IT Examiner School eBook

Internal Use Only

Overview of FFIEC Cybersecurity Assessment Tool

• Provided by FFIEC as a methodology for financial institutions to use in determining their cybersecurity preparedness.
• Based on NIST 800-53 (National Institute of Standards & Technology)
• In 2015, examiners began reviews to ensure Licensees are at the Assessment “Baseline”, voluntary but strongly encouraged.
• IT Exam process was updated to include regular Cybersecurity reviews
• Divided into two main parts:
  1. Inherent risk assessment
  2. Maturity assessment

Benefits to Financial Institutions

Identifying risk factors that contribute to and determine the institution's overall cyber risk

Assessing the institution's cyber preparedness

Evaluating whether the institution's cybersecurity preparedness is aligned with its inherent risks.

Through directive statements, provides risk management practices and controls that could be taken to achieve the institution's desired state of cybersecurity preparedness

Informs on repeatable risk management strategies