Académique Documents
Professionnel Documents
Culture Documents
Update
Key Reference:
About FSSCC
Background
In June 2015, the Federal Financial Institutions Examination Council (FFIEC) released the Cybersecurity Assessmen
Tool (Assessment) to help institutions of all sizes identify their risks, assess their cybersecurity preparedness, and he
inform their risk management strategies. For more information, please visit the FFIEC's Cybersecurity Assessment T
webpage at http://www.ffiec.gov/cyberassessmenttool.htm.
Using the information outlined in the FFIEC's Assessment, the Financial Services Sector Coordinating Council for
Critical Infrastructure Protection and Homeland Security (FSSCC) developed the Automated Cybersecurity
Assessment Tool to provide all members of the financial services industry with an outline of the guidance and a mea
to collect and score their responses to the Assessment questions.
Update
The FFIEC published an update to the Assessment in May 2017. Two changes were made in the update to the
Assessment: 1) To the existing optional answers of "Yes, No, or N/A" on the Maturity Tool Input, the answer "Yes wit
Compensating Controls" was added. 2) Mappings to the Information Security and Management booklets provided in
Appendix A were revised.
The Automated Cybersecurity Assessment Tool was revised shortly after the update was released to allow financial
institutions who had to previously say "No" to a declarative statement the ability to change their answer to "Yes with
Compensating Controls" and show their true maturity level if they have the compensating controls in place to meet t
statement.
Key Reference:
Updated FFIEC CAT User Guide [May 2017]
https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017_Users_Guide.pdf
About FSSCC
FSSCC is one of sixteen sector-specific industry collaborates formed under a 2003 executive order that established
framework for public private partnership to address security and resilience of the nation’s critical infrastructures. The
FSSCC is focused on addressing operational and strategic risks to our critical financial infrastructure. This role is
further supported by President Policy Directive 21, which directs government agencies to identify critical infrastructu
and work with industry to mitigate threats and vulnerabilities.
The FSSCC coordinates the development of critical infrastructure strategies and initiatives with its financial services
members, trade associations, and other industry sectors.
Workbook Tabs
Page 5 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
Page 6 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
Page 7 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
Page 8 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
Provide an answer for each Declarative Statement in the Maturity Tool Assessment:
Page 9 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
Page 10 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
Page 11 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
ok Tabs
Throughout the tool, orange-filled cells require input and blue-colored tabs will display results of your input. To help you determine where
these cells are, the sheets with orange-filled cells are colored orange as well.
Instructions - This tab provides key FFIEC links and general instructions for completing the Inherent Risk Profile and use of the Inherent Risk
Summary for reporting
Inherent Risk Profile Input - This tab contains the Risk Categories, risk criteria, and risk levels for identification of the overall inherent risk of
the institution
Inherent Risk Results - This tab contains summary tables and graph based on the results from the Inherent Risk Profile Input
Maturity Tool Input - This tab contains the declarative statements in the maturity assessment.
Maturity Results - This tab contains a chart that displays the maturity of each component, assessment factor, and domain based on the input
entered into the Maturity Tool Input tab.
Charts of Assessment Factor - This tab contains the table where you can select your institution's target maturity level. Based on that setting,
this tab also provides graphs for each domain and the maturity results of the individual assessment factors.
Charts of Component - This tab contains a graph for each domain and the maturity results of the individual components.
Ref - this is a hidden tab containing references across the other tabs to standardize inputs.
Page 12 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
Each "+" sign can be clicked to expand the Inherent Risk Category to present the risk statements for selection
Read the risk statement and determine the appropriate risk level based on the criteria to the right of the statement. Select from the
drop down in Column C the criteria that is closest to your institution's environment.
Page 13 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
If needed, enter any comments in the Comments section (Column J) to capture additional information to support the selection of the
specific risk level.
Page 14 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
t Risk Results
Inherent Risk Results Tab contains the summary results of your selections
NOTE: If there is an "incomplete" in the Inherent Risk column, then all the risk criteria have not been selected. Please return to the Inherent Risk
Profile Input tab to complete the selections.
Sa
m
pl
e
g a Maturity Target
The FFIEC provided a general chart which shows the intersection of the Inherent Risk Level obtained using this Risk Profile and the
Cybersecurity Maturity Levels.
