Preparing for FFIEC CAT Sunset: Key Takeaways for Financial Institutions
The Federal Financial Institutions Examination Council (FFIEC) has announced that it will phase out its Cybersecurity Assessment Tool (CAT) by August...
3 min read
Randy Lindberg : 12 Dec 2019
When I get questions about the name “Rivial” I tend to cringe a little. Way back in 2008 when the idea was born, the concept was this: information security is not a trivial matter, but managing it should be. If you take the word ‘trivial’ and remove the ’t’ you get rivial. It’s a made up word taken from that cheesy tag-line. It’s easy to see why we quickly dropped that tag-line...
The management of any complex program can be challenging, and managing a cybersecurity program in today’s high-stakes, always-changing world of regulations and evolving attacks is downright intimidating. It turns out there was some insight into that cheese-tastic statement from over a decade ago. Despite the company making a handful of slight pivots along the way, the core goal has remained the same. That is to make our client’s lives easier.
Since 2011, Rivial has been a virtual CISO to financial institutions. I want to further our goal of making people’s lives easier by outlining the key areas we manage so that you can evaluate your cybersecurity program’s overall maturity.
If you’re at a financial institution, you might be thinking that there is already a way to evaluate a bank’s or credit union’s cybersecurity program. It’s called the FFIEC Cybersecurity Assessment Tool (CAT), the FDIC’s Information Technology Risk Examination (InTREx) or the NCUA’s Automated Cybersecurity Examination Tool (ACET). Most of the elements of a solid cybersecurity program are contained within these documents. The catch is that they are broken into individual line items called declarative statements, also referred to as cybersecurity controls. The CAT controls are organized by maturity levels (baseline, evolving, intermediate, advanced, and innovative) to help financial institutions determine what level they are at, or should be at.
In an attempt to make your life easier, I would like to suggest an alternative approach to managing the maturity of a cybersecurity program. We use a more holistic structure, using areas of information security rather than the list of 494 individual line items that can be found in the CAT.
The first step to building a mature information security program is implementing a policy framework. This is a set of policies, approved by the Board of Directors, that instructs the organization on cybersecurity matters. Most financial institutions should have at least 8-10 individual policies (not you Bank of America, you probably have a few more) in place for a mature framework, starting with a concise 3-5 page document that outlines the program itself. There should be a comprehensive information security policy that specifies how the organization will handle system access, security training, and other key areas. We have also found some topics, such as vendor management and mobile device management, are important enough to warrant their own policy document.
The area of IT Risk covers a lot of ground, and is the fundamental element of the cybersecurity program. IT Risk Management is where you establish a risk tolerance, measure risk across the organization’s IT assets, and manage risk by comparing it to the stated tolerance and treating it in some way (accept, transfer, mitigate). These are the security controls designed to reduce risk and may not be covered by the compliance area (hint: the very next paragraph).
Aside from risk management, which is about being secure, financial institutions also need to comply with GLBA. This typically means ensuring all of the declarative statements (controls) are in place for a designated maturity level within the CAT for banks, or the ACET for credit unions. As I mentioned earlier in this article, there are controls in the CAT/ACET that cover policies, risk assessment, and other areas. Looking at individual controls to build a security program, like these programs do, is a very inefficient and unorganized approach. That would be like designing a house by looking at each individual piece of wood.
One of the areas identified in policies, risk management, and compliance is security testing. Security testing consists of vulnerability assessment and penetration testing, inside and outside the network, as well as social engineering to test employee resistant to phishing and pretext calling attacks. If the organization writes its own software code, testing should also include web application security testing.
Closely related to and in some cases overlapping social engineering testing, is user awareness training. All employees are part of the security program and need to know the basics of information security. IT admins and department managers with elevated privileges and executives prone to spear phishing, should receive additional training beyond what standard employees get. Developing or finding the right materials and tracking the organizations progress are keys to a mature cybersecurity program.
As we all know, no amount of security controls can reduce risk to zero. Unfortunately it just isn’t possible. This means every organization needs a plan for responding to cybersecurity incidents. The plan should outline who is going to perform what activities to identify, contain, eradicate, and recover from incidents. To be fully mature the plan must also be tested regularly to identify gaps and areas for improvement. I also recommend pre-vetting 2-3 computer forensics vendors now, before an incident occurs. Perform the required vendor due diligence ahead of time so you don’t end up in a pinch when there is a need to move quickly.
A competent virtual CISO can tie it all together. With the proper security expertise and a solid maturity model, a financial institution can implement the right cybersecurity program to protect customer/member information while not spending tens of thousands on unnecessary effort or solutions.
Focusing on the areas above will help organize the overall information security program and build a strategic road map. Because, you know... information security is not a trivial matter, but managing it should be.
Learn more about how we manage cybersecurity programs with our virtual CISO solution.
The Federal Financial Institutions Examination Council (FFIEC) has announced that it will phase out its Cybersecurity Assessment Tool (CAT) by August...
ANOTHER CONTROL SET?!!
Our hearts go out to those impacted by COVID-19. This is an unprecedented and very stressful time in our history. However, if I try to stay positive,...