organization itself to set the maturity score, the inherent risk level, and even the relation between the two.
- It does not map threat types to control types, so it says nothing about how much a given control mitigates a specific threat.
- It is not actionable. Assessments like this take a lot of time and resources to conduct, so by the time they are finished the data is already stale (control status changes constantly), and the result says more about "what we should have done in the past" than "what we should do in the future". The organization therefore needs to continuously monitor and measure its control maturity and threat landscape with an automated system.
Overall, the tool describes a solid and important methodology for cybersecurity risk management, but in practice it defines the building blocks of cyber risk management rather than an organized methodology that objectively and unambiguously derives the actual risk level from measurable threats and control maturity. The tool is one more standard (alongside the NIST CSF, FISMA, Israeli Banking Regulation 361, etc.) that lays out the guidelines and principles of a cybersecurity risk management process, but it is not an actionable tool.