Cybersecurity Supervision Work Program References
The Cybersecurity Supervision Work Program (CSW) provides high-level examination procedures that are aligned with existing supervisory guidance and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Users can filter and search for procedures by using the CSW Cross-References table on this page. Each procedure is cross-referenced to OCC resources, the FFIEC IT Examination Handbook, and common industry cybersecurity frameworks.
The CSW is a component of the OCC’s risk-based bank information technology supervision process. The CSW sets no new regulatory expectations, and national banks and federal savings associations are not expected to use this work program to assess cybersecurity preparedness.
CSW Cross-References
The table below lists the CSW procedures with their cross-references to OCC resources, FFIEC IT Examination Handbook booklets, and industry frameworks.
| Function | Function /Category /Unique ID | Procedure | OCC Resources | FFIEC IT Examination Handbook InfoBase | Industry Frameworks | Procedure Short Text | Category | Unique ID |
|---|---|---|---|---|---|---|---|---|
| Identify | Identify /IT Asset Management /ID.AM-1.AI | IT Asset Inventory: Evaluate the effectiveness of processes implemented to identify and maintain the asset inventory of all on-site and off-site system devices, hardware, and other system components. | OCC Bulletin 2020-46, Attachment; OCC Bulletin 2020-94, Attachment, Appendix A, page 10 | Information Security Booklet: II.C.5; Appendix A, Objective 6, procedure 6, parts a - e. Architecture, Infrastructure, and Operations Booklet: III.B; III.B.1; Appendix A, Objective 4, procedure 1; Appendix A, Objective 4, procedure 3, parts a and b; Appendix A, Objective 4, procedure 5, parts a - f | Center for Internet Security (CIS): 1.1; Cyber Risk Institute (CRI): ID.AM-1.1, ID.AM-2.1, ID.AM-3.3, ID.AM-4.1; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.IT.B.1, D1.G.IT.B.2, D1.G.IT.B.3; NIST SP 800-53 r5: CM-8, CM-8 (4) | IT Asset Inventory | IT Asset Management | ID.AM-1.AI |
| Identify | Identify /IT Asset Management /ID.AM-2.SI | Software Inventory: Evaluate the effectiveness of software inventory management processes to include end of support and end of life situations. | None | Architecture, Infrastructure, and Operations Booklet: III.B.2; Appendix A, Objective 4, procedure 4, parts a - g | Center for Internet Security (CIS): 2.1; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.ITE.1; NIST SP 800-53 r5: CM-8, CM-8 (4), PM-5 | Software Inventory | IT Asset Management | ID.AM-2.SI |
| Identify | Identify /IT Asset Management /ID.AM-3.DF | Data Flow: Evaluate the effectiveness of the processes for developing, maintaining, and securing data flow diagrams. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 1, Procedure 4 | Information Security Booklet: II.C.6; II.C.9; Appendix A, Objective 1, procedure 3, part b; Appendix A, Objective 6, procedure 10, part b. Architecture, Infrastructure, and Operations Booklet: III.C.2; Appendix A, Objective 5, procedure 1 | Center for Internet Security (CIS): 3.8; Cyber Risk Institute (CRI): ID.AM-3.1, ID.AM-3.3; FFIEC Cybersecurity Assessment Tool (CAT): D4.C.Co.B.3, D4.C.Co.B.4, D4.C.Co.E.3, D4.C.Co.Int.1; NIST SP 800-53 r5: AC-4, PL-8 | Data Flow | IT Asset Management | ID.AM-3.DF |
| Identify | Identify /IT Asset Management /ID.AM-4.EC | External Connections: Assess the processes for identifying and maintaining an inventory of all external connections. | OCC Bulletin 2020-46, Attachment, page 5; OCC Bulletin 2020-94, Attachment, Appendix A, page 10; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 1, Procedure 4; Information Technology, Objective 3, Procedures 1 - 4 | Architecture, Infrastructure and Operations Booklet: III.B; III.B.1(a); Appendix A, Objective 4, procedure 3; Appendix A, Objective 11, procedure 1, part a; Appendix A, Objective 13, procedure 7, part b; Appendix A, Objective 14, procedure 2, parts a - e. Business Continuity Management Booklet: III.A.1; III.B.1. Information Security Booklet: II.C.5 | Center for Internet Security (CIS): 12.4; Cyber Risk Institute (CRI): ID.AM-3.3; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.IT.B.1, D4.C.Co.B.3, D4.C.Co.B.4, D4.C.Co.E.1; NIST SP 800-53 r5: AC-20, SA-9 | External Connections | IT Asset Management | ID.AM-4.EC |
| Identify | Identify /IT Asset Management /ID.AM-5.DM | Data Management: Evaluate the effectiveness of the data management life cycle to include identification, analysis, storage, and disposal. | OCC Bulletin 2020-94, Attachment, Appendix A, page 10; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 1; Information Technology, Objective 5, Procedure 3 | Architecture, Infrastructure, and Operations Booklet: III.A; III.A.1; Appendix A, Objective 3, procedures 1 - 4 | Center for Internet Security (CIS): 3.2; Cyber Risk Institute (CRI): ID.AM-3.2, PR.IP-6.1; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.IT.B.1, D4.RM.Co.B.1, D4.RM.Co.B.2; NIST SP 800-53 r5: SI-12, SI-12 (3) | Data Management | IT Asset Management | ID.AM-5.DM |
| Identify | Identify /IT Asset Management /ID.AM-5.DI | Data Classification: Assess the adequacy of the data classification methodology to determine if data criticality and sensitivity are identified and maintained. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 1 | Information Security Booklet: II.C.5; Appendix A, Objective 6, procedure 6, parts a - e. Architecture, Infrastructure, and Operations Booklet: III.A.1; III.B; Appendix A, Objective 3, procedure 3; Appendix A, Objective 3, procedure 5, parts a - d | Center for Internet Security (CIS): 3.7; Cyber Risk Institute (CRI): ID.AM-5.2, ID.AM-5.1; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.IT.B.2; NIST SP 800-53 r5: RA-9, RA-2 | Data Classification | IT Asset Management | ID.AM-5.DI |
| Identify | Identify /Business Environment /ID.BE-1.SC | Supply Chain: Evaluate how management determines and communicates if the bank holds a critical or systemically important role in providing services to other entities in the financial sector. | None | Business Continuity Management Booklet: III; IV; II.A; Appendix A, Objective 10, procedure 25, part c | Cyber Risk Institute (CRI): DM.BE-1; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.IT.A.1; NIST SP 800-53 r5: SR-1, SR-2 | Supply Chain | Business Environment | ID.BE-1.SC |
| Identify | Identify /Business Environment /ID.BE-2.FS | Critical Infrastructure: Evaluate how management determines and communicates the bank’s role in the financial services sector of the U.S. critical infrastructure. | OCC Bulletin 2020-94, Attachment, page 4; OCC Bulletin 2003-14, Attachment | Business Continuity Management Booklet: IIIVII.J; Appendix A, Objective 10, procedure 24, parts a, d, e. Information Security Booklet: II.A | Cyber Risk Institute (CRI): DM.BE-1.1, DM.BE-1.2; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.Ov.B.5, D1.G.Ov.A.6, D1.G.SP.Inn.1; NIST SP 800-53 r5: PM-8 | Critical Infrastructure | Business Environment | ID.BE-2.FS |
| Identify | Identify /Business Environment /ID.BE-4.CR | Critical Dependencies: Evaluate the effectiveness of processes that identify and maintain critical dependencies, such as power, telecommunications, network connectivity, and other critical infrastructures. | OCC Bulletin 2020-94, Attachment, page 4; OCC Bulletin 2003-14, Attachment; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 1, Procedure 4; Information Technology, Objective 3, Procedures 1 through 4 | Business Continuity Management Booklet: IV.A.6; IV.A.7; Appendix A, Objective 4, procedure 3, parts a - c; Appendix A, Objective 6, procedure 6, parts a - g; Appendix A, Objective 10, procedure 25, part d. Information Security Booklet: II.C.5; II.C.6; II.C.9; II.C.9(a); Appendix A, Objective 6, procedure 7, parts a - f | Cyber Risk Institute (CRI): RC.RP-1.2, DM.BE-2.1; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.Ov.B.5, D4.C.Co.B.1, D3.PC.Se.A.2; NIST SP 800-53 r5: CP-8, PE-9, PE-11, PM-8 | Critical Dependencies | Business Environment | ID.BE-4.CR |
| Identify | Identify /Business Environment /ID.BE-5.RR | Cybersecurity Resilience: Evaluate cybersecurity resilience planning and response capabilities to support delivery of critical services. | OCC Bulletin 2020-94, Attachment, Appendix A; OCC Bulletin 2003-14, Attachment; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 6, Procedures 1 through 8 | Business Continuity Management Booklet: IV.A.2; Appendix A, Objective 6, procedure 3, parts a - f; Appendix A, Objective 6, procedure 5, parts a - f. Information Security Booklet: Appendix A, Objective 6, procedure 15, parts a - c | Cyber Risk Institute (CRI): RC.RP-1.2, DM.BE-3.1; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.SP.B.6, D5.IR.Pl.E.3, D3.CC.Re.Inn.1; NIST SP 800-53 r5: CP-2, CP-10 | Cybersecurity Resilience | Business Environment | ID.BE-5.RR |
| Identify | Identify /Governance /ID.GV-2.CR | Cybersecurity Roles: Review management and staff roles and responsibilities to determine whether they address cybersecurity risk management processes and procedures. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 2, Procedure 2 | Information Security Booklet: II.B; Appendix A, Objective 2 | Cyber Risk Institute (CRI): GV.RR-1.1, GV.RR-2.1; FFIEC Cybersecurity Assessment Tool (CAT): D1.R.St.B.1, D1.R.S.B.2; NIST SP 800-53 r5: PM-2, PM-3, AT-2, AT-3 | Cybersecurity Roles | Governance | ID.GV-2.CR |
