Written by: Alexander T. Hintlian, CISA 
After previously covering the first three domains of the FFIEC’s Cybersecurity Assessment Tool, we now continue on to the fourth domain: External Dependency Management. 

External dependency management involves establishing and maintaining a comprehensive vendor management program to oversee and manage the external connections and third-party relationships that can access your institution’s network and information. Two assessment factors can be used to evaluate an institution’s maturity level within this domain:

Connections include the identification, monitoring, and management of external connections and data flows to third parties. Institutions should document a network diagram identifying all external connections. In addition, data flow diagrams should identify how exactly information is shared with third parties.

Relationship Management addresses initial vendor due diligence, contract reviews, and ongoing monitoring to validate that third parties have appropriate cybersecurity controls in place to safeguard your institution’s data.

This domain stresses the importance of strong vendor management controls because a third-party breach can have a major impact on an institution’s reputation or the stability of the national financial system as a whole. Even if you already have a documented network diagram and vendor management program in place, assessing your institution’s maturity against the External Dependency Management domain will help you identify any weaknesses and develop plans to strengthen your institution’s overall cybersecurity program.

If you have any questions or if you would like a review of your cybersecurity preparedness, please contact Alexander T. Hintlian, CISA, IT Assurance Supervisor, at 617-933-3346 or