Cyber Security Self-Assessment

Document properties

  • Type of publication: Memorandum
  • Date: August 13, 2021
  • To: Federally Regulated Financial Institutions

The increasing frequency, severity and sophistication of cyber threats and attacks have resulted in an elevated risk profile for many organizations around the world, including federally regulated financial institutions (FRFIs) in Canada.

In October 2013, the Office of the Superintendent of Financial Institutions (OSFI) published its Cyber Security Self-Assessment to help FRFIs assess their level of cyber preparedness. Since then, this self-assessment has helped FRFIs prepare and improve their cyber security posture. However, digitalization of financial services is broadening the attack surface and introducing new entry points into FRFIs' technology environment, meaning institutions continue to be highly exposed to cyber risk. As a result, OSFI is enhancing its Cyber Security Self-Assessment to reflect the current cyber risk landscape in line with its strategic priorities.

FRFIs are encouraged to use this self-assessment or similar tools to assess their current level of cyber preparedness and to develop and maintain effective cyber security practices. As indicated in its Near-Term Plan of Prudential Policy, OSFI will establish new guidance for the sound management of technology and cyber risk. This self-assessment will supplement forthcoming guidance and will be refreshed regularly to keep abreast with the cyber risk landscape.

Further questions can be directed to Chris Suknundun, Managing Director, Technology Risk Division, at

Chris Suknundun
Managing Director

Rating levels explained

The cyber risk rating levels referred to in this self-assessment are intended to help the FRFI gauge the maturity of individual security controls (listed in the "Control Statement" column). Those control statements address best practices, cyber risk and related processes, documentation, roles and responsibilities, technologies and other cyber security safeguards, all of which are important to robust cyber security operations and to the FRFI's strategic cyber security program development.

The maturity level that the FRFI assigns to each control is an estimate of how mature that control is, measured against the differentiated levels.

Those ratings then serve to highlight controls that are maturing effectively, as well as those that need more attention (i.e., to address deficiencies). Maturity levels also inform discussions with OSFI and future cyber security planning within the FRFI.

In this regard, OSFI has identified cyber security maturity levels 1 to 5. Level "0" is technically a sixth level, but it only indicates a lack of any progress with respect to the assessed control.

Note: for most of the cyber security controls listed, there will be inter-dependencies with other controls (e.g., Risk Assessment, implemented by the cyber security group, will be related to Risk Management, as addressed by risk managers including senior management). The following statements therefore sometimes use the term "controls" in the plural; nevertheless, when the FRFI completes this assessment and estimates maturity scores, a score is to be assigned to each individual control, one at a time rather than collectively.

OSFI Cyber Security Self Assessment

The Rating, FRFI Rating Rationale and Notes, and FRFI Provided Supporting References columns are left blank for the FRFI to complete.

| Focus | Number | Category | Control Statement | Rating | FRFI Rating Rationale and Notes | FRFI Provided Supporting References |
|---|---|---|---|---|---|---|
| Governance | 1 | Planning and Strategy | The FRFI has published a cyber risk strategy that is aligned with the technology and business strategies. | | | |
| Governance | 2 | Planning and Strategy | The FRFI has an established cyber risk framework (e.g., a complete set of elements including policies, standards, roles and responsibilities, risk management processes, risk taxonomy, risk appetite and emerging threats and technologies) in support of the cyber risk strategy, and ongoing threat, risk and incident management. | | | |
| Governance | 3 | Planning and Strategy | The FRFI conducts regular reviews of the cyber risk strategy and cyber risk framework, to ensure compliance with legal and regulatory requirements. | | | |
| Governance | 4 | Planning and Strategy | The FRFI considers cyber risk compliance requirements, identified risks, current and emerging threats, and potential incident related impacts on operations and services, as inputs to planning and prioritizing cyber risk projects, programs and budgets. | | | |
| Governance | 5 | Planning and Strategy | The FRFI has appointed an executive responsible for the cyber risk strategy, the cyber risk framework and for cyber risk awareness and knowledge at the executive level. | | | |
| Governance | 6 | Policy | The FRFI has documented cyber risk policies to explain staff and contractor roles, responsibilities, rules and constraints as well as possible penalties for non-compliance. | | | |
| Governance | 7 | Policy | The roles and responsibilities of each of the three lines of defence and other stakeholders are clearly described within the cyber risk framework. | | | |
| Governance | 8 | Risk Management | Key risk and performance indicators as well as thresholds have been established for the FRFI's key cyber risks and controls. The risk indicators should align with the cyber risk appetite as stated in the cyber risk framework. | | | |
| Governance | 9 | Risk Management | Cyber risks to the organization and its programs or customers are regularly reviewed, prioritized, escalated, explained to the appropriate executives or senior management, and those risks are prioritized for mitigation. | | | |
| Governance | 10 | Risk Management | The second line of defence regularly provides an independent review of the various cyber risk assessments and other control activities conducted by the first line of defence. | | | |
| Governance | 11 | Risk Management | The FRFI ensures that background checks have been implemented for personnel/contractors and at third party providers, commensurate with the sensitivity and cyber risk needs of FRFI assets being managed. | | | |
| Governance | 12 | Risk Management | The FRFI has implemented a formal process for risk acceptance that is measured, tracked and reported. | | | |
| Identify | 13 | Business Environment | The FRFI has allocated sufficient and skilled resources for the sustainment of cyber risk programs, systems, roles and services. | | | |
| Identify | 14 | Business Environment | The FRFI has identified its critical technology assets and has implemented appropriate controls to ensure confidentiality, integrity and availability. The controls are regularly reviewed and tested. | | | |
| Identify | 15 | Business Environment | The FRFI ensures that contracts for outsourcing and external services (e.g., third party providers, Cloud Service Providers) include supplier and service provider responsibilities for the security of the FRFI's information. | | | |
| Identify | 16 | Asset Management | The FRFI maintains a configuration management database (CMDB) or similar utility for documenting and tracking IT component configurations (i.e., hardware, software, network addresses, security systems, dependencies, etc.). | | | |
| Identify | 17 | Asset Management | The FRFI's IT assets and information are classified and managed according to a classification scheme. | | | |
| Identify | 18 | Asset Management | The FRFI has established procedures for the disposal or destruction of IT assets. | | | |
| Identify | 19 | Risk Assessment | The FRFI conducts Threat and Risk Assessments in the early stages of new initiatives/projects or prior to changes in existing systems and data, to identify and prioritize threats, risks and remediation options. | | | |
| Identify | 20 | Risk Assessment | The FRFI should periodically assess its cyber risks, which will require consideration for and assessment of the robustness, currency and completeness of the cyber risk practices and controls. | | | |
| Identify | 21 | Risk Assessment | The FRFI conducts regular penetration testing against the network, Cloud environment and all critical IT systems to identify security gaps and deficiencies, and to affirm strengths. | | | |
| Defend | 22 | Identity Management and Access Control | The FRFI implements a consistent access control model (e.g., Role Based Access Control) across all critical systems. | | | |
| Defend | 23 | Identity Management and Access Control | The FRFI requires that all persons, systems or services be identified, authenticated and authorized prior to granting access to FRFI systems, services or data. | | | |
| Defend | 24 | Identity Management and Access Control | The FRFI consistently applies the principle of "least privilege", such that the permissions and access granted to an authenticated person, system or service are sufficient to their operational need, and no higher. | | | |
| Defend | 25 | Identity Management and Access Control | The FRFI ensures that permissions are revoked and accounts or active connections are terminated, when no longer required. | | | |
| Defend | 26 | Identity Management and Access Control | The FRFI implements Multi-Factor Authentication for access to critical systems and for remote access to the FRFI network. | | | |
| Defend | 27 | Identity Management and Access Control | The FRFI encrypts and securely stores identity and access control credentials (e.g., passwords), separate from other data. | | | |
| Defend | 28 | Identity Management and Access Control | Privileged account credentials are managed, monitored and secured. | | | |
| Defend | 29 | Network Security | The FRFI follows a positive security model for network security, allowing only pre-defined and authorized traffic (IP addresses, protocols, ports, etc.). | | | |
| Defend | 30 | Network Security | The FRFI defines logical network zones, and applies controls to segregate and limit or block traffic between those zones, to help track, manage and secure the assets within those zones. | | | |
| Defend | 31 | Network Security | The FRFI places all internet facing systems and services in a DMZ or similar, segregated and closely monitored network zone with carefully secured and limited connection into the broader environment. | | | |
| Defend | 32 | Network Security | The FRFI engages in ongoing Threat Hunting (e.g., using manual techniques and machine learning tools) to proactively identify and isolate advanced threats which may not be detected by automated tools. | | | |
| Defend | 33 | Network Security | The FRFI implements critical network security and traffic management controls to be fault tolerant, and to fail securely, so that security will not be compromised during any fault, outage or security incident. | | | |
| Defend | 34 | Network Security | The FRFI limits remote access and connection options to authorized personnel, including third party providers, and secures all remote sessions (e.g., with session encryption, MFA, session timeouts). | | | |
| Defend | 35 | Data Security | The FRFI has implemented data loss prevention (DLP) controls across all technology assets for data at rest, data in use and data in transit to identify attempts at unauthorized data exfiltration, and to automatically limit or stop associated data loss. | | | |
| Defend | 36 | Data Security | The FRFI assesses all external data interfaces (e.g., APIs) to ascertain if implemented security controls are appropriate to the sensitivity of the FRFI's data. | | | |
| Defend | 37 | Data Security | The FRFI uses automated tools to examine all data (including source code and configuration data) prior to its introduction into the FRFI's systems, to identify and quarantine unauthorized executable code (e.g., malware), and potentially harmful data. | | | |
| Defend | 38 | Data Security | The FRFI encrypts all data to be physically transported internally or externally (e.g., on portable/removable storage media), and restricts such data transport to authorized individuals only. | | | |
| Defend | 39 | Data Security | FRFI personnel "work from home" solutions are implemented with strong end-point controls (e.g., in laptops or other mobile devices) to maintain robust security. | | | |
| Defend | 40 | Data Security | The FRFI conducts regular, automated back-ups of its data. | | | |
| Defend | 41 | Vulnerability Management | The FRFI has published and implemented a Vulnerability and Patch Management Program, providing rules and guidance on roles, responsibilities, the FRFI's vulnerability management life cycle, vulnerability prioritization (e.g., based on risk), remediation timeframes, exception/exemption approvals, monitoring and reporting, and tools to be applied. | | | |
| Defend | 42 | Vulnerability Management | The FRFI has identified reputable sources of vulnerability information, and subscribes to recognized and authoritative vulnerability reporting services. | | | |
| Defend | 43 | Vulnerability Management | The FRFI conducts regular vulnerability scanning to identify new vulnerabilities. | | | |
| Defend | 44 | Vulnerability Management | The FRFI prioritizes identified vulnerabilities for resolution, based on the risk and potential impact represented. | | | |
| Defend | 45 | Vulnerability Management | The FRFI has an exception/exemption management process that documents and requires appropriate management approvals, for delays or exceptions to vulnerability remediation (e.g., through application of vendor supplied patches). | | | |
| Defend | 46 | Vulnerability Management | The FRFI verifies and tests vulnerability patches, prior to general deployment within the operational environment. | | | |
| Defend | 47 | Vulnerability Management | The FRFI identifies contingency options for reversing vulnerability resolution measures (e.g., through roll-back of patches), prior to general deployment. | | | |
| Defend | 48 | Vulnerability Management | The FRFI has established timelines for applying patches based on risk. | | | |
| Defend | 49 | Change and Configuration Management | The FRFI has created, documented and implemented standardized, secure configurations for all hardware and software (e.g., Operating Systems, VMs, desktop image). | | | |
| Defend | 50 | Change and Configuration Management | The FRFI hardens all critical systems and networks. | | | |
| Defend | 51 | Change and Configuration Management | The FRFI enforces security policies through the use of automated tools to identify and block use of unauthorized software and hardware across all of its systems. | | | |
| Defend | 52 | Change and Configuration Management | The FRFI has documented and implemented a Change Management process, to formally identify, assess, approve and document configuration changes. | | | |
| Detect | 53 | Monitoring and Logging | The FRFI monitors all networks, sub-networks, and interfaces to identify information security events such as unauthorized connection attempts, unusual or suspicious traffic patterns or use of unauthorized ports and protocols. | | | |
| Detect | 54 | Monitoring and Logging | The FRFI has established requirements for log collection and retention across all IT assets. | | | |
| Detect | 55 | Monitoring and Logging | The FRFI uses automated tools (e.g., a SIEM or Log Analytics Tool) to collect, aggregate and analyze event data in real time or near to real time (e.g., anomalous activity), and alerts personnel according to established use cases and rules. | | | |
| Detect | 56 | Monitoring and Logging | The FRFI's network monitoring and management processes are integrated with Incident Response processes, for rapid and formal escalations, communications and resolution of priority events. | | | |
| Detect | 57 | Monitoring and Logging | FRFI and service provider logs and related records pertaining to security events are encrypted, time stamped and archived for later reference as needed. Event logs are maintained in a secure location. | | | |
| Detect | 58 | Benchmarking, Reviews and Assessments | The FRFI conducts ongoing and periodic assessments (e.g., of cyber risk processes), with reference to external security frameworks, best practices, and emerging vulnerabilities to identify control gaps or deficiencies across the FRFI environment, and to identify opportunities and recommendations for improvement. | | | |
| Detect | 59 | Benchmarking, Reviews and Assessments | The FRFI conducts ongoing reviews to determine policy compliance. | | | |
| Detect | 60 | Benchmarking, Reviews and Assessments | The FRFI conducts regular, automated reviews of IT infrastructure (e.g., endpoints) to verify that security controls are configured and functioning as expected. | | | |
| Detect | 61 | Benchmarking, Reviews and Assessments | The FRFI communicates security assessment and audit results to appropriate internal management, and to the executive(s) responsible for the cyber risk framework. | | | |
| Detect | 62 | Secure Software Development | The FRFI treats security and the adoption of security best practices as a priority within the software development life cycle. | | | |
| Detect | 63 | Secure Software Development | The FRFI deploys all software, including off the shelf products, in a segregated test environment, and executes relevant testing and security scans, prior to general deployment. | | | |
| Detect | 64 | Secure Software Development | The FRFI verifies that code from external sources is from a reputable and recognized source (e.g., by review of digital signature, or hash function). | | | |
| Respond | 65 | Incident Management | The FRFI's Incident Management standard is designed to respond rapidly to cyber risk incidents. | | | |
| Respond | 66 | Incident Management | The FRFI has established a "whole of organization" response including but not limited to: cyber risk team, IT team, business owner, legal, privacy, and communications (public affairs), and others as required, and has developed playbooks and runbooks as needed. | | | |
| Respond | 67 | Incident Management | The FRFI regularly exercises the Incident Management standard. | | | |
| Respond | 68 | Incident Management | The FRFI has an established communication plan that includes, but is not limited to, customers/clients, business partners, provincial or federal regulatory or security agencies, law enforcement, internal staff, and others as appropriate. | | | |
| Respond | 69 | Incident Management | The FRFI conducts post-incident analysis to identify root cause, vulnerabilities, remedies and to document lessons learned for future reference by staff. | | | |
| Recover | 70 | Testing and Planning | The FRFI regularly tests data back-ups to verify their integrity, and to confirm that restoration of data is feasible in case of need. | | | |
| Recover | 71 | Testing and Planning | The FRFI develops and tests playbooks to ensure timely restoration of data, systems or services impacted by cyber risk incidents. | | | |
| Recover | 72 | Testing and Planning | The FRFI has a Disaster Recovery Plan and/or Business Continuity Plan to execute in the event of a material cyber risk incident. | | | |
| Learn | 73 | Continuous Improvement | The FRFI regularly reviews its IT environment and mitigates risks from end of life/support hardware and software. | | | |
| Learn | 74 | Continuous Improvement | The FRFI conducts threat modeling to improve cyber resilience. | | | |
| Learn | 75 | Continuous Improvement | The FRFI conducts regular simulation exercises (e.g., ransomware, DDoS) to validate response plans, and familiarize stakeholders with their roles and responsibilities. | | | |
| Learn | 76 | Continuous Improvement | The FRFI subscribes to reputable information sources for understanding of emerging threats, trends, vulnerabilities, and cyber risk best practices. | | | |
| Learn | 77 | Continuous Improvement | The FRFI keeps abreast of new and emerging technologies and their impact on cyber risk. | | | |
| Learn | 78 | Security Education | The FRFI has a cyber risk education and awareness plan for employees, customers and other stakeholders. | | | |
| Learn | 79 | Security Education | The FRFI provides for necessary and appropriate training for cyber risk personnel, to maintain current knowledge and skills, in support of their roles and responsibilities. | | | |
| Learn | 80 | Security Education | The FRFI provides all staff with ongoing security awareness education to make them aware of their role and responsibilities with respect to cyber risk, to help them identify threats and to explain cyber risk best practices. | | | |
| Learn | 81 | Security Education | FRFI executives and senior management are regularly briefed on cyber risk trends, identified risks, incidents, planned cyber risk initiatives and associated, potential impacts on the organization. | | | |
| Third Party Providers | 82 | Governance and Management | The FRFI has identified and assessed cyber risk arising from its third party providers. The risk assessment is regularly refreshed and drives the frequency and intensity of risk management activities (e.g., due diligence, contract obligations, monitoring, reporting and assurance activities). | | | |
| Third Party Providers | 83 | Governance and Management | The FRFI ensures that cyber risk controls implemented by third party providers are appropriate to the sensitivity of FRFI data, and are as robust and comprehensive as those which the FRFI implements on premise. | | | |
| Third Party Providers | 84 | Governance and Management | The FRFI has developed exit strategies for critical third party providers that outline possible cyber related scenarios, triggers and alternative solutions developed and assessed for viability. | | | |
| Third Party Providers | 85 | Governance and Management | The FRFI periodically obtains independent assurance of third party controls using various methods such as audit certifications, internal audit reviews, pooled audits, etc. | | | |
| Third Party Providers | 86 | Governance and Management | The FRFI ensures that the third party provider has established incident response playbooks, including procedures as to when and how the FRFI will be informed of any impact on its systems, services or data. | | | |
| Third Party Providers | 87 | Governance and Management | The FRFI verifies that third party providers completely delete all FRFI data including backups, when no longer required. | | | |
| Third Party Providers | 88 | Cloud Service Providers | The FRFI has a documented Cloud exit strategy that defines cyber risk processes, roles and responsibilities to be implemented if the FRFI discontinues CSP services (e.g., to migrate to a different CSP). | | | |
| Third Party Providers | 89 | Cloud Service Providers | The FRFI ensures that all cyber risk roles and responsibilities (e.g., for implementation and management of controls), are clearly documented and agreed by all parties when implementing Cloud services (IaaS, PaaS, and SaaS). | | | |
| Third Party Providers | 90 | Cloud Service Providers | Centralized logging and monitoring processes are implemented across all Cloud assets, with the capability to conduct consolidated analysis and reporting on the security posture across all platforms. | | | |
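Control 64 asks the FRFI to verify that code obtained from external sources is what its publisher released, for example by checking a digital signature or a hash. The script below is an added illustration of the hash form of that check and is not part of the OSFI memorandum; it streams a downloaded artifact through SHA-256, compares the result against the digest the publisher is assumed to have announced over a separate trusted channel, and quarantines the file on mismatch (control 37's "identify and quarantine" outcome). The sample installer bytes and the "published" digest are constructed inline so the script runs offline; signature verification, the other option named in control 64, is not shown.

```python
"""Hash-based integrity check for externally sourced code (OSFI control 64).

Added example, not part of the memorandum. In practice EXPECTED_SHA256 is
taken from the vendor's release notes or signed manifest, never from the
same download location as the artifact itself.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample artifact standing in for a downloaded vendor installer.
SAMPLE_ARTIFACT = b"#!/bin/sh\necho 'vendor installer v1.2.3'\n"

# Constructed stand-in for the digest the vendor publishes out of band.
# It is derived here only so the example is self-contained and offline.
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large installers never sit fully in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path: Path, expected_hex: str) -> bool:
    """True only if the file's SHA-256 equals the published digest.

    hmac.compare_digest performs a constant-time comparison, so a near-miss
    digest is not distinguishable from a complete mismatch by timing.
    """
    actual = sha256_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def admit_or_quarantine(path: Path, expected_hex: str) -> str:
    """Decision used by an intake pipeline: 'admitted' on a match, 'quarantined' otherwise."""
    return "admitted" if verify_artifact(path, expected_hex) else "quarantined"


def demo_check() -> dict:
    """Write a genuine and a modified copy of the sample artifact and check both.

    Returns a mapping of file name to decision, e.g.
    {'installer.sh': 'admitted', 'installer-modified.sh': 'quarantined'}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        genuine = Path(tmp) / "installer.sh"
        genuine.write_bytes(SAMPLE_ARTIFACT)

        # A single appended byte is enough to change the digest entirely.
        modified = Path(tmp) / "installer-modified.sh"
        modified.write_bytes(SAMPLE_ARTIFACT + b"\n")

        for candidate in (genuine, modified):
            results[candidate.name] = admit_or_quarantine(candidate, EXPECTED_SHA256)
    return results


if __name__ == "__main__":
    for name, decision in demo_check().items():
        print(f"{name}: {decision}")
```

The check is only as trustworthy as the channel that delivered `EXPECTED_SHA256`: a digest hosted next to the download protects against corruption in transit but not against a compromised mirror, which is why control 64 also names digital signatures, whose verification key can be pinned in advance.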