FFIEC Cybersecurity Assessment Tool

Watkins Consulting designed an Excel-based workbook to simplify the record keeping of responses and to calculate corresponding scores for the FFIEC Cybersecurity Assessment. We are pleased to offer a free download of this Excel workbook.  Upon downloading and deciding to use this tool, please register it so we can send you update notices. If you need help expanding this assessment into governance or need help with cybersecurity compliance efforts, please contact us at [email protected].

Download Excel Workbook Download User Guide

Additional download information is below.

Background

In June 2015, the Federal Financial Institutions Examination Council (FFIEC) published a Cybersecurity Assessment Tool (CAT) to help financial institutions identify and evaluate their cybersecurity risk awareness and readiness; click here to view their web page describing this tool. The tool consists of an extensive set of questions designed to evaluate the cybersecurity risk of a Financial Institution. In 2017 the FFIEC made some minor adjustments to the tool.

The FFIEC published the CAT to encourage consistent analysis, evaluation, and examination of cybersecurity risks inherent in US Financial Institutions. The Tool leverages industry standards, guidelines and best practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF, see our post on this), to help organizations better manage, evaluate, and reduce cybersecurity risk. The FFIEC has added an additional metric to the NIST CSF by considering the maturity cycle of an institution and its products and services, thereby aligning cybersecurity maturity to cyber risk—or, the greater the cyber risk, the greater the need for mature cybersecurity. Watkins has also published a short video containing a background description and a worked example using the CAT; click here to view that post.

The CAT was published in a static PDF format; therefore, in order to assist our clients Watkins has derived an equivalent Excel-based workbook that automates the tracking and scoring of an institution’s maturity levels and risk profile. Upon completion, this workbook will provide a snapshot of a Financial Institution’s cyber readiness and exposure. And, a series of workbooks over time will document cyber risk remediation efforts.

An immediate benefit is that our clients and contacts can download and use the FFIEC CAT Excel workbook. It is our hope that this tool will reduce the level of clerical work involved, allowing you to immediately engage in the important work of effective cybersecurity governance. Watkins is offering this tool for your use free of charge; however, we do recommend that you register your tool so that you can receive version updates as they become available. We recommend that you let us know that you are using the Excel workbook by sending us an email.

The purpose of this tool is to record responses and calculate corresponding scores. Should your institution require further explanation of results or interpretation of the FFIEC Cybersecurity Assessment requirements, please contact us at [email protected] or (888) 230-3032.

Download Information

The Excel file is a macro-free file and uses latest Excel Microsoft Office Open XML Format which does not allow for macros. The file size is 512,098 bytes and the SHA-1 checksum is C0D3A8EBEC36F9070EBEDB0257BC082650AD437B.

Free Excel Cybersecurity Assessment Tool Change Log

Version (link) Change SHA-1
3.4.2 (link) Unlocked improperly locked input cells C0D3A8EBEC36F9070EBEDB0257BC082650AD437B
3.4.1 Allows for easier cell formatting, corrected typos, correct user guide link 9FDD75D417BF0DEF7DAA56BAED5AE21BD92C599F
3.3.1 (link) Adds Appendix A, table of contents tab, user defined worksheet, warning message for component marked as N/A, cleaned up pivot reports, and a switch to hide registration link 421E68579EB72673E74F87A9BE699A36043D3594
2.1 (link) Updates useful links to point to updated handbook location on the web. 47B15DEE606CF514C5EF5DC9BD100C6F0CB3C706
2.00 (link) Includes for FFIEC 2017 update; broke up Risk Management/Training and Culture/Culture/Evolving declarative statements 703B7EA7AC13CA4D419A0BBEF7C9DBAEAE9BFED2
1.02 (link) Unlocked data input; added maturity heat map 0bc71b7153f6d83b83534a0fcb1054b7e05cafdb
1.01 Initial public release 2430acfd22e04c0e49f568af58642dab809d373f