The threat to network systems has increased significantly over the last few years, and the consequences of a breach can be potentially disastrous for organizations and individuals alike. Due to the volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) plays a major part in helping financial institutions identify risk and understand their cybersecurity preparedness. To better protect the network, financial institutions must understand where their security practices fall short and how to effectively address those gaps. The CAT provides a clear set of standards to ensure an institution’s network systems are managed efficiently and compliantly.
Some key areas of network management that are addressed in the CAT include:
- Risk Identification
There must be documented processes that outline potential threats and vulnerabilities. Risk identification activities that determine the institution’s information security risk profile, including cybersecurity risk, must be documented and evaluated on a routine basis.
- Network Border Protection
There must be effective preventative controls in place to adequately protect the network from attack. This includes firewalls, anti-virus protection and anti-malware software.
- Inventory of Assets
An updated inventory of technology assets including hardware, software, information, and connections should be maintained. The inventory should include where all assets are stored, transmitted and processed.
- Auditing of the Network
Financial institutions must have the ability to identify what devices are present on a network; the ability to monitor at the device level to determine the health of network components; and the extent to which their performance matches capacity plans and intra-enterprise service-level agreements (SLAs). It also includes the ability to track performance indicators such as bandwidth utilization, packet loss, latency, availability and uptime of routers, switches and other Simple Network Management Protocol (SNMP) enabled devices.
- Dual-Factor Authentication
The system must have more than one form of authentication in order to access it to ensure a secure log-in.
- Patch Management
An effective patch management program is a must in today’s environment. All software applications require updates from vendors to remedy weaknesses. Updates should be rolled out to all devices in a timely manner, updates should be tested to ensure they don’t create an issue for the institution’s applications and all patches must be well documented.
- Remote Control Access
Remote access to a network allows employees to connect to any machine in their network via encrypted and logged sessions. It gives administrative personnel the tools to administer and manage a network, enabling increased productivity, heightened security, greater flexibility and centralized control that’s accessible from anywhere they have an Internet connection. While this is beneficial, it must be monitored and protected from outside attacks.
Financial institutions must be able to generate and provide easily configurable, customizable and accurate reports for all exams and audits in a timely manner.
Consequences of Not Being in Compliance
Failure to comply with FFIEC guidelines puts a financial institution at risk of doing poorly on exams, being written up for not following protocols and spending large amounts of time remedying violations, which can all lead to reputational damage and loss of revenue. Regardless of location and size, banks and credit unions are all subject to largely the same regulations. Governing agencies have become more stringent in their exams in the last several years and have been liberal in issuing citations to community financial institutions that have lapses or are not meeting regulations.
Automating Network Management
To help ensure community financial institutions operate more efficiently, securely and compliantly, IT professionals are implementing network management systems designed specifically for financial institutions and their compliance needs. These systems help to further decrease costs, increase performance, and improve their compliance posture by automating the myriad of tasks associated with exams and regulatory requirements. Systems with built-in automated intelligence eliminate the need for IT staff to directly administer challenging and time-consuming tasks such as patch management, anti-malware updates, and reporting.
Automating IT activities helps ease the burden of maintaining network compliance. Remember, while compliance requirements can be cumbersome and time-consuming, these standards are in place to ensure that sensitive, financial data is protected from the malicious threats and attackers who seek to exploit it.