I've seen some criticism of the Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool that says it sets up enterprises for compliance failure. What are the issues with this tool, and what do tools like this one need in order to really help enterprises?
The FFIEC Cybersecurity Assessment Tool, released in June 2015, provides a consistent methodology for member institutions to evaluate their cybersecurity posture. While this is a laudable goal, the tool has been met with some criticism by cybersecurity experts and institution officials. The chief criticism is that the tool is a blunt instrument that lacks nuance.
The core component of the FFIEC Cybersecurity Assessment Tool is a Cybersecurity Maturity self-assessment that asks institutions to walk through the domains of cybersecurity and answer a series of questions about the controls in place to safeguard information and systems. For example, here is a section of the tool used to assess baseline infrastructure management controls:
Notice that the tool lists ten broadly worded security control objectives in this area and then asks the institution to provide a single yes/no response regarding the presence of these controls.
The issue here is that cybersecurity is rarely a yes/no decision. We live in a world filled with nuance where context is important in evaluating security controls. At the very least, this assessment would provide much more value if it allowed responses on a more granular level and gave institutions the ability to add clarifying comments and offer information about compensating controls.
The FFIEC Cybersecurity Assessment Tool is a good start toward performing security assessments, but expect to see changes in the next version that make it a more useful tool.