You've completed the FFIEC's CAT, now what? 6 Tips on an effective remediation plan.

So you've taken the time to complete the Cybersecurity Assessment Tool (CAT) that the FFIEC released last year.  And whether you used a spreadsheet, a web application, or the plain old .pdf, you should have come up with an action plan comprised of the statements within your target maturity level that you answered “No” to.  In working through the action items with several of my clients, I’ve put together a list of tips to help make the remediation effort as smooth as possible.

1. Make sure that statements were answered honestly.  It’s tempting to use wishful thinking when doing this type of assessment, because  every “No” means more work.  But keep this in mind: examiners will be using results from your CAT in their examination process, so be prepared to defend and even provide evidence to support your answers.
   
   
2. Use references included by the FFIEC as guidance.  Each statement in the CAT maturity levels contains a reference to an IT Booklet or Work Program that can be used to clarify what is meant by that given statement.  This can be useful in not only completing the assessment, but also in planning a remediation strategy.
   
   
3. Prioritize your efforts.  The CAT is based on a maturity model, meaning you shouldn’t focus on higher levels until the lowest maturity has been achieved.  So don’t worry about evolving maturity statements if you are still missing baseline controls.  The good thing about this is that without prioritization, it can be easy to get overwhelmed with what the CAT contains.  If you really have a high number of items to work on for a given maturity level, break it in to smaller chunks by focusing on that target maturity in a single domain.
   
   
4. Clearly report to appropriate parties.  The CAT isn’t going away any time soon, and for some financial institutions, it could  potentially be an area of focus for some time.  That’s why it’s a good idea to make sure that everyone understands what it is, why you are doing it, and what the goals are.  Be sure to explain prioritization in Tip #3, so that staff are focusing on the appropriate maturity level and domain.
   
   
5. Get the team involved.  This goes hand in hand with Tip #4; the CAT covers everything related to cybersecurity from budgets, to policy, to technical controls, to contracts, to training.  That means that you can’t hand the action item list to the IT guy and expect him to take care of it.  This will take a team effort.
   
   
6. Get started.  Well, this is a little understated.  If you haven’t completed the CAT already, it’s not too late.  Examiners and auditors will ask to see it and you need to be able to demonstrate that you are taking it seriously.  Merely completing the assessment won’t be enough, you need to have a good plan for hitting your target maturity level and the only way to do that is to start doing the work.
   
   If you're overwhelmed by the thought of completing or updating your CAT, or maybe you just don't have the time to give it the attention it deserves, we can help you through the process. Shoot us an email at support@bedelsecurity.com.