Feds Create Cybersecurity Program for Banks

If you are involved in the management of a commercial bank, you should know that the Federal Financial Institutions Examination Council (FFIEC) has developed a Cybersecurity Assessment Tool that was released in June 2015. As a cybersecurity practitioner who provides security audits, compliance audits, vulnerability scans, and penetration tests, I was encouraged to see another example of a federal government agency getting serious about improving cybersecurity practices for their client community.

This is a paper-based self-assessment tool, and as such is flawed by the biases, errors, and oversights of the person or persons performing the assessment.  Nevertheless, this exercise is a great launching pad for a cybersecurity strategy development program.  According to the FFIEC, the process is this:

“To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

“Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience”

For more information you can refer to the links below, and download the assessment documents.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
