Implementing The FSSCC & NIST CSF Cybersecurity Risk And Maturity Assessment

Background

The Federal Financial Institutions Examination Council (FFIEC) is an official partnership of financial inter-agency regulatory organizations. An example of the FFIEC members includes, but is not limited to, the Federal Reserve System (FRB), the Nation Credit Union Administration (NCUA), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC).¹ The FFIEC is tasked with guiding the financial sector on managing standards, best practices, and Federal financial examinations conducted by financial institutions to meet legal and industry regulator standards.

In the summer of 2013, the FFIEC advocated developing a cybersecurity assessment specific to the Financial Services Sector² Critical Infrastructure.³ Up to that point, the primary cybersecurity assessment framework in the financial services industry had been the FFIEC Cyber Security Assessment Tool (FFIEC CAT).⁴ The bedrock of the FFIEC CAT is the FFIEC IT Examination Handbook⁵ and the National Institute of Standard and Technology Cybersecurity Framework (NIST CSF).⁶

In 2002, the financial sector established the Financial Service Sector Coordinating Council (FSSCC). The U.S. Department of the Treasury supports the FSSCC.⁷ Seventy member organizations comprise the FSSCC (from across the financial services industry). The FSSCC coordinates cybersecurity governance activities between public and private financial establishments, the Department of Homeland Security (DHS), and other government agencies to protect financial services (as part of the nation's critical infrastructure).⁸

‍

Why the FSSCC Profile was Created

The FSSCC created a Working Group to develop an integrated NIST CSF and FSSCC cybersecurity assessment tool, which became the "FSSCC Profile." The Working Group surveyed Chief Information Security Officers (CISOs) from across the finance industry. The organization discovered up to 40% of the CISO's time was dedicated to meeting regulatory compliance requirements instead of addressing cybersecurity gaps.⁹ Using the FFIEC CAT and similar finance-based assessment tools proved to be time and cost-intensive.

‍

Take The "NIST 800-53: Intro to Security and Privacy Controls" Course Now >>

‍

The FFIEC CAT

The FFIEC CAT addresses two areas to determine an organization's cybersecurity risk profile: Inherent Risk and Controls Maturity. The cybersecurity-controls are evaluated across five functional domains:¹⁰

• Incident Response
• External Dependency Management
• Controls
• Threat Intelligence Collaboration
• Governance

Inherent Risk evaluates cybersecurity in an organization's networks, delivery channels, the cloud, mobile, external/internal threats, and the organization's overall cyber-disposition.¹¹ The FFIEC CAT is rigorous and comprehensive in addressing the maturity of cybersecurity controls. Assessment questions can be exhaustive and range from hundreds to thousands of questions. Other financial cybersecurity assessment tools are equally challenging and focus on regulatory compliance over cybersecurity evaluation. For these reasons, the FSSCC created the FSSCC Profile tool. The result was a decrease in the time needed to conduct an assessment, a reduction in costs, and a decrease in the number of diagnostic statement questions. Overall, this increased the accuracy of the cybersecurity assessment as it produced meaningful and manageable results.

‍

Development of the FSSCC Profile Assessment Tool

The FSSCC and the Bank Policy Institute (BPI)¹² reviewed many cybersecurity assessments required by multiple financial regulators. Cyber-risk-assessment terminology differs between regulators. The FSSCC and the BPI evaluated the differing cyber-terms and the core risk assessment objectives. Common terms were grouped and mapped to the regulatory requirements related to NIST CSF functions, categories, and subcategories (see Image 1). The result was the FSSCC Profile is streamlined between various financial sector regulatory requirements and the NIST CSF.¹³

In October 2018, the FSSCC released the first version of the FSSCC Profile and soon learned "The Profile" significantly reduced the time, cost, and the number of diagnostic statement questions by 73 percent.¹⁴

Image 1: Financial Services Sector Cybersecurity "Profile." ¹⁵

‍

Technical Overview of the NIST CSF & FSCCC Profile

The FSSCC Profile is published as a Microsoft Excel workbook. It will be helpful to download the workbook as a companion to this article. It can be downloaded directly from the Cyber Risk Institute: https://cyberriskinstitute.org/the-profile/

The workbook tabs contain a user guide, descriptions of functional domains, diagnostic statements, mapping the diagnostic statements between the FFIEC to the NIST CSF, and a glossary of terms. The bulk of the risk and maturity assessment will be contained within the "Diagnostic Statement" tab of the workbook. The worksheet is read from left to right in the following order :

‍

The Functions (Domains)

The assessment tool contains seven "Functions," otherwise known as domains. The NIST CSF as a stand-alone assessment addresses five domains:

• Identify (ID)
• Protect (PR)
• Detect (DE)
• Respond (RS)
• Recover (RC)

The FSSCC Profile incorporated two additional domains:

• Governance (GV)
• Supply Chain/Dependency Management (DM)

‍

The Categories

Each function includes the standard NIST CSF categories but can be expanded to include assessment questions specific to an organization's risk evaluation needs. Categories can cover multiple Subcategories. The last two columns of the Diagnostic Statement worksheet includes two columns titled "FS References" and "Informative References from NIST CSF." The columns list the documentation references for each Category and Subcategory.

‍

The Subcategories

Multiple subcategories exist for each category. Additional subcategories can be included in the assessment based on the organization's needs to meet compliance and cybersecurity objectives.

