Cyber Security Assessment Tool [New 2019]

CISOs of leading organizations agree that a systematic and unified approach to assessing their organization's cybersecurity is an essential step toward protecting its data. Several competing and complementary data-security standards and regulations, many of them relevant to data loss prevention (DLP), have been created by standards bodies, regulators and service providers. These include the following:

- PCI DSS for cardholder data
- GDPR for any company that processes the personal data of individuals in the EU, whether or not it is established there
- Sarbanes-Oxley (SOX) for the financial-reporting controls of publicly traded companies
- HIPAA and HITECH for the security of protected health information
- The FFIEC Cybersecurity Assessment Tool, or CAT, developed by the Federal Financial Institutions Examination Council; not a standard in itself, but one of the most comprehensive assessment frameworks available to financial institutions (FFIEC announced in August 2024 that the CAT will be retired on August 31, 2025, and points institutions to the NIST Cybersecurity Framework and similar resources instead)

The FFIEC CAT was developed by the council's members as a comprehensive guide to help institutions identify their cybersecurity risks and shortcomings. It does this in two parts: an Inherent Risk Profile, which rates the institution's exposure based on its technologies, delivery channels, products, organizational characteristics and external threats, and a Cybersecurity Maturity assessment, which measures current practices against five maturity levels (Baseline, Evolving, Intermediate, Advanced and Innovative). The CAT then provides applicable steps to improve the institution's preparedness in proportion to its inherent risk profile. The benefits of performing the assessment include the following:

- Defining risk management strategies
- A thorough assessment of the organization's cybersecurity preparedness
- Clearly identifying and quantifying the organization's overall cyber risk
- Fully evaluating and aligning the organization's cybersecurity posture with its risks
- A defined project plan and process for reaching and demonstrating compliance
- A formal statement of the risk management practices that are missing, along with the specific actions to take

For the organization's CISO, CIO or CEO, the following action items are recommended in support of the implementation:

- Review, approve and support the risk management plans that address identified control gaps
- Engage all key managers to establish and embrace the organization's risk appetite and its overall strategic direction and goals
- Develop and/or approve the plan to conduct the assessment, including the appointment and allocation of the resources needed to execute the CAT
- Analyze and present the results of the CAT to the board, key stakeholders and any appropriate managers and/or committees
- Review and approve the plans and actions of those responsible for monitoring the organization's cybersecurity exposure and response actions

Because of the FFIEC CAT's structure and stepwise process, this cybersecurity assessment tool has become a principal reference for auditors and examiners. The maturity portion of the CAT is organized into five domains, each broken down into assessment factors and, below those, individual declarative statements that the institution rates itself against:

- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience

(The original page illustrated this structure with a diagram of the five domains and their assessment factors.)

Although it can seem a daunting task, having a systematic overview of the CAT structure, together with concise detail on each section, has proven essential to a successful launch and execution. To obtain this guide, download our complimentary white paper, "How Security Officers Optimize FFIEC CAT".