CISOs of leading organizations agree that a systematic and unified approach to assessing their organization's cyber security posture is an essential step toward data security. Several competing as well as complementary standards and regulations governing the protection of sensitive data have been issued by standards bodies, regulators and service providers. These include the following:
- PCI DSS for cardholder data
- GDPR for any organization that offers goods or services to, or collects personal data from, individuals in the EU
- Sarbanes-Oxley (SOX) for publicly traded companies, including the IT controls that support financial reporting
- HIPAA and HITECH for the security of protected health information
- The FFIEC Cybersecurity Assessment Tool (CAT), developed by the Federal Financial Institutions Examination Council as a comprehensive assessment framework for financial institutions
The FFIEC CAT was developed by the council members to provide a comprehensive guide that helps organizations identify their cybersecurity risks and shortcomings. The CAT then provides applicable steps to improve cybersecurity preparedness based on the organization's inherent risk profile and the threats it may face. The benefits of employing the assessment include the following:
- Defining risk management strategies
- A thorough assessment of the organization's cybersecurity preparedness
- Clearly identifying and determining the organization's overall cyber risk
- Fully evaluating and aligning the organization's cybersecurity posture with its risks
- A defined project plan and process for reaching and demonstrating compliance
- A formal statement of the risk management practices that are missing, along with specific actions to take
For the organization's CISO, CIO or CEO, it is recommended that the following action items be considered in support of the implementation:
- Review, approve and support the risk management plans that address identified gaps
- Engage all key managers to establish and embrace the organization's risk appetite and overall strategic direction and goals
- Develop and/or approve the plan to conduct the assessment, including the appointment and allocation of resources to execute the CAT
- Analyze and present the results of the CAT to the board, key stakeholders and any appropriate managers and/or committees
- Review and approve the plans and actions of those responsible for monitoring the organization's cybersecurity exposure and response actions
Due to the FFIEC CAT's structure and step-wise process, this cybersecurity assessment tool has become a principal tool for auditors and examiners. The CAT has two parts: an Inherent Risk Profile, which rates the institution's exposure across its technologies, delivery channels, products, organizational characteristics and external threats, and a Cybersecurity Maturity assessment, which scores declarative statements across five domains (the original diagram is not reproduced here):
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
Although it can seem a daunting task, having a systematic overview of the CAT structure as well as concise detail on each section has proven essential to a successful launch and execution. To acquire this helpful guide, download our complimentary white paper How Security Officers Optimize FFIEC CAT.