<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Financial Services

Do's and Don'ts Of Conducting a FSSC Cybersecurity Profile Assessment

down-arrow

The Financial Sector Cybersecurity Framework Profile was developed by the Financial Services Sector Coordinating Council (FSSCC) as a means to harmonize to the plethora of cybersecurity regulations and standards that members of the financial sector must comply with. According to the FSSCC, over 80% of the supervisory instructions in finserv regulations had a similar focus, but used different language, or had marginally different compliance requirements. The Profile was developed as a means to streamline compliance with those various regulatory requirements, much like the NIST Cybersecurity Framework has emerged as a means for organizations to build their cybersecurity programs on regardless of industry. NIST has hailed the Profile as a perfect extension of the CSF, tailored specifically for financial institutions - going so far as to add two new functions to NIST’s five: Governance and Supply/Dependency Management.

 

Institutions of all types can use it for internal and external use with vendors as a means to benchmark cybersecurity posture. As you and your organization consider whether to adopt the Profile to increase efficiency at your organization, we’ve assembled three Do’s and Dont’s when adopting the Profile.

What to Do When Adopting the Financial Sector Cybersecurity Framework Profile

Get the Board and Executive Management involved early

Whether your organization is one in which the CISO presents to executive management and the Board frequently or yours is one where the CISO presents less frequently (annually), building a strong line of communication between business-side leadership and the security organization is critical. While we have seen the CISO title emerge as a mandated function under some regulatory standards, there are no standards set for the relationship that individual has other executive leaders.

Ensure that as a technical leader that you’re facilitating early and often with executive management in terms that are actionable. One of the many benefits of the Financial Services Sector Cybersecurity Profile is its ability to translate complex compliance and cybersecurity terms into actionable information that leadership can act on.

Align Risk and Compliance Teams

A critical element of the Profile is a risk assessment. Ensure that your risk teams and compliance teams are aligned and in sync especially around the adoption of this process. Often that requires exploring tools to enable that alignment including single-pane-of-glass solutions that allow risk and compliance teams to work within the same platform side by side.

Approach the Profile with a Continuous Assessment Mindset

The Profile is most effective when organizations approach it as a living process, not a static or periodic method to hit 80% of compliance requirements. For some organizations, that can mean a change in solutions. Most GRC solutions today are designed for periodic assessments, not the continuous approach that gold-standard frameworks like the Profile suggest. As a result, the adoption of the profile can be a watershed moment for your organization towards making the shift to an integrated risk management approach to cybersecurity program management.

What Not Do When Adopting the Financial Sector Cybersecurity Framework Profile

Prioritize the Profile Over Regulations and Standards

While the Profile can help streamline the compliance process by harmonizing multiple standards, ensure that you approach adopting the Profile as a means to increase efficiency for your organization. While many regulatory frameworks do have commonalities and that’s where the Profile is of value, ensure that your organization is meeting all the necessary requirements for each standard. The Profile is often referred to as the 80% solution - ensure your organization is meeting that remaining 20% of standards and regulations.

Assume that the FSSCC Profile is Only for Large Financial Institutions

Much like the NIST CSF, the Profile is a scalable and extensible assessment tool for financial institutions of all sizes. For small and medium-sized organizations, adopting the Profile early in your program’s maturity can pay large dividends down the road as compliance requirements become more complex.

Manage a Profile Assessment in a Modular or Static Tool

As we discussed in the Do’s, ensuring program alignment between risk and compliance is critical. However, many financial institutions manage their programs using modular and siloed tools that make the assessment process difficult. The goal of the Profile is to streamline and increase efficiency for financial institutions’ compliance, yet conducting the assessment in a modular solution can result in the time that would have been spent on assessments being spent on assembling assessment data across modules in a tool.

Adopting the Financial Sector Cybersecurity Framework Profile

As we’ve seen, adopting the Profile is a sound decision for financial organizations of all sizes. It is an extensible assessment that financial institutions can use to not only build and enhance relationships with business-side leadership but also as a means to significantly increase efficiency across the compliance process.

Ensuring that your cybersecurity program is fully integrated is critical for success when implementing the Profile, an integrated solution like CyberStrong can help - with risk and compliance at the control level, both teams are fully aligned throughout of the assessment process. To learn more, give us a call at 1 800 NIST CSF or click here and request a free demo

You may also like

What's New in NIST SP 800 53 Rev 5
on November 27, 2020

NIST Special Publication (SP) 800-53 offers regulatory guidelines and controls for federal information systems except those relating to national security. This catalog of security ...

NIST SP 800-53 Explained
on November 24, 2020

Has anyone ever been the victim of a data breach? I have, and it’s not a pleasant experience. For some, it’s as simple as getting a new credit or debit card, but for others, it ...

How Healthcare IT Teams Can Unify ...
on November 19, 2020

The Health Insurance Portability and Accountability Act (HIPAA) seeks to ensure that patients’ data, protected health information (PHI), is reasonably protected from both a ...

How the Convergence of IT and OT ...
on November 17, 2020

The oil and gas industry has transformed through the adoption of many new technologies. Information Technology (IT), Operational Technology (OT), and Internet of Things (IoT) ...

Three Ways Tracking NIST 800 53 in ...
on November 12, 2020

The new NIST 800-53 revision five has over one thousand controls. Let that sink in - over one thousand individual controls. Of course, as the sophistication of cyber-attacks has ...

How IRM is Accelerating Digital ...
on November 9, 2020

The way the insurance industry has operated has changed dramatically in recent years. With the rise of insurtech startups and digitalization using emerging technologies to bridge ...