| Identify | Identify /Governance /ID.GV-3.LR | Regulatory Requirements: Evaluate the effectiveness of the processes for maintaining continued compliance with applicable rules and regulations. | OCC Bulletin 2021-55, Attachment; OCC Bulletin 2013-39, Attachment; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 8; Information Technology, Objective 6, Procedure 8 | Management Booklet: III.C.3(a); Appendix A, Objective 12, procedure 3. Information Security Booklet: Appendix A, Objective 4, procedure 5, parts a - c. Architecture, Infrastructure, and Operations Booklet: Appendix A, Objective 2, procedure 9, part b | Cyber Risk Institute (CRI): GV.PL-3.1, GV.PL-3.3; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.Ov.E.2, D1.RM.RMP.Int.2, D2.IS.Is.Int.2; NIST SP 800-53 r5: PM-1, RA-1 | Regulatory Requirements | Governance | ID.GV-3.LR |
| Identify | Identify /Governance /ID.GV-4.CR | Cybersecurity Risk: Assess the effectiveness of cybersecurity risk management processes. | OCC Bulletin 2020-94, Attachment, Appendix A; OCC Bulletin 2015-20, Attachment; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 2, Procedure 6; Information Technology, Objective 5, Procedure 1; Information Technology, Objective 5, Procedure 9 | Information Security Booklet: II; Appendix A, Objective 2, procedure 10; Appendix A, Objective 3, procedure 1, parts a - e | Cyber Risk Institute (CRI): GV.RM-1.5, GV.RM-1.6; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.Ov.B.2, D1.RM.RMP.B.1, D1.RM.RMP.E.1, D1.RM.RA.Int.1, D3.CC.Re.B.1; NIST SP 800-53 r5: PM-11, PM-7, SA-2 | Cybersecurity Risk | Governance | ID.GV-4.CR |
| Identify | Identify /Governance /ID.GV-4.AS | Assurance: Review and evaluate assurance and testing processes to determine whether cybersecurity controls are in place and working effectively to mitigate identified security risks. | OCC Bulletin 2020-94, Attachment, page 3; OCC Bulletin 2015-20, Attachment; Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 2; Information Technology, Objective 5, Procedure 8; Information Technology, Objective 5, Procedure 9 | Information Security Booklet: IV.A; Appendix A, Objective 6, procedure 4, parts a - c; Appendix A, Objective 6, procedure 5, parts a - c; Appendix A, Objective 10, procedures 1 - 6. Management Booklet: I.B.7(b). Architecture, Infrastructure and Operations Booklet: II.D | Cyber Risk Institute (CRI): GV.AU-1.2, GV.AU-1.3, GV.AU-3.1, GV.IR-1.1; FFIEC Cybersecurity Assessment Tool (CAT): D1.RM.RMP.E.2, D1.RM.Au.E.3, D1.RM.Au.B.4, D3.DC.Th.B.1; NIST SP 800-53 r5: CA-2, CA-2 (2) | Assurance | Governance | ID.GV-4.AS |
| Identify | Identify /Governance /ID.GV-4.PT | Penetration Testing: Assess the adequacy of scope, frequency, and effectiveness of penetration testing. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 4 | Information Security Booklet: IV.A.2(b); Appendix A, Objective 8, procedure 1, parts a - d; Appendix A, Objective 10, procedure 1, part a | Center for Internet Security (CIS): 16.13, 18, 18.1, 18.5; Cyber Risk Institute (CRI): DE.CM-8.2; FFIEC Cybersecurity Assessment Tool (CAT): D3.DC.Th.A.2, D3.DC.Th.B.1, D3.DC.Th.E.5; NIST SP 800-53 r5: CA-8 | Penetration Testing | Governance | ID.GV-4.PT |
| Identify | Identify /Risk Assessment /ID.RA-2.CT | Threat Intelligence: Evaluate the effectiveness of threat intelligence collection from external sources. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 1 | Information Security Booklet: II.C; III; III.A; III.B; III.C; Appendix A, Objective 4, procedure 4; Appendix A, Objective 8, procedure 3. Business Continuity Management Booklet: III.B.1 | Center for Internet Security (CIS): 7; Cyber Risk Institute (CRI): ID.RA-2.1, ID.RA-5.2; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.SP.B.3, D1.G.SP.Int.1, D2.TI.Ti.B.1; NIST SP 800-53 r5: SI-5, PM-15, PM-16 | Threat Intelligence | Risk Assessment | ID.RA-2.CT |
| Identify | Identify /Risk Assessment /ID.RA-5.CR | Risk Assessment: Evaluate the cybersecurity risk assessment process to assess whether threats, vulnerabilities, likelihoods, and impacts are used to determine business impacts and overall risk. | OCC Bulletin 2020-94, Attachment, page 4; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 1; Information Technology, Objective 5, Procedure 9 | Management Booklet: III.B. Information Security Booklet: II.B; III.A; Appendix A, Objective 3, procedure 2, part d | Center for Internet Security (CIS): 7.0; Cyber Risk Institute (CRI): ID.RA-4.1, ID.RA-5.1; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.SP.Int.2, D1.RM.RA.B.1, D1.RM.RA.E.1, D2.TI.Th.B.3; NIST SP 800-53 r5: RA-3, RA-3 (3) | Risk Assessment | Risk Assessment | ID.RA-5.CR |
| Identify | Identify /Risk Assessment /ID.RA-6.RR | Risk Response: Assess the effectiveness of management’s prioritization and response to identified risks to include consideration of cybersecurity insurance. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 1; Information Technology, Objective 5, Procedure 9 | Management Booklet: III.B. Information Security Booklet: II; II.C; II.B; Appendix A, Objective 6, procedure 1, parts a - e; Appendix A, Objective 6, procedure 2; Appendix A, Objective 6, procedure 3; Appendix A, Objective 6, procedure 4, parts a - c | Cyber Risk Institute (CRI): GV.RM-1.5, GV.RM-1.6; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.SP.B.1, D2.IS.Is.Inn.2, D1.RM.RA.E.1, D1.RM.RA.A.1, D2.TI.Th.B.3, D2.MA.Ma.Int.4, D2.MA.Ma.A.4; NIST SP 800-53 r5: PM-4 | Risk Response | Risk Assessment | ID.RA-6.RR |
| Identify | Identify /Risk Management Strategy /ID.RM-1.RM | Risk Strategy: Evaluate, as part of cybersecurity risk management, the effectiveness of strategic decisions with regard to business constraints, business priorities, and risk tolerances. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 2, Procedure 7; Information Technology, Objective 7, Procedures 1 - 3 | Management Booklet: I.B.1; III; Appendix A, Objective 2, procedure 1, parts a - d; Appendix A, Objective 2, procedure 8, parts a - f; Appendix A, Objective 2, procedure 6, parts a - i | Cyber Risk Institute (CRI): GV.SF-1.4, GV.SF-1.5, GV.SF-2.1; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.Ov.B.1, D1.G.Ov.A.4, D1.G.SP.B.2; NIST SP 800-53 r5: PM-9 | Risk Strategy | Risk Management Strategy | ID.RM-1.RM |
| Identify | Identify /Risk Management Strategy /ID.RM-2.RT | Risk Appetite/Tolerance: Evaluate the effectiveness of processes used to determine risk appetite and risk tolerance for cybersecurity. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 7, Procedures 1 - 3 | Management Booklet: III; Appendix A, Objective 2, procedure 1, parts a - d; Appendix A, Objective 7, procedure 3, parts a - c | Cyber Risk Institute (CRI): GV.RM-1.6, GV.RM-2.1, GV.SP-2.3; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.Ov.Int.3, D1.G.Ov.Int.4, D1.G.Ov.A.1; NIST SP 800-53 r5: CA-7 (4), RA-7 | Risk Appetite/Tolerance | Risk Management Strategy | ID.RM-2.RT |
| Identify | Identify /Risk Management Strategy /ID.RM-3.CI | Critical Infrastructure Risk Tolerance: Determine whether management considers and incorporates the bank’s role as part of critical infrastructure when establishing risk appetite or risk tolerances. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 7, Procedures 1 - 3 | Information Security Booklet: III; Appendix A, Objective 7, procedure 3, parts a - c. Management Booklet: III.A; Appendix A, Objective 11, procedure 1, parts a - i | Cyber Risk Institute (CRI): DM.BE-1, DM.RS-1.2, DM.RS-2.2, DM.RS-2.3; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.SP.A.3, D1.G.Ov.B.5, D1.G.Ov.A.6, D1.G.SP.A.4; NIST SP 800-53 r5: PM-28, PM-8 | Critical Infrastructure Risk Tolerance | Risk Management Strategy | ID.RM-3.CI |
| Identify | Identify /Supply Chain Risk Management /ID.SC-1.TP | Third-Party Risk: Evaluate how management incorporates cybersecurity and supply chain risk assessment into their third-party risk management processes. | OCC Bulletin 2023-17, Attachment; OCC Bulletin 2021-40, Attachment; OCC Bulletin 2017-43; OCC Bulletin 2017-7, Attachment; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 1, Procedure 5; Information Technology, Objective 3, Procedure 2; Information Technology, Objective 3, Procedure 4 | Information Security Booklet: II.C.14; II.C.20; Appendix A, Objective 6, procedure 19; Appendix A, Objective 6, procedure 31. Outsourcing Technology Services Booklet: Board and Management Responsibilities; Ongoing Monitoring; Appendix A, Tier 1, Objective 3, procedure 6. Architecture, Infrastructure and Operations Booklet: VI.D.1; Appendix A, Objective 17, procedure 1, part d. Management Booklet: III.C.8; Appendix A, Objective 1, procedure 2, part c; Appendix A, Objective 12, procedure 14 | Center for Internet Security (CIS): 15; Cyber Risk Institute (CRI): DM.ED-2.1, DM.ED-4.1, DM.ED-3.2, DM.ED-6.5; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.SP.B.5, D1.G.SP.A.3, D4.RM.Om.Int.2; NIST SP 800-53 r5: SR-1, SR-2 | Third-Party Risk | Supply Chain Risk Management | ID.SC-1.TP |