For example - if the results of completing the Inherent Risk Profile indicated "Moderate" - then the institution should strive to have a
Cybersecurity Maturity of "Evolving", "Intermediate" or "Advanced"
The Inherent Risk Results Tab calculates what your Cybersecurity Maturity Level is expected to be.
Page 15 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
Page 16 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
Each "+" sign can be clicked to expand the Domain, Assessment Factor, Component and Maturity Level that categorize the
declarative statements. The second "+" sign expands the mappings to NIST Cybersecurity Framework.
Read the declarative statement and determine the appropriate response of Yes, Yes [CC]*, No, or N/A for your institution.
Page 17 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
*Use the option "Yes [CC]" to indicate where the declarative statement is true, by way of other controls. Per the FFIEC's footnote, a
"compensating control" is "A management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an
organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or
comparable protection for an information system."
If needed, enter any comments in the Comments section (Column J) to capture additional information to support the selection of the
response.
Page 18 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
y Tool Results
The "Maturity Results" tab contains summary results of all your selections on the tool input. Columns F-J contain the percentage which your
institution answered "Yes", "Yes [CC]" or "N/A" for each maturity level in each component.
Column D rolls those results up to the assessment factor level. Column B rolls those results up to the Domain level.
NOTE: If there is an "incomplete" in the Assessed Maturity Level column, then all the responses have not been selected. Please return to the
Maturity Tool Input tab to complete the selections.
On the Charts of Assessment Factor tab, select the Target Maturity your institution desires for each Domain (orange-colored cells) to influence
where the red lines are drawn on the graphs.
Sa
m
pl
e
Use Excel’s filter function to group results based on a “Below Baseline” ranking, and thus identify areas to focus efforts to move to the next
level. For example:
Go to the Maturity Tool Input tab
Page 19 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
The results indicate the areas that are below baseline and in most need of immediate attention.
For additional information and actionable ways to prioritize next steps to take to protect your organization’s security architecture, please refer to
the SANS Top 20 CIS Critical Security Controls. The controls prioritize security functions that are effective against the latest threats, with a
strong emphasis on security controls where products, processes, architectures and services are in use that have demonstrated real world
effectiveness.
https://www.sans.org/critical-security-controls/
Page 20 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
Technologies and Connection Types. Certain types of connections and technologies may pose a higher inherent risk depending on the
complexity and maturity, connections, and nature of the specific technology products or services. This category includes the number of Internet
service provider (ISP) and third-party connections, whether systems are hosted internally or outsourced, the number of unsecured connections,
the use of wireless access, volume of network devices, end-of-life systems, extent of cloud services, and use of personal devices.
Delivery Channels. Various delivery channels for products and services may pose a higher inherent risk depending on the nature of the specific
product or service offered. Inherent risk increases as the variety and number of delivery channels increases. This category addresses whether
products and services are available through online and mobile delivery channels and the extent of automated teller machine (ATM) operations.
Online/Mobile Products and Technology Services. Different products and technology services offered by institutions may pose a higher
inherent risk depending on the nature of the specific product or service offered. This category includes various payment services, such as debit
and credit cards, person-to-person payments, originating automated clearing house (ACH), retail wire transfers, wholesale payments, merchant
remote deposit capture, treasury services and clients and trust services, global remittances, correspondent banking, and merchant acquiring
activities. This category also includes consideration of whether the institution provides technology services to other organizations.
Organizational Characteristics. This category considers organizational characteristics, such as mergers and acquisitions, number of direct
employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information
technology (IT) environment, locations of business presence, and locations of operations and data centers.
External Threats. The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure. This category
considers the volume and sophistication of the attacks targeting the institution.
Page 21 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
Least Inherent Risk. An institution with a Least Inherent Risk Profile generally has very limited use of technology. It has few computers,
applications, systems, and no connections. The variety of products and services are limited. The institution has a small geographic footprint and
few employees.
Minimal Inherent Risk. An institution with a Minimal Inherent Risk Profile generally has limited complexity in terms of the technology it uses. It
offers a limited variety of less risky products and services. The institution’s mission-critical systems are outsourced. The institution primarily uses
established technologies. It maintains a few types of connections to customers and third parties with limited complexity.
Moderate Inherent Risk. An institution with a Moderate Inherent Risk Profile generally uses technology that may be somewhat complex in
terms of volume and sophistication. The institution may outsource mission-critical systems and applications and may support elements
internally. There is a greater variety of products and services offered through diverse channels.
Significant Inherent Risk. An institution with a Significant Inherent Risk Profile generally uses complex technology in terms of scope and
sophistication. The institution offers high- risk products and services that may include emerging technologies. The institution may host a
significant number of applications internally. The institution allows either a large number of personal devices or a large variety of device types.
The institution maintains a substantial number of connections to customers and third parties. A variety of payment services are offered directly
rather than through a third party and may reflect a significant level of transaction volume.
Most Inherent Risk. An institution with a Most Inherent Risk Profile uses extremely complex technologies to deliver myriad products and
services. Many of the products and services are at the highest level of risk, including those offered to other organizations. New and emerging
technologies are utilized across multiple delivery channels. The institution may outsource some mission-critical systems or applications, but
many are hosted internally. The institution maintains a large number of connection types to transfer data with customers and third parties.
Page 22 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
Page 23 of 163
FFIEC Cybersecurity Assessment Tool (CAT) Instructions
Page 24 of 163
Inherent Risk Profile Input
No wireless access
None
25 of 163
Inherent Risk Profile Input
None
Wholesale customers with dedicated connections 0
No applications
Internally hosted and developed or modified vendor
0
applications supporting critical activities
No user-developed technologies
26 of 163
Inherent Risk Profile Input
No systems (hardware or
software) that are past EOL or
at risk of nearing EOL within 2
End-of-life (EOL) systems 0 years
No OSS
Open Source Software (OSS) 0
No cloud providers
Cloud computing services hosted externally to
0
support critical activities
Least
Category: Delivery Channels Incomplete 0.00 0
1
27 of 163
Inherent Risk Profile Input
28 of 163
Inherent Risk Profile Input
Least
Category: External Threats Incomplete 0.00 0
1
29 of 163
Inherent Risk Profile Input
Separate access points for guest Guest and corporate wireless network Wireless corporate network access;
wireless and corporate wireless access are logically separated; limited significant number of users and access
number of users and access points (1– points (251–1,000 users; 26–100
250 users; 1–25 access points) access points)
Only one device type available; Multiple device types used; available to Multiple device types used; available to
available to <5% of employees (staff, <10% of employees (staff, executives, <25% of authorized employees (staff,
executives, managers); e-mail access managers) and board; e-mail access executives, managers) and board; e-
only only mail and some applications accessed
30 of 163
Inherent Risk Profile Input
Limited number of third parties (1–5) Moderate number of third parties (6– Significant number of third parties (11–
and limited number of individuals from 10) and moderate number of 25) and significant number of
third parties (<50) with access; low individuals from third parties (50–500) individuals from third parties (501–
complexity in how they access systems with access; some complexity in how 1,500) with access; high level of
they access systems complexity in terms of how they access
systems
Few dedicated connections (between Several dedicated connections Significant number of dedicated
1–5) (between 6–10) connections (between 11–25)
Few applications (between 1–5) Several applications (between 6–10) Significant number of applications
(between 11–25)
Few applications (6–30) Several applications (31–75) Significant number of applications (76–
200)
31 of 163
Inherent Risk Profile Input
Few systems that are at risk of EOL Several systems that will reach EOL A large number of systems that support
and none that support critical within 2 years and some that support critical operations at EOL or are at risk
operations critical operations of reaching EOL in 2 years
Limited OSS and none that support Several OSS that support critical Large number of OSS that support
critical operations operations critical operations
Few devices (250–1,500) Several devices (1,501–25,000) Significant number of devices (25,001–
50,000)
1–25 third parties that support critical 26–100 third parties that support critical 101–200 third parties that support
