The FFIEC’s Cybersecurity Assessment Tool is an excellent tool not only for determining your organization’s security maturity level but also for developing a roadmap to raise overall security levels.
The Cybersecurity Assessment Tool was originally developed in 2015 by the FFIEC to aid financial institutions in determining the maturity level of their organization. The “tool” is a document containing a set of questions that could be used to create a repeatable measurement of the cybersecurity risks faced by an organization, and how effectively they were managing those risks. It is literally a PDF document. I abhor long PDF documents created by regulators but thankfully, the FSSCC created an Excel version of the tool to simplify the process for any organization. The tool contains two main sections:
- the inherent risk section which gives the organization a qualitative risk score based on size, complexity, and exposure;
- a maturity assessment giving the organization a measurement from sub-baseline to advanced, with 'baseline' being the minimum that all organizations should attain.
This rather simple tool appears to supply what is lacking in the NIST Cybersecurity Framework, NERC CIP, and the other security frameworks I’ve used in the past. Just read the statement, determine your level of compliance, and move on to the next question.
My assessment approach is broken into three passes:
- a first pass to quickly answer as many questions as possible based on known information;
- a second pass to determine whether supporting documentation or policy exists for each factor;
- a third pass to work with other departments where responsibilities overlap or fall outside my direct involvement.
I suspect others may take a one or two pass approach to the assessment, but I also leveraged this to get to know my organization better as I’ve only been here a few months. You should get a good high-level view of your organization’s maturity level once completed.
The results for each domain and sub-domain are listed as:
- Sub-Baseline - The organization does not meet the minimum expectations required.
- Baseline - Baseline maturity is characterized by minimum expectations required by law and regulations or recommended in supervisory guidance. This level includes compliance-driven objectives. Management has reviewed and evaluated guidance.
- Evolving - Evolving maturity is characterized by the additional formality of documented procedures and policies that are not already required. Risk-driven objectives are in place. Accountability for cybersecurity is formally assigned and broadened beyond the protection of customer information to incorporate information assets and systems.
- Intermediate - Intermediate maturity is characterized by detailed, formal processes. Controls are validated and consistent. Risk-management practices and analysis are integrated into business strategies.
- Advanced - Advanced maturity is characterized by cybersecurity practices and analytics that are integrated across lines of business. Majority of risk-management processes are automated and include continuous process improvement. Accountability for risk decisions by frontline businesses is formally assigned.
- Innovative - Innovative maturity is characterized by driving innovation in people, processes, and technology for the institution and the industry to manage cyber risks. This may entail developing new controls, new tools, or creating new information-sharing groups. Real-time, predictive analytics are tied to automated responses.
The primary objective should be to bring any domains flagged as sub-baseline up to baseline, as this would mean your organization is at least FFIEC compliant. My goal is to take our organization past the baseline and start moving towards an intermediate maturity level. The Evolving and Intermediate levels require documented, repeatable systems and measures, which should help encourage growth. Getting to this level should be doable without major expenditures other than time and labor, provided you already meet baseline compliance.
In my case, I am creating a prioritized list of recommended actions based on the domain, the difficulty to implement the required control, and the risk of exposure from not having the control in place. Refreshing the patch management policy or formalizing the firewall rule review procedure moves to the top of the list as they are contained within one department and are relatively quick to implement. Working with Human Resources to refresh employee-facing policies is a bit more complicated, thus moves down the list as it will take more time to implement. Highly interdependent controls such as incident response or business continuity move down the list as they typically involve the entire organization and take a long time to implement.
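The maturity rollup described above (each domain reported as Sub-Baseline through Innovative) and the prioritization in this paragraph are straightforward to script once the answers are out of the spreadsheet. The example below is my own added illustration, not code from the FFIEC or FSSCC tools. It assumes a simple rollup rule (a level is attained only when every statement at that level and every lower level is answered "Y" or "Y(C)"), a 1–5 difficulty and risk scale per statement, and a sort order that closes sub-baseline gaps first, then the highest-risk items, then the quickest wins. The domain names follow the CAT's domains; the statements, answers and scores are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Maturity levels in ascending order, as the post lists them.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
SUB_BASELINE = "Sub-Baseline"

# Answer codes for a declarative statement. Assumption: "Y" (yes) and
# "Y(C)" (yes, with compensating controls) both count as met; "N" does not.
MET = {"Y", "Y(C)"}


def domain_maturity(answers):
    """Roll up one domain's answers, {level: [answer, ...]}, into a level.

    Assumed rollup rule: a level is attained only when every statement at
    that level and at every lower level is met; the first level with an
    unmet (or missing) statement stops the climb.
    """
    attained = SUB_BASELINE
    for level in LEVELS:
        statements = answers.get(level, [])
        if not statements or not all(a in MET for a in statements):
            break
        attained = level
    return attained


@dataclass
class Action:
    domain: str
    level: str
    control: str
    difficulty: int  # 1 = one department, quick; 5 = organization-wide, slow
    risk: int        # 1 = little exposure if absent; 5 = severe exposure


def assess(rows):
    """Per-domain maturity from a flat list of assessment rows."""
    by_domain = defaultdict(lambda: defaultdict(list))
    for domain, level, _control, answer, _difficulty, _risk in rows:
        by_domain[domain][level].append(answer)
    return {domain: domain_maturity(levels) for domain, levels in by_domain.items()}


def prioritize(actions):
    """Order remediation work the way the post describes: sub-baseline gaps
    first (lowest level first), then highest risk, then the quickest wins
    (lowest difficulty), with the domain name as a stable tie-breaker."""
    return sorted(actions,
                  key=lambda a: (LEVELS.index(a.level), -a.risk, a.difficulty, a.domain))


def gaps(rows, target="Intermediate"):
    """Unmet statements at or below the target level, in remediation order."""
    target_idx = LEVELS.index(target)
    unmet = [Action(domain, level, control, difficulty, risk)
             for domain, level, control, answer, difficulty, risk in rows
             if answer not in MET and LEVELS.index(level) <= target_idx]
    return prioritize(unmet)


# Constructed sample rows (not from the FFIEC tool): domain, level, statement,
# answer, difficulty, risk. Domain names follow the CAT; statements are invented.
SAMPLE = [
    ("Cyber Risk Management and Oversight", "Baseline",
     "Patch management policy is documented and reviewed annually", "N", 1, 4),
    ("Cyber Risk Management and Oversight", "Baseline",
     "Information security policy is approved by the board", "Y", 2, 4),
    ("Cyber Risk Management and Oversight", "Evolving",
     "Firewall rule review procedure is documented", "Y(C)", 1, 3),
    ("Cyber Risk Management and Oversight", "Intermediate",
     "Risk assessment results feed business strategy decisions", "N", 3, 3),
    ("Cyber Incident Management and Resilience", "Baseline",
     "Incident response plan exists", "Y", 4, 5),
    ("Cyber Incident Management and Resilience", "Evolving",
     "Incident response plan is tested annually with all business lines", "N", 5, 5),
    ("Cyber Incident Management and Resilience", "Intermediate",
     "Business continuity plan covers cyber scenarios", "N", 5, 4),
    ("Threat Intelligence and Collaboration", "Baseline",
     "Threat information is received from an industry sharing group", "Y", 2, 3),
    ("Threat Intelligence and Collaboration", "Evolving",
     "Threat sharing policy is documented", "N", 3, 2),
]

if __name__ == "__main__":
    for domain, level in assess(SAMPLE).items():
        print(f"{domain}: {level}")
    for i, a in enumerate(gaps(SAMPLE), 1):
        print(f"{i}. [{a.domain} / {a.level}] {a.control} "
              f"(risk={a.risk}, difficulty={a.difficulty})")
```

With the sample data, the first domain rolls up to Sub-Baseline because one Baseline statement is unmet, and the patch management policy lands at the top of the remediation list: it is a baseline gap, high risk, and contained within one department. The organization-wide incident response and continuity items follow, exactly the ordering the paragraph above argues for.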
One word of caution - the assessment tool is not designed to give you specifics, just to assess the overall maturity level. If you need to develop a threat sharing policy, for example, then you need to look up the specifics elsewhere. NIST and SANS are both great places to start researching your policy needs.