-
FFIEC Releases Cybersecurity Assessment Tool
UPDATE: Safe Systems just released their Enhanced CyberSecurity Assessment Toolkit (ECAT). This enhanced version of the FFIEC toolkit addresses the biggest drawback of the tool: the ability to collect, summarize, and report your risk and control maturity levels. Once risks and controls have been assessed (Step 1 below), institutions will now be better able…
-
FFIEC Issues Stealth Update to BCP Handbook
This caught me by surprise as it was not formally announced in the “What’s New” section, but the Appendix J update to the Business Continuity Planning Handbook apparently constituted a complete update to the Handbook. Here is what the press release said in part: The Federal Financial Institutions Examination Council (FFIEC) members today issued a revised…
-
FFIEC Issues 2 Statements on Cybersecurity
Both statements address recent cybersecurity threats; one targeting online credentials (passwords, usernames, e-mail addresses that may be used by employees or customers to authenticate themselves), and one addressing destructive malware. The statements advise specific risk mitigation steps institutions should consider, and I thought it would be instructive to compare the steps to see which are common to…
-
FFIEC Issues Update to Business Continuity Guidance
The FFIEC just issued new BCP Guidance in the form of a 16-page addendum to the existing 2008 IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers, and across the entire business relationship…
-
Vendor Management in 3 Parts. Part 2 – Risk Assessment (or, “will they or won’t they?”)
In Part 1 I said that vendor management, just as any other risk management endeavor, consists of 3 basic phases: identify the risk, assess the risk, and control the risk. I also discussed why risk identification was a more difficult task today because of the “access to data” question, and also because “data” includes not just NPI, but confidential…
-
Guru Briefs – OCC on Cybersecurity & MRAs, FFIEC on Cybersecurity Assessments
(NOTE: Guru Briefs are short takes on recently released regulatory activity. They are not a detailed analysis, but designed to draw attention to the Guru’s initial impressions.) In this edition: The OCC has been particularly active on the regulatory front lately, and even non-OCC institutions may want to pay attention, as the head of the OCC…