Federal Financial Institutions Examination Council (FFIEC)

Share it in

What is the FFIEC Cybersecurity assessment tool? 

FFIEC -> Federal Financial Institutions Examination Council developed the Cybersecurity Assessment Tool to help financial institutions identify their risks and determine their cybersecurity preparedness. The tool is a framework that can help organizations, and not a law or regulation that requires compliance. Financial institutions can also use the assessment tool to evaluate their third-party service providers.


What does FFIEC Cybersecurity say about data classification?

  • Institution management should employ encryption strength sufficient to protect information from disclosure. Encryption methods should be reviewed periodically to ensure that the types and forms of encryption are still secure as technology and threats evolve. Decisions regarding what data to encrypt and at what points to encrypt the data are typically based on the risk of disclosure and encryption costs. The need to encrypt data is determined by the institution’s data classification and risk assessment.
  • System devices, programs, and data are system resources. Because users may access these resources through the institution’s network, management should identify and restrict logical access to all system resources to the minimum required for legitimate and approved work activities, according to the principle of least privilege. Pass beyond the minimum necessary work to be performed exposes the institution’s systems and information to a potential loss of confidentiality, integrity, and availability.
  • Inventories are essential for management to identify assets that require additional protection, such as those that store, transmit, or process sensitive customer information, trade secrets, or other information or support that could be a target of cybercriminals. Knowing what information assets the institution has and where they are stored, transmitted, or processed helps management comply with federal and state laws and regulations regarding the privacy and security of sensitive customer information.
  • After inventorying the assets, management should classify the information according to the appropriate level of protection needed. For example, systems containing sensitive customer information may require access controls based on job responsibilities. These systems should have more robust controls than systems containing information meant for the general public. Some institutions classify information as public, non-public, or institution-confidential, while others use the classifications high, moderate, and low. Additional categories, such as critical and non-critical, may be helpful to certain types of institutions.
  • Primary considerations for incident response include balancing concerns regarding confidentiality, integrity, and availability for devices and data. This consideration is a crucial driver for a containment strategy and may involve legal and liability considerations. Management may decide that some systems must be disconnected or shut down at the first sign of intrusion, while others must be left online.
  • The institution should protect the confidentiality of customer and institution information. A breach in confidentiality could disclose proprietary information, increase fraud risk, damage the institution’s reputation, violate customer privacy and associated rights, and break laws or regulations.
  • When transmitting sensitive information over a public network, information should be encrypted to protect it from interception or eavesdropping.
  • For institution-owned devices, the institution should Encrypt sensitive data residing on the access device.


These are a few examples where data classification of documents is necessary or would greatly help the organization get an overview of where sensitive and confidential information is residing. This makes it easier to implement the measures required to protect the information and know the risk involved. It also makes it easier to get an overview in case of a cybersecurity incident.

Summary: The FFIEC cybersecurity tool explains many requirements for good cybersecurity practices where having performed data classification would greatly help.

Related Posts