Cyber Security Self-Assessment

Type of Publication: Memorandum
Date: August 13, 2021
To: Federally Regulated Financial Institutions

The increasing frequency, severity and sophistication of cyber threats and attacks has resulted in an elevated risk profile for many organizations around the world, including federally regulated financial institutions (FRFIs) in Canada.

In October 2013, the Office of the Superintendent of Financial Institutions (OSFI) published its Cyber Security Self-Assessment to help FRFIs assess their level of cyber preparedness. Since then, this self-assessment has helped FRFIs prepare and improve their cyber security posture. However, digitalization of financial services is broadening the attack surface and introducing new entry points into FRFIs' technology environment, meaning institutions continue to be highly exposed to cyber risk. As a result, OSFI is enhancing its Cyber Security Self-Assessment to reflect the current cyber risk landscape in line with its strategic priorities.

FRFIs are encouraged to use this self-assessment or similar tools to assess their current level of cyber preparedness and to develop and maintain effective cyber security practices. As indicated in its Near-Term Plan of Prudential Policy, OSFI will establish new guidance for the sound management of technology and cyber risk. This self-assessment will supplement forthcoming guidance and will be refreshed regularly to keep abreast with the cyber risk landscape.

Further questions can be directed to Chris Suknundun, Managing Director, Technology Risk Division, at

Chris Suknundun
Managing Director

Rating levels explained

The cyber risk rating levels referred to in this self-assessment are intended to help the FRFI gauge the maturity of individual security controls (in the Column "Controls"). Those control statements address best practices, cyber risk and related processes, documentation, roles and responsibilities, technologies and other cyber security safeguards, all of which are important to robust cyber security operations and for the FRFI's strategic cyber security program development.

The maturity level that the FRFI assigns to each control is intended to estimate the maturity of that control, with reference to the differentiated levels.

Those ratings are then applicable in highlighting controls which are maturing effectively, as well as those which will need more attention (i.e., to address deficiencies). Maturity levels are also informative, in discussions with OSFI, and for future Cyber Security planning within the FRFI.

In this regard, OSFI has identified Cyber Security maturity levels (1-to-5). Level "0" is technically a sixth level but it only indicates a lack of any progress with respect to the assessed control.

Note: for most of the Cyber Security controls listed, there will be inter-dependencies with other controls (e.g., Risk Assessment, implemented by the Cyber Security group, will be related to Risk Management, as addressed by risk managers including senior management). So, in the following statements, the term "controls" is sometimes used, although when the FRFI completes this assessment, and estimates maturity scores, those scores are to be assigned to each individual control, one at a time rather than collectively.

OSFI Cyber Security Self Assessment

Focus Number Category Control Statement Rating FRFI Rating Rationale and Notes FRFI Provided Supporting References
Governance 1 Planning and Strategy The FRFI has published a cyber risk strategy that is aligned with the technology and business strategies. blank blank blank
2 blank The FRFI has an established cyber risk framework (e.g., a complete set of elements including policies, standards, roles and responsibilities, risk management processes, risk taxonomy, risk appetite and emerging threats and technologies) in support of the cyber risk strategy, and ongoing threat, risk and incident management. blank blank blank
3 blank The FRFI conducts regular reviews of the cyber risk strategy and cyber risk framework, to ensure compliance with legal and regulatory requirements. blank blank blank
4 blank The FRFI considers cyber risk compliance requirements, identified risks, current and emerging threats, and potential incident related impacts on operations and services, as inputs to planning and prioritizing cyber risk projects, programs and budgets. blank blank blank
5 blank The FRFI has appointed an executive responsible for the cyber risk strategy, the cyber risk framework and for cyber risk awareness and knowledge at the executive level. blank blank blank
6 Policy The FRFI has documented cyber risk policies to explain staff and contractor roles, responsibilities, rules and constraints as well as possible penalties for non-compliance. blank blank blank
7 blank The roles and responsibilities of each of the three lines of defence and other stakeholders are clearly described within the cyber risk framework. blank blank blank
8 Risk Management Key risk and performance indicators as well as thresholds have been established for the FRFI's key cyber risk and controls. The risk indicators should align with the cyber risk appetite as stated in the cyber risk framework. blank blank blank
9 blank Cyber risks to the organization and its programs or customers are regularly reviewed, prioritized, escalated, explained to the appropriate executives or senior management, and those risks are prioritized for mitigation. blank blank blank
10 blank The second line of defence regularly provides an independent review of the various cyber risk assessments and other control activities conducted by the first line of defence. blank blank blank
11 blank The FRFI ensures that background checks have been implemented for personnel/contractors and at third party providers, commensurate with the sensitivity and cyber risk needs of FRFI assets being managed. blank blank blank
12 blank The FRFI has implemented a formal process for risk acceptance that is measured, tracked and reported. blank blank blank
Identify 13 Business Environment The FRFI has allocated sufficient and skilled resources for the sustainment of cyber risk programs, systems, roles and services. blank blank blank
14 blank The FRFI has identified its critical technology assets and has implemented appropriate controls to ensure confidentiality, integrity and availability. The controls are regularly reviewed and tested. blank blank blank
15 blank The FRFI ensures that contracts for outsourcing and external services (e.g., third party providers, Cloud Service Providers) include supplier and service provider responsibilities for the security of the FRFI's information. blank blank blank
16 Asset Management The FRFI maintains a configuration management database (CMDB) or similar utility for documenting and tracking IT component configurations (i.e., hardware, software, network addresses, security systems, dependencies, etc.). blank blank blank
17 blank The FRFI's IT assets and information are classified and managed according to a classification scheme. blank blank blank
18 blank The FRFI has established procedures for the disposal or destruction of IT assets. blank blank blank
19 Risk Assessment The FRFI conducts Threat and Risk Assessments in the early stages of new initiatives/projects or prior to changes in existing systems and data, to identify and prioritize threats, risks and remediation options. blank blank blank
20 blank The FRFI should periodically assess their cyber risks, which will require consideration for and assessment of the robustness, currency and completeness of the cyber risk practices and controls. blank blank blank
21 blank The FRFI conducts regular penetration testing against the network, Cloud environment and all critical IT systems to identify security gaps and deficiencies, and to affirm strengths. blank blank blank
Defend 22 Identity Management and Access Control The FRFI implements a consistent access control model (e.g., Role Based Access Control) across all critical systems. blank blank blank
23 blank The FRFI requires that all persons, systems or services be identified, authenticated and authorized prior to granting access to FRFI systems, services or data. blank blank blank
24 blank The FRFI consistently applies the principle of "least privilege", such that the permissions and access granted to an authenticated person, system or service is sufficient to their operational need, and no higher. blank blank blank
25 blank The FRFI ensures that permissions are revoked and accounts or active connections are terminated, when no longer required. blank blank blank
26 blank The FRFI implements Multi-Factor Authentication for access to critical systems and for remote access to the FRFI network. blank blank blank
27 blank The FRFI encrypts and securely stores identity and access control credentials (e.g. passwords), separate from other data. blank blank blank
28 blank Privileged account credentials are managed, monitored and secured. blank blank blank
29 Network Security The FRFI follows a positive security model for network security, allowing only pre-defined and authorized traffic (IP addresses, protocols, ports, etc.). blank blank blank
30 blank The FRFI defines logical network zones, and applies controls to segregate and limit or block traffic between those zones, to help track, manage and secure the assets within those zones. blank blank blank
