
MODULE 2 – APPLIED STANDARDS AND CYBERSECURITY RISK MANAGEMENT


FEDERAL FINANCIAL INSTITUTIONS EXAMINATION
COUNCIL (FFIEC) CYBERSECURITY ASSESSMENT TOOL

APPLICATION OF FFIEC CYBERSECURITY ASSESSMENT TOOL


LAB SOLUTIONS

INHERENT RISK PROFILE


The inherent risk profile of the company is determined from the Inherent Risk
Profile summary table and the information given in the lab.
Table 1. Inherent Risk Summary Table

Inherent Risk Levels                                Least   Minimal   Moderate   Significant   Most

Number of statements selected in each risk level      5        5         18          11          0

Inherent risk profile assigned (based on the
individual risk levels selected)                                       Moderate

According to this table, the company’s inherent risk level is Moderate.

This document is licensed with a Creative Commons Attribution 4.0 International License ©2017 Catalyzing Computing and Cybersecurity in
Community Colleges (C5).
CYBERSECURITY MATURITY
The cybersecurity maturity level of the organization for

Domain 1: Cyber Risk Management and Oversight

Assessment Factor: Risk Management

Criteria: Risk Management Program


Table 2. Cybersecurity Maturity Level for Risk Management Program

Domain 1: Cyber Risk Management and Oversight
Assessment Factor: Governance
Criteria: Risk Management Program

Maturity level   Y / Y(C) / N   Declarative statement
Baseline         Y              An information security and business continuity risk management function exist within the institution.
Evolving         Y              The risk management program incorporates cyber risk identification, measurement, mitigation, monitoring, and reporting.
Evolving         Y              Management reviews and uses the results of audits to improve existing cybersecurity policies, procedures, and controls.
Evolving         Y              Management monitors moderate and high residual risk issues from the cybersecurity risk assessment until items are addressed.
Intermediate     N              The cybersecurity function has no clear reporting line.
Intermediate     N              The risk management program does not address cyber risks beyond the boundaries of the technological impacts.
Intermediate     N              There are no benchmarks or target performance metrics.
Intermediate     N              Management does not use the results of independent audits and reviews to improve cybersecurity.
Intermediate     N              There is no process to analyze and assign potential losses and related expenses, by cost center, associated with cybersecurity incidents.

Based on this table, the maturity level is Evolving: every declarative statement
at the Evolving level and at the Baseline level below it is answered Y, while
the Intermediate statements are not met.

The cybersecurity maturity level of the organization for

Domain 2: Threat Intelligence and Collaboration

Assessment Factor: Threat Intelligence

Criteria: Threat Intelligence and Information


Table 3. Cybersecurity Maturity Level for Threat Intelligence and Information

Domain 2: Threat Intelligence and Collaboration
Assessment Factor: Threat Intelligence
Criteria: Threat Intelligence and Information

Maturity level   Y / Y(C) / N   Declarative statement
Baseline         Y              The institution belongs to a threat and vulnerability information sharing source that provides information on threats.
Baseline         Y(C)           Threat information is used to monitor threats and vulnerabilities with some compensating controls.
Baseline         Y              Threat information is used to enhance internal risk management and controls.
Evolving         N              Threat information received by the institution does not include analysis of tactics, patterns, and risk mitigation recommendations.

According to this table, the cybersecurity maturity level for this criterion is
Baseline, since the organization meets the statements at this level (answered
Y or Y(C)) but not the Evolving statement above it.
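The reading applied to Tables 2 and 3 is a small rule: a criterion reaches a maturity level only when every declarative statement at that level and at all lower levels is answered Y or Y(C), and the first level with an N is where the gap analysis starts. The following Python is an added example, not part of the lab solution or of the FFIEC tool itself; it assumes the five FFIEC CAT maturity level names (Baseline, Evolving, Intermediate, Advanced, Innovative), treats a level that was not assessed as not achieved, and uses the statements of Tables 2 and 3 above as constructed sample input.

```python
# Added example (not part of the FFIEC lab solution): scoring a criterion's
# cybersecurity maturity level from its declarative statements, following the
# reading used for Tables 2 and 3 (a level is achieved only when every
# statement at that level and at all lower levels is answered Y or Y(C)).

MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
MET_ANSWERS = {"Y", "Y(C)"}          # Y(C): met with compensating controls
ALL_ANSWERS = MET_ANSWERS | {"N"}


def _normalize(answer):
    """Accept 'y', ' Y(c) ', etc. and reject anything outside Y / Y(C) / N."""
    a = answer.strip().upper().replace(" ", "")
    if a not in ALL_ANSWERS:
        raise ValueError(f"unexpected answer {answer!r}; expected Y, Y(C) or N")
    return a


def _group_by_level(statements):
    """statements: iterable of (level, answer, text) tuples, one per declarative statement."""
    grouped = {level: [] for level in MATURITY_LEVELS}
    for level, answer, text in statements:
        if level not in grouped:
            raise ValueError(f"unknown maturity level {level!r}")
        grouped[level].append((_normalize(answer), text))
    return grouped


def maturity_level(statements):
    """Return the highest level achieved, or None if even Baseline is not met.

    A level counts only if it was actually assessed (has statements) and every
    statement at it and below is Y or Y(C); the first failing or unassessed
    level stops the climb (assumption: an unassessed level cannot be claimed).
    """
    grouped = _group_by_level(statements)
    achieved = None
    for level in MATURITY_LEVELS:
        answers = grouped[level]
        if not answers or any(a not in MET_ANSWERS for a, _ in answers):
            break
        achieved = level
    return achieved


def next_level_gaps(statements):
    """Statements answered N at the first level not achieved: the gap-analysis list."""
    grouped = _group_by_level(statements)
    for level in MATURITY_LEVELS:
        unmet = [text for a, text in grouped[level] if a not in MET_ANSWERS]
        if unmet:
            return unmet
        if not grouped[level]:
            return []            # nothing assessed at this level, nothing to list
    return []


# Sample input constructed from Table 2 of this lab (Risk Management Program).
TABLE_2 = [
    ("Baseline", "Y", "An information security and business continuity risk management function exist within the institution."),
    ("Evolving", "Y", "The risk management program incorporates cyber risk identification, measurement, mitigation, monitoring, and reporting."),
    ("Evolving", "Y", "Management reviews and uses the results of audits to improve existing cybersecurity policies, procedures, and controls."),
    ("Evolving", "Y", "Management monitors moderate and high residual risk issues from the cybersecurity risk assessment until items are addressed."),
    ("Intermediate", "N", "The cybersecurity function has no clear reporting line."),
    ("Intermediate", "N", "The risk management program does not address cyber risks beyond the boundaries of the technological impacts."),
    ("Intermediate", "N", "There are no benchmarks or target performance metrics."),
    ("Intermediate", "N", "Management does not use the results of independent audits and reviews to improve cybersecurity."),
    ("Intermediate", "N", "There is no process to analyze and assign potential losses and related expenses, by cost center, associated with cybersecurity incidents."),
]

# Sample input constructed from Table 3 of this lab (Threat Intelligence and Information).
TABLE_3 = [
    ("Baseline", "Y", "The institution belongs to a threat and vulnerability information sharing source that provides information on threats."),
    ("Baseline", "Y(C)", "Threat information is used to monitor threats and vulnerabilities with some compensating controls."),
    ("Baseline", "Y", "Threat information is used to enhance internal risk management and controls."),
    ("Evolving", "N", "Threat information received by the institution does not include analysis of tactics, patterns, and risk mitigation recommendations."),
]

if __name__ == "__main__":
    for name, table in (("Risk Management Program", TABLE_2),
                        ("Threat Intelligence and Information", TABLE_3)):
        print(f"{name}: maturity level = {maturity_level(table)}")
        for gap in next_level_gaps(table):
            print(f"  gap: {gap}")
```

Running the script reports Evolving for Table 2 and Baseline for Table 3, and lists the N statements at the next level as the items a gap analysis would prioritize; a Y(C) answer counts as met, which is why the compensating-control statement in Table 3 does not pull the criterion below Baseline.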

INTERPRETATION OF THE ASSESSMENT RESULTS
The organization’s inherent risk profile is compared against the cybersecurity
maturity level reached for each assessment factor and criterion.

Domain 1: Cyber Risk Management and Oversight

Assessment Factor: Risk Management

Criteria: Risk Management Program

Figure 1. Relationship Matrix for Risk Management Program

According to the relationship matrix, the organization’s maturity level is within the acceptable range for its inherent risk profile.

Feedback to students: If the inherent risk level increases, however, the
maturity level should be raised as well through actions taken by management.

Domain 2: Threat Intelligence and Collaboration

Assessment Factor: Threat Intelligence

Criteria: Threat Intelligence and Information

Figure 2. Relationship Matrix for Threat Intelligence and Information

The organization’s maturity level is not sufficient for its inherent risk level.

Feedback to students: Since there is a gap between the organization’s inherent
risk level and its maturity level, the organization needs to take action either
to decrease the inherent risk level or to improve its cybersecurity maturity
level. A gap analysis should be performed so that appropriate actions can be
planned, prioritized, and carried out. When the gap is eventually addressed,
the results should be communicated throughout the organization.
