New CRI Updates Reflect Profile’s Ability to Adapt

Profile version 1.2.1 incorporates guidance to help both the government and financial institutions achieve key objectives.

Washington, D.C.–The Cyber Risk Institute (CRI) is pleased to announce new and important updates to the growing body of work related to the Profile. The CRI Profile connects key cybersecurity control principles to guidance from government agencies and can be updated to address new expectations as they arise.

As the most recent example of this flexibility, CRI Profile version 1.2.1 includes a reference to cybersecurity time synchronization controls based on best practices, as requested by the U.S. Department of the Treasury. This reference, or diagnostic statement, was developed by CRI and its growing membership to help Treasury meet requirements in Executive Order 13905.

“Treasury, as Sector Risk Management Agency for the financial services sector, appreciates the inclusion of precision time resiliency into the CRI Profile. This collaboration on responsible use of precision time enables the sector to fully benefit from the Biden-Harris Administration’s continued work on this Executive Order,” said Todd Conklin, Treasury Deputy Assistant Secretary for the Office of Cybersecurity and Critical Infrastructure Protection.

CRI Profile v1.2.1 is accompanied by a revised Profile Workbook that includes detailed guidance on the need for time synchronization for cybersecurity purposes, as well as examples of effective evidence that could be used by financial institutions during examinations.

“We are proud of our collaboration with Treasury on developing a statement that reflects an important issue for cybersecurity in financial institutions. We see collaboration with the government agencies and regulators as central to Profile’s success. When we work together, everyone wins,” CRI Founder and President, Josh Magri, said. 

The Profile v1.2.1 also includes a new mapping to the National Institute of Standards and Technology’s (NIST) Ransomware Profile guidance and a modified display of the mapping to the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT). This update will allow financial institutions to more readily implement key controls to address the growing threat of ransomware, as well as more easily cross-reference their existing frameworks to the FFIEC CAT. Furthermore, CRI is pleased that the FFIEC recognized the CRI Profile as a resource for assessments in its recent “Cybersecurity Resource Guide for Financial Institutions.”

Concurrent with the release of Profile version 1.2.1, CRI also published an update to the Cloud Profile, which refines the mappings to the Cloud Security Alliance’s (CSA) Cloud Control Matrix. The CRI Cloud Profile is the result of an intensive collaboration with CSA, financial institutions, and the major cloud service providers. The Cloud Profile proactively provides guidance on contractual responsibilities by service model, control types, and phases of cloud implementation where controls apply. 

As always, the Profile and Workbook, and the Cloud Profile, are available for free download at To learn more about membership, please contact CRI at


About Cyber Risk Institute: The Cyber Risk Institute (CRI) is a not-for-profit coalition of financial institutions and trade associations. We’re working to protect the global economy by enhancing cybersecurity and resiliency through standardization. 

* The CRI Profile is the successor to the Financial Services Sector Coordinating Council (FSSCC) Cybersecurity Profile, a NIST- and IOSCO-based approach to assessing cybersecurity in the financial services industry.

Media Contact:
Emily Beam
For Immediate Release
January 25, 2023
