This page, Ask questions about cybersecurity planning, is offered by the Division of Banks.

Ask questions about cybersecurity planning

Are you a financial institution manager or director in need of guidance when developing a cybersecurity plan? You should ask specific questions to get started.

Chief Executive Officers, Managers, and Trustees/Directors of financial institutions and non-depository institutions should ask specific questions when developing a cybersecurity program. You should also ensure satisfactory responses are available.

The following questions are based on the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The Conference of State Bank Supervisors (CSBS) developed these questions.

Identify

  • Does my institution understand what information it manages, where the information is stored, how sensitive the information is, and who has access to it?
  • What are my institution’s key business assets? Do I have adequate protection for them?
  • What types of connections does my financial institution have (VPNs, wireless, LAN, etc.)? How are we managing these connections?
  • How is the staff at my institution identifying risk? Do they provide me with accurate and timely information about those risks?
  • What is our ability to mitigate those risks?
  • How is my institution connecting to third parties? How do they manage cybersecurity controls?

Protect

  • How effective are my institution’s policies and procedures for monitoring information inventory?
  • Do my IT personnel have the right knowledge or skills to protect against a potential cyber attack?
  • Is my staff informed about cyber threats? Do they have an understanding of risk from their actions?

Detect

  • How are our Trustees/Directors and senior managers informed about the current level and business impact of cyber risks to our organization?
  • Are we prepared to prevent or limit the damage caused by these attacks?

Respond

  • Have we created an effective incident response plan? How often is it tested?
  • What would we do if we were hacked today?
  • Do we have a plan to inform internal and external stakeholders of an incident?

Recover

  • Does my financial institution’s incident response plan include steps for recovering after a cyber attack?
  • When did we last test our incident response plan?
  • How will we communicate with internal staff, consumers, third parties, regulators, and law enforcement regarding a data breach at my financial institution?
