Cybersecurity is an area of growing concern for financial institutions, especially in the face of recent high-profile data breaches. In June of this year, the Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Self Assessment Tool (CAT) to help institutions determine their risks and evaluate their preparedness.

1. BUSINESS
CONSULTANTS
DEEP
TECHNOLOGISTS
FFIEC and NIST: What You Need to Know
About Two Prevalent New IT Security
Compliance Frameworks

2. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
West Monroe Partners is large enough to tackle our clients’
toughest challenges and nimble enough to adapt to unique
requirements with custom solutions.Established in 2002
Founded by a team from Arthur
Andersen, West Monroe is a full-service
business and technology consulting
firm.
People
Over 600 career consultants, confident
enough to engage in constructive
debate and understand that it’s okay to
disagree.
Organization
We are 100% employee owned. We
answer to our people and our clients
only.
Global reach but geographically
close
We serve global clients, locally by
partnering with BearingPoint Europe
and Grupo Assa.
2

3. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
In 2009 and 2010
named one of
Crain’s Chicago
Business “Best
20 Places to
Work in Chicago”
3
Named by National
Association of Business
Resources as one of
Chicago’s “101 Best and
Brightest Companies to
Work For” in 2006, 2007,
2008, 2009 and 2012
Early
2000s
Early
2000s
In 2008, 2011, 2012,
2013, 2014 and 2015
Seattle Business
Magazine named West
Monroe “Best Large
Company Headquartered
Outside Washington”
From 2010-2015
named as a
“Top
Workplace” by
the Chicago
Tribune
Named one of
Consulting
Magazines “Best
Small Firms to
Work For” for
second straight
year in 2010
In 2012, 2013, 2014
and 2015 named
one of the top
Managed Service
Providers in North
America by MSP
mentor
In 2011 named to
Columbus
Business First’s
2011 “Best
Places to Work”
In 2012, 2013, 2014
and 2015 named
one of Consulting
magazine’s “Best
Large Firms to
Work For”
In 2013 and 2014
named to Great
Place to Work
“Best Small &
Medium
Workplaces” list
published in
FORTUNE
magazine
2011 2012 2013 2014
In 2012, 2014 and
2015, the Puget Sound
Business Journal
selected West Monroe
Partners as a finalist
for Washington's Best
Workplaces
Selected for the
2013 “Inner City
100” by The
Initiative for a
Competitive Inner
City (ICIC) and
FORTUNE
In 2008, 2009, 2011,
2012, 2013 and 2015
named by Crain’s
Chicago Business as
one of its “Fast Fifty”
2015

4. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
 West Monroe’s Security team was built from the ground up with a blending of deep technologists and a
focus on strategic security consulting
 We emphasize security as a component of an overall risk management approach, meaning we focus on
strategic solutions and helping organizations to operationalize their security investments
 Where most security consultancies focus on addressing security through tactical assessments and
solutions, we deliver prioritized roadmaps that address the areas that will most effectively improve
your security posture and reduce risk
West Monroe Partners: An uncommon blend of business consultants and
deep technologists solving security challenges in today’s business climate
4

5. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
Federal Financial Institutions
Examination Council
FRBFederal Reserve Bank -
“The Fed”
OCCOffice of the Comptroller
of the Currency
FDICFederal Deposit
Insurance Corporation
NCUANational Credit Union
Association
CFPBConsumer Financial
Protection Bureau
SLC
State Liaison Committee
CSBSConference of State
Banking Supervisors
ACSSSAmerican Council of
State Savings Supervisors
NASCUSNat. Assoc. of State
Credit Union Supervisors
Starting in late 2015, examiners will begin using a new assessment tool to
better understand risks and controls related to cybersecurity

6. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
There are two pieces of the FFIEC tool that must be accomplished, in order
6
1
2Technologies
and
Connections
Delivery
Channels
Online, Mobile,
and Tech.
Services
Org.
Characteristics
External
Threats

7. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
The Cybersecurity Maturity profile worksheet is hierarchically structured,
similar to most compliance frameworks
7
Domain
Assessment
Factor
Component
Maturity
Level
Declarative
Statement

8. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
By combining the information from the Inherent Risk and Maturity
profiles, gaps can be assessed
8
1
2
3
3 8 21 7 0

