Chances are you haven’t crammed for a final in quite some time. But why not give the FFIEC Cybersecurity Exam the old college try?
It’s been almost two years since the Federal Financial Institutions Examination Council announced the addition of a cybersecurity risk assessment to regular IT examinations. The addition came with good reason, as cyber attacks have continued to increase alarmingly in both frequency and severity. Recently, the FFIEC released several statements to aid financial institutions in not only preparing for a cybersecurity exam, but also in creating a sturdier standard of defense against the almost inevitable threat of cyber attack. So let’s hit the books.
Review the Study Guide
No matter how tight your cybersecurity already is, you can’t do well on a test unless you know what will be on it. The following are the four areas of assessment the FFIEC tests for:
- Governance—How the IT or related staff are providing information to the CEO. You need to make sure that your IT department is providing correct information in a timely manner so the CEO (and consequently, the Board of Directors) can make informed decisions about what actions to take and what resources to devote to cybersecurity issues.
- Threat intelligence—How knowledgeable your internal staff is about the institution’s level of risk. They need to be able to monitor and identify cyber threats based on internal audits and risk assessments. Make sure your institution is performing these assessments and audits, and that their findings are informing your response to threats.
- Vendor management—Third-party or vendor management is crucial to cybersecurity. For any third party your institution uses for any purpose, your due diligence and ongoing monitoring must be thorough enough to ensure you are establishing, and continually verifying, the most secure third-party relationships possible.
- Incident response and resilience—You don’t want to wait until the real deal to understand how your institution’s cyber defense plans will work. Your institution should develop a robust response plan and frequently test the plan to ensure that it works and is kept up-to-date.
In its recent statement made in March, the FFIEC outlined several steps institutions can and should take to prep for a cybersecurity exam. The following bullet points may be worth writing down and memorizing.
In accordance with FFIEC guidance, institutions should:
- Securely configure systems and services;
- Review, update, and test incident response and business continuity plans;
- Conduct ongoing information security risk assessments;
- Perform security monitoring, prevention, and risk mitigation;
- Protect against unauthorized access;
- Implement and test controls around critical systems regularly;
- Enhance information security awareness and training programs; and
- Participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.
Know What the Professor Is Looking For
In another statement made last June, the FFIEC further explained how it was determining its assessment standards. Working with law enforcement, intelligence, Homeland Security, and industry officials, the FFIEC determined cybersecurity assessments should accomplish the following:
- Assess the complexity of an institution’s operating environment, including the types of communication connections and payments initiated, as well as how the institution manages its information technology products and services.
- Assess an institution’s current practices and overall cybersecurity preparedness, with a focus on the following key areas:
Check Out Other Resources
The FFIEC has also provided ample resources to further understand what a cybersecurity exam will entail, and how to be best prepared. Check out the following links:
- FFIEC IT Handbook
- US-CERT Security Tip (ST13-003) “Handling Destructive Malware”
- National Institute of Standards and Technology “Cybersecurity Framework”
- Federal Trade Commission’s On Guard Online
- National Cyber Security Alliance’s Stay Safe Online