On May 31, the FFIEC released an update to its Cybersecurity Assessment Tool (CAT). The official press release can be found here: https://www.ffiec.gov/press/pr053117.htm
While there were no changes to the questions of the Inherent Risk Profile Input or the declarative statements of the Cybersecurity Maturity Input, there were other changes worth noting:
- The most significant is that the additional answer of “Yes with Compensating Controls” has been added to the possible selections for declarative statements on the Cybersecurity Maturity Input. FFIEC defines a compensating control as “A management, operational, and/or technical control (e.g., safeguard or countermeasure employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.)”In practice, this update will allow financial institutions to achieve higher maturity levels regardless of size and complexity. Previously, a declarative statement at even an “innovative” level may have been financially or operationally unobtainable or unpractical given the resources at the institution. With the addition of a new “Yes with Compensating Controls” answer, financial institutions will be able to more accurately assess their maturity level without being restricted by the black and white nature of the declarative statements.
- Also in the Cybersecurity Maturity Input, the mapping of declarative statements has also been updated to reflect the previous update of the FFIEC’s its Information Security Handbook from September 2016.
What you should do now:
Review your current CAT and specifically examine the declarative statements that you have answered “No” to. Is there a compensating control that would allow you to answer that question differently now?
The updated CAT and associated documents can be found here:
Related articles
Change Healthcare Attack: Ransomware Protection Measures for Healthcare Organizations
In light of the Change Healthcare attack, we explore why hackers target healthcare and how healthcare can defend against ransomware.
GraVoc Recognized on CRN MSP 500 List for Second Year in a Row
For the second year in a row, GraVoc has been recognized on the CRN® MSP 500 list in the Pioneer 250 category!
PCI SAQ Types: Which SAQ is Right for Your Business?
In this blog post, we provide an overview of the SAQ types for PCI DSS v4.0 and how to select a PCI SAQ that’s right for your business.