The FFIEC Cybersecurity Assessment Tool (CAT), published in 2015, gives banks a repeatable method to assess their inherent risk profile, rate the maturity of their current controls, and compare the two to see whether cyber security preparedness keeps pace with risk. Using the CAT, banks can see where their security practices fall short and prioritize how to close those gaps. This matters because of the sensitive customer and corporate information that financial institutions must protect from advanced threats, but the CAT's principles apply just as well in other industries.
- Use industry reports, such as the 2015 Verizon PCI Compliance Report, to identify and document the inherent risks you face. For instance, the Verizon report shows that Testing Security Systems (Requirement 11) was the area where companies in the QSA dataset fared worst, with just 33 percent passing all of the PCI DSS controls and testing procedures. Among the breached companies, only 9 percent passed. The takeaway is that the number of systems you will have to test belongs in your inherent risk profile, because it drives both the cost of testing and the likelihood that something is missed.
- Tailor the inherent risk questionnaire by identifying, for each question, which threshold your organization falls into (from least to most risk) based on your actual business operations.
The inherent risk questionnaire covers five categories:
- Technologies and Connection types – This category includes the number of Internet service provider (ISP) and third-party connections, whether systems are hosted internally or outsourced, the number of unsecured connections, the use of wireless access, the volume of network devices, end-of-life (EOL) systems, the extent of cloud services, and the use of personal devices. For instance, healthcare providers often struggle to account for the number of medical devices connected to the network, so this inventory exercise alone can be very informative. And organizations across numerous industries still run EOL systems such as Windows XP and Windows Server 2003, which no longer receive security patches.
- Delivery Channels – This category addresses whether products and services are available through online and mobile delivery channels. While the FFIEC CAT uses ATMs as an example, you might tailor it based on the number of fixed function devices you have in place, such as POS machines.
- Online/Mobile Products and Technology Services – The CAT focuses on payment services, but this section can be tailored around how you accept payments, how that information is secured, and which third parties are involved in the flow. This category also asks whether the enterprise provides technology services to other organizations, since that widens the population affected by a compromise.
- Organizational Characteristics – This covers such areas as: mergers and acquisitions, number of direct employees and cyber security contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers.
- External Threats – The volume and type of attacks (attempted or successful) affect an organization's inherent risk exposure. This category considers the volume and sophistication of attacks targeting the enterprise, and should account for threat actors such as hacktivists, organized crime, and nation states, among others.
- Map out a framework for cyber security maturity using best practices and compliance standards.
The CAT defines cyber security maturity domains that can be applied to other industries to rate the controls an organization has actually achieved, on a scale from baseline to innovative:
- Domain 1 – Cyber Risk Management and Oversight: Governance, Risk Management, Resources, Training, and Culture. List out your company’s policies and risk management processes. Consider how effective your security awareness training is.
- Domain 2 – Threat Intelligence and Collaboration: Monitoring and analyzing, and Information sharing. Does your organization have solutions to alert and remediate against threats, and how quickly can you disseminate information across the organization? Do you have a security solution that provides active intelligence about the current state of your environment?
- Domain 3 – Cybersecurity Controls: Preventative, detective and corrective controls. Document your security stack and map each control to the best-practice framework requirement or industry regulation it satisfies, so that unmapped controls and uncovered requirements both become visible.
- Domain 4 – External Dependency Management: Third party security controls and reviews around connections and relationship management. Look into how you are currently reviewing vendors and contractors, diagram how they receive sensitive information and ask what certifications and best practices they are using.
- Domain 5 – Cyber Incident Management and Resilience: Incident management, response and reporting. Develop – and test – incident response plans. Set recovery time and recovery point objectives for backups, and verify through restore tests that they can actually be met.
Now You’re Ready to Measure Your Cyber Security Maturity
To build the cyber security maturity matrix, map your existing solutions to the regulations or mandates your organization is subject to, incorporating criteria such as organization size or other factors that change what applies to you (e.g., the different merchant levels defined by PCI DSS).
From there you can reference control catalogs such as NIST SP 800-53 or ISO 27001 for further guidance. A practical approach is to map out what those standards recommend and adopt their criteria as the definition of the intermediate or advanced maturity levels in your matrix. Next, research innovative solutions that can move your cyber security to the next level.
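As an added example (not part of the original article, and not the FFIEC's own scoring logic), the following script carries the two steps above through in code: it classifies answers to a tailored inherent risk questionnaire into the CAT's five risk levels, derives an overall inherent risk profile, and then compares the maturity achieved in each of the five domains against the maturity that profile calls for. The numeric thresholds, the sample answers, the sample maturity ratings, the tie-break rule, and the one-step-per-level mapping from risk profile to expected maturity are all assumptions made for illustration; the CAT asks the institution to judge the distribution of its answers rather than prescribing a formula.

```python
"""Inherent risk profile and maturity gap calculator (illustrative example)."""
from collections import Counter
from dataclasses import dataclass

# The five inherent-risk levels and five maturity levels used by the FFIEC CAT.
RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]


@dataclass(frozen=True)
class Question:
    """One inherent-risk question with numeric thresholds.

    `upper_bounds` holds the inclusive upper bound for the first four risk
    levels; any value above the last bound falls into "Most". The bounds used
    below are illustrative assumptions, not the CAT's published thresholds.
    """
    category: str
    name: str
    upper_bounds: tuple  # four ascending integers

    def level(self, value: int) -> int:
        """Return the index into RISK_LEVELS for a numeric answer."""
        for idx, bound in enumerate(self.upper_bounds):
            if value <= bound:
                return idx
        return len(RISK_LEVELS) - 1


# Constructed, tailored questionnaire covering a subset of the five categories.
QUESTIONNAIRE = [
    Question("Technologies and Connection types", "third_party_connections", (0, 20, 100, 200)),
    Question("Technologies and Connection types", "eol_systems", (0, 5, 25, 100)),
    Question("Technologies and Connection types", "unsecured_connections", (0, 2, 10, 25)),
    Question("Delivery Channels", "fixed_function_devices", (0, 10, 100, 500)),
    Question("Organizational Characteristics", "privileged_users", (0, 10, 50, 200)),
    Question("External Threats", "monthly_targeted_attacks", (0, 5, 25, 100)),
]

# Constructed sample answers for a hypothetical organization.
SAMPLE_ANSWERS = {
    "third_party_connections": 45,
    "eol_systems": 30,
    "unsecured_connections": 3,
    "fixed_function_devices": 120,
    "privileged_users": 15,
    "monthly_targeted_attacks": 40,
}

# Constructed sample maturity ratings, one per CAT domain.
SAMPLE_MATURITY = {
    "Domain 1 - Cyber Risk Management and Oversight": "Intermediate",
    "Domain 2 - Threat Intelligence and Collaboration": "Evolving",
    "Domain 3 - Cybersecurity Controls": "Advanced",
    "Domain 4 - External Dependency Management": "Baseline",
    "Domain 5 - Cyber Incident Management and Resilience": "Intermediate",
}


def score_answers(answers: dict) -> dict:
    """Return {question_name: risk level index} for every question in the questionnaire."""
    return {q.name: q.level(answers[q.name]) for q in QUESTIONNAIRE}


def overall_profile(level_by_question: dict) -> str:
    """Derive the overall inherent-risk profile from per-question levels.

    Assumption: the level with the most answers wins, and ties are broken
    toward the higher level so the profile errs on the conservative side.
    """
    counts = Counter(level_by_question.values())
    best_level, _ = max(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return RISK_LEVELS[best_level]


def expected_maturity(profile: str) -> str:
    """Assumed minimum maturity for a profile: one maturity step per risk level."""
    return MATURITY_LEVELS[RISK_LEVELS.index(profile)]


def maturity_gaps(profile: str, achieved: dict) -> list:
    """Return (domain, achieved, expected) for each domain below the expected floor."""
    floor = MATURITY_LEVELS.index(expected_maturity(profile))
    return [
        (domain, level, MATURITY_LEVELS[floor])
        for domain, level in achieved.items()
        if MATURITY_LEVELS.index(level) < floor
    ]


def assess(answers: dict, achieved: dict) -> dict:
    """Run the full assessment and return the profile plus the list of gaps."""
    profile = overall_profile(score_answers(answers))
    return {"profile": profile, "gaps": maturity_gaps(profile, achieved)}


if __name__ == "__main__":
    result = assess(SAMPLE_ANSWERS, SAMPLE_MATURITY)
    print("Inherent risk profile:", result["profile"])
    for domain, have, want in result["gaps"]:
        print(f"GAP  {domain}: achieved {have}, expected at least {want}")
```

With the sample data the six answers split evenly between Moderate and Significant, so the conservative tie-break yields a Significant profile, which under the assumed mapping calls for Advanced maturity; four of the five domains then show up as gaps, and only Domain 3 clears the bar. Swapping the thresholds, the tie-break rule, or the profile-to-maturity mapping for the ones your own risk committee agrees on is the tailoring step the article describes.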
This process will take some fine tuning, but knowing your institution's risk posture and where its control gaps lie will not only help you during your next audit but also give management a documented basis for confidence in its protection against advanced threats.