<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Financial Services

Do's and Don'ts Of Conducting a FSSC Cybersecurity Profile Assessment

down-arrow

The Financial Sector Cybersecurity Framework Profile was developed by the Financial Services Sector Coordinating Council (FSSCC) as a means to harmonize to the plethora of cybersecurity regulations and standards that members of the financial sector must comply with. According to the FSSCC, over 80% of the supervisory instructions in finserv regulations had a similar focus, but used different language, or had marginally different compliance requirements. The Profile was developed as a means to streamline compliance with those various regulatory requirements, much like the NIST Cybersecurity Framework has emerged as a means for organizations to build their cybersecurity programs on regardless of industry. NIST has hailed the Profile as a perfect extension of the CSF, tailored specifically for financial institutions - going so far as to add two new functions to NIST’s five: Governance and Supply/Dependency Management.

 

Institutions of all types can use it for internal and external use with vendors as a means to benchmark cybersecurity posture. As you and your organization consider whether to adopt the Profile to increase efficiency at your organization, we’ve assembled three Do’s and Dont’s when adopting the Profile.

What to Do When Adopting the Financial Sector Cybersecurity Framework Profile

Get the Board and Executive Management involved early

Whether your organization is one in which the CISO presents to executive management and the Board frequently or yours is one where the CISO presents less frequently (annually), building a strong line of communication between business-side leadership and the security organization is critical. While we have seen the CISO title emerge as a mandated function under some regulatory standards, there are no standards set for the relationship that individual has other executive leaders.

Ensure that as a technical leader that you’re facilitating early and often with executive management in terms that are actionable. One of the many benefits of the Financial Services Sector Cybersecurity Profile is its ability to translate complex compliance and cybersecurity terms into actionable information that leadership can act on.

Align Risk and Compliance Teams

A critical element of the Profile is a risk assessment. Ensure that your risk teams and compliance teams are aligned and in sync especially around the adoption of this process. Often that requires exploring tools to enable that alignment including single-pane-of-glass solutions that allow risk and compliance teams to work within the same platform side by side.

Approach the Profile with a Continuous Assessment Mindset

The Profile is most effective when organizations approach it as a living process, not a static or periodic method to hit 80% of compliance requirements. For some organizations, that can mean a change in solutions. Most GRC solutions today are designed for periodic assessments, not the continuous approach that gold-standard frameworks like the Profile suggest. As a result, the adoption of the profile can be a watershed moment for your organization towards making the shift to an integrated risk management approach to cybersecurity program management.

What Not Do When Adopting the Financial Sector Cybersecurity Framework Profile

Prioritize the Profile Over Regulations and Standards

While the Profile can help streamline the compliance process by harmonizing multiple standards, ensure that you approach adopting the Profile as a means to increase efficiency for your organization. While many regulatory frameworks do have commonalities and that’s where the Profile is of value, ensure that your organization is meeting all the necessary requirements for each standard. The Profile is often referred to as the 80% solution - ensure your organization is meeting that remaining 20% of standards and regulations.

Assume that the FSSCC Profile is Only for Large Financial Institutions

Much like the NIST CSF, the Profile is a scalable and extensible assessment tool for financial institutions of all sizes. For small and medium-sized organizations, adopting the Profile early in your program’s maturity can pay large dividends down the road as compliance requirements become more complex.

Manage a Profile Assessment in a Modular or Static Tool

As we discussed in the Do’s, ensuring program alignment between risk and compliance is critical. However, many financial institutions manage their programs using modular and siloed tools that make the assessment process difficult. The goal of the Profile is to streamline and increase efficiency for financial institutions’ compliance, yet conducting the assessment in a modular solution can result in the time that would have been spent on assessments being spent on assembling assessment data across modules in a tool.

Adopting the Financial Sector Cybersecurity Framework Profile

As we’ve seen, adopting the Profile is a sound decision for financial organizations of all sizes. It is an extensible assessment that financial institutions can use to not only build and enhance relationships with business-side leadership but also as a means to significantly increase efficiency across the compliance process.

Ensuring that your cybersecurity program is fully integrated is critical for success when implementing the Profile, an integrated solution like CyberStrong can help - with risk and compliance at the control level, both teams are fully aligned throughout of the assessment process. To learn more, give us a call at 1 800 NIST CSF or click here and request a free demo

You may also like

Informing Cyber Risk Management ...
on May 18, 2023

Cybersecurity is no longer just an IT issue but a business risk that can impact an organization's reputation, financial health, and legal compliance. Cybersecurity risks are ...

Is Your Organization Prepared for ...
on May 3, 2023

Data storage, as well as maintenance tools and applications, have undergone many iterations in the past decade, with the introduction of cloud computing and Security Information ...

Strategies for Automating a Cyber ...
on May 8, 2023

Cybersecurity leaders and teams are overburdened by several growing trends and issues. And when your cybersecurity team is overworked and unequipped to manage cyber risk ...

Selecting the Right Cyber Risk ...
on April 13, 2023

Cyber risk quantification is the process of determining the likelihood and potential impact of a cyber attack or security breach. The probability and impact will vary based on ...

Leveraging Cyber Security ...
on May 26, 2023

A common misunderstanding with cyber risk management is that only the CISO and security practitioners should be concerned about cyber and information security. Instead, the state ...

Tips and Tricks to Transform Your ...
on April 12, 2023

Simply being “cyber aware” is an unviable option for board members as the impact of cybersecurity expands beyond IT systems. An unnoticed security gap or dated risk assessment are ...