Ensure FFIEC Compliance

How cybersecurity asset management addresses multiple requirements

The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body composed of representatives from various U.S. federal regulatory agencies responsible for overseeing financial institutions. The FFIEC develops and issues uniform guidelines, standards, and reporting forms to promote consistency in the examination and supervision of financial institutions. These guidelines cover a wide range of areas, including information security, cybersecurity, risk management, and business continuity planning.

Cybersecurity asset management addresses several key requirements found in the FFIEC Cybersecurity Assessment Tool and plays a crucial role in your compliance efforts. This paper covers the key capabilities of a cybersecurity asset management solution and outlines which aspects of FFIEC guidelines cybersecurity asset management solutions address and how.

This document is not a complete record of all of the guidelines and standards outlined by the FFIEC. You can find the FFIEC Cybersecurity Assessment Tool, as well as supporting documentation, on the FFIEC’s website.

What is cybersecurity asset management?

The primary goal of cybersecurity asset management is to gain a comprehensive understanding of an organization's digital assets in order to improve security and reduce risk. Effective cybersecurity asset management solutions enhance an organization's overall cybersecurity posture by providing a solid foundation for risk assessment, vulnerability management, and incident response. These solutions help organizations make informed decisions about resource allocation and prioritization, ultimately contributing to better security operations.

Maintaining an accurate inventory of assets is often required to comply with regulatory requirements and for audit purposes. Cybersecurity asset management is essential to prove that security policies and compliance requirements are being met. Additionally, understanding the location of sensitive data and its interaction with various assets is essential to ensure data protection and demonstrate compliance with data privacy regulations.

How can cybersecurity asset management help enable compliance?

Cybersecurity asset management plays a crucial role in addressing FFIEC standards by providing a systematic approach to managing and securing digital assets.

The FFIEC Cybersecurity Assessment Tool consists of two parts: an Inherent Risk Profile and a Cybersecurity Maturity assessment. First, we explore how cybersecurity asset management helps you assess your Inherent Risk Profile more accurately, then how it supports the Cybersecurity Maturity assessment.

Meeting the Inherent Risk Profile Assessment guidelines

Five categories are assessed to determine an organization’s Inherent Risk Profile:

  1. Technologies and Connection Types

  2. Delivery Channels

  3. Online/Mobile Products and Technology Services

  4. Organizational Characteristics

  5. External Threats

Of these five categories, a cybersecurity asset management solution gives you the data you need to accurately assess your organization against the standards found in the Technologies and Connection Types category.

Technologies and Connection Types

The cybersecurity asset management capability that provides the bulk of the data you need to measure where your organization falls in this category is asset discovery and inventory. Asset discovery and inventory automatically discovers and catalogs the assets on your organization's network, including computers, servers, routers, switches, mobile devices, and other IT assets. This information helps you identify several elements measured as part of the assessment, including:

  • The number of internally hosted and developed or modified vendor applications supporting critical activities

  • The number of internally hosted, vendor-developed applications supporting critical activities

  • The number of user-developed technologies and user computing that support critical activities

  • The number of end-of-life systems

  • Network devices (e.g., servers, routers, and firewalls; including physical and virtual)

A cybersecurity asset management solution typically uses software-based network sensors to collect communications data (for example, flow records) from your network and then uses that data to identify and catalog assets. Because passive collection only sees traffic that crosses instrumented segments, the resulting inventory should be reconciled with active scans, endpoint agents, and cloud provider APIs. The same communications data also reveals assets outside your organization that communicate with assets inside it, which helps you identify several additional elements measured as part of the assessment, including:

  • The total number of internet service provider connections (including branch connections)

  • The number of unsecured external connections (connections, not users, over plaintext protocols such as FTP, Telnet, or rlogin)

  • The number of personal devices that are allowed to connect to the corporate network

  • The number of third parties with access to internal systems

  • The number of wholesale customers with dedicated connections

  • The number of cloud computing services hosted externally that support critical activities

Overall, the data provided by a cybersecurity asset management solution helps you establish the data points required to complete a large portion of this category. Counts that depend on contracts or configuration rather than observed traffic, such as the number of ISP connections, still need to be confirmed against network and vendor records.

Meeting the Cybersecurity Maturity Assessment guidelines

The purpose of the Cybersecurity Maturity part of the FFIEC Cybersecurity Assessment Tool is to help organizations measure their cybersecurity maturity on a five-level scale: Baseline, Evolving, Intermediate, Advanced, and Innovative. This part of the assessment has five domains. Of these five domains, cybersecurity asset management contributes to gauging your organization’s maturity in four:

  • Cyber Risk Management and Oversight

  • Cybersecurity Controls

  • External Dependency Management

  • Cyber Incident Management and Resilience

Domain: Cyber Risk Management and Oversight

Section: Governance > IT Asset Management

For this section of the assessment, a cybersecurity asset management solution helps you meet the following requirements to achieve a baseline level of maturity.

  • An inventory of organizational assets

  • Organizational assets are prioritized for protection based on data classification and business value

Going beyond the baseline requirements, a cybersecurity asset management solution helps you meet the following higher-level requirements.

  • Advanced (level 4): Automated tools enable tracking, updating, asset prioritizing, and custom reporting of the asset inventory

Cybersecurity asset management helps you fulfill these guidelines through the following capabilities:

Asset Discovery and Inventory

Cybersecurity asset management solutions are designed to automatically discover and inventory all the assets within your organization's network. This includes computers, servers, routers, switches, mobile devices, and other IT assets. These solutions use methods such as network sensor-based data collection to identify and catalog assets as well as to map the dependencies between assets and between assets and critical business functions.

Critical Business Function Identification

Some cybersecurity asset management solutions apply analytics to observed traffic and dependency data to infer which assets support critical business functions, the core activities that keep an organization running and generate revenue. Treat the inferred mapping as a starting point to be validated by the business owners of those functions. Identifying and prioritizing critical business functions is central to building cyber resilience, allocating security and IT resources, and developing effective business continuity and disaster recovery plans.

Real-Time Monitoring

Cybersecurity asset management solutions provide real-time monitoring of assets on your network. Continuously monitoring and tracking assets allows your organization to detect changes or anomalies in your IT environment, aiding in the early identification of potential security incidents.
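As an added illustration (not code from the original paper or from any vendor's product), the following Python script shows how communications data collected by a network sensor can be turned into the inventory and connection counts listed under Technologies and Connection Types, and how the same inventory supports the change detection described under Real-Time Monitoring. The flow records, internal address ranges, and plaintext-service list are constructed assumptions for this example.

```python
import ipaddress
from collections import defaultdict

# Assumption for this example: the institution's internal address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Plaintext services the CAT names as examples of unsecured external connections.
PLAINTEXT_SERVICES = {21: "ftp", 23: "telnet", 513: "rlogin"}

# Constructed sample flow records (timestamp src dst dport proto), not real traffic.
SAMPLE_FLOWS = """
# ts                    src             dst             dport proto
2024-05-01T10:00:00Z    10.1.2.3        203.0.113.10    443   tcp
2024-05-01T10:00:05Z    10.1.2.3        203.0.113.10    443   tcp
2024-05-01T10:01:00Z    10.1.5.7        198.51.100.22   21    tcp
2024-05-01T10:02:00Z    198.51.100.40   10.1.9.9        22    tcp
2024-05-01T10:02:30Z    198.51.100.40   10.1.9.9        23    tcp
2024-05-01T10:03:00Z    10.1.2.3        10.1.9.9        1433  tcp
2024-05-01T10:03:10Z    192.168.4.4     10.1.9.9        1433  tcp
"""

# A later constructed capture: a new internal host appears and RDP shows up on the database server.
LATER_FLOWS = """
2024-05-02T09:00:00Z    10.7.7.7        10.1.9.9        3389  tcp
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Parse whitespace-separated flow records into (src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, dport, proto = line.split()
        flows.append((src, dst, int(dport), proto))
    return flows

def build_inventory(flows):
    """Internal assets seen on the wire, the ports they answer on, and the peers they talk to."""
    inventory = defaultdict(lambda: {"services": set(), "peers": set()})
    for src, dst, dport, _proto in flows:
        if is_internal(src):
            inventory[src]["peers"].add(dst)
        if is_internal(dst):
            inventory[dst]["services"].add(dport)
            inventory[dst]["peers"].add(src)
    return dict(inventory)

def external_connections(flows):
    """External counterparties, the direction they talk in, and plaintext services they use.

    Unsecured connections are counted as distinct (src, dst, port) tuples, i.e. connections
    rather than users, which is how the CAT phrases that data point.
    """
    external = defaultdict(lambda: {"inbound": False, "outbound": False, "unsecured": set()})
    for src, dst, dport, _proto in flows:
        src_int, dst_int = is_internal(src), is_internal(dst)
        if src_int == dst_int:
            continue  # purely internal or purely external traffic is not an external connection
        peer = dst if src_int else src
        external[peer]["outbound" if src_int else "inbound"] = True
        if dport in PLAINTEXT_SERVICES:
            external[peer]["unsecured"].add((src, dst, dport))
    return dict(external)

def summarize(flows):
    """Data points for the Technologies and Connection Types category."""
    inventory = build_inventory(flows)
    external = external_connections(flows)
    return {
        "internal_assets": len(inventory),
        "external_counterparties": len(external),
        "unsecured_external_connections": sum(len(e["unsecured"]) for e in external.values()),
        "third_parties_with_inbound_access": sum(1 for e in external.values() if e["inbound"]),
    }

def diff_inventory(before, after):
    """Change detection between two snapshots: new internal assets and newly exposed services."""
    changes = {"new_assets": sorted(set(after) - set(before)), "new_services": {}}
    for asset, record in after.items():
        added = record["services"] - before.get(asset, {"services": set()})["services"]
        if added:
            changes["new_services"][asset] = sorted(added)
    return changes

if __name__ == "__main__":
    baseline = build_inventory(parse_flows(SAMPLE_FLOWS))
    print(summarize(parse_flows(SAMPLE_FLOWS)))
    print(diff_inventory(baseline, build_inventory(parse_flows(SAMPLE_FLOWS + LATER_FLOWS))))
```

On the constructed data the summary reports four internal assets, three external counterparties, two unsecured external connections (outbound FTP to a vendor and inbound Telnet from a third party), and one third party with inbound access; the second capture surfaces a new internal host and a newly exposed RDP service on the database server. Keep in mind that this only reflects what crossed the sensor: hosts that never talk across an instrumented segment, and counts that live in contracts rather than packets, have to come from other sources.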

Section: Risk Management > Risk Management Program

For this section of the assessment, a cybersecurity asset management solution helps you meet the following requirements to achieve a baseline level of maturity.

  • An information security and business continuity risk management function exists within the institution

Going beyond the baseline requirements, a cybersecurity asset management solution helps you meet the following higher-level requirements.

  • Evolving (level 2): The risk management program incorporates cyber risk identification, measurement, mitigation, monitoring, and reporting

  • Advanced (level 4): Cybersecurity metrics are used to facilitate strategic decision-making and funding in areas of need

Cybersecurity asset management helps you fulfill these guidelines through its risk management capability.

Assess and Mitigate Risks

Accurate and constantly updated asset information, including known vulnerabilities and dependencies, enables your organization to assess potential risks associated with specific assets. Cybersecurity asset management allows security teams to prioritize security efforts, allocate resources effectively, and implement targeted measures to mitigate risks, enhancing your overall cybersecurity resilience.

Domain: Cybersecurity Controls

Section: Detective Controls > Threat and Vulnerability Detection

For this section of the assessment, a cybersecurity asset management solution helps you meet the following requirements to achieve a baseline level of maturity.

  • Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external facing systems and the internal network

Going beyond the baseline requirements, a cybersecurity asset management solution also helps you meet the following higher-level requirements.

  • Evolving (level 2): Vulnerability scanning is conducted and analyzed before deployment/redeployment of new/existing devices

  • Evolving (level 2): Processes are in place to monitor potential insider activity that could lead to data theft or destruction

  • Advanced (level 4): Weekly vulnerability scanning is rotated among environments to scan all environments throughout the year

  • Innovative (level 5): Vulnerability scanning is performed weekly across all environments

Cybersecurity asset management helps you fulfill these guidelines through its vulnerability management capability.

Identify and Prioritize Vulnerabilities

Vulnerability scanning tools identify and assess vulnerabilities in your organization's environment, including software vulnerabilities, misconfigurations, and other weaknesses that attackers could exploit. Asset management does not replace the scanner: it supplies the validated inventory that defines scan scope, so that new or unknown assets are not left unscanned, and the context used to prioritize findings. Security teams can then focus on the most critical issues by ranking vulnerable assets on their connection to critical business functions and their dependencies with other assets, rather than on severity score alone.
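To make that prioritization concrete, here is an added example (not code from the original paper or from any product) that ranks scanner findings by the business functions that transitively depend on the vulnerable asset. The asset names, dependency edges, business functions, criticality weights, and finding identifiers are constructed for illustration.

```python
from collections import defaultdict

# Constructed example data (hypothetical names and finding IDs), not taken from the paper.
# Critical business functions with a criticality weight (1 = low ... 5 = highest).
FUNCTIONS = {"wire-transfers": 5, "online-banking": 4, "internal-wiki": 1}

# Assets each business function directly relies on.
FUNCTION_ASSETS = {
    "wire-transfers": ["swift-gw"],
    "online-banking": ["web-01"],
    "internal-wiki": ["wiki-01"],
}

# Dependency edges learned from traffic and configuration: asset -> assets it depends on.
DEPENDS_ON = {
    "swift-gw": ["core-db", "hsm-proxy"],
    "web-01": ["app-01"],
    "app-01": ["core-db"],
}

# Scanner findings: asset -> [(finding id, CVSS base score)].
FINDINGS = {
    "core-db": [("finding-1", 6.5)],
    "lab-box": [("finding-2", 9.8)],
    "app-01": [("finding-3", 7.5)],
    "wiki-01": [("finding-4", 8.1)],
}


def closure(start_assets, depends_on):
    """All assets reachable by following dependency edges (cycle-safe)."""
    seen, stack = set(), list(start_assets)
    while stack:
        asset = stack.pop()
        if asset in seen:
            continue
        seen.add(asset)
        stack.extend(depends_on.get(asset, []))
    return seen


def functions_supported_by(function_assets, depends_on):
    """Invert the dependency graph: asset -> business functions that transitively depend on it."""
    supported = defaultdict(set)
    for func, assets in function_assets.items():
        for asset in closure(assets, depends_on):
            supported[asset].add(func)
    return dict(supported)


def prioritize(findings, functions, function_assets, depends_on):
    """Rank findings by CVSS scaled by the total criticality of the functions they put at risk."""
    supported = functions_supported_by(function_assets, depends_on)
    ranked = []
    for asset, vulns in findings.items():
        funcs = supported.get(asset, set())
        impact = sum(functions[f] for f in funcs)  # 0 for assets no critical function depends on
        for finding_id, cvss in vulns:
            ranked.append({
                "asset": asset,
                "finding": finding_id,
                "cvss": cvss,
                "functions": sorted(funcs),
                "business_impact": impact,
                "priority": round(cvss * (1 + impact), 1),
            })
    ranked.sort(key=lambda r: (-r["priority"], -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, FUNCTIONS, FUNCTION_ASSETS, DEPENDS_ON):
        print(f'{row["priority"]:6.1f}  {row["asset"]:8} cvss={row["cvss"]}  functions={row["functions"]}')
```

Run as is, the 6.5 on core-db ranks first because both wire-transfers and online-banking reach it through the dependency graph, while the 9.8 on lab-box, which no critical function depends on, ranks last. The weighting formula is a deliberately simple placeholder; in practice teams also factor in exposure (internet-facing or not) and whether an exploit is known to be available.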

Domain: External Dependency Management

Section: Connections

For this section of the assessment, a cybersecurity asset management solution helps you meet the following requirements to achieve a baseline level of maturity.

  • The critical business processes that are dependent on external connectivity have been identified

  • The institution ensures that third-party connections are authorized

  • A network diagram is in place and identifies all external connections

  • Data flow diagrams are in place and document information flow to external parties

Going beyond the baseline requirements, a cybersecurity asset management solution also helps you meet the following higher-level requirements.

  • Evolving (level 2): Critical business processes have been mapped to the supporting external connections

  • Evolving (level 2): The network diagram is updated when connections with third parties change or at least annually

  • Intermediate (level 3): A validated asset inventory is used to create comprehensive diagrams depicting data repositories, data flow, infrastructure, and connectivity

  • Advanced (level 4): The security architecture is validated and documented before the network connection infrastructure changes

  • Innovative (level 5): Diagrams of external connections are interactive and show real-time changes to the network connection infrastructure, new connections, volume fluctuations, and alerts when risks arise

Cybersecurity asset management helps you fulfill these guidelines through its ability to identify connections with third-party vendors and contractors.

Identify Connections With Third-Party Vendors and Contractors

Cybersecurity asset management gives you visibility into the external systems that communicate with assets in your environment, including those of third-party vendors and contractors. Comparing this observed list of external connections against the connections that are contractually authorized lets you confirm that third-party connections are authorized, detect undocumented ones, understand your third-party dependencies, and measure your third-party risk.

Domain: Cyber Incident Management and Resilience

Section: Incident Resilience Planning and Strategy > Planning

For this section of the assessment, a cybersecurity asset management solution helps you meet the following requirements to achieve a baseline level of maturity.

  • A formal backup and recovery plan exists for all critical business lines

  • The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following an incident

Going beyond the baseline requirements, a cybersecurity asset management solution also helps you meet the following higher-level requirements.

  • Evolving (level 2): The remediation plan and process outlines the mitigating actions, resources, and time parameters

  • Evolving (level 2): The corporate disaster recovery, business continuity, and crisis management plans have integrated consideration of cyber incidents

  • Evolving (level 2): Alternative processes have been established to continue critical activity within a reasonable time period

  • Evolving (level 2): Business impact analyses have been updated to include cybersecurity

  • Intermediate (level 3): Plans are in place to re-route or substitute critical functions and/or services that may be affected by a successful attack on Internet-facing systems

  • Advanced (level 4): Methods for responding to and recovering from cyber incidents are tightly woven throughout the business units’ disaster recovery, business continuity, and crisis management plans

  • Advanced (level 4): Multiple systems, programs, or processes are implemented into a comprehensive cyber resilience program to sustain, minimize, and recover operations from an array of potentially disruptive and destructive cyber incidents

  • Advanced (level 4): A process is in place to continuously improve the resilience plan

Cybersecurity asset management helps you fulfill these guidelines through its business continuity and disaster recovery capability.

Create Effective Business Continuity and Disaster Recovery Plans

Understanding the full scope of your organization's digital assets allows for effective risk assessment and is integral to developing robust continuity and recovery strategies, ensuring that essential assets are prioritized, protected, and efficiently restored in the event of a cybersecurity incident or disaster.

Section: Incident Resilience Planning and Strategy > Response and Mitigation

For this section of the assessment, a cybersecurity asset management solution helps you meet the following requirements to achieve a baseline level of maturity.

  • Appropriate steps are taken to contain and control an incident

Going beyond the baseline requirements, a cybersecurity asset management solution also helps you meet the following higher-level requirements.

  • Evolving (level 2): A process is in place to help contain incidents and restore operations with minimal service disruption

  • Evolving (level 2): Records are generated to support incident investigation and mitigation

  • Evolving (level 2): Analysis of events is used to improve the institution's security measures and policies

  • Intermediate (level 3): Analysis of security incidents is performed in the early stages of an intrusion to minimize the impact of the incident

  • Intermediate (level 3): Processes are in place to ensure assets affected by a security incident that cannot be returned to operational status are quarantined, removed, disposed of, and/or replaced

  • Innovative (level 5): The technology infrastructure has been engineered to limit the effects of a cyber attack on the production environment from migrating to the backup environment

Cybersecurity asset management helps you fulfill these guidelines through its incident response capability.

Accurate Incident Response

In the event of a cybersecurity incident, cybersecurity asset management provides a foundation for incident response teams to quickly identify affected assets and take appropriate action to contain and mitigate the incident.

Conclusion

Cybersecurity asset management is a critical component in addressing the stringent standards set forth by the Federal Financial Institutions Examination Council (FFIEC) for ensuring robust cybersecurity in financial institutions. By meticulously cataloging and monitoring digital assets, cybersecurity asset management not only facilitates compliance with FFIEC guidelines but also strengthens overall cybersecurity posture.

Cybersecurity asset management plays a pivotal role in fulfilling various aspects of the FFIEC Cybersecurity Assessment Tool, underscoring its significance in risk assessment, vulnerability management, incident response, and continuity planning. Embracing cybersecurity asset management is imperative for financial institutions aiming to fortify their cybersecurity defenses and uphold regulatory compliance.


