Why Should a Small Business Care About the FFIEC Cybersecurity Assessment Tool?

What does protecting information at a financial institution have to do with my business? Maybe a lot. After reading the May 2017 FFIEC Cybersecurity Assessment Tool, I see many similarities. Most small businesses can learn a lot by reading this paper. It is broken into two major parts: the Inherent Risk Profile and Cybersecurity Maturity. I think the Inherent Risk Profile is a little confusing for most small businesses but could be used to shape some understanding of the risks being faced. The Cybersecurity Maturity part provides a good baseline for any small (or medium-sized) business. I would not spend much time beyond those items described in the “Baseline” sections of each topic area. As an organization matures, the referenced FFIEC booklets can provide additional information and guidance. There are quite a few other areas associated with the maturity model. I included the ones that I thought should be addressed first. As the organization’s cybersecurity maturity increases, additional items can be addressed.


  • Someone must be responsible (held accountable) for implementing and managing the information security and business continuity programs.
  • The budgeting process includes information security related expenses and tools.


  • The organization has an information security strategy that integrates technology, policies and training.
  • The organization has policies commensurate with its risk and complexity.

IT Asset Management

  • The organization has an up-to-date inventory of its assets (hardware, software, data, and third-party relationships).
  • A change management process is in place.


  • An independent audit or review evaluates policies, procedures and controls across the organization for significant risks and control issues associated with the organization’s operations. Organizations often have audits performed, but these audits should be expanded to include the key information security controls and procedures.
  • Issues identified and their associated corrective actions resulting from the independent audits need to be formally tracked.


  • Periodic (at least annually) training is provided. This training must be relevant to the organization’s business activities and technical infrastructure.


  • Management holds employees accountable for complying with the information security program just as they do with other policies and procedures.