As financial institutions navigate the ever-evolving challenges of cybersecurity, understanding and implementing the Federal Financial Institutions Examination Council (FFIEC) compliance becomes paramount. Here, we aim to be your guide, providing valuable information and practical hardening tips to help financial institutions not only meet but exceed FFIEC compliance standards.
This blog will discuss:
- What is FFIEC?
- What is FFIEC Compliance?
- What is the FFIEC Handbook?
- What is Cybersecurity Maturity?
- FFIEC Baseline for hardening
The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body consisting of five banking regulators. It is tasked with conducting examinations of financial institutions in the United States on behalf of the federal government. The FFIEC Examiner Education Office releases IT Examination Handbooks designed for field examiners representing FFIEC member agencies.
FFIEC is a five-member U.S. Government interagency organization. The five banking regulators that form this body include:
- The Board of Governors of the Federal Reserve System (FRB)
- The Federal Deposit Insurance Corporation (FDIC)
- The National Credit Union Administration (NCUA)
- The Office of the Comptroller of the Currency (OCC)
- The Consumer Financial Protection Bureau (CFPB)
Achieving FFIEC compliance requires a financial organization to adhere to the technology standards for online banking established by the FFIEC. FFIEC provides guidelines and requirements for financial institutions in the United States.
The FFIEC guidelines cover many aspects of financial services, including wholesale payment systems and payment systems in general. Financial services, in a broader sense, are subject to FFIEC requirements to ensure the security, soundness, and compliance of institutions within the financial sector. When dealing with wholesale payment systems and payment systems specifically, financial institutions must adhere to the relevant FFIEC guidelines to mitigate risks and strengthen the resilience of these critical components of the financial infrastructure.
In addition to conventional security measures, the FFIEC Cybersecurity Assessment Tool (CAT) was introduced. This tool offers financial institutions the FFIEC compliance checklist for evaluating the status of their information security. It serves for internal assessments and provides regulators with insight into the organization’s cybersecurity practices during audit examinations.
The FFIEC Audit IT Examination Handbook offers guidance to examiners and financial institutions and Technology Service Providers (TSPs) on the characteristics of an effective information technology (IT) audit function. It recommends incorporating a thorough verification and monitoring process outlined in the FFIEC IT Examination Handbook.
In response to the escalating cyber threats facing financial institutions, the FFIEC introduced its Information Security handbook alongside the CAT. The FFIEC aims to provide guidance to financial institutions and to assist regulators in enforcing requirements, guiding organizations, and auditing them. The FFIEC CAT introduces a set of demanding requirements for server configuration hardening.
The Cybersecurity Assessment Tool aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and with widely accepted industry cybersecurity practices. The Assessment consists of two parts: the Inherent Risk Profile and Cybersecurity Maturity.
To complete the Assessment, an organization's inherent risk profile is determined from five categories:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
After the risk profile of an organization has been assessed, Cybersecurity Maturity levels across five domains are evaluated:
- Domain 1 – Cyber Risk Management and Oversight
- Domain 2 – Threat Intelligence and Collaboration
- Domain 3 – Cybersecurity Controls
- Domain 4 – External Dependency Management
- Domain 5 – Cyber Incident Management and Resilience
There are five maturity levels that describe how consistently the behaviors, practices, and processes of an institution produce the desired outcomes. The Maturity Levels are:
The FFIEC CAT and IT security handbook mandate the implementation of robust configuration hardening baselines for servers and networks. However, manual FFIEC hardening presents challenges, including difficulties in continuous monitoring, which heightens the risk of overlooking security issues. Additionally, manual processes result in less detailed documentation, complicating compliance audits.
Automating the hardening process leads to a proactive and consistent security approach, ultimately contributing to risk reduction and enhancing the overall cybersecurity posture.
Domain 3 – Cybersecurity Controls covers the practice of continually protecting assets and information by strengthening an organization's defensive posture with automated protection and monitoring.
Organizations must implement a controlled process for introducing changes to the IT environment, covering configuration management and hardening of systems and applications.
Hardening involves actions such as determining the purpose of applications and systems, documenting minimum software and hardware requirements, and installing the essential components.
Hardening involves configuring privilege and access controls through a principle of least privilege, initially denying all and then granting the minimum necessary to each user.
CalCom Hardening Suite (CHS) automates hardening, facilitating timely updates to security configurations for compliance with the latest standards. It enables continuous monitoring to promptly identify and address security deviations, ensuring adherence to the Domain 3 baselines.
Domain 3 – Cybersecurity Controls, Assessment Factor: Preventative Controls, lists the following baseline statements for FFIEC hardening:
- Network perimeter defense tools are
- Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices.
- All ports are monitored.
- Up to date antivirus and anti-malware tools are used.
- Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced.
- Ports, functions, protocols and services are prohibited if no longer needed for business purposes.
- Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
- Programs that can override system, object, network, virtual machine, and application controls are restricted.
- System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met.
- Wireless network environments require security settings with strong encryption for authentication and transmission.
(Source: FFIEC Cybersecurity Assessment Tool May 2017)
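The automated, continuous checking described above can be illustrated with a small audit script. The following is an added example, not code from CalCom Hardening Suite and not an FFIEC artifact: it evaluates a constructed host configuration snapshot against several of the Domain 3 preventative-control baseline statements (perimeter firewall, unneeded listening ports, up-to-date anti-malware, session inactivity lock, wireless encryption, and controlled configuration changes) and returns findings that can serve as audit evidence. The `HostSnapshot` fields, the hostnames, and the thresholds (`MAX_SESSION_LOCK_SECONDS`, `MAX_AV_DEFINITION_AGE_DAYS`, the `STRONG_WIFI` set) are assumptions chosen for the example; an organization's policy would set the real values, and a real collector would populate the snapshot from the host.

```python
"""Automated check of a host snapshot against FFIEC CAT Domain 3 baseline statements.

Added example, not CalCom Hardening Suite code and not an FFIEC artifact.
The snapshot is a constructed sample; a real tool would collect it from the
host (socket listing, service manager, screen-lock policy, anti-malware agent).
Thresholds below are assumptions for illustration, not FFIEC-mandated values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class HostSnapshot:
    hostname: str
    firewall_enabled: bool
    listening_ports: Dict[int, str]        # port -> service that owns it
    approved_ports: Set[int]               # ports with a documented business purpose
    session_lock_seconds: Optional[int]    # inactivity lock; None means no lock configured
    av_definition_age_days: Optional[int]  # None means no anti-malware agent reporting
    wifi_encryption: Optional[str]         # None when the host has no wireless interface
    config_changes_audited: bool           # change-control auditing enabled


@dataclass
class Finding:
    control: str   # short name of the baseline statement that failed
    severity: str
    detail: str


# Assumed policy thresholds for this example.
MAX_SESSION_LOCK_SECONDS = 900
MAX_AV_DEFINITION_AGE_DAYS = 7
STRONG_WIFI = {"WPA2-Enterprise", "WPA3-Enterprise", "WPA3-Personal"}


def check_baseline(snap: HostSnapshot) -> List[Finding]:
    """Return one Finding per baseline statement the snapshot violates."""
    findings: List[Finding] = []

    # "... protected by firewalls or other similar devices"
    if not snap.firewall_enabled:
        findings.append(Finding("perimeter-defense", "high", "host firewall is disabled"))

    # "Ports ... are prohibited if no longer needed for business purposes"
    for port in sorted(set(snap.listening_ports) - snap.approved_ports):
        findings.append(Finding(
            "unneeded-ports", "medium",
            f"port {port} ({snap.listening_ports[port]}) is listening without an approved business purpose"))

    # "Up to date antivirus and anti-malware tools are used"
    if snap.av_definition_age_days is None:
        findings.append(Finding("antimalware", "high", "no anti-malware agent reporting"))
    elif snap.av_definition_age_days > MAX_AV_DEFINITION_AGE_DAYS:
        findings.append(Finding("antimalware", "medium",
                                f"anti-malware definitions are {snap.av_definition_age_days} days old"))

    # "System sessions are locked after a pre-defined period of inactivity"
    if not snap.session_lock_seconds:
        findings.append(Finding("session-lock", "medium", "no inactivity lock configured"))
    elif snap.session_lock_seconds > MAX_SESSION_LOCK_SECONDS:
        findings.append(Finding("session-lock", "low",
                                f"inactivity lock of {snap.session_lock_seconds}s exceeds {MAX_SESSION_LOCK_SECONDS}s"))

    # "Wireless network environments require ... strong encryption"
    if snap.wifi_encryption is not None and snap.wifi_encryption not in STRONG_WIFI:
        findings.append(Finding("wireless-encryption", "high",
                                f"wireless uses weak or no encryption: {snap.wifi_encryption}"))

    # "Access to make changes to systems configurations ... is controlled and monitored"
    if not snap.config_changes_audited:
        findings.append(Finding("change-control", "medium", "configuration changes are not audited"))

    return findings


def is_compliant(snap: HostSnapshot) -> bool:
    return not check_baseline(snap)


def fleet_report(snaps: List[HostSnapshot]) -> Dict[str, List[str]]:
    """Map each failed control to the hosts failing it; this is the audit evidence a monitor would keep."""
    report: Dict[str, List[str]] = {}
    for snap in snaps:
        for f in check_baseline(snap):
            hosts = report.setdefault(f.control, [])
            if snap.hostname not in hosts:
                hosts.append(snap.hostname)
    return report


# Constructed sample hosts (not real systems): one hardened, one that has drifted.
HARDENED = HostSnapshot("app01", True, {443: "nginx", 22: "sshd"}, {443, 22}, 600, 1, None, True)
DRIFTED = HostSnapshot("app02", False, {443: "nginx", 22: "sshd", 23: "telnetd"}, {443, 22},
                       None, 30, "WEP", False)

if __name__ == "__main__":
    for snap in (HARDENED, DRIFTED):
        print(snap.hostname, "compliant" if is_compliant(snap) else "drift detected")
        for f in check_baseline(snap):
            print(f"  [{f.severity}] {f.control}: {f.detail}")
    print(fleet_report([HARDENED, DRIFTED]))
```

Running this on a schedule and diffing `fleet_report` output between runs gives the continuous drift detection the text calls for; each finding is tied to the baseline statement it maps to, which is what an examiner will ask to see.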