FFIEC Cybersecurity Assessment Tool Maturity Level

The Cybersecurity Assessment Tool or Assessment has been issued by The Federal Financial Institutions Examination Council (FFIEC) for its members. This tool is made for banking institutions is used to evaluate a bank’s risk and cybersecurity readiness. The assessments give a process of measurement for their cybersecurity readiness over time. Consisting of two parts the Assessment is made of Inherent Risk Profile and Cybersecurity Maturity.  

Cybersecurity Maturity is designed to measure a banking institution’s level of risk and corresponding controls. Cybersecurity Maturity consists of five sub-levels of maturity: Baseline, Evolving, Intermediate, Advanced, and Innovative. It includes five domains to determine if the institution’s behaviors, practices, and process can support cybersecurity preparedness. The five domains include Cyber Risk Management and oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience. 

Domain 1: Cyber Risk Management and Oversight: Oversees the board of director’s oversight and management’s development and implementation of an effective enterprise. The assessment factors focus on Governance, Risk Management, Resources, and Training and Culture.  

Domain 2: Threat Intelligence and Collaboration: The processes to positively discover, analyze, and understand threats with the ability to share information internally. The assessment factors include Threat Intelligence, Monitoring and Analyzing, and information Sharing. 

Domain 3: Cybersecurity Controls: Methods used to protect assets, infrastructure, and information by reinforcing the institution’s defenses by continuous protection and monitoring. Assessment factors target Preventative Controls, Detective Controls, and Corrective Controls. 

Domain 4: External Dependency Management: Establishes and maintains a comprehensive program to oversee external connections and external dependency’s with access to the bank’s assets and information. The assessment factors focus on Connections and Relationship Management. 

Domain 5: Cyber Incident Management and Resilience: Establishes, identifies, and analyses cyber events. Prioritizes the institution’s containment and escalates information to stakeholders. Cyber resilience involves planning and testing to maintain and recover ongoing operations. Assessment factors include Incident Resilience Planning and Strategy, Detection, Response, Mitigation, and Escalation and Reporting 

Each Domain starts at the Baseline maturity and gradually increases to Innovative.  

Baseline: At this level management reviews and evaluates guidelines 

Evolving: At this level, additional procedures and policies are set with risk driven objectives. Cybersecurity is increased to include information assets and systems. 

Intermediate: At this level, detailed processes occur, controls remain consistent, and risk-management is integrated into business strategies.  

Advanced: Cybersecurity is practices and analytics are included in all businesses. There is also continuous improvement in risk-management processes.   

Innovative: There is a driving innovation in the people, processes and technology in the institution in managing cyber risks, such as making new tools, new controls, or new information sharing groups.