CAT Gaps – 2021

Where relying on a 6 year old tool can hurt banks.

A comparison of the FFIEC’s Cybersecurity Assessment Tool (2015) to the CIS Top 20 (2021 and counting).
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .


You see that parenthetical above?

“(2021 and counting)”

– It’s the point of this article.

The FFIEC has updated the Cybersecurity Assessment Tool a total of


since it was first published in 2015.  It was a great tool then, and still is if you are trying to combat six-year old threats.  But keep in mind:

  • It’s only update, in 2017, weakened it if anything, by allowing us to declare “yes with compensating controls.”
  • Nothing new from a security perspective was added in this 2017 update.
  • The CIS Top 20 Controls have been updated seven times since 2017.

So there are gaps.  Many banks and credit unions are now looking at the “next maturity level” in the CAT process.  That’s a good thing.  But we should risk rank the CAT Gaps into our thinking, when it comes to prioritizing mitigation.  In other words, if we are wanting to be at intermediate in the CAT, and find our punchlist is down to:

  1. Real Risk mitigating thing one.
  2. Real Risk mitigating thing two.
  3. Compliance thing one.
  4. Compliance thing two.

I am suggesting that you consider things like MFA on user accounts, restricting scripting tools, etc. as MORE IMPORTANT than compliance thing one and compliance thing two.  More specficially, I would rather my bank use unique passwords on service accounts than spend all the time it is going to take to ensure that “Cyber-attack scenarios are analyzed to determine potential impact to critical business processes.”

We’ve compiled a list of the thirteen gaps that scare us the most.  Happy risk-ranking!

Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”




Related Posts

Considerations – Why you should choose infotex, Inc. as your next MSOC!

Reasons why we should be considered! infotex provides a number of services that can be checked out if you click over to! We even made a movie with all the reasons why infotex...

The Magnificent Seven 2023

Seven Trends . . . …that small bank Information Security Officers face in 2023 Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Welcom...

Cybersecurity Awareness Month Awareness Poster

About Services Audit & Assessment Policies & Procedures EDR/MDR/XDR Managed SIEM Consulting Services Network Monitoring Education Resource Library Webinars & Workshops V...