FFIEC (Federal Financial Institutions Examination Council)
Cybersecurity Assessment

For a brief history, the official user's guide, and additional information and tools for the FFIEC Cybersecurity Assessment, see the link below:

Official FFIEC Assessment Webpage

The assessment is designed to measure, accurately and repeatably, an institution's Cybersecurity Risk Profile (how much inherent risk the institution carries before controls are applied) and its Cybersecurity Maturity Level (how sophisticated the institution's cybersecurity controls and practices are).

The Cybersecurity Risk Profile is based upon measuring five specific categories of deployed technology:

  • Technologies and Connection Types
  • Delivery Channels
  • Online / Mobile Products and Technology Services
  • Organization Characteristics
  • External Threats

The Cybersecurity Maturity Level is established by evaluating five specific domains of controls and practices as they exist within the institution:

  • Cyber Risk Management and Oversight - Cyber risk management and oversight addresses the board of directors’ (board’s) oversight and management’s development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
  • Threat Intelligence and Collaboration - Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience