MODULE 2 – APPLIED STANDARDS AND
CYBERSECURITY RISK MANAGEMENT
FEDERAL FINANCIAL INSTITUTIONS EXAMINATION
COUNCIL (FFIEC) CYBERSECURITY ASSESSMENT TOOL
APPLICATION OF FFIEC CYBERSECURITY ASSESSMENT TOOL
Lab Description: In this lab, students will apply the FFIEC Cybersecurity
Assessment Tool to a hypothetical case study. The student will determine the
appropriate inherent risk profile and the cybersecurity maturity level for
each domain.
Lab Environment: The students should have accessed the FFIEC
Cybersecurity Assessment Tool website to download lab files.
Lab Files that are Needed: Students will need the FFIEC Cybersecurity
Assessment Tool documents: Overview for Chief Executive Officers and
Boards of Directors, User’s Guide, Inherent Risk Profile and Cybersecurity
Maturity (can be downloaded at
https://www.ffiec.gov/cyberassessmenttool.htm).
LAB EXERCISE: A HYPOTHETICAL CASE
Management wants you to assess the cybersecurity of your organization
using the FFIEC Cybersecurity Assessment Tool. You started researching the
tool on the web.
Step 1: Read the Overview for Chief Executive Officers and Boards of Directors
Step 2: Read the User’s Guide
Step 3: Complete the Inherent Risk Profile
Step 4: Complete the Cybersecurity Maturity part
Step 5: Interpret the Assessment Results
This document is licensed with a Creative Commons Attribution 4.0 International License ©2017 Catalyzing Computing and Cybersecurity in Community Colleges (C5).
INFORMATION ABOUT THE ORGANIZATION FOR INHERENT RISK PROFILE
In order to complete the assessment using the tool, you need more
information about the organization. After contacting the relevant people
within the organization multiple times, you finally gathered the
following information:
1. The total number of Internet service provider (ISP) connections is 23.
2. The number of unsecured external connections (connections, not users) is 13.
3. In the corporate wireless network, there are 789 users and 64 access points.
4. Multiple types of personal devices are allowed to connect to the corporate network, and this is available to 13% of employees.
5. There are seven third parties, and almost 150 individuals have access to the systems.
6. There are seven wholesale customers with dedicated connections.
7. There are 19 vendor applications supporting critical activities.
8. There are 103 vendor-developed applications supporting critical activities.
9. There are 307 technologies that support critical activities.
10. Several systems will reach end-of-life within two years.
11. A large number of open source software (OSS) components support critical operations.
12. There are almost 33,000 network devices.
13. 52 third-party service providers store and process information that supports critical activities.
14. There are six cloud service providers.
15. The organization’s website serves as a delivery channel for retail customers. The organization has social media pages.
16. Mobile applications are offered to retail customers.
17. ATM service is offered, but the machines are managed by a third party.
18. The organization has issued debit and credit cards to 77,932 customers.
19. The organization has issued 13,763 prepaid cards.
20. Emerging payment technologies are indirectly accepted.
21. The monthly average person-to-person transaction volume is 59,726.
22. The organization originates ACH debits and credits; daily volume is almost 4%.
23. Daily originated wholesale payment volume is almost 4%.
24. Wire transfers are offered through online and other channels. Daily volume reaches almost 9% of total assets.
25. The company does not offer merchant remote deposit capture.
26. Gross daily global transaction volume is 2% of total assets on average.
27. The company does not offer treasury services.
28. The company does not offer trust services.
29. The company acts as a correspondent bank for 22 institutions.
30. The company does not act as a merchant acquirer.
31. The company does not host IT services for other organizations.
32. The company is open to merger discussions.
33. There are 23,589 employees.
34. There is some turnover in senior IT positions.
35. The level of turnover in administrators affects operations.
36. Changes in the IT environment are infrequent.
37. The company has locations in multiple regions of one country.
38. Data centers are in multiple regions of one country.
39. The company experiences cyber attacks at a volume of almost 200 per month.
INFORMATION ABOUT THE CYBERSECURITY MATURITY PART
Using the following statements, determine the cybersecurity maturity level
of the organization for two assessment factors taken from two different
domains (evaluate each one separately).
Domain 1: Cyber Risk Management and Oversight
Assessment Factor: Risk Management
Criteria: Risk Management Program
Baseline
1. An information security and business continuity risk management
function(s) exists within the institution.
Evolving
2. The risk management program incorporates cyber risk identification,
measurement, mitigation, monitoring, and reporting.
3. Management reviews and uses the results of audits to improve
existing cybersecurity policies, procedures, and controls.
4. Management monitors moderate and high residual risk issues from
the cybersecurity risk assessment until items are addressed.
Intermediate
5. The cybersecurity function has no clear reporting line.
6. The risk management program does not address cyber risks beyond
the boundaries of the technological impacts.
7. There are no benchmarks or target performance metrics.
8. Management uses the results of independent audits and reviews to
improve cybersecurity.
9. There is a process to analyze and assign potential losses and related
expenses, by cost center, associated with cybersecurity incidents.
Domain 2: Threat Intelligence and Collaboration
Assessment Factor: Threat Intelligence
Criteria: Threat Intelligence and Information
Baseline
1. The institution belongs to a threat and vulnerability information
sharing source that provides information on threats.
2. Threat information is used to monitor threats and vulnerabilities with
some compensating controls.
3. Threat information is used to enhance internal risk management and
controls.
Evolving
4. Threat information received by the institution does not include
analysis of tactics, patterns, and risk mitigation recommendations.
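The following is an added example, not part of the lab document or of the FFIEC tool itself. It encodes the two scoring rules a student applies in Steps 3 and 4 as described in the User’s Guide: a maturity level is attained only when every declarative statement in that level and in all lower levels is answered "Yes" or "Yes with compensating controls", and the overall inherent risk profile is reached by tallying how many statements fall in each risk level and then applying management judgment. The answer codes ("Y", "YCC", "N"), the function names, and all statement texts and ratings below are constructed for illustration; they are not the answers to this lab.

```python
# Added example (not part of the lab document): a small evaluator for the
# maturity and inherent-risk scoring rules described in the FFIEC CAT
# User's Guide. Statement texts, answers and ratings are constructed.
from collections import Counter

# Maturity levels in the order the tool requires them to be attained.
MATURITY_LEVELS = ("Baseline", "Evolving", "Intermediate", "Advanced", "Innovative")

# Inherent risk levels used by the Inherent Risk Profile, lowest to highest.
RISK_LEVELS = ("Least", "Minimal", "Moderate", "Significant", "Most")

# Shorthand answer codes (assumed here): "Y" = Yes, "YCC" = Yes with
# compensating controls, "N" = No. Both "Y" and "YCC" count as attained.
ATTAINED_ANSWERS = {"Y", "YCC"}


def maturity_level(answers_by_level):
    """Return the highest maturity level attained, or None if Baseline is not.

    answers_by_level maps a level name to a list of answers, one per
    declarative statement. A level is attained only when every statement in
    it and in all lower levels is "Y" or "YCC". A level with no answers
    supplied stops the evaluation, so the result never exceeds the highest
    level actually assessed.
    """
    attained = None
    for level in MATURITY_LEVELS:
        answers = answers_by_level.get(level, [])
        if not answers or any(a not in ATTAINED_ANSWERS for a in answers):
            break
        attained = level
    return attained


def unmet_statements(answers_by_level, statements_by_level):
    """Return (level, statement) pairs not attained in the next level up.

    These are the items that block the next maturity level, which is what
    the interpretation step should comment on.
    """
    current = maturity_level(answers_by_level)
    idx = 0 if current is None else MATURITY_LEVELS.index(current) + 1
    if idx >= len(MATURITY_LEVELS):
        return []
    nxt = MATURITY_LEVELS[idx]
    pairs = zip(statements_by_level.get(nxt, []), answers_by_level.get(nxt, []))
    return [(nxt, text) for text, ans in pairs if ans not in ATTAINED_ANSWERS]


def inherent_risk_summary(statement_ratings):
    """Tally inherent risk statements per level and suggest an overall level.

    statement_ratings maps a statement label to the risk level selected for
    it. Returns (counts, suggested): counts per level in RISK_LEVELS order,
    and the level holding the most statements (lowest level wins a tie).
    The User's Guide leaves the overall profile to management judgment, so
    the suggestion is a starting point, not a rule.
    """
    counts = Counter(statement_ratings.values())
    ordered = {level: counts.get(level, 0) for level in RISK_LEVELS}
    suggested = max(RISK_LEVELS, key=lambda lvl: ordered[lvl])
    return ordered, suggested


# Constructed sample: Baseline and Evolving fully attained, one Intermediate
# statement answered "N", so the component stops at Evolving.
SAMPLE_STATEMENTS = {
    "Baseline": ["Risk management function exists"],
    "Evolving": ["Program covers identification through reporting",
                 "Audit results drive improvements"],
    "Intermediate": ["Clear reporting line for cybersecurity function",
                     "Benchmarks and target metrics defined"],
}
SAMPLE_ANSWERS = {
    "Baseline": ["Y"],
    "Evolving": ["Y", "YCC"],
    "Intermediate": ["N", "Y"],
}

# Constructed ratings for a handful of inherent risk statements.
SAMPLE_RISK = {
    "ISP connections": "Moderate",
    "Wireless access": "Significant",
    "Cloud providers": "Moderate",
    "Prepaid cards": "Minimal",
}

if __name__ == "__main__":
    print(maturity_level(SAMPLE_ANSWERS))
    print(unmet_statements(SAMPLE_ANSWERS, SAMPLE_STATEMENTS))
    print(inherent_risk_summary(SAMPLE_RISK))
```

To use it for the lab, replace the constructed dictionaries with one answer per declarative statement from the two criteria above and one rating per statement from the Inherent Risk Profile worksheet; the unmet-statement list is the material for the written interpretation.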
INTERPRETATION OF THE ASSESSMENT RESULTS
In order to review the institution’s risk profile in relation to its
cybersecurity maturity level, use the following relationship matrix.
Provide comments on your findings.
Figure 1. Relationship Matrix
WHAT TO SUBMIT
1. Inherent risk summary table (similar to Figure 2 in the User’s Guide)
2. Relationship matrices and interpretation for the two given criteria
from Domains 1 and 2.
Submit your answers as a PDF or Word document.