activities activities critical activities; 1 or more are foreign-
based
Few cloud providers; private cloud only Several cloud providers (4–7) Significant number of cloud providers
(1–3) (8– 10); cloud-provider locations used
include international; use of public
cloud
32 of 163
Inherent Risk Profile Input
33 of 163
Inherent Risk Profile Input
34 of 163
Inherent Risk Profile Input
Most
Comments
5
Most
5
Substantial complexity (>200
connections)
35 of 163
Inherent Risk Profile Input
Most
Comments
5
>2,500 technologies
36 of 163
Inherent Risk Profile Input
Most
Comments
5
Most
5
37 of 163
Inherent Risk Profile Input
Most
Comments
5
Most
5
38 of 163
Inherent Risk Profile Input
Most
Comments
5
Most
5
Most
5
39 of 163
Inherent Risk Profile Results
Page 40 of 163
Inherent Risk Profile Results
Page 41 of 163
Inherent Risk Profile Results
Most
Significant
Moderate
Minimal
Least
Page 42 of 163
Inherent Risk Profile Categories
Inherent Risk Profile Results
Page 43 of 163
Inherent Risk Profile Results
# of
Questions
14
14
39
Page 44 of 163
Inherent Risk Profile Results
0.00
nal Threats
Page 45 of 163
Inherent Risk Profile Results
Page 46 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
Page 47 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
15
Page 48 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
20
23
27
Page 49 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
28
29
30
32
Page 50 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
33
Page 51 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
48
50
Page 52 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
51
Page 53 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
64
Page 54 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
80
81
82
Page 55 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
94
Page 56 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
109
Page 57 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
113
119
120
121
Page 58 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
122
124
125
D1.TC.Cu.B.1 Management holds employees accountable for complying with the information security program. (FFIE
134
Page 59 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
143
144
Page 60 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
145
147
D2.MA.Ma.B.1 Audit log records and other security event logs are
reviewed and retained in a secure manner.
(FFIEC Information Security Booklet, page 79)
155
Page 61 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
156
Page 62 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
173
174
175
179
Page 63 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
188
Page 64 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
189
190
191
192
Page 65 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
193
194
195
196
Page 66 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
Page 67 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
219
220
222
Page 68 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
223
224
225
226
Page 69 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
227
229
231
Page 70 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
233
236
Page 71 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
Page 72 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
Page 73 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
272
273
274
Page 74 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
285
286
Page 75 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
301
Page 76 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
302
303
305
Page 77 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
323
326
Page 78 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
327
338
Page 79 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
339
D3.CC.Re.B.1 Issues identified in assessments are prioritized and resolved based on criticality and within the time fra
351
Page 80 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
362
363
Page 81 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
364
365
Page 82 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
378
379
380
Page 83 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
389
391
Page 84 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
392
393
394
396
Page 85 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
402
403
404
409
Page 86 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
413
414
415
Page 87 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
417
418
Page 88 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
427
Page 89 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
433
434
435
Page 90 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
453
Page 91 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
454
455
Page 92 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
465
Page 93 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
483
Page 94 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
484
485
486
Page 95 of 163
E F
Maturity Tool Input
1 Mapping Number Declarative Statement
Page 96 of 163
G MaturityI Tool Input J K
Yes, Yes [CC], No,
1 Appendix A Baseline Mapping
and N/A
Comments
N/A
7
Page 97 of 163
G MaturityI Tool Input J K
Yes, Yes [CC], No,
1 Appendix A Baseline Mapping
and N/A
Comments
N/A
N/A
9
N/A
10
N/A
11
N/A
12
N/A
13
N/A
14
N/A
15
N/A
16
Page 98 of 163
G MaturityI Tool Input J K
Yes, Yes [CC], No,
1 Appendix A Baseline Mapping
and N/A
Comments
N/A
17
N/A
18
N/A
19
N/A
20
N/A
21
N/A
22
N/A
23
N/A
24
N/A
25
N/A
26
Page 99 of 163
G MaturityI Tool Input J K
Yes, Yes [CC], No,
1 Appendix A Baseline Mapping
and N/A
Comments
* E-Banking, Operations
N/A
34
N/A
35
N/A
36
N/A
37
N/A
38
N/A
39
N/A
40
N/A
41
N/A
42
N/A
43
N/A
44
N/A
45
N/A
46
N/A
47
N/A
52
N/A
53
N/A
54
N/A
55
N/A
56
N/A
57
N/A
58
N/A
59
N/A
60
N/A
61
N/A
62
N/A
63
N/A
65
N/A
66
N/A
67
N/A
68
N/A
69
N/A
70
N/A
71
N/A
72
N/A
73
N/A
74
N/A
75
N/A
76
N/A
77
N/A
78
N/A
79
N/A
83
N/A
84
N/A
85
N/A
86
N/A
87
N/A
88
N/A
89
N/A
90
N/A
95
N/A
96
N/A
97
N/A
98
N/A
99
N/A
100
N/A
101
N/A
102
N/A
103
N/A
104
N/A
105
N/A
106
N/A
107
N/A
108
N/A
112
N/A
113
N/A
114
N/A
115
N/A
116
N/A
117
N/A
118
* E-Banking, Operations
* Operations
N/A
123
N/A
124
N/A
125
N/A
126
N/A
127
N/A
128
N/A
129
N/A
130
N/A
131
N/A
132
N/A
133
N/A
135
N/A
136
N/A
137
N/A
138
N/A
139
N/A
140
N/A
141
N/A
142
N/A
146
N/A
147
N/A
148
N/A
149
N/A
150
N/A
151
N/A
152
N/A
153
N/A
154
N/A
157
N/A
158
N/A
159
N/A
160
N/A
161
N/A
162
N/A
163
N/A
164
N/A
165
N/A
166
N/A
167
N/A
168
N/A
169
N/A
170
N/A
171
N/A
172
N/A
176
N/A
177
N/A
178
N/A
179
N/A
180
N/A
181
N/A
182
N/A
183
N/A
184
N/A
185
N/A
186
N/A
187
* Outsourcing
N/A
198
N/A
199
N/A
200
N/A
201
N/A
202
N/A
203
N/A
204
N/A
205
N/A
206
N/A
207
N/A
208
N/A
209
N/A
210
N/A
211
N/A
212
N/A
213
N/A
214
N/A
215
N/A
216
N/A
217
N/A
218
* Wholesale Payments
* Wholesale Payments
* Wholesale Payments
N/A
237
N/A
238
N/A
239
N/A
240
N/A
241
N/A
242
N/A
243
N/A
244
N/A
245
N/A
246
N/A
247
N/A
248
N/A
249
N/A
250
N/A
251
N/A
252
N/A
253
N/A
254
N/A
255
N/A
256
N/A
258
N/A
259
N/A
260
N/A
261
N/A
262
N/A
263
N/A
264
N/A
265
N/A
266
N/A
267
N/A
268
N/A
269
N/A
270
N/A
275
N/A
276
N/A
277
N/A
278
N/A
279
N/A
280
N/A
281
N/A
282
N/A
283
* E-Banking
N/A
288
N/A
289
N/A
290
N/A
291
N/A
292
N/A
293
N/A
294
N/A
295
N/A
296
N/A
297
N/A
298
N/A
299
N/A
300
N/A
306
N/A
307
N/A
308
N/A
309
N/A
310
N/A
311
N/A
312
N/A
313
N/A
314
N/A
315
N/A
316
N/A
317
N/A
318
N/A
319
N/A
320
N/A
321
N/A
322
* E-Banking
N/A
328
N/A
329
N/A
330
N/A
331
N/A
332
N/A
333
N/A
334
N/A
335
N/A
336
N/A
337
N/A
341
N/A
342
N/A
343
N/A
344
N/A
345
N/A
346
N/A
347
N/A
348
N/A
349
N/A
350
N/A
352
N/A
353
N/A
354
N/A
355
N/A
356
N/A
357
N/A
358
N/A
359
N/A
360
N/A
361
* Operations
* Operations
* E-Banking
N/A
366
N/A
367
N/A
368
N/A
369
N/A
370
N/A
371
N/A
372
N/A
373
N/A
374
N/A
375
N/A
376
N/A
377
N/A
381
N/A
382
N/A
383
N/A
384
N/A
385
N/A
386
N/A
387
N/A
388
* Audit, Outsourcing
* Retail Payments
* Retail Payments
N/A
395
N/A
396
N/A
397
N/A
398
N/A
399
N/A
400
N/A
401
N/A
405
N/A
406
N/A
407
N/A
408
N/A
409
N/A
410
N/A
411
N/A
412
* E-Banking
* Retail Payments
N/A
419
N/A
420
N/A
421
N/A
422
N/A
423
N/A
424
N/A
425
N/A
426
N/A
427
N/A
428
N/A
429
N/A
430
N/A
431
N/A
432
* Retail Payments
N/A
436
N/A
437
N/A
438
N/A
439
N/A
440
N/A
441
N/A
442
N/A
443
N/A
444
N/A
445
N/A
446
N/A
447
N/A
448
N/A
449
N/A
450
N/A
451
N/A
452
N/A
456
N/A
457
N/A
458
N/A
459
N/A
460
N/A
461
N/A
462
N/A
463
N/A
464
N/A
466
N/A
467
N/A
468
N/A
469
N/A
470
N/A
471
N/A
472
N/A
473
N/A
474
N/A
475
N/A
476
N/A
477
N/A
478
N/A
479
N/A
480
N/A
481
N/A
482
N/A
487
N/A
488
N/A
489
N/A
490
N/A
491
N/A
492
N/A
493
N/A
494
N/A
495
Instructions: No input required on this tab; all results will pull off of the "Maturity Tool Input" tab. Column K will assess the results at the Component level
Domain level.
Assessment
Domain Domain Maturity Assessment Factor
Factor Maturity
1: Governance Incomplete
3: Resources Incomplete
1: Connections Incomplete
4: External Dependency
Incomplete
Management 2: Relationship Management Incomplete
ts at the Component level first; then Column D rolls up those results to the Assessment Factor level; then finally, Column B rolls up those results to the
1:Oversight 0% 0% 0% 0% 0%
2: Strategy / Policies 0% 0% 0% 0% 0%
3: IT Asset Management 0% 0% 0% 0% 0%
1: Risk Management Program 0% 0% 0% 0% 0%
2: Risk Assessment 0% 0% 0% 0% 0%
3: Audit 0% 0% 0% 0% 0%
1: Staffing 0% 0% 0% 0% 0%
1: Training 0% 0% 0% 0% 0%
2: Culture 0% 0% 0% 0% 0%
1: Threat Intelligence and Information 0% 0% 0% 0% 0%
1: Monitoring and Analyzing 0% 0% 0% 0% 0%
1: Information Sharing 0% 0% 0% 0% 0%
1: Infrastructure Management 0% 0% 0% 0% 0%
2: Access and Data Management 0% 0% 0% 0% 0%
3: Device / End-Point Security 0% 0% 0% 0% 0%
4: Secure Coding 0% 0% 0% 0% 0%
1: Threat and Vulnerability Detection 0% 0% 0% 0% 0%
2: Anomalous Activity Detection 0% 0% 0% 0% 0%
3: Event Detection 0% 0% 0% 0% 0%
1: Patch Management 0% 0% 0% 0% 0%
2: Remediation 0% 0% 0% 0% 0%
1: Connections 0% 0% 0% 0% 0%
1: Due Diligence 0% 0% 0% 0% 0%
2: Contracts 0% 0% 0% 0% 0%
3: Ongoing Monitoring 0% 0% 0% 0% 0%
1: Planning 0% 0% 0% 0% 0%
2: Testing 0% 0% 0% 0% 0%
1: Detection 0% 0% 0% 0% 0%
2: Response and Mitigation 0% 0% 0% 0% 0%
1: Escalation and Reporting 0% 0% 0% 0% 0%
HIDE
Assessed
Maturity Level
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Incomplete
Instructions: Select the desired maturity level your institution wants to achieve in column C.
This selection will set the red line on each of the charts on this and the next sheets.
HIDEHIDE
1: Governance 0 2
1: Cyber Risk 2: Risk Management 0 2
Management & Baseline
Oversight 3: Resources 0 2
4: Training & Culture 0 2
2: Threat 1: Threat Intelligence 0 2
Intelligence & 2: Monitoring & Analyzing Baseline 0 2
Collaboration 3: Information Sharing 0 2
1: Preventative Controls 0 2
3: Cybersecurity
2: Detective Controls Baseline 0 2
Controls
3: Corrective Controls 0 2
4: External 1: Connections 0 2
Dependency Baseline
Management 2: Relationship Management 0 2
5: Cyber Incident 1: Incident Resilience Planning and Strategy 0 2
Management and 2: Detection, Response, and Mitigation Baseline 0 2
Resilience 3: Escalation and Reporting 0 2
Based on the Inherent Risk Assessment, your institution is recommended to be at the following
maturity levels in all domains:
Inherent Risk Profile To Be Completed- Minimum Maturity
D5
D2 - Threat Intelligence & Collaboration 6
5
4
6 3
2
1
5 0
4
3
2
1
0
1: Threat Intelligence 2: Monitoring & Analyzing 3: Information Sharing
D3 - Cybersecurity Controls
6
5
4
3
2
1
0
1: Preventative Controls 2: Detective Controls 3: Corrective Controls
Page 155 of 163
4
3
2 Charts of Assessment Factors
1
0
1: Preventative Controls 2: Detective Controls 3: Corrective Controls
Instructions: No input required on this sheet. All data is pulled from the "Maturity Results" sheet and the "Charts of Assessment
Factor" sheet.
6
HIDEHIDE 5
Domain Assessment Factor Component Component Maturity Level
Component Maturity4
TargetMaturity
3
1: Oversight Incomplete 0 2 2
1
1: Governance 2: Strategy / Policies Incomplete 0 2 0
1 : O v e rs ig h t
3: IT Asset Management Incomplete 0 2
1: Cyber Risk 1: Risk Management Program Incomplete 0 2
Management & 2: Risk Management 2: Risk Assessment Incomplete 0 2
Oversight 3: Audit Incomplete 0 2
3: Resources 1: Staffing Incomplete 0 2
1: Training Incomplete 0 2
4: Training & Culture
2: Culture Incomplete 0 2
1: Threat Intelligence and Information Incomplete
2: Threat 1: Threat Intelligence 0 2
Intelligence &
Collaboration 2: Monitoring & Analyzing 1: Monitoring and Analyzing Incomplete 0 2
3: Information Sharing 1: Information Sharing Incomplete 0 2
1: Infrastructure Management Incomplete 0 2
2: Access and Data Management Incomplete
0 2
1: Preventative Controls
3: Device / End-Point Security Incomplete 0 2
4: Secure Coding Incomplete 0 2 6
3: Cybersecurity 1: Threat and Vulnerability Detection Incomplete
0 2 5
Controls
2: Detective Controls 2: Anomalous Activity Detection Incomplete
0 2 4
3: Event Detection Incomplete 0 2
3
1: Patch Management Incomplete 0 2
3: Corrective Controls
2: Remediation Incomplete 0 2
2
1: Connections 1: Connections Incomplete 0 2
4: External 1: Due Diligence Incomplete 0 2
Dependency 1
Management 2: Relationship Management 2: Contracts Incomplete 0 2
3: Ongoing Monitoring Incomplete 0 2 0
1: Incident Resilience Planning and 1: Planning Incomplete 0 2 1: T
5: Cyber Incident Strategy Info
1
Management and
Resilience Page 158 of 163
1
Charts of Components
0
1: Incident Resilience Planning and 1: T
5: Cyber Incident Strategy 2: Testing Incomplete 0 2 Info
1
Management and 2: Detection, Response, and 1: Detection Incomplete 0 2
Resilience Mitigation 2: Response and Mitigation Incomplete 0 2
3: Escalation and Reporting 1: Escalation and Reporting Incomplete 0 2
6
5
4
1 : In fra s tru c tu re M a n a g e m e n t
3
2
1
0
1 : R is k M a n a g e m e n t P ro g ra m
3 : IT A s s e t M a n a g e m e n t
1
2 : S tra te g y / P o lic ie s
2 : R is k A s s e s s m e n t
0
1 : O v e rs ig h t
1 : Tra in in g
1 : S ta ffin g
2 : C u ltu re
3 : A u d it
4
0
1: Connections 1:
1: Connections
5 5
4 4
3
3
2
2
1
1
0
0 1: Planning 2: Testin
1: Threat Intelligence and 1: Monitoring and Analyzing 1: Information Sharing
Information 1: Incident Resilience Planning an
1: Threat Intelligence 2: Monitoring & Analyzing 3: Information Sharing Strategy
Page 160 of 163
1
1
Charts of Components 0
0 1: Planning 2: Testin
1: Threat Intelligence and 1: Monitoring and Analyzing 1: Information Sharing
Information 1: Incident Resilience Planning an
1: Threat Intelligence 2: Monitoring & Analyzing 3: Information Sharing Strategy
D3 - Cybersecurity Controls
6
5
4
1 : T h r e a t a n d V u ln e ra b ility D e te c tio n
2 : A c c e s s a n d D a ta M a n a g e m e n t
3 : D e v ic e / E n d -P o in t S e c u rity
3
2
1 : P a tc h M a n a g e m e n t
3 : E v e n t D e te c tio n
4 : S e c u re C o d in g
1
2 : R e m e d ia tio n
0