What is FFIEC Compliance?

By John Gates

November 22nd, 2023

As financial institutions navigate the ever-evolving challenges of cybersecurity, understanding and implementing the Federal Financial Institutions Examination Council (FFIEC) compliance becomes paramount. Here, we aim to be your guide, providing valuable information and practical hardening tips to help financial institutions not only meet but exceed FFIEC compliance standards.

What is FFIEC?

Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body consisting of five banking regulators, is tasked with conducting examinations of financial institutions in the United States on behalf of the federal government. The FFIEC Examiner Education Office releases IT Examination Handbooks designed for field examiners representing FFIEC member agencies.

FFIEC is a five-member U.S. Government interagency organization. The five banking regulators that form this body include:

The Board of Governors of the Federal Reserve System (FRB)
The Federal Deposit Insurance Corporation (FDIC)
The National Credit Union Administration (NCUA)
The Office of the Comptroller of the Currency (OCC)
The Consumer Financial Protection Bureau (CFPB)

What is FFIEC Compliance?

Achieving FFIEC compliance requires a financial organization to adhere to the technology standards for online banking established by the FFIEC. FFIEC provides guidelines and requirements for financial institutions in the United States.

The FFIEC guidelines encompass various aspects of financial services, including wholesale payment systems and payment systems. Financial services, in a broader sense, are subject to FFIEC requirements to ensure the security, soundness, and compliance of institutions within the financial sector. Specifically, when dealing with wholesale payment systems and payment systems, financial institutions must adhere to the relevant FFIEC guidelines to mitigate risks and enhance the resilience of these critical components of the financial infrastructure.

In addition to conventional security measures, the FFIEC Cybersecurity Assessment Tool (CAT) was introduced. This tool offers financial institutions the FFIEC compliance checklist for evaluating the status of their information security. It serves for internal assessments and provides regulators with insight into the organization’s cybersecurity practices during audit examinations.

What is the FFIEC Handbook?

The FFIEC Audit IT Examination Handbook offers guidance to examiners and financial institutions and Technology Service Providers (TSPs) on the characteristics of an effective information technology (IT) audit function. It recommends incorporating a thorough verification and monitoring process outlined in the FFIEC IT Examination Handbook.

What is Cybersecurity Maturity?

In response to the escalating cyber threat facing financial institutions, FFIEC has an Information Security handbook introduced in CAT. FFIEC aims to provide guidance to financial institutions and assist regulators in enforcing, leading, and auditing organizations. The FFIEC CAT introduces a set of demanding requirements for server configuration hardening.

The Cybersecurity Assessment Tool aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and widely accepted industry cybersecurity practices. The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity

To complete the Assessment an organizations inherent risk profile is based on five categories:

Technologies and Connection Types
Delivery Channels
Online/Mobile Products and Technology Services
Organizational Characteristics
External Threats

After the risk profile of an organization has been assessed, Cybersecurity Maturity levels across five domains are evaluated:

Domain 1 – Cyber Risk Management and Oversight
Domain 2 – Threat Intelligence and Collaboration
Domain 3 – Cybersecurity Controls
Domain 4 – External Dependency Management
Domain 5 – Cyber Incident Management and Resilience

There are 5 maturity levels that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes. The Maturity Levels are:

Baseline
Evolving
Intermediate
Advance
Innovative

FFIEC Baseline for hardening

The FFIEC CAT and IT security handbook mandate the implementation of robust configuration hardening baselines for servers and networks. However, manual FFIEC hardening presents challenges, including difficulties in continuous monitoring, which heightens the risk of overlooking security issues. Additionally, manual processes result in less detailed documentation, complicating compliance audits.

Automating the hardening process leads to a proactive and consistent security approach, ultimately contributing to risk reduction and enhancing the overall cybersecurity posture.

Domain 3 – Cybersecurity Controls are the practice of continually protecting assets and information by strengthening an organizations defensive posture with automated protection and monitoring.

Organizations must implement a controlled process for introducing changes to the IT environment, covering configuration management and hardening of systems and applications.

Hardening involves actions such as determining the purpose of applications and systems, documenting minimum software and hardware requirements, and installing the essential components.

Hardening involves configuring privilege and access controls through a principle of least privilege, initially denying all and then granting the minimum necessary to each user.

CalCom Hardening Suite (CHS) automates hardening, facilitating timely updates to security configurations for compliance with the latest standards. It enables continuous monitoring to promptly identify and address security deviations, ensuring adherence to Domain 3 baselines:

Domain 3 – Cybersecurity Controls Assessment Factor: Preventative Controls lists for FFIEC hardening baseline:

Baseline

Network perimeter defense tools are

used.

Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices.

All ports are monitored.

Up to date antivirus and anti-malware tools are used.

Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced.

Ports, functions, protocols and services are prohibited if no longer needed for business purposes.

Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.

Programs that can override system, object, network, virtual machine, and application controls are restricted.

System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met.

Wireless network environments require security settings with strong encryption for authentication and transmission.

(Source: FFIEC Cybersecurity Assessment Tool May 2017)

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

What is FFIEC Compliance?

This blog will discuss:

What is FFIEC?

What is FFIEC Compliance?

What is the FFIEC Handbook?

What is Cybersecurity Maturity?

FFIEC Baseline for hardening

Subscribe to Email Updates

You might be interested

Experience a personalized demo