FFIEC Cybersecurity Assessment Tool

The Federal Financial Institutions Examination Council (FFIEC) recently developed a Cybersecurity Assessment Tool in response to the increasing volume and sophistication of cyber threats against financial institutions, which it published this past June. During our recent attendance at the American Institute of Certified Public Accountants (AICPA) National Advanced Accounting and Auditing Technical Symposium, we were provided a stark reminder that the volume, frequency and scale of cyberattacks rise year over year, and that the importance of risk management in protecting companies and their customers is rising with them. Additionally, the symposium highlighted the lack of security awareness within organizations; it has been estimated that over 80% of employees are unable to detect even the most common and frequent attacks, such as phishing scams. Further, many organizations need guidance on what actions to take to mitigate the risks posed by the rise in cybercrime. The FFIEC's Assessment Tool aims to help institutions do this by providing management with a framework for evaluating how prepared their organization is to mitigate cyber risk, and by providing recommendations to leadership.

The Assessment Tool consists of two parts: measuring the organization's inherent risk level, and determining the organization's cybersecurity maturity. The inherent risk measurement is intended to inform management of their level of risk exposure (the likelihood of attack) and takes into account the type, volume, and complexity of the institution's operations and the corresponding threats; it is measured along a five-unit scale from "Least Inherent Risk" to "Most Inherent Risk" across five potential risk categories:

  1. Technologies and Connection Types
  2. Delivery Channels
  3. Online/Mobile Products and Technology Services
  4. Organizational Characteristics
  5. External Threats

Cybersecurity maturity is a measure of an institution's preparedness for cybercrime incidents, based on an evaluation of its controls to prevent, detect, and respond to attacks. Cybersecurity maturity is also measured along a five-unit spectrum, with "Baseline" the least mature and "Innovative" the most mature. An organization measures its cybersecurity maturity across five domains:

  1. Cyber Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. External Dependency Management
  5. Incident Management and Resilience

The assessment should be completed by senior management, drawing on the specialized knowledge of the organization's staff as needed. In order to be effective, the assessment should be completed periodically to ensure it is updated as the organization changes. An organization's inherent risk profile and corresponding maturity level will shift over time as threats, vulnerabilities, and operations change. It is beneficial to repeat the assessment before a new product, service or initiative is launched; doing so will help management understand how these changes will affect the organization's inherent risk profile.

Once an institution has determined its inherent risk and corresponding cybersecurity maturity level across all five domains, management must determine their organization's risk appetite and adopt an optimal level of mitigating controls for their organization; the more inherent risk an organization faces, the stronger its risk mitigation strategy should be. The FFIEC provides a matrix that illustrates the relationship between the inherent risk level associated with the operating environment and the maturity level of the security controls that achieve risk mitigation. Recognizing gaps between the risk level and the maturity level can inform efforts to improve the institution's cybersecurity awareness and preparedness. Note that the FFIEC does not identify a correct level of cybersecurity for every organization; this may be an area where a trusted, independent advisor can be used to help determine an organization's risk appetite.

The FFIEC Cybersecurity Assessment Tool is not designed to provide a comprehensive measure of all the risks your institution faces, as cyberattacks are only one avenue of risk. The cybersecurity assessment, along with a thorough fraud risk assessment, should be incorporated into your existing enterprise risk management (ERM) program to ensure it is integrated into your organization's governance processes, information security, business continuity, and third-party management. For more information on how the FFIEC Cybersecurity Assessment Tool can help your organization guard against cybercrime, or to ask how the services of beat365最新地址 can help you determine your risk profile, cybersecurity maturity level, and opportunities for improvement, please contact Pat Morin, principal, at 1.800.244.7444.

Disclaimer: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.