• This page, Questions about cybersecurity planning, is   offered by
  • Division of Banks

Questions about cybersecurity planning

Are you a financial institution manager or director in need of guidance when developing a cybersecurity plan? You should ask specific questions to get started. The following questions are based on the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Table of Contents


Chief Executive Officers, Managers, and Trustees/Directors of financial institutions and non-depository institutions should ask specific questions when developing a cybersecurity program. You should also ensure satisfactory responses are available.

The Conference of State Bank Supervisors (CSBS) developed these questions based on the five functions of the NIST Cybersecurity Framework.

Identify function questions

  • Does my institution understand what information it manages, where the information is stored, how sensitive the information is, and who has access to it?
  • What are my institution’s key business assets? Do I have adequate protection for them?
  • What types of connections does my financial institution have (VPNs, wireless, LAN, etc.)? How are we managing these connections?
  • How is staff at my institution identifying risk? Do they provide me with accurate and timely information about those risks?
  • What is our ability to mitigate those risks?
  • How is my institution connecting to third parties? How do they manage cybersecurity controls?

Protect function questions

  • How effective are my institution’s policies and procedures for monitoring information inventory?
  • Do my IT personnel have the right knowledge or skills to protect against a potential cyber attack?
  • Is my staff informed about cyber threats? Do they have an understanding of risk from their actions?

Detect function questions

  • How are our Trustees/Directors and senior managers informed about the current level and business impact of cyber risks to our organization?
  • Are we prepared to prevent or limit the damage caused by these attacks?

Respond function questions

  • Have we created an effective incident response plan?  How often is it tested?
  • What would we do if we were hacked today?
  • Do we have a plan to inform internal and external stakeholders of an incident?

Recover function questions

  • Does my financial institution’s incident response plan include steps for recovering after a cyber attack?
  • When did we last test our incident response plan?
  • How will we communicate with internal staff, consumers, third parties, regulators, and law enforcement regarding a data breach at my financial institution?

Help Us Improve Mass.gov  with your feedback

Please do not include personal or contact information.