| Detect | Detect /Anomalies and Events /DE.AE-1.NB | Network Baseline: Evaluate the effectiveness of the process for establishing and managing baseline network activity and normal internal and external data flows for users and systems, including those with third parties. | OCC Bulletin 2015-20, Attachment, page 3; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 1, Procedure 4 | Architecture, Infrastructure and Operations Booklet: V.B.1; III.C; V; Appendix A, Objective 5, Procedure 1; Appendix A, Objective 13, Procedure 3, parts c, d, h and k. Information Security Booklet: II.C.6; II.C.9; Appendix A, Objective 6, Procedure 10, part b | Center for Internet Security (CIS): 3.8, 13.6; Cyber Risk Institute (CRI): DE.AE-1.1; FFIEC Cybersecurity Assessment Tool (CAT): D3.DC.Ev.B.1, D4.C.Co.B.4, D4.C.Co.E.2, D4.C.Co.Int.1; NIST SP 800-53 r5: SI-4 (13), SA-15 (11), CM-3 | Network Baseline | Anomalies and Events | DE.AE-1.NB |
| Detect | Detect /Anomalies and Events /DE.AE-1.NA | Network Activity Monitoring: Assess the adequacy of processes that monitor network activities and identify and alert for anomalous activity and traffic patterns. | OCC Bulletin 2015-20, Attachment, page 3; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 1, Procedure 4; Information Technology, Objective 2, Procedure 6; Information Technology, Objective 5, Procedure 4 | Information Security Booklet: II.C.9(a); II.C.12; II.C.15(a); II.C.22; III; III.A; III.C; Appendix A, Objective 8, Procedure 1, part h; Appendix A, Objective 8, Procedure 4, parts a, d, and e. Architecture, Infrastructure, and Operations Booklet: V.B.1; Appendix A, Objective 13, Procedure 3, part h | Center for Internet Security (CIS): 13.1, 13.2, 13.3, 13.6, 13.7, 13.8; Cyber Risk Institute (CRI): DE.AE-3.2, DE.CM-1.2, DE.CM-1.3, DE.CM-1.4; FFIEC Cybersecurity Assessment Tool (CAT): D3.DC.An.B.1, D3.DC.An.E.1, D3.DC.An.B.2, D3.DC.An.B.4, D3.DC.An.B.5; NIST SP 800-53 r5: SI-4 (13), SI-15, SI-4 (17) | Network Activity Monitoring | Anomalies and Events | DE.AE-1.NA |
| Detect | Detect /Anomalies and Events /DE.AE-1.BC | Baseline Configuration: Evaluate the effectiveness of processes used to manage system configuration baselines and to detect unauthorized changes from the baseline configuration. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 1, Procedure 4; Information Technology, Objective 4, Procedure 3 | Information Security Booklet: II.C.10(a); Appendix A, Objective 6, Procedure 12; Appendix A, Objective 6, Procedure 28, part f. Architecture, Infrastructure, and Operations Booklet: V.B.1; Appendix A, Objective 13, Procedure 3, parts c and d | Center for Internet Security (CIS): 4.1, 4.2; Cyber Risk Institute (CRI): DE.AE-1.1, DE.CM-7.3, PR.IP-1.1; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.IT.B.4, D3.PC.Im.B.5; NIST SP 800-53 r5: CM-2, CM-3 (5) | Baseline Configuration | Anomalies and Events | DE.AE-1.BC |
| Detect | Detect /Anomalies and Events /DE.AE-2.EI | Event Identification and Analysis: Evaluate the effectiveness of processes that identify and analyze events. | OCC Bulletin 2005-13, Attachment, page 15735; OCC Bulletin 2021-55, Attachment, page 66427; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 4 | Information Security Booklet: II.C; III.C; III.D; Appendix A, Objective 2, Procedure 5, part c; Appendix A, Objective 3, Procedure 2, part b; Appendix A, Objective 8, Procedure 5, parts a - h. Architecture, Infrastructure, and Operations Booklet: VI.C.4 | Center for Internet Security (CIS): 17.9; Cyber Risk Institute (CRI): PR.PT-1.1, PR.PT-1.2, DE.CM-1.2; FFIEC Cybersecurity Assessment Tool (CAT): D5.DR.De.B.3, D5.ER.Es.B.4, D5.IR.Pl.B.1; NIST SP 800-53 r5: SI-4 (5) | Event Identification and Analysis | Anomalies and Events | DE.AE-2.EI |
| Detect | Detect /Anomalies and Events /DE.AE-2.AP | Alert Parameters: Assess the adequacy of processes that define, manage, and adjust alert parameters for detecting and notifying management of events/incidents. | OCC Bulletin 2015-20, Attachment, page 3 | Information Security Booklet: II.C.15(a); II.C.15(b); II.C.16; Appendix A, Objective 6, Procedure 21, part f; Appendix A, Objective 6, Procedure 22, part f; Appendix A, Objective 6, Procedure 25, part b; Appendix A, Objective 6, Procedure 35, part b. Architecture, Infrastructure, and Operations Booklet: VI.B.7; Appendix A, Objective 15, Procedure 7, parts a - e | Center for Internet Security (CIS): 13.1, 13.11; Cyber Risk Institute (CRI): DE.AE-2.1, DE.AE-3.2, DE.AE-5.1, DE.CM-1.2, DE.CM-1.4, DE.CM-6.3, DE.DP-5.1; FFIEC Cybersecurity Assessment Tool (CAT): D3.DC.An.E.4, D3.DC.An.Int.5, D3.DC.Ev.B.2, D5.DR.De.B.1; NIST SP 800-53 r5: SI-4 (5) | Alert Parameters | Anomalies and Events | DE.AE-2.AP |
| Detect | Detect /Anomalies and Events /DE.AE-3.AR | Event Analysis and Reporting: Evaluate the effectiveness of log collection and log data aggregation processes to determine whether event data are relevant, accurate, and complete. | OCC Bulletin 2021-36, Attachment, page 8, section 6; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 2, Procedure 6 | Architecture, Infrastructure, and Operations Booklet: VI.B.7; Appendix A, Objective 15, Procedure 7, parts a - e. Information Security Booklet: II.C.15(a); II.C.15(b); II.C.22; Appendix A, Objective 6, Procedure 35, part a | Center for Internet Security (CIS): 8.1, 8.5, 8.11, 8.12; Cyber Risk Institute (CRI): DE.CM-1.1, PR.PT-1.1, PR.PT-1.2, DE.CM-1.2, DE.CM-3.2; FFIEC Cybersecurity Assessment Tool (CAT): D1.RM.Au.B.3, D2.MA.Ma.B.1, D2.MA.Ma.B.2, D3.DC.An.B.3, D5.ER.Es.B.4; NIST SP 800-53 r5: CM-5 (1) | Event Analysis and Reporting | Anomalies and Events | DE.AE-3.AR |
| Detect | Detect /Anomalies and Events /DE.AE-3.TC | Threat Correlation: Evaluate the effectiveness of the processes for correlating threat intelligence with internal event data analysis. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 4 | Information Security Booklet: II.A.1; III.A; III.C; Appendix A, Objective 7, Procedure 1; Appendix A, Objective 8, Procedure 8, part i; Appendix A, Objective 8, Procedure 3, parts a - f | Center for Internet Security (CIS): 13.1, 8.5; Cyber Risk Institute (CRI): DE.AE-3.1, DE.AE-3.2; FFIEC Cybersecurity Assessment Tool (CAT): D2.TI.Ti.E.1, D2.TI.Th.Int.1, D3.DC.An.Int.6; NIST SP 800-53 r5: SI-4 (17), CA-7 (3), IR-4 (4) | Threat Correlation | Anomalies and Events | DE.AE-3.TC |
| Detect | Detect /Anomalies and Events /DE.AE-4.EI | Event Impact: Assess the adequacy of processes for analyzing the impact from active event(s). | OCC Bulletin 2015-20, Attachment, page 3; OCC Bulletin 2020-46, Attachment, page 7; OCC Bulletin 2021-55, Attachment; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 1, Procedure 4 | Information Security Booklet: II.C.22; II.D.1; III.C. Architecture, Infrastructure, and Operations Booklet: VI.C.4; Appendix A, Objective 16, Procedure 4, part b | Center for Internet Security (CIS): 13.2, 13.3; Cyber Risk Institute (CRI): DE.AE-2.1, RS.AN-2.2, DE.AE-4.1; FFIEC Cybersecurity Assessment Tool (CAT): D5.ER.Es.E.1, D5.DR.RE.I.1, D1.RM.RMP.I.2, D5.IR.Pl.E.4 | Event Impact | Anomalies and Events | DE.AE-4.EI |
| Detect | Detect /Anomalies and Events /DE.AE-5.IT | Incident Thresholds: Evaluate the effectiveness of the process used to establish alert thresholds to determine when an event is designated as an incident. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 4 | Information Security Booklet: I.B; III.D; III.C; Appendix A, Objective 2, Procedure 5, part e; Appendix A, Objective 8, Procedure 5, part h; Appendix A, Objective 8, Procedure 6, part f. Architecture, Infrastructure, and Operations Booklet: VI.C.4 | Center for Internet Security (CIS): 13.11, 17.9; Cyber Risk Institute (CRI): DE.AE-5.1; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.Ov.I.4, D1.TC.Cu.E.3, D3.DC.An.E.4, D3.DC.Th.A.3, D5.DR.De.B.1 | Incident Thresholds | Anomalies and Events | DE.AE-5.IT |
| Detect | Detect /Security Continuous Monitoring /DE.CM-1.NM | Network Monitoring: Assess the adequacy of processes to monitor the network for events (e.g., unauthorized personnel and third-party connections). | OCC Bulletin 2015-20, Attachment, page 3; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 3; Information Technology, Objective 5, Procedure 4 | Information Security Booklet: II.C.9. Architecture, Infrastructure and Operations Booklet: Appendix A, Objective 13, Procedure 3, part h | Center for Internet Security (CIS): 13.3, 13.2; Cyber Risk Institute (CRI): DE.AE-2.1, DE.AE-3.1; FFIEC Cybersecurity Assessment Tool (CAT): D3.PC.Im.B.1, D3.PC.Im.B.3, D3.PC.Im.E.2, D4.C.Co.Int.4; NIST SP 800-53 r5: SI-4, SI-4 (1), SI-4 (3) | Network Monitoring | Security Continuous Monitoring | DE.CM-1.NM |
| Detect | Detect /Security Continuous Monitoring /DE.CM-1.NS | Network Monitoring Scope: Assess the effectiveness of the risk management processes that determine the scope and type of implemented monitoring solutions. | OCC Bulletin 2015-20, Attachment, page 3; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 2, Procedure 6; Information Technology, Objective 5, Procedure 3; Information Technology, Objective 5, Procedure 4 | Information Security Booklet: II.C.9; II.C.9(a); Appendix A, Objective 6, Procedure 4, parts a - c. Architecture, Infrastructure and Operations Booklet: Appendix A, Objective 13, Procedure 3, part h | Center for Internet Security (CIS): 13.3; Cyber Risk Institute (CRI): DE.AE-2.1, GV.RM-1.1; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.Ov.Int.7, D1.G.SP.Int.2, D3.PC.Im.B.1, D3.PC.Im.B.3, D3.PC.Im.E.2; NIST SP 800-53 r5: SI-4 | Network Monitoring Scope | Security Continuous Monitoring | DE.CM-1.NS |
| Detect | Detect /Security Continuous Monitoring /DE.CM-2.PA | Physical Asset Controls: Assess the effectiveness of controls over the physical facility and technology assets. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 3; Information Technology, Objective 6, Procedure 7 | Information Security Booklet: II.C.8; Appendix A, Objective 6, Procedure 9. Architecture, Infrastructure, and Operations Booklet: VI.A.1; Appendix A, Objective 13, Procedure 9, part e | Center for Internet Security (CIS): 1; Cyber Risk Institute (CRI): DE.CM-2.1, DE.CM-1.2; FFIEC Cybersecurity Assessment Tool (CAT): D3.PC.Am.B.11, D3.PC.Am.E.4, D3.DC.Ev.B.5; NIST SP 800-53 r5: PE-6, PE-6 (4), PE-22 | Physical Asset Controls | Security Continuous Monitoring | DE.CM-2.PA |
| Detect | Detect /Security Continuous Monitoring /DE.CM-4.AA | Application Anomalous Activity: Evaluate the effectiveness of application-level controls that identify, measure, monitor, manage, and report anomalous activities. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 4, Procedure 3 | Information Security Booklet: II.C.17; II.C.12; Appendix A, Objective 6, Procedure 27, parts a - g; Appendix A, Objective 6, Procedure 17; Appendix A, Objective 8, Procedure 4, parts a - e | Center for Internet Security (CIS): 9, 9.1, 9.4, 9.6, 9.7, 10, 10.4, 10.7; Cyber Risk Institute (CRI): DE.CM-4.1, DE.CM-4.2; FFIEC Cybersecurity Assessment Tool (CAT): D3.PC.Im.B.4, D3.PC.Im.E.2, D3.DC.Th.B.4, D3.PC.De.E.5, D5.DR.Re.E.3 | Application Anomalous Activity | Security Continuous Monitoring | DE.CM-4.AA |
| Detect | Detect /Security Continuous Monitoring /DE.CM-5.UM | Unauthorized Mobile Code: Evaluate the effectiveness of processes and controls to detect unauthorized mobile code. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 4, Procedure 3 | Information Security Booklet: II.C.12; Appendix A, Objective 6, Procedure 17; Appendix A, Objective 6, Procedure 24, parts b and c | Center for Internet Security (CIS): 10, 10.1, 10.2, 10.4; Cyber Risk Institute (CRI): DE.CM-5.1; FFIEC Cybersecurity Assessment Tool (CAT): D3.PC.De.E.5, D3.PC.De.E.6; NIST SP 800-53 r5: SC-43, SC-18 (1) | Unauthorized Mobile Code | Security Continuous Monitoring | DE.CM-5.UM |
| Detect | Detect /Security Continuous Monitoring /DE.CM-7.ST | Shadow IT: Evaluate the adequacy of processes and the effectiveness of detection tools to identify and monitor for shadow IT. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 4, Procedure 3; Information Technology, Objective 5, Procedure 3 | Architecture, Infrastructure and Operations Booklet: III.B.3; Appendix A, Objective 4, Procedure 5, parts a - f. Information Security Booklet: II.C.13e; II.C.12 | Center for Internet Security (CIS): 2, 1.3, 1.5; Cyber Risk Institute (CRI): DE.CM-7.1, DE.CM-7.3; FFIEC Cybersecurity Assessment Tool (CAT): D3.PC.Im.E.3, D3.PC.De.E.1, D3.PC.Am.B.16, D3.DC.Ev.B.3; NIST SP 800-53 r5: CM-7 (4), CM-8 (3) | Shadow IT | Security Continuous Monitoring | DE.CM-7.ST |
| Detect | Detect /Security Continuous Monitoring /DE.CM-8.VS | Vulnerability Scanning: Evaluate the adequacy of the scope, frequency, and effectiveness of the vulnerability scanning process. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 4 | Information Security Booklet: II.A.2; IV.A.2(c); Appendix A, Objective 8, Procedure 1, parts a - d; Appendix A, Objective 10, Procedure 1, part a | Center for Internet Security (CIS): 7, 7.1, 7.5, 7.6; Cyber Risk Institute (CRI): DE.CM-8.1, DE.CM-8.2; FFIEC Cybersecurity Assessment Tool (CAT): D3.DC.Th.B.1, D3.DC.Th.A.1, D3.DC.Th.E.5; NIST SP 800-53 r5: RA-5, CA-2 (2), RA-5 (3) | Vulnerability Scanning | Security Continuous Monitoring | DE.CM-8.VS |
| Detect | Detect /Detection Processes /DE.DP-2.ED | Event Detection Processes: Assess the effectiveness of detection processes, including planning and implementation, personnel, and communication of event information. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 3; Information Technology, Objective 5, Procedure 4 | Information Security Booklet: III.C; Appendix A, Objective 8, Procedure 1, parts g - j; Appendix A, Objective 8, Procedure 4, part a; Appendix A, Objective 4, Procedure 1. Business Continuity Management Booklet: Appendix A, Objective 8, Procedure 3, parts a - c | Center for Internet Security (CIS): 7, 17.1; Cyber Risk Institute (CRI): DE.CM-1.2, DE.DP-5.1; FFIEC Cybersecurity Assessment Tool (CAT): D3.PC.Im.B.1, D3.PC.Im.B.3, D3.DC.An.E.1, D3.DC.An.Int.2, D4.C.Co.Int.4; NIST SP 800-53 r5: CA-7, IR-4, SI-4 | Event Detection Processes | Detection Processes | DE.DP-2.ED |
| Detect | Detect /Detection Processes /DE.DP-3.ET | Event Detection Testing and Improvement: Assess the adequacy of detection process testing. | OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 1, Procedure 2; Information Technology, Objective 5, Procedure 4; Information Technology, Objective 5, Procedure 9 | Information Security Booklet: IV.A; IV; Appendix A, Objective 6, Procedure 5, parts a - c; Appendix A, Objective 10, Procedure 3, parts a - d | Center for Internet Security (CIS): 7, 17.7, 17.8, 17.9; Cyber Risk Institute (CRI): DE.DP-3.1, DE.DP-5.1; FFIEC Cybersecurity Assessment Tool (CAT): D1.G.RM.Au.B.1, D1.RM.RMP.E.2, D3.DC.Th.B.1, D5.IR.Te.B.1, D5.DR.Re.E.8; NIST SP 800-53 r5: IR-3 (3), CA-2 (2) | Event Detection Testing and Improvement | Detection Processes | DE.DP-3.ET |
| Respond | Respond /Response Planning /RS.RP-1.RE | Response Plan Execution: Assess the effectiveness of processes related to execution of the cybersecurity incident response plan. | OCC Bulletin 2005-13, Attachment, page 15752; OCC Bulletin 2020-94, Attachment, Appendix A; OCC Comptroller’s Handbook: Community Bank Supervision, Information Technology, Objective 5, Procedure 4 | Information Security Booklet: III.D; Appendix A, Objective 8, Procedure 5, parts a - h; Appendix A, Objective 8, Procedure 6, parts a - i. Architecture, Infrastructure, and Operations Booklet: VI.C.4; Appendix A, Objective 16, Procedure 4, parts a - f. Business Continuity Management Booklet: V.A; V.F.1 | Center for Internet Security (CIS): 17.1, 17.3, 17.8; Cyber Risk Institute (CRI): RS.RP-1.1, RS.CO-2.1, RS.CO-2.2, RS.CO-2.3, RS.CO-2.4; FFIEC Cybersecurity Assessment Tool (CAT): D1.TC.Cu.E.3, D5.IR.Pl.Inn.1, D5.DR.Re.E.1; NIST SP 800-53 r5: IR-4, IR-5, IR-6, IR-8 | Response Plan Execution | Response Planning | RS.RP-1.RE |
| Respond | Respond /Communications /RS.CO-3.IS | Information Sharing: Assess the appropriateness of strategy and practices to share information with affected staff, industry groups (e.g., Financial Services Information Sharing and Analysis Center (FS-ISAC)), the financial sector, regulators, and peers. | OCC Bulletin 2020-94, Attachment | Information Security Booklet: III.C; Appendix A, Objective 8, question 6, parts a - c and part f. Business Continuity Management Booklet: III.B.1; Appendix A, Objective 7, Procedure 1, parts a - e. Architecture, Infrastructure, and Operations Booklet: III.C; VI.C.4; Appendix A, Objective 16, Procedure 4, parts a, b and e | Center for Internet Security (CIS): 17.2, 17.5; Cyber Risk Institute (CRI): RS.CO-3.1, RS.CO-3.2, RS.CO-5.1; FFIEC Cybersecurity Assessment Tool (CAT): D2.IS.Is.B.3, D5.ER.Es.B.2, D5.ER.Es.E.2; NIST SP 800-53 r5: PM-16, IR-4 (4), IR-4 (11) | Information Sharing | Communications | RS.CO-3.IS |
| Respond | Respond /Communications/RS.CO-4.IC | Incident Coordination:Assess the adequacy of internal and external stakeholder coordination in accordance with the response plan. | OCC Bulletin 2020-94Attachment, page 9 | Information Security BookletIII.DAppendix A, Objective 6, Procedure 25, Parts a - cAppendix A, Objective 8, Procedure 6, Part a – iArchitecture, Infrastructure, and Operations BookletVI.C.4Appendix A, Objective 16, Procedure 4. Parts a - fBusiness Continuity Management BookletIV.BV.F.1Appendix A, Objective 7, Procedure 1, Parts a - e | Center for Internet Security (CIS)17.117.5Cyber Risk Institute (CRI)RS.CO-4.1FFIEC Cybersecurity Assessment Tool (CAT)D2.IS.Is.Int.1D2.IS.Is.A.1D5.ER.Es.Int.2D5.ER.Es.Inn.1NIST SP 800-53 r5IR-4 (10)IR-4 (8) | Incident Coordination | Communications | RS.CO-4.IC |
| Respond | Respond /Communications/RS.CO-5.II | Incident Information Sharing:Evaluate information sharing arrangements to assess the effectiveness of sharing threats and countermeasures with other external stakeholders in order to support sector-wide situational awareness and response to incidents. | None | Information Security BookletIII.CIII.DBusiness Continuity Management BookletIII.B.1Appendix A, Objective 7, Procedure 1, Parts a - e | Cyber Risk Institute (CRI)RS.CO-5.1RS.CO-5.2FFIEC Cybersecurity Assessment Tool (CAT)D2.IS.Is.E.1D2.IS.Is.Int.3NIST SP 800-53 r5PM-15 | Incident Information Sharing | Communications | RS.CO-5.II |
| Respond | Respond /Analysis /RS.AN-1.NI | Notifications Investigated:Assess the adequacy of the processes to investigate event notifications. | OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 5, Procedure 3Information Technology, Objective 5, Procedure 4 | Information Security BookletIII.CII.C.22Appendix A, Objective 6, Procedure 35, Parts a – dAppendix A, Objective 8, Procedure 5, Parts a – d and Part h | Center for Internet Security (CIS)8.1116.3Cyber Risk Institute (CRI)RS.AN-2.2NIST SP 800-53 r5SI-4 | Notifications Investigated | Analysis | RS.AN-1.NI |
| Respond | Respond /Analysis /RS.AN-2.II | Incident Impact:Evaluate the effectiveness of processes that analyze the impact of an incident. | OCC Bulletin 2005-13Attachment, page 17572OCC Bulletin 2020-94Attachment, page 9OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 5, Procedure 4 | Architecture, Infrastructure, and Operations BookletVI.C.4Appendix A, Objective 16, Procedure 4, Part bInformation Security BookletAppendix A, Objective 8, Procedure 1, Parts b - i | Cyber Risk Institute (CRI)RS.AN-2.2RS.AN-2.1FFIEC Cybersecurity Assessment Tool (CAT)D1.G.Ov.A.5D5.IR.Te.Int.1D5.DR.Re.Int.1D5.ER.Es.E.1 | Incident Impact | Analysis | RS.AN-2.II |
| Respond | Respond /Analysis /RS.AN-3.FI | Forensic Investigation:Assess the adequacy of forensic investigation processes, to include planning, scope, and timeliness. | OCC Bulletin 2005-13Attachment, page 17572 | Information Security BookletIII.CIII.DAppendix A, Objective 8, Procedure 1, Part a – fBusiness Continuity Management BookletV.F.1 | Center for Internet Security (CIS)8.5Cyber Risk Institute (CRI)RS.AN-3.1FFIEC Cybersecurity Assessment Tool (CAT)D3.CC.Re.Int.3NIST SP 800-53 r5IR-4 (11)IR-5IR-7 | Forensic Investigation | Analysis | RS.AN-3.FI |
| Respond | Respond /Analysis /RS.AN-4.IC | Incident Categorization:Assess the adequacy of criteria to categorize and prioritize incidents. | OCC Bulletin 2020-94Attachment, Appendix A | Information Security BookletIII.CAppendix A, Objective 8, Procedure 1, Part jArchitecture, Infrastructure, and Operations BookletVI.C.4Appendix A, Objective 16, Procedure 4, Parts a and b | Center for Internet Security (CIS)17.9Cyber Risk Institute (CRI)RS.AN-4.1FFIEC Cybersecurity Assessment Tool (CAT)D5.ER.Es.B.4NIST SP 800-53 r5IR-6 (2) | Incident Categorization | Analysis | RS.AN-4.IC |
| Respond | Respond /Analysis /RS.AN-5.VM | Vulnerability Management:Evaluate the effectiveness of processes that receive, analyze, and respond to vulnerabilities. | OCC Bulletin 2020-94Attachment, page 9OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 4, Procedure 3Information Technology, Objective 5, Procedure 4Information Technology, Objective 6, Procedure 2 | Information Security BookletIII.AIV.A.2Appendix A, Objective 4, Procedure 2, Parts a – eAppendix A, Objective 4, Procedure 4Appendix A, Objective 8, Procedure 1, Parts c, d, h and IAppendix A, Objective 8, Procedure 3, Parts a - fAppendix A, Objective 10, Procedure 1, Parts a and cAppendix A, Objective 10, question 3, Part cArchitecture, Infrastructure, and Operations BookletVI.B.3(a)Appendix A, Objective 15, Procedure 3, Part aBusiness Continuity Management BookletV.F.1 | Center for Internet Security (CIS)716.2Cyber Risk Institute (CRI)RS.AN-5.1RS.AN-5.2RS.AN-5.3FFIEC Cybersecurity Assessment Tool (CAT)D2.TI.Ti.B.1D2.TI.Ti.B.2D2.TI.Th.B.3D3.DC.Th.B.1D3.DC.Th.B.2D3.DC.Th.E.5D3.DC.Th.A.1D3.DC.Th.Inn.2D3.CC.Re.Int.1NIST SP 800-53 r5RA-5 | Vulnerability Management | Analysis | RS.AN-5.VM |
| Respond | Respond /Mitigation /RS.MI-1.IC | Incident Containment:Assess the adequacy of incident containment processes to minimize damage from the effects of an incident. | OCC Bulletin 2005-13Attachment, page 17572OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 6, Procedure 2Information Technology, Objective 6, Procedure 3Information Technology, Objective 6, Procedure 5 | Information Security BookletIII.DAppendix A, Objective 8, Procedure 6, Parts b, h, and i | Center for Internet Security (CIS)17.217.4Cyber Risk Institute (CRI)RS.MI-1.1RS.MI-1.2FFIEC Cybersecurity Assessment Tool (CAT)D5.DR.Re.B.1D5.DR.Re.E.3D5.DR.Re.E.4NIST SP 800-53 r5IR-4IR-4 (11) | Incident Containment | Mitigation | RS.MI-1.IC |
| Respond | Respond /Mitigation /RS.MI-2.IM | Incident Mitigation:Assess the adequacy of incident mitigation processes as defined in the response plan or evidenced during actual incidents. | OCC Bulletin 2005-13Attachment, page 17572OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 5, Procedure 4 | Information Security BookletIII.DAppendix A, Objective 3, Procedure 2, Part eArchitecture, Infrastructure, and Operations BookletVI.C.4Appendix A, Objective 8, Procedure 1Appendix A, Objective 16, Procedure 4, Parts a - c | Center for Internet Security (CIS)17Cyber Risk Institute (CRI)RS.MI-2.1FFIEC Cybersecurity Assessment Tool (CAT)D5.IR.Pl.E.1D5.IR.Te.A.4NIST SP 800-53 r5IR-4 (11) | Incident Mitigation | Mitigation | RS.MI-2.IM |
| Respond | Respond /Mitigation /RS.MI-3.VM | Vulnerability Mitigation:Assess the adequacy of processes to respond to additional vulnerabilities identified during mitigation. | OCC Bulletin 2005-13Attachment, page 17572OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 4, Procedure 3Information Technology, Objective 5, Procedure 4 | Information Security BookletII.A.2Appendix A, Objective 8, Procedure 4, Parts a, and d – fAppendix A, Objective 6, Procedure 15, Part hAppendix A, Objective 4, Procedure 1Appendix A, Objective 4, Procedure 4Architecture, Infrastructure, and Operations BookletAppendix A, Objective 15, Procedure 3 | Center for Internet Security (CIS)7.37.4Cyber Risk Institute (CRI)RS.MI-3.1RS.MI-3.2FFIEC Cybersecurity Assessment Tool (CAT)D3.CC.Pa.B.1D3.CC.Pa.Int.1D3.CC.Re.E.2NIST SP 800-53 r5IR-6 (2)RA-5 | Vulnerability Mitigation | Mitigation | RS.MI-3.VM |
| Respond | Respond /Improvements /RS.IM-1.IR | Incident Response - Lessons Learned:Assess adequacy of processes that analyze and incorporate lessons learned to the Incident Response Plan. | OCC Bulletin 2005-13AttachmentOCC Bulletin 2020-94AttachmentOCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 5, Procedure 4 | Information Security BookletIII.DAppendix A, Objective 9, Procedure 1, Part bArchitecture, Infrastructure, and Operations BookletIII.FAppendix A, Objective 8, Procedure 1 | Center for Internet Security (CIS)17.8Cyber Risk Institute (CRI)RS.IM-2.1RS.IM-1.1RS.IM-1.2FFIEC Cybersecurity Assessment Tool (CAT)D5.IR.Pl.Int.4 | Incident Response - Lessons Learned | Improvements | RS.IM-1.IR |
| Recover | Recover /Recovery Planning /RC.RP-1.RP | Recovery Plan Execution:Evaluate the effectiveness of incident recovery plans and restoration processes, including recovery plan testing. | OCC Bulletin 2020-94AttachmentOCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 5, Procedure 4Information Technology, Objective 6 Procedures 1 through 5 | Information Security BookletIII.DAppendix A, Objective 8, procedure 6, parts a - iBusiness Continuity Management BookletV.F.1V.BAppendix A, Objective 8, procedure 10, parts a – c | Center for Internet Security (CIS)11.117.4Cyber Risk Institute (CRI)RC.RP-1.1FFIEC Cybersecurity Assessment Tool (CAT)D5.IR.Pl.B.1D5.IR.Pl.B.6NIST SP 800-53 r5IR-8CP-2 | Recovery Plan Execution | Recovery Planning | RC.RP-1.RP |
| Recover | Recover /Improvements/RC.IM-1.RU | Recovery Plan Updates:Assess if recovery plans and tests are updated to include current threat intelligence, recognize lessons learned, and address issues identified during actual incidents or tests. | OCC Bulletin 2020-94AttachmentOCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 6, Procedure 2Information Technology, Objective 6, Procedure 3 | Information Security BookletIII.DBusiness Continuity Management BookletVIIIVII.EAppendix A, Objective 10, Procedure 30Appendix A, Objective 11, procedure 1, parts a - kAppendix A, Objective 11, procedure 2, parts a – eAppendix A, Objective 11, procedure 3 | Center for Internet Security (CIS)17.417.717.8Cyber Risk Institute (CRI)RC.IM-2.1RS.MI-3.1RS.MI-3.2RS.IM-1.1FFIEC Cybersecurity Assessment Tool (CAT)D5.IR.Pl.A.3D5.IR.Te.Int.3NIST SP 800-53 r5CP-2CP-3 | Recovery Plan Updates | Improvements | RC.IM-1.RU |
| Recover | Recover /Communication/RC.CO-3.RC | Recovery Communications:Evaluate the effectiveness of communication to internal and external stakeholders regarding recovery activities. | OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 6, Procedure 5 | Business Continuity Management BookletIV.BV.F.1Appendix A, Objective 7, procedure 1, parts a - eAppendix A, Objective 8, procedure 12, parts a - gAppendix A, Objective 8, procedure 13, parts a and d | Center for Internet Security (CIS)17.217.6Cyber Risk Institute (CRI)RC.CO-1.1RC.CO-3.1RC.CO-1.2FFIEC Cybersecurity Assessment Tool (CAT)D5.ER.Es.Int.3D5.ER.Es.Inn.1D5.IR.Pl.Int.1NIST SP 800-53 r5IR-4 (15) | Recovery Communications | Communication | RC.CO-3.RC |
| Protect | Protect /Identity Management, Authentication and Access Control /PR.AC-1.AM | Access and Authentication Management Program:Evaluate the effectiveness of the access management processes to implement and administer logical and physical access controls. This includes assessing authentication controls and use of multifactor authentication or similarly strong controls. | OCC Bulletin 2021-36AttachmentOCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 5, Procedure 3Information Technology, Objective 5, Procedure 7 | Information Security BookletII.C.7II.C.7(b)II.C.15Appendix A, Objectives 6, procedure 21, part eAppendix A, Objective 6, procedure 22, parts a - fAppendix A, Objective 6, procedure 23, parts a and b | Center for Internet Security (CIS)66.2Cyber Risk Institute (CRI)PR.AC-1.1PR.AC-1.2PR.AC-1.3PR.AC-2.1PR.AC-4.1FFIEC Cybersecurity Assessment Tool (CAT)D3.PC.Am.B.5D3.PC.Am.B.6NIST SP 800-53 r5AC-2AC-3 | Access and Authentication Management Program | Identity Management, Authentication and Access Control | PR.AC-1.AM |
| Protect | Protect /Identity Management, Authentication and Access Control /PR.AC-3.RA | Remote Access:Evaluate the effectiveness of processes to manage remote access. | OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 5, Procedure 5Information Technology, Objective 5, Procedure 6 | Architecture, Infrastructure, and Operations BookletIII.GAppendix A, Objective 9, procedure 1, parts a - cInformation Security BookletII.C.15(c)Appendix A, Objectives 6, procedure 21, part eAppendix A, Objective 6, procedure 23, parts a and b | Center for Internet Security (CIS)6.4Cyber Risk Institute (CRI)PR.AC-3.1PR.AC-3.2FFIEC Cybersecurity Assessment Tool (CAT)D3.PC.Im.B.2D3.PC.Am.B.15NIST SP 800-53 r5CM-6AC-17IA-2 | Remote Access | Identity Management, Authentication and Access Control | PR.AC-3.RA |
| Protect | Protect /Identity Management, Authentication and Access Control /PR.AC-4.EP | Privileged Access:Evaluate the effectiveness of processes to manage accounts with privileged access. | OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 4, Procedure 1Information Technology, Objective 4, Procedure 6 | Information Security BookletII.C.15Appendix A, Objective 6, procedure 20, part d | Center for Internet Security (CIS)6Cyber Risk Institute (CRI)PR.AC-4.1PR.AC-4.2FFIEC Cybersecurity Assessment Tool (CAT)D3.PC.Am.B.1D3.PC.Am.B.3D3.PC.Am.B.4D3.PC.AM.B.16D3.PC.Am.E.2NIST SP 800-53 r5SC-2AC-6 (5) | Privileged Access | Identity Management, Authentication and Access Control | PR.AC-4.EP |
| Protect | Protect /Identity Management, Authentication and Access Control /PR.AC-5.NS | Network Segmentation:Evaluate the effectiveness of processes governing network segmentation, including planning and implementation. | OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 1, Procedure 4 | Information Security BookletII.C.9Appendix A, Objective 6, procedure 27, part gAppendix A, Objective 6, procedure 10, part a | Center for Internet Security (CIS)12.2Cyber Risk Institute (CRI)PR.AC-5.1FFIEC Cybersecurity Assessment Tool (CAT)D3.PC.Im.E.1D3.PC.Im.Int.1D3.PC.Im.A.1D4.C.Co.Inn.2NIST SP 800-53 r5SC-7 (21)SC-7 (22)SC-2 | Network Segmentation | Identity Management, Authentication and Access Control | PR.AC-5.NS |
| Protect | Protect /Identity Management, Authentication and Access Control /PR.AC-6.UI | User Identity:Assess the adequacy of identity verification and management processes. | OCC Bulletin 2021-36AttachmentOCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 4, Procedure 1Information Technology, Objective 4, Procedure 4 | Information Security BookletII.C.15Appendix A, Objective 6, Procedure 20, parts a - eManagement BookletIII.C.2Appendix A, Objective 12, Procedure 5, parts a – f | Cyber Risk Institute (CRI)PR.AC-1.1PR.AC-1.2FFIEC Cybersecurity Assessment Tool (CAT)D3.PC.Am.B.5D3.PC.Am.B.6NIST SP 800-53 r5IA-12IA-2IA-5 | User Identity | Identity Management, Authentication and Access Control | PR.AC-6.UI |
| Protect | Protect /Identity Management, Authentication and Access Control /PR.AC-7.UA | User Authentication:Evaluate the adequacy of processes to manage user authentication practices. | OCC Bulletin 2021-36AttachmentOCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 4, Procedure 6Information Technology, Objective 5, Procedure 3 | Information Security BookletII.C.7(b)II.C.16Appendix A, Objective 6, procedure 22, part aAppendix A, Objective 6, procedure 27, part f | Center for Internet Security (CIS)56Cyber Risk Institute (CRI)PR.AC-1.1PR.AC-1.2PR.AC-1.3FFIEC Cybersecurity Assessment Tool (CAT)D1.RM.RA.B.2D3.PC.Im.B.9D3.PC.Am.Int.5D3.PC.Am.Int.6NIST SP 800-53 r5IA-2IA-5 | User Authentication | Identity Management, Authentication and Access Control | PR.AC-7.UA |
| Protect | Protect /Identity Management, Authentication and Access Control /PR.AC-7.DS | Device and System Authentication:Evaluate the adequacy of processes to manage system to system authentication. | OCC Bulletin 2021-36AttachmentOCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 5, Procedure 3 | Information Security BookletII.C.7(b)II.C.15(b)Appendix A, Objective 6, procedure 22, part aAppendix A, Objective 6, procedure 27, part f | Cyber Risk Institute (CRI)PR.AC-4.3FFIEC Cybersecurity Assessment Tool (CAT)D3.PC.Am.B.6D3.PC.Am.B.8NIST SP 800-53 r5IA-5 (10) | Device and System Authentication | Identity Management, Authentication and Access Control | PR.AC-7.DS |
| Protect | Protect /Awareness and Training /PR.AT-1.TA | Training and Awareness:Evaluate the adequacy of information security training and awareness programs. | OCC Bulletin 2021-36AttachmentOCC Bulletin 2005-44Attachment, page 12OCC Bulletin 2015-19Attachment, page 5OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 3, Question 8Information Technology, Objective 5, Question 8 | Information Security BookletI.BII.C.7(e)II.C.13(e)II.C.15Appendix A, Objective 2, procedure 5, part lAppendix A, Objective 2, procedure 10, parts c and dAppendix A, Objective 6, procedure 5, parts b and cAppendix A, Objective 6, procedure 8, part fArchitecture, Infrastructure, and Operations BookletAppendix A, Objective 14, procedure 1, part f | Center for Internet Security (CIS)14.114.214.414.5Cyber Risk Institute (CRI)PR.AT-1.1PR.AT-1.2PR.AT-1.3PR.AT-2.1PR.AT-2.2PR.AT-2.3PR.AT-3.1PR.AT-3.2PR.AT-4.1FFIEC Cybersecurity Assessment Tool (CAT)D1.TC.Tr.B.1D1.TC.Tr.B.2D1.TC.Tr.B.3D1.TC.Tr.E.2D1.TC.Tr.E.3NIST SP 800-53 r5AT-2AT-3 | Training and Awareness | Awareness and Training | PR.AT-1.TA |
| Protect | Protect /Data Security /PR.DS-1.EP | Encryption Practices:Assess the adequacy of processes to plan and implement effective encryption practices for data at rest and data in-transit. | The Interagency Guidelines Establishing Information Security Standards, Part 30, Appendix BParagraph III.BParagraph III.COCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 5, Procedure 3Information Technology, Objective 5, Procedure 5 | Information Security BookletII.C.19Appendix A, Objective 6, procedure 23Appendix A, Objective 6, procedure 27, part fAppendix A, Objective 6, procedure 30Architecture, Infrastructure, and Operations BookletIII.A.2(a) | Center for Internet Security (CIS)3.63.93.103.11Cyber Risk Institute (CRI)PR.DS-1.1PR.DS-1.2PR.DS-2.1PR.DS-2FFIEC Cybersecurity Assessment Tool (CAT)D3.PC.Am.B.13D3.PC.Am.E.3D3.PC.AM.Int.7D3.PC.Am.A.2D3.PC.Am.A.1NIST SP 800-53 r5SC-13SC-8AC-19 (5) | Encryption Practices | Data Security | PR.DS-1.EP |
| Protect | Protect /Data Security /PR.DS-1.KM | Cryptographic Key and Certificate Management:Assess the adequacy of cryptographic key and certificate management processes. | None | Information Security BookletII.C.19Appendix A, Objective 6, procedure 30 | Cyber Risk Institute (CRI)PR.DS-1.2FFIEC Cybersecurity Assessment Tool (CAT)D3.PC.Am.E.5NIST SP 800-53 r5SC-12CM-3 (6) | Cryptographic Key and Certificate Management | Data Security | PR.DS-1.KM |
| Protect | Protect /Data Security /PR.DS-1.MP | Media Protection:Evaluate the effectiveness of processes to manage electronic media storage, transit, sanitization, and disposal. | OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 6, Procedure 6Information Technology, Objective 6, Procedure 7 | Information Security BookletII.C.8II.C.13II.C.13(c)II.C.13(d)Appendix A, Objective 6, procedure 18, parts a - gArchitecture, Infrastructure, and Operations BookletVI.B.4VI.B.8Appendix A, Objective 15, procedure 8, parts a – g | Center for Internet Security (CIS)3.13.5Cyber Risk Institute (CRI)PR.DS-1.1PR.DS-1.2PR.DS-2.1PR.DS-2.2PR.DS-3.1PR.IP-6.1FFIEC Cybersecurity Assessment Tool (CAT)D1.G.IT.B.2D3.PC.Am.B.11D3.PC.Am.B.18D3.PC.De.B.1NIST SP 800-53 r5MP-4MP-5MP-6 | Media Protection | Data Security | PR.DS-1.MP |
| Protect | Protect /Data Security /PR.DS-1.MM | Mobile Device Management:Assess the adequacy of processes to manage mobile devices used for critical functions or contain confidential data. | None | Architecture, Infrastructure, and Operations BookletIII.HAppendix A, Objective 10, procedure 1, parts a – eInformation Security BookletII.C.15(d)Appendix A, Objectives 6, procedure 24, parts a - c | Center for Internet Security (CIS)4.104.114.12Cyber Risk Institute (CRI)PR.PT-2.1FFIEC Cybersecurity Assessment Tool (CAT)D3.PC.Am.B.14D3.PC.De.E.6D3.CC.Re.E.1D3.PC.De.Int.2NIST SP 800-53 r5AC-19 | Mobile Device Management | Data Security | PR.DS-1.MM |
| Protect | Protect /Data Security /PR.DS-5.DL | Data Loss Prevention:Evaluate the effectiveness of processes to minimize or prevent the risk of data loss. | OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 5, Procedure 5 | Architecture, Infrastructure and Operations BookletIII.B.3IV.BAppendix A, Objective 4, procedure 5, part dInformation Security BookletGlossary | Center for Internet Security (CIS)3.13Cyber Risk Institute (CRI)PR.IP-4.2PR.IP-4.3FFIEC Cybersecurity Assessment Tool (CAT)D3.PC.Am.Int.1D3.PC.Am.Int.3NIST SP 800-53 r5SC-7 (10)AU 13PE-19 | Data Loss Prevention | Data Security | PR.DS-5.DL |
| Protect | Protect /Data Security /PR.DS-4.SC | System Capacity:Assess the adequacy of processes to manage system capacity. | OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 1, Procedure 4Information Technology, Objective 2, Procedure 6 | Architecture, Infrastructure and Operations BookletVI.B.6Appendix A, Objective 15, procedure 6, parts a - jBusiness Continuity Management BookletAppendix A, Objective 10, procedure 9 | Cyber Risk Institute (CRI)PR.DS-4.1FFIEC Cybersecurity Assessment Tool (CAT)D3.PC.Im.E.4NIST SP 800-53 r5CP-2 (2)SC-5 (2)SC-6 | System Capacity | Data Security | PR.DS-4.SC |
| Protect | Protect /Data Security /PR.DS-8.HI | Hardware Integrity:Assess the adequacy of processes that identify and manage hardware integrity. | None | Architecture, Infrastructure, and Operations BookletVI.B.2Appendix A, Objective 13, procedure 3, parts c and dInformation Security BookletII.C.10(a)Appendix A, Objective 6, procedure 19, part c | Center for Internet Security (CIS)4.6Cyber Risk Institute (CRI)PR.DS-6.1PR.DS-8.1FFIEC Cybersecurity Assessment Tool (CAT)D1.G.IT.A.3D1.G.IT.Inn.2D3.PC.De.Int.2NIST SP 800-53 r5PE-22CM-3 (2)CM-7 (9) | Hardware Integrity | Data Security | PR.DS-8.HI |
| Protect | Protect /Information Protection Processes and Procedures /PR.IP-1.SB | Security Baselines:Assess the adequacy of processes to identify and manage security baselines. | OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 4, Procedure 3Information Technology, Objective 5, Procedure 3 | Architecture, Infrastructure, and Operations BookletV.B.1Appendix A, Objective 13, procedure 3, part cAppendix A, Objective 15, procedure 4, parts a and bInformation Security BookletII.C.10(a)II.C.10(b)II.C.10(c)Appendix A, Objective 6, procedure 12Appendix A, Objective 6, procedure 13 | Center for Internet Security (CIS)4.14.2.Cyber Risk Institute (CRI)PR.IP-1.1FFIEC Cybersecurity Assessment Tool (CAT)D3.PC.Im.B.5D1.G.IT.B.4D1.G.IT.Int.1D5.DR.De.B.2NIST SP 800-53 r5CM-2CM-3PL-10 | Security Baselines | Information Protection Processes and Procedures | PR.IP-1.SB |
| Protect | Protect /Information Protection Processes and Procedures /PR.IP-4.DB | Data Backup:Assess the adequacy of backup strategies and processes to protect data from physical and cyber threats. | OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 6, Procedure 3Information Technology, Objective 6, Procedure 6 | Business Continuity Management BookletIVIV.A.3Appendix A, Objective 6, procedure 3, parts a - fArchitecture, Infrastructure, and Operations BookletVI.B.4Appendix A, Objective 15, procedure 4, parts a and b | Center for Internet Security (CIS)11.111.211.311.411.5Cyber Risk Institute (CRI)PR.IP-4.1PR.IP-4.2PR.IP-9.1FFIEC Cybersecurity Assessment Tool (CAT)D5.IR.Te.E.3D5.IR.Pl.B.5D5.IR.Te.E.1NIST SP 800-53 r5CP-9CP-2 (6)CP-3 (1) | Data Backup | Information Protection Processes and Procedures | PR.IP-4.DB |
| Protect | Protect /Information Protection Processes and Procedures /PR.IP-9.RP | Response Plans:Assess the adequacy of governance and oversight of response plans supporting cybersecurity protection. | OCC Bulletin 2020-94Attachment, page 3OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 5, Procedure 4Information Technology, Objective 6, Procedure 4Information Technology, Objective 6, Procedure 5 | Information Security BookletIII.DAppendix A, Objective 3, procedure 2, parts a – eAppendix A, Objective 3, procedure 3 | Center for Internet Security (CIS)17.117.2Cyber Risk Institute (CRI)RS.RP-1.1RS.CO-1.1FFIEC Cybersecurity Assessment Tool (CAT)D1.G.SP.B.6D1.RM.RMP.B.1D5.ER.Es.B.1D5.ER.Es.B.2D5.IR.Pl.E.4NIST SP 800-53 r5IR-1IR-3 (3)IR-4 (11) | Response Plans | Information Protection Processes and Procedures | PR.IP-9.RP |
| Protect | Protect /Information Protection Processes and Procedures /PR.IP-10.RT | Test Response and Recovery Plans:Assess the adequacy of cybersecurity incident response and recovery plan testing. | OCC Bulletin 2020-94Attachment, page 3OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 6, Procedure 3 | Business Continuity Management BookletVIIAppendix A, Objective 10, procedures 1 - 30Information Security BookletAppendix A, Objective 8, procedure 5, parts a - hAppendix A, Objective 8, procedure 6, parts a - i | Center for Internet Security (CIS)17.711.1Cyber Risk Institute (CRI)PR.IP-10.4FFIEC Cybersecurity Assessment Tool (CAT)D5.IR.Te.B.3D5.IR.Te.A.1D5.IR.Te.Inn.1NIST SP 800-53 r5IR-4IR-3IR-3 (3) | Test Response and Recovery Plans | Information Protection Processes and Procedures | PR.IP-10.RT |
| Protect | Protect /Maintenance /PR.MA-1.MT | Maintenance Tools:Assess the adequacy of processes and tools to maintain IT assets. | OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 1, Procedure 5Information Technology, Objective 2, Procedure 6Information Technology, Objective 4, Procedure 3 | Architecture, Infrastructure, Operations BookletVI.B.1Appendix A, Objective 15, procedure 1, parts a – i | Center for Internet Security (CIS)1.12.1Cyber Risk Institute (CRI)PR.MA-1.1PR.MA-2.1FFIEC Cybersecurity Assessment Tool (CAT)D1.RM.Au.B.3D3.PC.Im.B.8D3.CC.Re.Int.5D3.CC.Re.Int.6NIST SP 800-53 r5MA-2MA-3MA-5 | Maintenance Tools | Maintenance | PR.MA-1.MT |
| Protect | Protect /Protective Technology /PR.PT-1.LM | Log Management:Assess the adequacy of processes to manage audit and system logs. | OCC Comptroller’s Handbook: Community Bank SupervisionInformation Technology, Objective 2, Procedure 6Information Technology, Objective 4, Procedure 2Information Technology, Objective 5, Procedure 4 | Information Security BookletII.C.22Appendix A, Objective 6, procedure 21, parts b, f, and gAppendix A, Objective 6, procedure 35, parts a – d | Center for Internet Security (CIS)8.18.28.58.111313.1Cyber Risk Institute (CRI)DE.CM-1.1DE.CM-1.2PR.PT-1.1PR.PT-1.2FFIEC Cybersecurity Assessment Tool (CAT)D1.RM.Au.B.3D2.MA.Ma.B.1D2.MA.Ma.B.2D3.DC.An.B.3NIST SP 800-53 r5AU-12SI-4 | Log Management | Protective Technology | PR.PT-1.LM |
| Protect | Protect /Protective Technology /PR.PT-2.RM | Removable Media: Evaluate the processes to manage removable media and portable devices. | OCC Comptroller’s Handbook: Community Bank Supervision (Information Technology, Objective 5, Procedure 3) | Information Security Booklet: II.C.15(a); II.C.13(a); Appendix A, Objective 6, procedure 18, part a; Appendix A, Objective 6, procedure 21, part d | Center for Internet Security (CIS): 3.9; 4.0; 4.10; 4.11; 10.3; 10.4. Cyber Risk Institute (CRI): PR.PT-2.1. FFIEC Cybersecurity Assessment Tool (CAT): D3.PC.Am.B.14; D3.PC.De.B.1; D3.PC.De.E.4. NIST SP 800-53 r5: MP-7 | Removable Media | Protective Technology | PR.PT-2.RM |
| Protect | Protect /Protective Technology /PR.PT-2.DS | Data Disposal and Device Sanitization: Assess the adequacy of processes to manage data disposal and device sanitization. | 12 CFR 30 Appendix B (GLBA): II Standards for information security (B 4). OCC Comptroller’s Handbook: Community Bank Supervision (Information Technology, Objective 5, Procedure 3) | Information Security Booklet: II.C.13(c); Appendix A, Objective 6, procedure 18, part e. Architecture, Infrastructure, and Operations Booklet: VI.B.8; Appendix A, Objective 15, procedure 8, parts a – f | Center for Internet Security (CIS): 3.1; 3.5. Cyber Risk Institute (CRI): PR.DS-3.1; PR.IP-6.1; PR.PT-2.1. FFIEC Cybersecurity Assessment Tool (CAT): D3.PC.Am.B.18. NIST SP 800-53 r5: MP-6; MP-7 (2) | Data Disposal and Device Sanitization | Protective Technology | PR.PT-2.DS |
| Protect | Protect /Protective Technology /PR.PT-3.LF | Least Functionality: Assess the adequacy of processes for configuring systems and components based on the principle of least functionality. | OCC Comptroller’s Handbook: Community Bank Supervision (Information Technology, Objective 5, Procedure 3) | Information Security Booklet: II.C.10(b); II.C.10(c); Appendix A, Objective 6, procedure 13. Architecture, Infrastructure, and Operations Booklet: VI.B.2; Appendix A, Objective 6, procedure 14; Appendix A, Objective 12, procedure 6, parts a and b | Center for Internet Security (CIS): 4.8; 12.2; 16.10. Cyber Risk Institute (CRI): PR.PT-3.1. FFIEC Cybersecurity Assessment Tool (CAT): D3.PC.Im.B.6. NIST SP 800-53 r5: CM-7; SA-8 (2) | Least Functionality | Protective Technology | PR.PT-3.LF |
| Protect | Protect /Protective Technology /PR.PT-5.CR | Operational Resilience: Network and Communications Resilience: Assess the adequacy of network and communications resiliency. | OCC Bulletin 2020-94, Attachment. OCC Comptroller’s Handbook: Community Bank Supervision (Information Technology, Objective 6, Procedure 3; Information Technology, Objective 6, Procedure 4; Information Technology, Objective 6, Procedure 5) | Business Continuity Management Booklet: IV.A; IV.A.1; IV.A.2; IV.A.3; Appendix A, Objective 6, procedure 3, part e; Appendix A, Objective 6, procedure 6, parts a – i. Information Security Booklet: Appendix A, Objective 7, procedure 1 | Center for Internet Security (CIS): 17.6. Cyber Risk Institute (CRI): PR.DS-4.1; PR.PT-5.1; DM.BE-3.1. FFIEC Cybersecurity Assessment Tool (CAT): D5.IR.Pl.A.2. NIST SP 800-53 r5: PE-18; SC-7; CP-11 | Operational Resilience | Protective Technology | PR.PT-5.CR |
| Protect | Protect /Protective Technology /PR.PT-5.FS | Fail Secure: Assess the processes to implement fail secure controls. | None | Business Continuity Management Booklet: IV.B; Appendix A, Objective 7, procedure 1. Information Security Booklet: II.C.4; Appendix A, Objective 7, procedure 1. Architecture, Infrastructure, and Operations Booklet: Appendix A, Objective 13, procedure 1; Appendix A, Objective 13, procedure 3, part m | Center for Internet Security (CIS): 11.1; 4.1. Cyber Risk Institute (CRI): PR.PT-5.1; DM.BE-3.1. FFIEC Cybersecurity Assessment Tool (CAT): D5.IR.Pl.A.2. NIST SP 800-53 r5: SI-17 | Fail Secure | Protective Technology | PR.PT-5.FS |
| Specialty Area | Specialty Area /Secure Software Development /SA.SD-1.DG | Development Governance: Evaluate the effectiveness of processes governing in-house software development to ensure cybersecurity is considered at all phases. | None | Information Security Booklet: II.C.17. Architecture, Infrastructure, and Operations Booklet: III.D.1; V.C.1; V.C.3; VII.D; Appendix A, Objective 13, procedure 5, part a, subpart ii | NIST SP 800-53 r5: SA-3; SA-8-30; SA-15-5 | Development Governance | Secure Software Development | SA.SD-1.DG |
| Specialty Area | Specialty Area /Secure Software Development /SA.SD-1.SC | Secure Coding: Evaluate the effectiveness of processes and standards that enable secure coding practices. | OCC Bulletin 2008-16 | Information Security Booklet: II.C.17; IV.A.1. Architecture, Infrastructure, and Operations Booklet: V.C.2(c); Appendix A, Objective 13, procedure 7, part a | NIST SP 800-53 r5: SA-3; SA-8; SA-11; SA-15-2 | Secure Coding | Secure Software Development | SA.SD-1.SC |
| Specialty Area | Specialty Area /Secure Software Development /SA.SD-1.CR | Code Review: Evaluate the effectiveness of processes to review code for vulnerabilities and security weaknesses prior to release. Consider the criticality or sensitivity of the data. | OCC Bulletin 2008-16 | Information Security Booklet: II.C.17; IV.A.1. Architecture, Infrastructure, and Operations Booklet: Appendix A, Objective 13, procedure 6, part g, subparts i - iv | Center for Internet Security (CIS): 16.1. Cyber Risk Institute (CRI): PR.IP-12.1; PR.IP-12.2. FFIEC Cybersecurity Assessment Tool (CAT): D3.DC.Th.E.5. NIST SP 800-53 r5: SA-8; SA-11; SA-15-2 | Code Review | Secure Software Development | SA.SD-1.CR |
| Specialty Area | Specialty Area /Secure Software Development /SA.SD-1.NP | NPPI: Evaluate the effectiveness of controls in place to protect nonpublic personal information in test environments. | None | Architecture, Infrastructure, and Operations Booklet: III.A.3; Appendix A, Objective 3, procedure 8, parts a – d | Cyber Risk Institute (CRI): PR.DS-7.1. FFIEC Cybersecurity Assessment Tool (CAT): D3.PC.Am.B.10; D3.PC.Am.E.3. NIST SP 800-53 r5: SA-3-2 | NPPI | Secure Software Development | SA.SD-1.NP |
| Specialty Area | Specialty Area /Secure Software Development /SA.SD-1.SO | Source Code: Evaluate the effectiveness of processes in place to protect and restrict access to source code. | None | Architecture, Infrastructure, and Operations Booklet: III.D; III.D.1 | Center for Internet Security (CIS): 16.1. NIST SP 800-53 r5: SA-10 | Source Code | Secure Software Development | SA.SD-1.SO |
| Specialty Area | Specialty Area /Secure Software Development /SA.SD-1.EC | Emergency Change: Evaluate the effectiveness of processes associated with implementing emergency changes to ensure cybersecurity is considered. | None | Architecture, Infrastructure, and Operations Booklet: III.D; III.D.1 | Center for Internet Security (CIS): 16.1. Cyber Risk Institute (CRI): PR.IP-3.1. FFIEC Cybersecurity Assessment Tool (CAT): D1.G.IT.B.4 | Emergency Change | Secure Software Development | SA.SD-1.EC |
| Specialty Area | Specialty Area /Secure Software Development /SA.SD-1.MV | Manage Vulnerabilities in Code: Assess the adequacy of tools or practices to identify and remediate code vulnerabilities or code that is noncompliant with internal security standards. | OCC Bulletin 2008-16 | Information Security Booklet: II.C.17; IV.A.1. Architecture, Infrastructure, and Operations Booklet: Appendix A, Objective 13, procedure 6, part g, subparts i - vi | Center for Internet Security (CIS): 16.1. Cyber Risk Institute (CRI): PR.IP-12.1 | Manage Vulnerabilities in Code | Secure Software Development | SA.SD-1.MV |
More Information About CSW Cross-References
The CSW Cross-References table above contains several columns of information. The sections below describe what is displayed under each column.
Function / Category / Unique ID
The CSW is structured according to the five National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF) functions and their 23 categories. The OCC developed an additional function, Specialty Areas, to address areas of risk that support OCC cybersecurity assessments, where applicable.
The table below shows how NIST aligns the categories under each function. The OCC-developed Specialty Areas are not included in this table.
| Identify | Protect | Detect | Respond | Recover |
|---|---|---|---|---|
| IT Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management | Data Security; Identity Management, Authentication, and Access Control; Awareness and Training; Information Protection Processes and Procedures; Maintenance; Protective Technology | Anomalies and Events; Security Continuous Monitoring; Detection Processes | Communications; Response Planning; Analysis; Mitigation; Improvements | Recovery Planning; Recovery Improvements; Recovery Communications |
The CSW does not include NIST-CSF subcategories that are addressed as part of other examination programs or subcategories that do not apply to the OCC bank information technology supervision process.
The unique ID identifies the procedure and its place in the hierarchy. Unique IDs are structured as a hierarchy of NIST-CSF function, category, and subcategory, to which the OCC appends two characters designating the specific procedure (for example, PR.PT-2.RM is the Removable Media procedure under the Protect function, Protective Technology category, subcategory PR.PT-2). See the figure below.
Procedure
During supervisory activities, examiners use the procedures to guide their reviews and evaluations of cybersecurity preparedness.
Cross-References
OCC Resources, FFIEC IT Examination Handbook InfoBase, Industry Frameworks
The table provides cross-references that map CSW procedures to existing supervisory guidance and industry frameworks. The cross-references are provided for informational purposes only; inclusion of products, processes, services, manufacturers, or companies in the CSW is not indicative of an OCC endorsement.
OCC Resources
Each bulletin listed in the table will have a hyperlink to the applicable attachment or bulletin transmittal. If necessary, scroll to the page indicated or search for the applicable text.
OCC Comptroller’s Handbook: Community Bank Supervision
To find the associated procedures in the “Community Bank Supervision” booklet of the Comptroller’s Handbook, navigate to Core Assessment > Information Technology > Other Assessment Objectives. Then search for the Objective and Procedure listed in the table.
FFIEC IT Examination Handbook InfoBase
Each booklet listed will have bullets with hyperlinks.
The section identifiers (e.g., II.C.5) refer to the listed booklet’s table of contents. The hyperlink leads to the specific section of the narrative.
Appendix A references link to Examination Procedures in the corresponding booklet. Scroll to the Objective and Procedure listed in the table.
Industry Frameworks
Center for Internet Security’s (CIS) Critical Cybersecurity Controls
CIS requires registration to access the controls. The associated text can be found by searching for the identifier listed in the table.
Cyber Risk Institute’s (CRI) Profile
CRI requires registration to access the Profile content. The associated text can be found by searching for the identifier listed in the table.
FFIEC Cybersecurity Assessment Tool (CAT)
The hyperlink will open the PDF version of the tool. (If prompted, respond to the CAPTCHA).
Each declarative statement in the CAT has a unique identifier that comprises the Domain, Assessment Factor, Component, Maturity Level, and statement number. Each portion is separated by a period. To find the declarative statement, scroll to the domain number and the related assessment factor. For example, “D1.G.Ov.B.1” refers to Domain: 1, Assessment Factor: Governance, Component: Oversight, Maturity Level: Baseline, and statement 1.
For a table listing, go to page 111 of Explanation of Cybersecurity Assessment Tool References (if prompted, respond to the CAPTCHA).
NIST Special Publication 800-53, Revision 5
The hyperlink goes to a PDF version of the controls catalog. The associated text can be found by searching for the identifier listed in the table.