How the Redjack Cyber Resilience Platform Helps Enable Compliance With FFIEC Asset Management Guidelines

Use Case
Written By Kristen Jacobsen

The Federal Financial Institutions Examination Council (FFIEC) develops and issues uniform guidelines, standards, and reporting forms to promote consistency in the examination and supervision of financial institutions. These guidelines cover a wide range of areas, including information security, cybersecurity, risk management, and business continuity planning. 

The Redjack cyber resilience platform helps you address several key requirements found in the FFIEC Cybersecurity Assessment Tool and plays a crucial role in your compliance efforts. 

This blog will focus on asset management-related guidelines in the FFIEC Cybersecurity Assessment Tool. Upcoming blogs will focus on risk management guidelines and cyber resilience guidelines.

This is not a complete record of all of the guidelines and standards outlined by the FFIEC. You can find the FFIEC Cybersecurity Assessment Tool, as well as supporting documentation, on the FFIEC’s website. 

The FFIEC Cybersecurity Assessment Tool consists of two parts: an Inherent Risk Profile Assessment, and a Cybersecurity Maturity Assessment. We will start with the Inherent Risk Profile Assessment.

Inherent Risk Profile Assessment: Technologies and Connection Types

Five categories are assessed to determine an organization’s Inherent Risk Profile. Of these five categories, the Redjack cyber resilience platform gives you the data you need to accurately assess your organization against the standards found in the Technologies and Connection Types category.

The Redjack cyber resilience platform uses software-based network sensors to collect communications data and uses data science techniques to discover and inventory all of the connected assets within your organization's network. This is unlike legacy asset inventory solutions that focus on ingesting asset data from disparate sources, giving you a combined view of the part of your network that you already know about. The Redjack approach discovers assets that are overlooked by your existing solutions.

The Redjack cyber resilience platform also maps the dependencies between assets and between assets and your critical business functions. Critical business functions are the core activities that keep an organization running smoothly and generate revenue. The Redjack platform uses this data to assign criticality scores to assets, ranking assets according to the risk they pose to business continuity if they should happen to stop working. This allows you to prioritize your efforts and resources in the areas that will have the greatest impact on your organization.

These asset discovery, inventory, and risk prioritization capabilities give you information that helps you measure your risk level per the assessment’s guidelines. For example, it can help you measure:

  • The number of internally hosted and developed or modified vendor applications supporting critical activities

  • The number of internally hosted, vendor-developed applications supporting critical activities

  • The number of user-developed technologies and user computing that support critical activities

  • The number of cloud computing services hosted externally that support critical activities

Overall, the data provided by the Redjack cyber resilience platform helps you identify the data points required to complete a large portion of this section of the assessment. 

Cybersecurity Maturity Assessment

There are two sections of the Cybersecurity Maturity Assessment that we will cover in this blog. The first is under the Cyber Risk Management and Oversight Domain in the Section on Governance > IT Asset Management. 

Domain: Cyber Risk Management and Oversight

Section: Governance > IT Asset Management

As mentioned above, the Redjack cyber resilience platform is designed to automatically discover and inventory all the assets within your organization's network. It uses network sensor-based data collection to identify and catalog assets as well as to map the dependencies between assets. This information is used to assign criticality scores to individual assets, based on the impact to the organization should they stop working.

The Redjack platform’s sensors collect information passively, unlike solutions that utilize active scanning, which can clog your network and slow it down. It continuously monitors your network, automatically updating the asset inventory with newly discovered assets and removing outdated or decommissioned assets, preventing gaps or inaccuracies in the inventory that could arise from manual entry errors, oversights, or changes in the IT environment. This ensures that your inventory reflects the current state of your IT landscape and reduces the risk of relying on outdated or incomplete asset information.

These capabilities can help you meet the requirements in this section, depending on your level of organizational maturity. These capabilities include:

  • Baseline (level 1): An inventory of organizational assets 

  • Baseline (level 1): Organizational assets are prioritized for protection based on data classification and business value 

  • Advanced (level 4): Automated tools enable tracking, updating, asset prioritizing, and custom reporting of the asset inventory

Domain: External Dependency Management

Section: Connections

This is the second section of the Cybersecurity Maturity Assessment we will explore.

In addition to the Redjack cyber resilience platform’s ability to continuously discover, inventory, and prioritize assets it can also use the data it collects to identify connections with third-party vendors and contractors. It does this by identifying third-party systems that are communicating with assets in your environment. This helps you create a data-driven, comprehensive list of external vendors that helps you accurately understand your third-party dependencies and measure your third-party risk.

These capabilities can help you meet the requirements in this section, depending on your level of organizational maturity. These capabilities include:

  • Baseline (level 1): The critical business processes that are dependent on external connectivity have been identified

  • Baseline (level 1): The institution ensures that third-party connections are authorized 

  • Baseline (level 1): A network diagram is in place and identifies all external connections

  • Baseline (level 1): Data flow diagrams are in place and document information flow to external parties

  • Evolving (level 2): Critical business processes have been mapped to the supporting external connections

  • Evolving (level 2): The network diagram is updated when connections with third parties change or at least annually

  • Intermediate (level 3): A validated asset inventory is used to create comprehensive diagrams depicting data repositories, data flow, infrastructure, and connectivity

  • Advanced (level 4): The security architecture is validated and documented before the network connection infrastructure changes

  • Innovative (level 5): Diagrams of external connections are interactive and show real-time changes to the network connection infrastructure, new connections, volume fluctuations, and alerts when risks arise

Improve compliance  

The Redjack cyber resilience platform helps you address the standards set forth by the FFIEC for ensuring robust cybersecurity in financial institutions. By meticulously cataloging and monitoring digital assets, the Redjack platform not only facilitates compliance with FFIEC guidelines but also helps you strengthen your overall cybersecurity posture. 

Read the next FFIEC blog: How Redjack Helps Enable Compliance With FFIEC Risk Management Guidelines

Kristen Jacobsen
Previous

How Redjack Addresses Key Aspects of DORA
Next

How the Redjack Cyber Resilience Platform Enables Zero Trust