turbot/aws_compliance

Benchmark: Federal Financial Institutions Examination Council (FFIEC)

To obtain the latest version of the official guide, please visit https://www.ffiec.gov/cyberassessmenttool.htm.

Overview

In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment), on behalf of its members, to help institutions identify their risks and determine their cybersecurity maturity.

The Assessment is designed to provide a measurable and repeatable process to assess an institution's level of cybersecurity risk and preparedness. It consists of two parts. Part one is the Inherent Risk Profile, which identifies the institution's inherent cyber risk. Part two is the Cybersecurity Maturity, which determines the institution's current state of cybersecurity preparedness, represented by maturity levels across five domains. For the Assessment to be an effective risk management tool, an institution may want to complete it periodically and whenever significant operational and technological changes occur.

To complete the Assessment, management first assesses the institution's inherent risk profile based on five categories:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

Management then evaluates the institution's Cybersecurity Maturity level for each of five domains:

  • Cyber Risk Management and Oversight: Addresses the board of directors' (board's) oversight and management's development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
  • Threat Intelligence and Collaboration: Includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
  • Cybersecurity Controls: Practices and processes used to protect assets, infrastructure, and information by strengthening the institution's defensive posture through continuous, automated protection and monitoring.
  • External Dependency Management: Involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution's technology assets and information.
  • Cyber Incident Management and Resilience: Cyber incident management includes establishing, identifying, and analyzing cyber events; prioritizing the institution's containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance

Start the Powerpipe server:

steampipe service start
powerpipe server

Open http://localhost:9033 in your browser and select Federal Financial Institutions Examination Council (FFIEC).

Run this benchmark in your terminal:

powerpipe benchmark run aws_compliance.benchmark.ffiec

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run aws_compliance.benchmark.ffiec --share

Benchmarks

Tags