
Written by: Ryan J. Rodrigue, CISA, CISSP
After previously covering the first two domains of the FFIEC’s Cybersecurity Assessment Tool, we now continue on to the third domain: Cybersecurity Controls.

Cybersecurity controls are the practices and processes an institution uses to protect its assets, information, and infrastructure, strengthening its defensive posture through continuous, automated protection and monitoring. Maturity in this domain is assessed across three assessment factors, which should be familiar to information security professionals:

Preventative Controls are designed to deter and prevent cyber attacks. This assessment factor includes infrastructure management, access and data management, device/end-point security, and secure coding practices. Strong preventative controls don’t just include technological protection, such as firewalls and anti-virus; they also include measures like proper security awareness training for employees and fences/locks to prevent intruders.

Detective Controls alert an organization whenever network or system irregularities occur, since those can indicate that an incident has already happened or is under way. These irregularities include distinct attack signatures, such as a known exploit or malware infection, as well as unusual or anomalous behavior that matches no known signature. Configuring system monitoring and intrusion detection systems to flag the right activity across all systems, without burying analysts in false positives, is a real challenge, and the tuning will largely be informed by the indicators and intelligence gathered under Domain 2 (Threat Intelligence and Collaboration).

Corrective Controls are used to resolve system and software vulnerabilities. This is done mainly through patch management and remediation of issues identified by vulnerability scans or penetration testing. Automatic software updates and upgrades, effective vulnerability remediation that is verified by re-scanning rather than assumed from a change ticket, and regular testing of backups (including actual restores) all contribute to strong controls in this assessment factor.

Reviewing your cybersecurity controls will help to prevent and mitigate cyber attacks. Strong controls in this area are vital to protecting your institution from potential threats and to identifying attacks quickly, before a system can be compromised.

If you have any questions or if you would like a review of your cybersecurity preparedness, please contact Ryan J. Rodrigue, CISA, CISSP, IT Assurance Senior Manager, at 617-428-5443 or