“Where are we really with security risk?” The problem is that this question isn’t answered by meeting regulatory compliance, having security controls in place, or even running the typical security assessment. They all inform, but they lack critical context. Security leaders and Boards of Directors want to know:
Only a security assessment evaluated against both FFIEC standards and prevalent industry attack vectors, then subjected to statistical modeling, paints the picture clearly. The results include meaningful ratings of existing controls, helping evaluate program health and prioritize needed action. This innovative approach gives the desired information, enabling confident communication and informed decision-making that best protects your critical data and reputation.
Simply following FFIEC guidance and “best practices” is no longer enough for protecting customer data. Banks must focus resources in areas that yield the most benefit. Alagen Strategic Advisory consultants start by reviewing your organization’s inherent risk profile. Once validated, the organization will be assessed against the five domains of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool framework to ensure that the appropriate level of maturity has been achieved. Unlike traditional audits, this deep-dive review includes an effectiveness score for each declarative statement. Recommendations for any identified gaps will be provided.
Next, a scenario-based risk assessment will be performed within your environment against industry-relevant data breaches including: crimeware, insider and privilege misuse, cyber-espionage, DoS attacks, web application attacks, physical theft and loss, payment card losses, and miscellaneous errors. These attack scenarios, derived from industry reports, are developed for each of the breach loss categories based on services and applications in use at your company. A probability simulation is performed for each threat using parameters identified in the attack scenario analysis and taking into account the previously determined ratings of your controls used to defend against them. Used in this manner, the model helps you understand the impact of risk — predicting a meaningful, quantifiable range of potential cybersecurity losses with reasonable associated probabilities.
An FFIEC Threat-Informed Cyber Risk Assessment allows your organization to: