IT RISK ASSESSMENT
The FFIEC Cybersecurity Assessment Tool (CAT) is a diagnostic test that helps institutions identify their risk level and determine the maturity of their cybersecurity programs. This assessment measures risk levels across several categories, including delivery channels, connection types, external threats, and organizational characteristics. Ultimately, the results allow management to make risk-driven security management decisions through regular cybersecurity assessments using standardized criteria for risk measurement.
The FFIEC Cybersecurity Assessment Tool measures both the security risk present in an institution and the institution's preparedness to mitigate that risk. These two factors are measured across the following categories:
Technologies and Connection Types
Some types of technologies and the networks they connect to come with a higher inherent risk level. In this category, we examine the number of connections from third parties and ISPs, the number of unsecured connections, whether hosting is outsourced or handled internally, and several other factors.
Delivery Channels
Some delivery channels for company products and services pose a higher risk than others. More delivery channels, and more diverse delivery channels, mean a higher inherent risk. In this category, the risk is measured across websites, web and mobile applications, and ATMs.
Online and/or Mobile Products and Tech Services
The security of an institution varies depending on the technology products and services it offers. Payment services and transaction services such as credit cards, wire transfers, person-to-person payments, and correspondent banking all come with different security challenges that are assessed in this category.
Organizational Characteristics
In this category, characteristics of the institution itself are examined, including the number of direct employees, changes in security staff, number of users with elevated security privileges, locations of data centers, and more.
External Threats
The number of attacks (and the type of attacks) sustained by an organization factors into its risk assessment under this section.
Cyber Risk Management and Oversight
Does the board of directors oversee management's commitment to an institution-wide cybersecurity program? This assessment examines oversight in terms of strategy, policies, robustness of the risk management program, staffing and budgeting of the program, culture, and training.
Threat Intelligence and Collaboration
What processes are in place to uncover, analyze, and share findings on evolving cybersecurity threats? In this domain, management grades the institution in terms of threat intelligence, monitoring/analyzing, and relationships between peers and internal stakeholders that facilitate or hinder cyber threat information sharing.
Cyber Incident Management Resilience
In this domain, we assess how the organization evaluates its response to cyber threat events, including planning and testing to recover normal operations after an event.
Cybersecurity Controls
What's the current maturity of controls in place to protect infrastructure, assets, and information through constant, automated monitoring and protection? In this domain, controls are assessed from detective, preventative, and corrective perspectives.
External Dependency Management
This FFIEC maturity assessment domain delves into the organization's existing program to oversee and manage third-party relationships and external connections that have access to the enterprise's information and technology assets.