Analysis: FFIEC's Update to Cyber Assessment Tool
Changes Make Attaining 'Baseline' Security Easier, Former IT Examination Specialist Says
A just-released update to the Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool will help make meeting regulators' demands for "baseline" cybersecurity more attainable, says Amy McHugh, a bank adviser and former IT examination analyst for the Federal Deposit Insurance Corp.
For example, before the changes, which affect only Appendix A of the tool, many smaller institutions were not able to meet the tool's requirement for having a data-flow diagram, she explains in an interview with Information Security Media Group.
"A lot of institutions I see do not have data-flow diagrams," McHugh says. "They may have network diagrams or network topologies; so, again, if they don't have a data-flow diagram, they can't reach baseline in the cybersecurity maturity level rating."
Now, thanks to the updates to Appendix A, banks and credit unions don't have to prove that they have a data-flow diagram - only that they have compensating controls, she explains. "We may not have a data-flow diagram, but we are able to meet this requirement with a detailed network topology," McHugh says.
Still, it's important for all institutions to use the tool to assess their own cybersecurity preparedness, she says. "Work with your IT committee or senior management to discuss each area and understand, 'Are we actually compliant with these particular areas? And if we do want to move to a higher complexity organization or services that may increase our inherent risk level, what is it we might need to do, then, in order to meet that from a cybersecurity maturity level standpoint?"
The tool, which the FFIEC introduced in June 2015, has been criticized by some security experts for its vagueness and its divergence from other well-established cybersecurity assessment frameworks, such as the NIST Cybersecurity Framework (see Gartner's Litan: FFIEC Assessment Tool Falls Short).
The tool also has been criticized by banks and credit unions, which claim its use does not seem voluntary, despite regulators' repeated insistence that it is (see Cybersecurity Assessment Tool Use Not 'Truly' Voluntary).
McHugh says she continues to hear from her community bank and credit union clients that use of the tool is mandatory, because regulators routinely ask about its use during IT examinations.
"I think it's a really good tool," McHugh says. "It gives institutions a different perspective on additional threats that might be facing their institution. ... Walk through it; talk about the different items. Take two or three different sessions to complete it. Don't think you need to get it all done at one time."
During this interview, McHugh also discusses:
- Why more clarification surrounding the tool's use and requirements is still needed;
- How the tool can be used to assess the value of new products and services; and
- Why completion of the tool, though recommended, should be low on an institution's cybersecurity list of priorities.
McHugh, an attorney and Certified Information Systems Auditor, is a former IT examination analyst for the Federal Deposit Insurance Corp. who now works as a banking institution adviser for CliftonLarsonAllen, a professional services firm. Her areas of specialization include Gramm-Leach-Bliley Act compliance; information systems review; risk assessments and policy development; information security program development and implementation; vendor management; cloud computing; and corporate account takeover fraud.