
FFIEC Risk Assessment Services
Designing a security strategy can overcome compliance hurdles and help your organization keep client data secure. It further ensures you are compliant with the Federal Financial Institutions Examination Council (FFIEC) while providing peace of mind and protecting what matters most.
Drummond offers a comprehensive FFIEC Risk Assessment for financial institutions by identifying and finding gaps in your security policies and practices. By conducting a risk assessment, your organization will gain compliance for key assets and IT systems with solid controls and frameworks in place.
Our team of experts and services meet federal, state, and local regulatory requirements for the banking and financial services industry. Drummond FFIEC Risk Assessment is designed to help you:
- Test your network for vulnerabilities
- Monitor networks for anomalies
- Implement an incident response program
- Train your staff on security awareness
- Ensure third parties have adequate security controls in place
If you are interested in our FFIEC Risk Assessment Services, please complete this form and let us know how we may help you get started.
FFIEC Cybersecurity Assessment Tool
Due to the increasing volume and sophistication of cyber threats, the FFIEC developed the Cybersecurity Assessment Tool (Assessment) on behalf of its members to help institutions identify risks and determine their cybersecurity maturity.
The content of the Assessment is consistent with the principles of the FFIEC Information Technology Examination Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as industry-accepted cybersecurity practices.
The Assessment provides institutions with a repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness and consists of two parts:
-
- Inherent Risk Profile
- Cybersecurity Maturity
The Inherent Risk Profile identifies the institution’s inherent risk before implementing controls.
The Cybersecurity Maturity includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place. While management can determine the institution’s maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level.
To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains:
-
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience