

What's wrong with the FFIEC Cybersecurity Assessment Tool?

The FFIEC Cybersecurity Assessment Tool has faced harsh criticism since its 2015 release. Expert Mike Chapple reviews the tool and how it can be improved.

I've seen some criticism of the Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool that says it sets up enterprises for compliance failure. What are the issues with this tool, and what do tools like this one need in order to really help enterprises?

The FFIEC Cybersecurity Assessment Tool, released in June 2015, provides a consistent methodology for member institutions to evaluate their cybersecurity posture. While this is a laudable goal, the tool has been met with some criticism by cybersecurity experts and institution officials. The chief criticism is that the tool is a blunt instrument that lacks nuance.

The core component of the FFIEC Cybersecurity Assessment Tool is a Cybersecurity Maturity self-assessment that asks institutions to walk through the domains of cybersecurity and answer a series of questions about the controls in place to safeguard information and systems. For example, here is a section of the tool used to assess baseline infrastructure management controls:

[Image: cybersecurity controls section of the FFIEC Cybersecurity Assessment Tool]

Notice that the tool lists ten broadly worded security control objectives in this area and then asks the institution to provide a single yes/no response regarding the presence of these controls.

The issue here is that cybersecurity is rarely a yes/no decision. We live in a world filled with nuance where context is important in evaluating security controls. At the very least, this assessment would provide much more value if it allowed responses on a more granular level, and provided institutions with the ability to provide clarifying comments and offer information about compensating controls.

The FFIEC Cybersecurity Assessment Tool is a good start toward performing security assessments, but expect to see changes in the next version that make it a more useful tool.



This was last published in June 2016
