e-InnoSec’s experienced consulting team has worked with various banks on FFIEC Risk Assessment and Maturity Assessment engagements. The team has also performed several privacy assessments, including GLBA assessments for banks.
FFIEC Risk Assessment and Maturity Assessment
The FFIEC cybersecurity assessment is meant to be completed periodically and after significant technological or operational changes. It is a diagnostic test that helps institutions identify their risk level and determine the maturity of their cybersecurity programs. The FFIEC's Inherent Risk assessment measures risks across the following five categories:
After determining the Inherent Risk Profile, the institution transitions to the Cybersecurity Maturity part of the Assessment to determine the institution’s maturity level within each of the following five domains.
The FFIEC assessment works by building a measurable picture of an organization's levels of risk and preparedness (maturity assessment). Management conducts a two-part survey, including:
- An Inherent Risk Profile, which determines an organization's current level of cybersecurity risk.
- A Cybersecurity Maturity assessment, which identifies an organization's current cybersecurity preparedness level, as defined by maturity scores in five distinct domains.
The Gramm-Leach-Bliley Act of 1999 (GLBA) requires that organizations protect consumer financial information. As part of the GLBA, the Federal Trade Commission (FTC) issued the Privacy Rule and the Safeguards Rule, which require that financial institutions have an information security program in place to protect the privacy and integrity of customer data.
e-InnoSec services include:
- Assist with implementation of the FFIEC framework
- Readiness assessment
- Determine the inherent risk assessment level using five categories from the framework
- Determine the cybersecurity maturity of the institution
- Assess and test the controls, identify gaps, and remediate
- Perform GLBA assessments