FSSCP Question Set: Financial Services Cybersecurity Profile

This download includes the FSSC Profile requirements and mapped questions that you can use to assess your organisation.

The FSSC Profile is a scalable and extensible assessment that financial institutions of all types can use for internal and external (i.e., third party) cyber risk management assessment and as a mechanism to evidence compliance with various regulatory frameworks (a “common college application for regulatory compliance”) both within the United States and globally.

The Profile includes 277 requirements across 31 Categories:

• Strategy and Framework (GV.SF)
• Risk Management (GV.RM)
• Policy (GV.PL)
• Roles and Responsibilities (GV.RR)
• Security Program (GV.SP)
• Independent Risk Management Function (GV.IR)
• Audit (GV.AU)
• Technology (GV.TE)
• Asset Management (ID.AM)
• Risk Assessment (ID.RA)
• Identity Management and Access Control (PR.AC)
• Awareness and Training (PR.AT)
• Data Security (PR.DS)
• Information Protection Processes and Procedures (PR.IP)
• Maintenance (PR.MA)
• Protective Technology (PR.PT)
• Anomalies and Events (DE.AE)
• Security Continuous Monitoring (DE.CM)
• Detection Processes (DE.DP)
• Response Planning (RS.RP)
• Communications (RS.CO)
• Analysis (RS.AN)
• Mitigation (RS.MI)
• Improvements (RS.IM)
• Recovery Planning (RC.RP)
• Improvements (RC.IM)
• Communications (RC.CO)
• Internal Dependencies (DM.ID)
• External Dependencies (DM.ED)
• Resilience (DM.RS)
• Business Environment (DM.BE)