New Tool Designed to Help Banks Evaluate Cyber Risk
On June 30, 2015, the Federal Financial Institutions Examination Council rolled out a new assessment tool for financial organizations, with the aim of helping them detect and defend against security risks.
The Cybersecurity Assessment Tool walks users through the process of analyzing their own systems, personnel policies and technology infrastructure to determine how prepared they are to defend against threats like data theft and hacking.
The assessment is divided into two sections – Inherent Risk Profile, and Cybersecurity Maturity – with five points of focus for each section:
Inherent Risk Profile
This section of the assessment offers guidelines for assigning five risk levels – least, minimal, moderate, significant and most – to each activity, service or product. For example, wireless network access would be scored “most at risk” if a business has more than 1,000 employees with wireless network access, and more than 100 access points.
The Inherent Risk Profile’s five focus areas, and some of their specifics, are:
Technology and Connection Types – The number of Internet Service Providers and third-party connections, wireless access, personal devices and extent of cloud services.
Delivery Channels – The variety and number of delivery channels, such as ATMs and online delivery of products.
Online/Mobile Products and Technology Services – Payment services, such as debit and credit cards, retail wire transfers, person-to-person payments and correspondent banking.
Organizational Characteristics – Mergers and acquisitions, number of users with privileged access, number of cybersecurity contractors and locations and operations of data centers.
External Threats – Volume of attempted or successful cyber attacks, along with the volume and sophistication of such attacks.
This section specifies five maturity level ratings: Baseline, evolving, intermediate, advanced and innovative. A “baseline” rating would indicate an organization is following minimum requirements, whereas an “innovative” rating could indicate an organization is developing processes or technologies that protect the business and the industry from cyber threats.
The Cybersecurity Maturity assessment’s five focus areas, and some of their specifics, are:
Cyber Risk Management and Oversight – Policies, risk management programs, ensuring staff or external IT consultants have expertise appropriate for a firm’s level of risk, employee training and awareness about cybersecurity.
Threat Intelligence and Collaboration – An organization’s ability to detect and analyze threat, and how it shares threat information with peers or third parties.
Cybersecurity Controls – Device and end-point security, automated threat monitoring, alerts about system irregularities and the ability to correct system and software deficiencies.
External Dependency Management – Monitoring and management of data flow with third parties, and due diligence and contracts that keep the institution secure.
Cyber Incident Management and Resilience – Resilience planning and testing, disaster recovery plans and procedures for internal escalation and reporting of cyber attacks.
For financial institutions, or any business that handles secure and sensitive information, mitigating the risk of a cyber attack is a big concern. That’s why Lifeline Data Centers uses complex security protections in our colocation data center, and why we have a staff with extensive security and compliance expertise.
If you’re looking for a safe place for your server or other IT systems, find out what Lifeline can do for you. Schedule a tour today.