Written by: Cory R. Lunn
As outlined in our article, FFIEC’s New Cybersecurity Assessment Tool: An Overview, the Federal Financial Institutions Examination Council (FFIEC) developed a Cybersecurity Assessment Tool to enhance cybersecurity awareness and preparedness in the financial industry. The assessment tool aids institutions in identifying their inherent cybersecurity risk profile and evaluating the maturity of their cybersecurity program. An institution determines its maturity level through self-assessment of each of the tool’s five domains. This article focuses on the first domain, Cyber Risk Management and Oversight.

The Cyber Risk Management and Oversight domain evaluates management’s implementation and oversight of an effective cybersecurity program. An effective program includes comprehensive policies and procedures that establish accountability and detail oversight responsibilities. An institution assesses the domain by determining its maturity level across the following four assessment factors:

  • Governance
  • Risk Management
  • Resources
  • Training and Culture

In assessing governance, management must determine whether the Board and senior management have implemented the strategies, policies, and oversight needed for an effective cybersecurity program. Management must also assess the institution’s process for managing its IT assets, since an accurate inventory of hardware, software, and data is the foundation for the rest of the program. Assessing risk management allows management to determine the maturity of its risk identification, assessment, and mitigation processes, as well as the adequacy of internal audit’s review of key controls.

The assessment of resources determines whether the institution has sufficient staff, expertise, and tools to manage its risk environment. Finally, management must assess training and culture to determine the maturity of the institution’s cybersecurity awareness training program for employees, and whether the institution has established an environment in which employees are expected, and equipped, to identify and report threats.

Management’s assessment of the Cyber Risk Management and Oversight domain allows the institution to identify weaknesses and to establish plans to improve its cybersecurity preparedness. In assessing the domain, management should remember that an effective cybersecurity program begins with a culture and a management team dedicated to addressing cybersecurity.

In subsequent issues of this Banking Technology Connection newsletter, the remaining four domains will be discussed to identify the factors management must assess in order to determine the institution’s maturity level.

If you have any questions or if you would like a review of your cybersecurity preparedness, please contact Cory R. Lunn, IT Assurance Senior Consultant, at 617-261-8187 or