31 blank The FRFI places all internet facing systems and services in a DMZ or similar, segregated and closely monitored network zone with carefully secured and limited connection into the broader environment. blank blank blank
32 blank The FRFI engages in ongoing Threat Hunting (e.g., using manual techniques and machine learning tools) to proactively identify and isolate advanced threats which may not be detected by automated tools. blank blank blank
33 blank The FRFI implements critical network security and traffic management controls to be fault tolerant, and to fail securely, so that security will not be compromised during any fault, outage or security incident. blank blank blank
34 blank The FRFI limits remote access and connection options to authorized personnel, including third party providers, and secures all remote sessions (e.g., with session encryption, MFA, session timeouts). blank blank blank
35 Data Security The FRFI has implemented data loss prevention (DLP) controls across all technology assets for data at rest, data in use and data in transit to identify attempts at unauthorized data exfiltration, and to automatically limit or stop associated data loss. blank blank blank
36 blank The FRFI assesses all external data interfaces (e.g. APIs) to ascertain if implemented security controls are appropriate to the sensitivity of the FRFI's data. blank blank blank
37 blank The FRFI uses automated tools to examine all data (including source code and configuration data) prior to its introduction into FRFI's systems, to identify and quarantine unauthorized executable code (e.g., malware), and potentially harmful data. blank blank blank
38 blank The FRFI encrypts all data to be physically transported internally or externally (e.g., on portable/removable storage media), and restricts such data transport to authorized individuals only. blank blank blank
39 blank FRFI personnel "work from home" solutions are implemented with strong end-point controls (e.g., in laptops or other mobile devices) to maintain robust security. blank blank blank
40 blank The FRFI conducts regular, automated back-ups of its data. blank blank blank
41 Vulnerability Management The FRFI has published and implemented a Vulnerability and Patch Management Program, providing rules and guidance on roles, responsibilities, the FRFI's vulnerability management life cycle, vulnerability prioritization (e.g., based on risk), remediation timeframes, exception/exemption approvals, monitoring and reporting, and tools to be applied. blank blank blank
42 blank The FRFI has identified reputable sources of vulnerability information, and subscribes to recognized and authoritative vulnerability reporting services. blank blank blank
43 blank The FRFI conducts regular vulnerability scanning to identify new vulnerabilities. blank blank blank
44 blank The FRFI prioritizes identified vulnerabilities for resolution, based on the risk and potential impact represented. blank blank blank
45 blank The FRFI has an exception/exemption management process that documents and requires appropriate management approvals, for delays or exceptions to vulnerability remediation (e.g., through application of vendor supplied patches). blank blank blank
46 blank The FRFI verifies and tests vulnerability patches, prior to general deployment within the operational environment. blank blank blank
47 blank The FRFI identifies contingency options for reversing vulnerability resolution measures (e.g., through roll-back of patches), prior to general deployment. blank blank blank
48 blank The FRFI has established timelines for applying patches based on risk. blank blank blank
49 Change and Configuration Management The FRFI has created, documented and implemented standardized, secure configurations for all hardware and software (e.g., Operating Systems, VMs, desktop image). blank blank blank
50 blank The FRFI hardens all critical systems and networks. blank blank blank
51 blank The FRFI enforces security policies through the use of automated tools to identify and block use of unauthorized software and hardware across all of its systems. blank blank blank
52 blank The FRFI has documented and implemented a Change Management process, to formally identify, assess, approve and document configuration changes. blank blank blank
Detect 53 Monitoring and Logging The FRFI monitors all networks, sub-networks, and interfaces to identify information security events such as unauthorized connection attempts, unusual or suspicious traffic patterns or use of unauthorized ports and protocols. blank blank blank
54 blank The FRFI has established requirements for log collection and retention across all IT assets. blank blank blank
55 blank The FRFI uses automated tools (e.g., a SIEM or Log Analytics Tool) to collect, aggregate and analyze event data in real time or near to real time (e.g., anomalous activity), and alerts personnel according to established use cases and rules. blank blank blank
56 blank The FRFI's network monitoring and management processes are integrated with Incident Response processes, for rapid and formal escalations, communications and resolution of priority events. blank blank blank
57 blank FRFI and service provider logs and related records pertaining to security events are encrypted, time stamped and archived for later reference as needed. Event logs are maintained in a secure location. blank blank blank
58 Benchmarking, Reviews and Assessments The FRFI conducts ongoing and periodic assessments (e.g., of cyber risk processes), with reference to external security frameworks, best practices, and emerging vulnerabilities to identify control gaps or deficiencies across the FRFI environment, and to identify opportunities and recommendations for improvement. blank blank blank
59 blank The FRFI conducts ongoing reviews to determine policy compliance. blank blank blank
60 blank The FRFI conducts regular, automated reviews of IT infrastructure (e.g., endpoints) to verify that security controls are configured and functioning as expected. blank blank blank
61 blank The FRFI communicates security assessment and audit results to appropriate internal management, and to the executive(s) responsible for the cyber risk framework. blank blank blank
62 Secure Software Development The FRFI treats security and the adoption of security best practices as a priority within the software development life cycle. blank blank blank
63 blank The FRFI deploys all software, including off the shelf products, in a segregated test environment, and executes relevant testing and security scans, prior to general deployment. blank blank blank
64 blank The FRFI verifies the code from external sources is from a reputable and recognized source (e.g., by review of digital signature, or hash function). blank blank blank
Respond 65 Incident Management The FRFI's Incident Management standard is designed to respond rapidly to cyber risk incidents. blank blank blank
66 blank The FRFI has established a "whole of organization " response including but not limited to: cyber risk team, IT team, business owner, legal, privacy, and communications (public affairs), and others as required and has developed playbooks and runbooks as needed. blank blank blank
67 blank The FRFI regularly exercises the Incident Management standard. blank blank blank
68 blank The FRFI has an established communication plan that includes, but is not limited to, customers/clients, business partners, provincial or federal regulatory or security agencies, law enforcement, internal staff, and others as appropriate. blank blank blank
69 blank The FRFI conducts post-incident analysis to identify root cause, vulnerabilities, remedies and to document lessons learned for future reference by staff. blank blank blank
Recover 70 Testing and Planning The FRFI regularly tests data back-ups to verify their integrity, and to confirm that restoration of data is feasible in case of need. blank blank blank
71 blank The FRFI develops and tests playbooks to ensure timely restoration of data, systems or services impacted by cyber risk incidents. blank blank blank
72 blank The FRFI has a Disaster Recovery Plan and/or Business Continuity Plan to execute in the event of a material cyber risk incident. blank blank blank
Learn 73 Continuous Improvement The FRFI regularly reviews its IT environment and mitigates risks from end of life/support hardware and software. blank blank blank
74 blank The FRFI conducts threat modeling to improve cyber resilience. blank blank blank
75 blank The FRFI conducts regular simulation exercises (e.g. ransomware, DDOS) to validate response plans, and familiarize stakeholders with their roles and responsibilities. blank blank blank
76 blank The FRFI subscribes to reputable information sources for understanding of emerging threats, trends, vulnerabilities, and cyber risk best practices. blank blank blank
77 blank The FRFI keeps abreast of new and emerging technologies and their impact on cyber risk. blank blank blank
78 Security Education The FRFI has a cyber risk education and awareness plan for employees, customers and other stakeholders. blank blank blank
79 blank The FRFI provides for necessary and appropriate training for cyber risk personnel, to maintain current knowledge and skills, in support of their roles and responsibilities. blank blank blank
80 blank The FRFI provides all staff with ongoing security awareness education to make them aware of their role and responsibilities with respect to cyber risk, to help them identify threats and to explain cyber risk best practices. blank blank blank
81 blank FRFI executives and senior management are regularly briefed on cyber risk trends, identified risks, incidents, planned cyber risk initiatives and associated, potential impacts on the organization. blank blank blank
Third Party Providers 82 Governance and Management The FRFI has identified and assessed cyber risk arising from its third party providers. The risk assessment is regularly refreshed and drives the frequency and intensity of risk management activities (e.g., due diligence, contract obligations, monitoring, reporting and assurance activities). blank blank blank
83 blank The FRFI ensures that cyber risk controls implemented by third party providers are appropriate to the sensitivity of FRFI data, and are as robust and comprehensive as those which the FRFI implements on premise. blank blank blank
84 blank FRFI has developed exit strategies for critical third party providers that outline possible cyber related scenarios, triggers and alternative solutions developed and assessed for viability. blank blank blank
85 blank The FRFI periodically obtains independent assurance of third party controls using various methods such as audit certifications, internal audit reviews, pooled audits etc. blank blank blank
86 blank The FRFI ensures that the third party provider has established incident response playbooks, including procedures as to when and how the FRFI will be informed of any impact on its systems, services or data. blank blank blank
87 blank The FRFI verifies that third party providers completely delete all FRFI data including backups, when no longer required. blank blank blank
88 Cloud Service Providers The FRFI has a documented Cloud exit strategy that defines cyber risk processes, roles and responsibilities to be implemented if the FRFI discontinues CSP services (e.g., to migrate to a different CSP). blank blank blank
89 blank The FRFI ensures that all cyber risk roles and responsibilities (e.g., for implementation and management of controls), are clearly documented and agreed by all parties when implementing Cloud services (IaaS, PaaS, and SaaS). blank blank blank
90 blank Centralized logging and monitoring processes are implemented across all Cloud assets, with the capability to conduct consolidated analysis and reporting on the security posture across all platforms. blank blank blank