Financial Services Sector Cybersecurity Profile (FSSCP)

This download includes the FSSC Profile requirements and no mapped questions. Use this download if you just want to create your own question set. 

The FSSC Profile is a scalable and extensible assessment that financial institutions of all types can use for internal and external (i.e., third party) cyber risk management assessment and as a mechanism to evidence compliance with various regulatory frameworks (a “common college application for regulatory compliance”) both within the United States and globally.

The Profile includes 277 requirements across 31 Categories:

• Strategy and Framework (GV.SF)
• Risk Management (GV.RM)
• Policy (GV.PL)
• Roles and Responsibilities (GV.RR)
• Security Program (GV.SP)
• Independent Risk Management Function (GV.IR)
• Audit (GV.AU)
• Technology (GV.TE)
• Asset Management (ID.AM)
• Risk Assessment (ID.RA)
• Identity Management and Access Control (PR.AC)
• Awareness and Training (PR.AT)
• Data Security (PR.DS)
• Information Protection Processes and Procedures (PR.IP)
• Maintenance (PR.MA)
• Protective Technology (PR.PT)
• Anomalies and Events (DE.AE)
• Security Continuous Monitoring (DE.CM)
• Detection Processes (DE.DP)
• Response Planning (RS.RP)
• Communications (RS.CO)
• Analysis (RS.AN)
• Mitigation (RS.MI)
• Improvements (RS.IM)
• Recovery Planning (RC.RP)
• Improvements (RC.IM)
• Communications (RC.CO)
• Internal Dependencies (DM.ID)
• External Dependencies (DM.ED)
• Resilience (DM.RS)
• Business Environment (DM.BE)