How Redjack Helps Enable Compliance With FFIEC Risk Management Guidelines
This is the second blog in a series on FFIEC compliance. Read the first blog in this series: How Redjack Helps Enable Compliance With FFIEC Asset Management Guidelines.
As mentioned in the first blog in this series, the Redjack cyber resilience platform helps you address several key requirements found in the FFIEC Cybersecurity Assessment Tool, playing a crucial role in your compliance efforts.
This blog will focus on risk management-related guidelines in the FFIEC Cybersecurity Assessment Tool. The next blog will focus on cyber resilience guidelines.
This is not a complete record of all of the guidelines and standards outlined by the FFIEC. You can find the FFIEC Cybersecurity Assessment Tool, as well as supporting documentation, on the FFIEC’s website.
The FFIEC Cybersecurity Assessment Tool consists of two parts: an Inherent Risk Profile Assessment, and a Cybersecurity Maturity Assessment. This blog will focus on guidelines found in the Cybersecurity Maturity Assessment.
Cybersecurity Maturity Assessment
There are two sections of the Cybersecurity Maturity Assessment that we will cover in this blog. The first is under the Cyber Risk Management and Oversight Domain in the Section on Risk Management > Risk Management Program.
Domain: Cyber Risk Management and Oversight
Section: Risk Management > Risk Management Program
Accurate and constantly updated asset information enables your organization to assess potential risks associated with specific assets. The Redjack cyber resilience platform is designed to automatically discover and inventory all the assets within your organization's network. It uses network sensor-based data collection to identify and catalog assets as well as to map the dependencies between assets. This information is used to assign criticality scores to individual assets, based on the impact to the organization should they stop working. This allows your cybersecurity team to prioritize security efforts, allocate resources effectively, and implement targeted measures to mitigate risks, enhancing your overall cybersecurity resilience.
These capabilities could help you meet the requirements in this section, depending on your level of organizational maturity. The requirements include:
Baseline (level 1): An information security and business continuity risk management function exists within the institution
Evolving (level 2): The risk management program incorporates cyber risk identification, measurement, mitigation, monitoring, and reporting
Advanced (level 4): Cybersecurity metrics are used to facilitate strategic decision-making and funding in areas of need
Domain: Cybersecurity Controls
Section: Detective Controls > Threat and Vulnerability Detection
The second section that we will cover is under the Cybersecurity Controls Domain in the Section on Detective Controls > Threat and Vulnerability Detection.
Vulnerability scanning tools identify and assess vulnerabilities present in your organization's environment. This includes software vulnerabilities, misconfigurations, and other weaknesses attackers could exploit.
The Redjack cyber resilience platform maps the dependencies among assets, and between assets and your critical business functions. The Redjack platform uses this data to assign criticality scores to assets, ranking them according to the risk they pose to business continuity if they stop working. This lets you focus on the most critical assets, allocate resources efficiently, and take a risk-based approach to addressing vulnerabilities, ultimately strengthening your overall resilience.
These capabilities could help you meet the requirements in this section, depending on your level of organizational maturity. The requirements include:
Baseline (level 1): Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external facing systems and the internal network
Evolving (level 2): Vulnerability scanning is conducted and analyzed before deployment/redeployment of new/existing devices
Evolving (level 2): Processes are in place to monitor potential insider activity that could lead to data theft or destruction
Advanced (level 4): Weekly vulnerability scanning is rotated among environments to scan all environments throughout the year
Innovative (level 5): Vulnerability scanning is performed weekly across all environments
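Both sections above rest on the same idea: map which assets depend on which, tie business functions to the assets that front them, and score each asset by the business impact of its outage. The script below is an added illustration of that idea, not Redjack's code or its scoring algorithm; every asset name, business function and impact weight in it is constructed sample data.

```python
"""Rank assets by the business impact of their outage.

Added illustration, not Redjack's code or scoring algorithm. All asset
names, business functions and impact weights are constructed sample data.
"""
from collections import defaultdict

# Constructed (client, server) pairs as a network sensor would derive them
# from observed flows: the client depends on the server.
OBSERVED_DEPENDENCIES = [
    ("online-banking-web", "api-gateway"),
    ("api-gateway", "core-ledger-db"),
    ("api-gateway", "auth-service"),
    ("auth-service", "directory"),
    ("wire-transfer-app", "core-ledger-db"),
    ("wire-transfer-app", "auth-service"),
    ("intranet-wiki", "directory"),
]

# Constructed business functions: the asset that fronts each one and an
# impact weight (10 = business-halting, 1 = minor inconvenience).
BUSINESS_FUNCTIONS = {
    "online banking": ("online-banking-web", 10),
    "wire transfers": ("wire-transfer-app", 8),
    "internal documentation": ("intranet-wiki", 1),
}


def downstream(graph, asset):
    """Every asset that `asset` transitively depends on, itself included."""
    seen, stack = set(), [asset]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, ()))
    return seen


def criticality_scores(edges, functions):
    """Score each asset by the summed weight of the business functions whose
    dependency chain passes through it; losing the asset stops all of them."""
    graph = defaultdict(set)
    for client, server in edges:
        graph[client].add(server)
    scores = defaultdict(int)
    for entry_asset, weight in functions.values():
        for asset in downstream(graph, entry_asset):
            scores[asset] += weight
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))
```

Running `criticality_scores(OBSERVED_DEPENDENCIES, BUSINESS_FUNCTIONS)` on this sample ranks the unglamorous `directory` server highest, because every business function's dependency chain passes through it; that is the kind of hidden single point of failure a dependency map surfaces that a flat asset list does not.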
Conclusion
In this second installment of our series on FFIEC compliance, we delve into the risk management guidelines outlined in the FFIEC Cybersecurity Assessment Tool. By leveraging the capabilities of the Redjack cyber resilience platform, you can use accurate asset information to prioritize security efforts and effectively mitigate risks, thereby enhancing overall cybersecurity resilience.