
Do's and Don'ts Of Conducting a FSSC Cybersecurity Profile Assessment


The Financial Sector Cybersecurity Framework Profile was developed by the Financial Services Sector Coordinating Council (FSSCC) as a means to harmonize the plethora of cybersecurity regulations and standards that members of the financial sector must comply with. According to the FSSCC, over 80% of the supervisory instructions in financial services regulations have a similar focus but use different language or carry marginally different compliance requirements. The Profile was developed to streamline compliance with those various regulatory requirements, much as the NIST Cybersecurity Framework has emerged as a foundation on which organizations in any industry can build their cybersecurity programs. NIST has hailed the Profile as a natural extension of the CSF, tailored specifically for financial institutions; it goes so far as to add two new functions to NIST's five: Governance and Supply/Dependency Management.

Institutions of all types can use the Profile internally, and externally with vendors, as a means to benchmark cybersecurity posture. As you and your organization consider whether to adopt the Profile to increase efficiency, we've assembled three Do's and three Don'ts for adopting it.

What to Do When Adopting the Financial Sector Cybersecurity Framework Profile

Get the Board and Executive Management involved early

Whether your organization is one in which the CISO presents to executive management and the Board frequently, or one where the CISO presents less frequently (annually), building a strong line of communication between business-side leadership and the security organization is critical. While we have seen the CISO title emerge as a mandated function under some regulatory standards, no standard defines the relationship that individual has with other executive leaders.

As a technical leader, ensure that you are engaging executive management early and often, in terms that are actionable. One of the many benefits of the Financial Services Sector Cybersecurity Profile is its ability to translate complex compliance and cybersecurity terms into information that leadership can act on.

Align Risk and Compliance Teams

A critical element of the Profile is a risk assessment. Ensure that your risk and compliance teams are aligned and in sync, especially around the adoption of this process. Often that requires exploring tools that enable the alignment, including single-pane-of-glass solutions that let risk and compliance teams work side by side within the same platform.

Approach the Profile with a Continuous Assessment Mindset

The Profile is most effective when organizations approach it as a living process, not a static or periodic method for hitting 80% of compliance requirements. For some organizations, that can mean a change in solutions: most GRC solutions today are designed for periodic assessments, not the continuous approach that gold-standard frameworks like the Profile call for. As a result, adopting the Profile can be a watershed moment for your organization in shifting to an integrated risk management approach to cybersecurity program management.

What Not to Do When Adopting the Financial Sector Cybersecurity Framework Profile

Prioritize the Profile Over Regulations and Standards

While the Profile can help streamline the compliance process by harmonizing multiple standards, approach its adoption as a means to increase efficiency for your organization, not as a replacement for the underlying requirements. Many regulatory frameworks do have commonalities, and that is where the Profile is of value, but ensure that your organization is meeting all the necessary requirements of each standard. The Profile is often referred to as the 80% solution; make sure your organization is also meeting the remaining 20% of standards and regulations.

Assume that the FSSCC Profile is Only for Large Financial Institutions

Much like the NIST CSF, the Profile is a scalable and extensible assessment tool for financial institutions of all sizes. For small and medium-sized organizations, adopting the Profile early in your program’s maturity can pay large dividends down the road as compliance requirements become more complex.

Manage a Profile Assessment in a Modular or Static Tool

As we discussed in the Do's, ensuring program alignment between risk and compliance is critical. However, many financial institutions manage their programs using modular, siloed tools that make the assessment process difficult. The goal of the Profile is to streamline compliance and increase efficiency for financial institutions, yet conducting the assessment in a modular solution can mean that the time saved on assessments is spent instead on assembling assessment data from across the tool's modules.

Adopting the Financial Sector Cybersecurity Framework Profile

As we've seen, adopting the Profile is a sound decision for financial organizations of all sizes. It is an extensible assessment that financial institutions can use not only to build and enhance relationships with business-side leadership, but also to significantly increase efficiency across the compliance process.

Ensuring that your cybersecurity program is fully integrated is critical for success when implementing the Profile, and an integrated solution like CyberStrong can help: with risk and compliance managed at the control level, both teams stay fully aligned throughout the assessment process. To learn more, give us a call at 1 800 NIST CSF or click here to request a free demo.
