14. Domain 3: Cybersecurity Controls
14
• The good news here is that not all domains are created equal. By observing the past, present
and anticipated future FFIEC guidance, along with the sheer volume of content, one can clearly
read the tea leaves.
• The following section describes FIS’ recommendation for how financial institutions should align
their priorities and why.
• Considering the fact that the FFIEC published two specific statements on March 30, 2015 on
compromised credentials and destructive malware, this tips their hat as to what they think is
really important in the Cybersecurity Assessment Tool.
• Recognizing that compromised credentials (especially privileged accounts) and destructive
malware are particularly disruptive to a bank’s operations, it is clear that:
• Domain 3: Cybersecurity Controls, under the assessment factor of Preventive and Detective
controls, is incredibly important. Key themes to pay close attention to are Device/End Point
Security and Anomaly Activity Detection. It is also worth noting that the largest part of the
assessment is comprised of Domain 3.
15. Domain 2: Threat Intelligence and Collaboration
15
• Domain 2: Threat Intelligence and Collaboration. This is a short but a big part of the FFIEC
Cybersecurity Strategy. Why? A couple of factors support this conclusion.
• It is no secret that government agencies don’t effectively share threat information among
themselves or with private industry. Critical threat information may be missed simply because
organizations do not work well with each other. Therefore, there is an enormous need for
government agencies and security organizations to share threat information with private
industry to be ahead of emerging and new threats.
• The Cybersecurity Information Sharing Act of 2015 is emblematic of this. Although it has yet to
pass Congress, it is on the right conceptual track.
• Unfortunately, cyber attackers do not have to go through the same drawn out government or
policymaking processes to share information or to plan their next attack. Critical to the success
of cyberattacks is their ability to collaborate instinctively, naturally, freely and securely, much
to the dismay of government agencies and private companies.
16. Domain 5: Cyber Incident Management and Resilience
16
• Additionally, the FFIEC has a targeted working group set up to investigate robust information
sharing among law enforcement and intelligence agencies.
• As it relates to the Cybersecurity Assessment Tool, be sure to take a long, hard look at the
threat data you are consuming, and make sure you can convert it into actionable intelligence.
• The remaining domains fall into place simply by following the planned FFIEC workgroup
deliverables. Incident analysis has a logical next step because it builds upon information
sharing capabilities in Domain 2, except it targets the process of sharing cybersecurity incident
information.
• Along with crisis management and understanding protocols to respond to system‐wide cyber
incidents that involve public and private companies.
• Domain 5: Cyber Incident Management and Resilience should be considered the third
important aspect of the Cybersecurity Assessment Tool.