‍

The Diagnostic Statements

Each subcategory can include multiple Diagnostic Statements. The FSSCC Profile Diagnostic Statements are specific to the financial services industry but based on NIST CSF terminology. Each statement serves to better define an organization's overall cybersecurity posture. Below is an example of a subcategory Diagnostic Statement:

‍

The Tiering Process

A detailed explanation of the Tiering process can be found on the FSSCC Profile workbook's first tab. Tiers are evaluated by reviewing the organization's responses to Diagnostics Statements' assessment (functions, categories, and subcategories). In short, the Tier Level of an organization corresponds to the degree of impact the organization will have on the overall Financial Sector (as critical infrastructure) if the organization experiences a major outage (e.g., breach, attack, failure) due to a cybersecurity attack.

An organization can determine its Tier Level by completing the four-step Tiering process and a nine-question survey, which is located in the user guide tab of the FSSCC Profile workbook. After completing the questionnaire, an organization can identify its appropriate Tier Level and cybersecurity gaps.

The FSSCC Profile addresses four Tiers and defines the number of diagnostic statement questions that need to be reviewed in the risk and maturity assessment.¹⁶

• Tier 1: National/Super-National Impact; 277 Diagnostic Statement questions
• Tier 2: Subnational Impact; 262 Diagnostic Statement questions
• Tier 3: Sector Impact; 188 Diagnostic Statement questions
• Tier 4: Localized Impact; 137 Diagnostic Statement questions

Image 2: FSSCC Profile, Four-Step Repeatable Tiering Process.¹⁷

‍

Conclusion

The FSSCC Profile is a framework that can be expanded and tailored to meet any financial institution's cybersecurity risk and maturity assessment objectives. Components from other risk assessments can be integrated into the overall workbook format. For example, tracking and calculation mechanisms can be added to formulate a weighted point system to determine if gaps are being addressed and access-controls matured from year to year.

To learn more about the FSSCC Profile, download the complete User's Guide from the Cyber Risk Institute.¹⁸ The FSSCC Profile can also be used as a study companion for many of Cybrary's courses, such as the CISSP and IT Governance and Management.

‍

References

1. FFIEC. (2021). Federal Financial Institutions Examination Council's web site. Retrieved, January 28, 2021, from: https://www.ffiec.gov
2. FFIEC. (2017, May). Cybersecurity Awareness. Federal Financial Institutions Examination Council. Retrieved, January 28, 2021, from: https://www.ffiec.gov/cybersecurity.htm
3. CISA. (n.d.). Financial Services Sector. Cybersecurity and Infrastructure Security Agency. Retrieved January 27, 2021, from: https://www.cisa.gov/financial-services-sector
4. FFIEC. (2020, April, 15). Cybersecurity Assessment Tool. Federal Financial Institutions Examination Council's web site. Retrieved, January 28, 2021, from: https://www.ffiec.gov/cyberassessmenttool.htm
5. FFIEC. (2021). FFIEC IT Handbook. FFIEC IT Examination Handbook Infobase. Retrieved January 28, 2021, from: https://ithandbook.ffiec.gov
6. NIST. (2021). The NIST Cybersecurity Framework. The National Institute of Standards and Technology (NIST). Retrieved January 28, 2021, from: https://www.nist.gov/cyberframework
7. FSSCC. (2017). Annual Report, 2016-2017. Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security. Retrieved January 28, 2021, from: https://fsscc.org/files/galleries/Annual_Report_2016-2017_final.pdf
8. CISA. (2015). Financial Services Sector-Specific Plan 2015, (p.5). Coordinated publication between the U.S. Department of the Treasury, the U.S. Department of Homeland Security, the Financial Services Sector Coordinating Council, and the Financial and Banking Information Infrastructure Committee (FBIIC). Retrieved January 27, 2021, from: https://www.cisa.gov/sites/default/files/publications/nipp-ssp-financial-services-2015-508.pdf
9. FSSCC. (2021). Frequently asked questions: Why was the profile developed? Federal Financial Institutions Examination Council. Retrieved January 28, 2021, from: https://fsscc.org/The-Profile-FAQs
10. Imarc. (2017, Aug. 27). A quick look at FFIEC's Assessment Tool. Security Scorecard. Retrieved January 28, 2021, from: https://securityscorecard.com/blog/quick-look-ffiecs-assessment-tool
11. Ibid.
12. Cyber Risk Institute. (2020). The Profile is the benchmark for cyber risk assessment. Cyber Risk Institute. Retrieved January 29, 2021, from: https://cyberriskinstitute.org/the-profile/
13. Furneaux, A. (2021). Leveraging FSSCC Cybersecurity Profile in the Financial Sector. CyberSaint Security. Retrieved January 29, 2021, from: https://www.cybersaint.io/blog/fsscc-cybersecurity-profile
14. Cyber Risk Institute. (2020). The Profile is the benchmark for cyber risk assessment. Cyber Risk Institute. Retrieved January 29, 2021, from: https://cyberriskinstitute.org/the-profile/
15. FSSCC. (2017, May 17). Financial Services Sector-Specific Cybersecurity "Profile." NIST Cybersecurity Workshop. Retrieved January 29, 2021, from: https://www.nist.gov/system/files/documents/2017/05/18/financial_services_csf.pdf
16. FSSCC. (2017, May 17). Financial Services Sector-Specific Cybersecurity "Profile." NIST Cybersecurity Workshop. Retrieved January 29, 2021, from: https://www.nist.gov/system/files/documents/2017/05/18/financial_services_csf.pdf
17. Image 2: FSSCC Profile Workbook, User's Guide, tab1. https://cyberriskinstitute.org/the-profile/
18. Cyber Risk Institute. (2020). The Profile: Downloaded workbook, tab 1, User Guide. Cyber Risk Institute. Retrieved January 29, 2021, from: https://cyberriskinstitute.org/the-profile/

‍