Where relying on a 6 year old tool can hurt banks.

A comparison of the FFIEC’s Cybersecurity Assessment Tool (2015) to the CIS Top 20 (2021 and counting).
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .

Hey.

You see that parenthetical above?

“(2021 and counting)”

– It’s the point of this article.

The FFIEC has updated the Cybersecurity Assessment Tool a total of

once

since it was first published in 2015.  It was a great tool then, and still is if you are trying to combat six-year old threats.  But keep in mind:

• It’s only update, in 2017, weakened it if anything, by allowing us to declare “yes with compensating controls.”
• Nothing new from a security perspective was added in this 2017 update.
• The CIS Top 20 Controls have been updated seven times since 2017.

So there are gaps.  Many banks and credit unions are now looking at the “next maturity level” in the CAT process.  That’s a good thing.  But we should risk rank the CAT Gaps into our thinking, when it comes to prioritizing mitigation.  In other words, if we are wanting to be at intermediate in the CAT, and find our punchlist is down to:

1. Real Risk mitigating thing one.
2. Real Risk mitigating thing two.
3. Compliance thing one.
4. Compliance thing two.

I am suggesting that you consider things like MFA on user accounts, restricting scripting tools, etc. as MORE IMPORTANT than compliance thing one and compliance thing two.  More specficially, I would rather my bank use unique passwords on service accounts than spend all the time it is going to take to ensure that “Cyber-attack scenarios are analyzed to determine potential impact to critical business processes.”

We’ve compiled a list of the thirteen gaps that scare us the most.  Happy risk-ranking!

Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”