The FSSCC released a new tool that aims to reduce the number of hours spent answering redundant security control questions. Like the ACAT tool, the new Cybersecurity Profile attempts to determine an institution's risk impact level. The main difference is that the ACAT attempts to define the scale of the risk based on organization size, whereas the Cybersecurity Profile attempts to define the impact of the institution on everyone else. Much like how NERC attempts to establish a utility's impact on the greater grid before applying controls, the FSSCC's tool modifies some controls based on the impact assessment results.
Where the FSSCC's new tool really shines is that it is built on the NIST CSF and maps every single control to the FFIEC, CFTC, FINRA, SEC, COBIT, ISO/IEC 27001, and NIST SP 800-53. If all the regulators get on board, then you could answer each question only once in the tool. Auditors could then take this tool and map it back to whatever framework they are required to use. The amount of time saved by using this framework would allow CISOs to focus more on getting actual work done and less on dancing the regulatory waltz.
This answer-once approach is something I personally have been looking for, both in the energy industry and now in finance. The key is that regulators all need to get on board. My naive side says this should be a simple cost/benefit decision for regulators, but let's see how this shakes out once all the proper politicking has been applied. I look forward to the results.