September 22, 2015
Regulatory Update: The FFIEC Cybersecurity Assessment Tool (CAT)
© 2015 ProcessUnity, Inc. All Rights Reserved.
Today’s Presenters: Meet the ProcessUnity Team
Ed Thomas Senior Director, Marketing
Gary Phipps Director, Risk Solutions
ProcessUnity Risk Suite: Comprehensive, Flexible, Scalable
• Easy to Use: Simple, Point & Click Configuration; Alerts & Notifications; Online Help System
• Cloud Based: Secure, Single Application; Automatic System Upgrades; Technical Support Included
• Deploys Quickly: Senior Project Managers; Proven Methodologies; Data Migration Tools
RISK SUITE
• Enterprise Risk
• Regulatory Compliance
• Operational Risk
• SOX Compliance
• Incident Management
• Cybersecurity
• Offer Management
• Third-Party Risk
• Policy & Procedures
INTEGRATION (Analytics, Data Synchronization)
• Tableau – SAP / Ariba – RSA / Archer – Oracle
• Thomson Reuters – LexisNexis – Dun & Bradstreet
• Salesforce.com – Microsoft Office
Agenda
• Cybersecurity in the news
• What is the FFIEC CAT?
• Where does the CAT live?
• The path forward: Cybersecurity process overview
Reading the Tea Leaves: On the Way to Legislation?
Cybersecurity in the News: The Consequences of Data Breach Incidents
The Road to Legislation
“Experts seem to agree that it’s only a matter of time before information security is mandated by law. Over the past few years, various incarnations of bills have been proposed. While security chiefs understand the scrutiny, they have concerns about security becoming a compliance burden. They worry that this will cause businesses to lose sight of what really matters: focusing on their strategy and thinking about next threats.” – PWC
FFIEC Cybersecurity Assessment Tool
• “OCC examiners will begin incorporating the Assessment into examinations in late 2015.”
• Based on the IT Examination Handbook and NIST
• “…process for financial institutions to measure their cybersecurity preparedness over time.”
• “This process is intended to complement, not replace, an institution’s risk management process.”
Overview: Where does the CAT fit in?
IT Risk Universe / IT Control Framework (diagram showing where the FFIEC Cybersecurity Assessment Tool sits within the IT Risk Universe)
• Many IT control activities overlap
• Understanding the overlap is key
• Test once, satisfy many approach
Finding the GAP (CAT End State)
Inherent Risk – Maturity = GAP
Identify gaps in your IT Control Framework
The Path Forward: An Effective Cybersecurity Process (Step 1 – The Inherent Risk Assessment)
FFIEC Cybersecurity Assessment Tool, Assessment One: Inherent Risk Profile Matrix
Establish the Assessment
Kick off the Inherent Risk Assessment
Complete the Inherent Risk Assessment
Inherent Risk Summary
Inherent Risk Detail
The Path Forward: An Effective Cybersecurity Process (Step 2 – The Maturity Assessment)
FFIEC Cybersecurity Assessment Tool, Assessment Two: Cybersecurity Maturity Matrix
Establish the Assessment
Complete the Maturity Assessment
Achieved / Not Achieved
Control Impact and GAP
Closing the GAP
Summary: Managing Cyber Risk
Three Steps to Keep Cyber Risk Out
1. Identify your institution’s inherent risk level for each cyber category
2. Evaluate your maturity level and the maturity level required to reach risk equilibrium
3. Adjust your control framework and effectiveness to move up the maturity continuum
ProcessUnity Can Help: Comprehensive, Flexible, Scalable
Get Started on the Road to Automation with a Custom Demo www.processunity.com/contact
Process diagram: Inherent Risk, Maturity Summary, Gap Identification