Making FFIEC cybersecurity compliance simpler for Banks
Anirban Banerjee
FFIEC stands for the Federal Financial Institutions Examination Council. The Federal Financial Institutions Examination Council (FFIEC) was established on March 10, 1979, pursuant to title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Appraisal Subcommittee (ASC) within the Examination Council.
Quoting from  – The FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB) and to make recommendations to promote uniformity in the supervision of financial institutions. To encourage the application of uniform examination principles and standards by the state and federal supervisory authorities, the Council established, in accordance with the requirement of the statute, the State Liaison Committee composed of five representatives of state supervisory agencies. In accordance with the Financial Services Regulatory Relief Act of 2006, a representative state regulator was added as a voting member of the Council in October 2006. The FFIEC is responsible for developing uniform reporting systems for federally supervised financial institutions, their holding companies, and the non-financial institution subsidiaries of those institutions and holding companies.
Cybersecurity and FFIEC
The FFIEC takes cybersecurity seriously. Look at the latest FFIEC press release, which advises financial institutions, consistent with existing regulatory expectations, to actively manage the risks associated with interbank messaging and wholesale payment networks. The areas of focus are risk assessment; authentication, authorization and access controls; monitoring and mitigation; fraud detection; and incident response.
We are going to dig into the access and authentication control portion of the guidance here. Quoting verbatim from the report, the access and authorization portion talks about:
Protect against unauthorized access.
Limit the number of credentials with elevated privileges across the institution, especially administrator accounts, and the ability to easily assign elevated privileges to access critical systems. Review access rights periodically to confirm approvals are still appropriate to the job function. Establish stringent expiration periods for unused credentials, monitor logs for use of old credentials, and promptly terminate unused or unwarranted credentials. Establish authentication rules, such as time-of-day and geolocation controls, or implement multi-factor authentication protocols for web-based control panels. In addition,
- Conduct regular audits to review the access and permission levels to critical systems for employees and contractors. Implement least privileges access policies across the entire enterprise. In particular, do not allow users to have local administrator rights on workstations.
- Change default password and settings for system-based credentials.
- Prevent un-patched systems, such as home computers and personal mobile devices from connecting to internal-facing systems.
- Implement monitoring controls to detect unauthorized devices connected to internal networks.
- Use secure connections when remotely accessing systems and services (e.g., virtual private networks).
Challenges with Access and Authorization
The above makes great sense; however, it is not always straightforward to comply with guidance like this. The issues that come up stem from a multitude of factors: disparate systems, fragmented organizational layouts, ever-evolving user roles, employee attrition and more. For IT and security folks it can feel as if the organization is constantly one step outside the acceptable compliance boundary, for one reason or another. This is similar to other verticals like health care, where IT, GRC and security teams often grapple with complying with laws like HIPAA.
We present some tips to make compliance with the FFIEC cyber-security recommendations easier.
(1) Regular audits: Use a Privileged Access Management system that gives you a 30-, 90-, 180- and 365-day audit process focused on the business unit owner. This makes sure that critical resources get audited every 30 days, while access to less critical systems can be reviewed on a longer timeline, albeit in a streamlined and automated manner. Use a documented and trackable process to escalate and de-escalate rights on machines. Nobody should be an admin on a resource forever. Here is an example of escalation and de-escalation of privileges and another example for time-based access.
(2) Password rotation: Use an automated system that takes the human out of the equation. This is critical. Why? Because people have different priorities at different times. Consider the case where your CFO is closing out the quarter reconciling numbers: do you think they are going to take immediate action on your end-of-quarter password change email? Not really. You should implement a system that automatically rotates credentials without human input. In fact, you should also focus on doing this for shared accounts, not just privileged ones. Lastly, make account sharing explicit and follow a procedure so that credential changes can be tracked and audited. Follow the KISS rule: Keep It Simple. Here is an example.
(3) Device management: Use some kind of Mobile Device Management solution, an inventory management system, or even a configuration management tool like Casper, SCCM, JAMF, Chef or Puppet. Something is better than nothing. You should be able to see at a moment's notice how many applications people are using and which servers are in use. Here is an example.
(4) Session control: You should use some kind of system that secures access and authorization for what you can do on a machine. The solution needs to handle privilege escalation and de-escalation to make sure nobody keeps admin rights forever. Furthermore, the system needs to be able to provide assurance about what activities have been performed on the machines, in essence a DVR-like functionality. Here is an example.
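As an added illustration (not code from this article or from any product it mentions), here is a small Python access-review pass that applies the tiered 30/90/180/365-day cadence from tip (1) together with the guidance's rules on expiring unused credentials, de-escalating time-boxed admin rights and monitoring logs for use of old credentials. The tier names, the 90-day idle cutoff, the grant records and the log line format are all assumptions.

```python
from datetime import date

# Review cadence in days per resource tier, following the 30/90/180/365-day
# schedule in tip (1). Tier names and the 90-day idle cutoff are assumptions.
REVIEW_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}
UNUSED_EXPIRY_DAYS = 90

def review_grants(grants, today):
    """Map each (user, resource) grant to an action: terminate-unused, deescalate-expired,
    review-overdue (owner attestation older than the tier cadence) or ok."""
    actions = {}
    for g in grants:
        key = (g["user"], g["resource"])
        if (today - g["last_used"]).days >= UNUSED_EXPIRY_DAYS:
            actions[key] = "terminate-unused"          # idle credential: terminate promptly
        elif g["expires"] is not None and today >= g["expires"]:
            actions[key] = "deescalate-expired"        # time-boxed elevation has lapsed
        elif (today - g["last_reviewed"]).days >= REVIEW_DAYS[g["tier"]]:
            actions[key] = "review-overdue"            # business unit owner must re-attest
        else:
            actions[key] = "ok"
    return actions

def stale_users(actions):
    """Users holding at least one credential marked for termination."""
    return {user for (user, _), action in actions.items() if action == "terminate-unused"}

def find_old_credential_use(log_text, terminated_users):
    """Return log lines where a credential slated for termination still logged in
    successfully. Assumed format: timestamp followed by key=value fields."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("user") in terminated_users and fields.get("result") == "ok":
            hits.append(line)
    return hits

def grant(user, resource, tier, last_reviewed, last_used, expires=None):
    return dict(user=user, resource=resource, tier=tier,
                last_reviewed=last_reviewed, last_used=last_used, expires=expires)

# Constructed sample data for a review run dated 2016-07-01.
TODAY = date(2016, 7, 1)
SAMPLE_GRANTS = [
    grant("alice", "wire-gateway", "critical", date(2016, 5, 15), date(2016, 6, 30)),
    grant("bob", "wire-gateway", "critical", date(2016, 6, 20), date(2016, 6, 29), date(2016, 6, 30)),
    grant("carol", "hr-portal", "low", date(2016, 1, 10), date(2016, 2, 1)),
    grant("dave", "ticketing", "medium", date(2016, 3, 1), date(2016, 6, 28)),
]
SAMPLE_LOG = """2016-07-01T08:02:11 host=wire-gateway user=alice result=ok
2016-07-01T08:05:40 host=hr-portal user=carol result=ok
2016-07-01T09:30:52 host=wire-gateway user=bob result=fail"""
```

Running `find_old_credential_use(SAMPLE_LOG, stale_users(review_grants(SAMPLE_GRANTS, TODAY)))` flags carol's successful login, since her credential has been idle well past the cutoff and should already have been terminated.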
In this article we have talked about the specific portions of the FFIEC framework that deal with cyber-security, and in more detail about the access and authorization portions of the guidance. We hope the tips presented above help you make the right choices for any solutions you would like to use to help comply with FFIEC guidelines.
Also published on Medium.