Y
N
N
N
N













9. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
On its own, use of the FFIEC CAT has clear strengths and weaknesses
9
Easy to conduct
Ordained by regulators
Good coverage
Contextual
Thoroughly mapped
Lack of detailed gap analysis
Little flexibility
Hard for non-technologists to
digest
Difficult to represent findings

10. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
Depending on the ability of your organization to respond to regulatory
guidance, additional support or use of alternate frameworks may help
10

11. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
Subcategories further divide a Category into
specific outcomes of technical and/or
management activities.
Informative References are specific sections
of standards, guidelines, and practices
common among critical infrastructure
sectors that illustrate a method to achieve
the outcomes associated with each
Subcategory.
The NIST Framework Core identifies underlying key Categories and Subcategories
for each Function, and maps them to Informative References
11
Identify
Protect
Detect
Respond
Recover
Function Category
Subcategory
Informative References
 Asset Management
 Business Environment
 Risk Assessment
 Risk Management Strategy
 Access Control
 Awareness and Training
 Data Security
 Information Protection Procedures
 Maintenance
 Protective Technology
 Anomalies and Events
 Security Continuous Monitoring
 Detection Processes
 Response Planning
 Communications
 Analysis
 Mitigation
 Improvements
 Recovery Planning
 Improvements
 Communications
Governance
Categories are the subdivisions of a Function
into groups of cybersecurity outcomes
closely tied to programmatic needs and
particular activities.

12. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
The FFIEC Cybersecurity Assessment Tool directly aligns with the NIST
Cybersecurity Framework
12
NIST Framework: Industry Alignment
The FFIEC Cybersecurity Assessment
Tool (FFIEC CAT) provides a statement
by statement and page by page
comparison from the NIST
Cybersecurity Framework (NIST CSF)
to the FFIEC CAT.
FFIEC
Cybersecurity
Assessment Tool
NIST
Cybersecurity
Framework
Example of the NIST CSF mapping to the FFIEC CAT:

13. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
The Core of the NIST Cybersecurity Framework further aligns to other
Frameworks
13
NIST Framework: Industry Alignment
Organizations with successful implementations of NIST CSF can benefit from its synergy with
other Frameworks
The NIST CSF Core contains
Informative References which are
specific sections of other
Frameworks that illustrate a method
to achieve the outcomes associated
with each of the Core’s
Subcategories.
Example of the NIST CSF Core referring to other Frameworks:
Other
Frameworks
NIST
Cybersecurity
Framework
Function Category Subcategory Informative References
· CCS CSC 1
· COBIT 5 BAI09.01, BAI09.02
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
· NIST SP 800-53 Rev. 4 CM-8
Asset Management (ID.AM): The data, personnel,
devices, systems, and facilities that enable the
organization to achieve business purposes are
identified and managed consistent with their relative
importance to business objectives and the
organization’s risk strategy.
IDENTIFY(ID)
ID.AM-1: Physical
devices and systems
within the
organization are
inventoried

14. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
By assessing both the current state and desired state profiles, an
organization can determine the most impactful areas of focus
14
PRISMA Scale
Govern
Protect
Recover Identify
Respond
Detect
Identify
Protect
Detect
Respond Recover
Govern
NIST / WMP Framework
Implementation TestingProcedures Org. IntegrationPolicies

15. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.15
The NIST framework can be leveraged to monitor and objectively evaluate
an organization’s security maturity and associated progress
Function
Current
Rating
Desired
Rating
GOVERN 1.5 3.6
IDENTIFY 1.1 3.5
PROTECT 1.4 3.5
DETECT 1.4 3.2
RESPOND 1.5 3.5
RECOVER 1.2 3.1
LEGEND
Govern
Protect
Recover Identify
Respond
Detect

16. © 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
At the end of the day, regulators will demand more than a completed checklist
16

17. Questions & Discussion
17
JERIN MAY
Director - Infrastructure and Security - Seattle
Desk 206.905.0209
Cell 206.920.0958
jmay@westmonroepartners.com
ROSS MILLER
Manager – Infrastructure and Security - Seattle
Desk 206.905.0167
Cell 517.525.1843
rmiller@westmonroepartners.com