Risk Assessment Toolbox

NIST defines cybersecurity as "the process of protecting information by preventing, detecting, and responding to attacks." Managing both internal and external threats and vulnerabilities to infrastructure and information assets is therefore part of an institution's cybersecurity program, and the Assessment described here is one structured way to do that.

The content of the FFIEC Cybersecurity Assessment Tool (the Assessment) is consistent with the principles of the FFIEC Information Technology Examination Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as industry-accepted cybersecurity practices. The Assessment gives institutions a repeatable and measurable process for informing management of the institution's risks and cybersecurity preparedness.

The Assessment consists of two parts: the Inherent Risk Profile and Cybersecurity Maturity. The Inherent Risk Profile identifies the institution's inherent risk, that is, the risk present before controls are applied. Cybersecurity Maturity is organized into domains, assessment factors, components, and individual declarative statements across five maturity levels (Baseline, Evolving, Intermediate, Advanced, and Innovative) to identify the specific controls and practices that are in place. A maturity level is attained only when every declarative statement at that level, and at each level below it, is met. Management can determine the institution's maturity level in each domain, but the Assessment is not designed to produce a single overall cybersecurity maturity level.

To complete the Assessment, management first assesses the institution's Inherent Risk Profile across five categories:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

Management then evaluates the institution's Cybersecurity Maturity level in each of five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

By reviewing the Inherent Risk Profile alongside the maturity levels across the domains, management can determine whether the institution's maturity is appropriate for its level of risk. Where it is not, the institution can act either to reduce its inherent risk or to raise its maturity in the affected domains. This process is intended to complement, not replace, the institution's existing risk management process and cybersecurity program.

ThreatAdvice has automated the FFIEC Cybersecurity Assessment Tool, which is aligned with the NIST Cybersecurity Framework.

Call your ThreatAdvice advisor for more information on a complete cyber risk assessment.