A just-released update to the Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool will help make meeting regulators' demands for "baseline" cybersecurity more attainable, says Amy McHugh, a bank adviser and former IT examination analyst for the Federal Deposit Insurance Corp.
For example, before the changes, which only impact Appendix A of the tool, many smaller institutions were not able to meet the tool's requirement for having a data-flow diagram, she explains in an interview with Information Security Media Group.
"A lot of institutions I see do not have data-flow diagrams," McHugh says. "They may have network diagrams or network topologies; so, again, if they don't have a data-flow diagram, they can't reach baseline in the cybersecurity maturity level rating."
Now, thanks to the updates to Appendix A, banks and credit unions don't have to prove that they have a data-flow diagram - only that they have compensating controls, she explains. "We may not have a data-flow diagram, but we are able to meet this requirement with a detailed network topology," McHugh says.
Read the full article here:
http://www.bankinfosecurity.com/interviews/analysis-ffiecs-update-to-cyber-assessment-tool-i-3606