If you have not done so, an excellent tool worthy of your review time is the FFIEC Cybersecurity Assessment Tool. The breakdown of the tool is as follows:
Cyber Risk Management and Oversight (Domain 1)
Threat Intelligence and Collaboration (Domain 2)
Cybersecurity Controls (Domain 3)
External Dependency Management (Domain 4)
Cyber Incident Management and Resilience (Domain 5)
Under each Domain are certain Assessment Factors:
Training and Culture
Monitoring and Analyzing
Incident Resilience Planning and Strategy
Detection, Response, and Mitigation
Escalation and Reporting
The Assessment Factors are further broken down into subcategories and then comes an excellent feature – the breakdown into Baseline, Evolving, Intermediate, Advanced and Innovative characteristics.
Baseline items give specifics (complete with references from the FFIEC Information Security Booklet).
Here is one specific example from Baseline:
Domain: Cyber Risk Management and Oversight; Assessment Factor: Governance Oversight
Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs. (FFIEC Information Security Booklet, page 3)
Information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory alerts. (FFIEC Information Security Booklet, page 6)
Management provides a written report on the overall status of the information security and business continuity programs to the board or an appropriate board committee at least annually. (FFIEC Information Security Booklet, page 5)
The budgeting process includes information security related expenses and tools. (FFIEC E-Banking Booklet, page 20)
Management considers the risks posed by other critical infrastructures (e.g., telecommunications, energy) to the institution. (FFIEC Business Continuity Planning Booklet, page J-12)
To pick another example under this same category:
The board- or board-committee-approved cyber risk appetite statement is part of the enterprise-wide risk appetite statement.
Management has a formal process to continuously improve Cybersecurity oversight.
The budget process for requesting additional Cybersecurity staff and tools maps current resources and tools to the Cybersecurity strategy.
Management and the board or an appropriate board committee hold business units accountable for effectively managing all cyber risks associated with their activities.
Management identifies root cause(s) when cyber attacks result in material loss.
The board or an appropriate board committee ensures that management’s actions consider the cyber risks that the institution poses to the financial sector.
This is definitely a tool you will NOT want to overlook: study it carefully and incorporate it into your overall Cybersecurity Risk Assessment Process.