• Request Info

Addressing FFIEC Information Security for Vulnerability Management

Addressing FFIEC Information Security Guidelines with Vulnerability Management

The Federal Financial Institutions Examination Council (FFIEC) is a U.S. government interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the following organizations:

  • Board of Governors of the Federal Reserve System (FRB)
  • Federal Deposit Insurance Corporation (FDIC)
  • National Credit Union Administration (NCUA)
  • Office of the Comptroller of the Currency (OCC)
  • Consumer Financial Protection Bureau (CFPB)


The FFIEC IT Examination Handbook Information Security Booklet

The FFIEC created the Information Technology Examination Handbook to provide field examiners in the above financial institution regulatory agencies with introductory training and basic information. A key part of the Handbook, the Information Security Booklet, outlines several security best practices that examiners look for when auditing financial institutions.



The FFIEC “Authentication in an Internet Banking Environment” Guidance Supplement

The continued growth of electronic banking, coupled with evolution of sophisticated cyber threats, has increased risks for financial institutions and their customers.  The FFIEC therefore amended their 2005 guidance “Authentication in an Internet Banking Environment” with a 2011 supplement that puts forth a set of revised guidelines that include provisions for IT risk assessments and layered security controls.


Prepare for Audits and Improve Overall Security

CORE Security solutions for predictive security intelligence help financial institutions prepare for audits and improve overall security by addressing key sections of both the Information Security section of the FFIEC IT Examination Handbook and the FFIEC “Authentication in an Internet Banking Environment” supplement.


FFIEC Guidance How CORE can help

Information Security Risk Assessment (from FFIEC IT Examination Handbook)

Financial institutions must maintain an ongoing information security risk assessment program that effectively:

  • Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
  • Analyzes the probability and impact associated with the known threats and vulnerabilities to their assets; and
  • Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and assurance necessary for effective mitigation.

Risk Assessments (from “Authentication in an Internet Banking Environment” supplement)

Institutions must establish a Risk Assessment that accounts for:

• Constantly evolving threats to both its internal and external environment
• Changes to how customers utilize online banking systems, or when new services are introduced
• Actual security incidents which occur within the institution and industry

The Risk Assessment must be reviewed, updated or performed at least every 12 months

Conduct Proactive, Real-World Risk Assessments

Our predictive security intelligence solutions enable financial institutions to proactively identify critical threats, see how risk changes over time as technology and business processes evolve, and prioritize their risk and security practices to stay ahead.

  • Continuously assess changing infrastructure against the latest threats and proactively identify weaknesses posing imminent risks
  • Leverage automation and delegation to increase the scale and frequency of security assessments across large IT environments
  • Add deeper intelligence and context to vulnerability and threat data through actual testing and simulation; enabling security and risk teams to prioritize and remediate the most critical threats. 

Information Security Strategy (from FFIEC IT Examination Handbook)

Financial Institutions should develop a strategy that defines control objectives and establishes an implementation plan, including appropriate considerations of prevention, detection, and response mechanisms as well as layered controls that identify threats to organizational assets.

Build Risk Preemption into Your Security Strategy

  • Prevent and proactively defend against newer types of threats such as malware and advanced persistent threats through real world replication and simulation of attacks
  • Conduct multi- and cross-vector analysis across web applications, network systems, and endpoints to identify exposures across layered controls and access to organizational assets such as IP or customer data
  • Reduce the overall response and remediation time by alerting security and downstream IT teams to the highest priority vulnerabilities

Security Controls Implementation (from FFIEC IT Examination Handbook)

An effective control mechanism includes numerous controls to safeguard and limits access to key information system assets at all layers in the network stack.  This section addresses logical and administrative controls, including access rights administration for individuals and network access issues.

Layered Security Controls (from “Authentication in an Internet Banking Environment” supplement)

Institutions should implement a strategy of Layered Security to protect online transactions:

  • Use different controls at different points in a transaction to help mitigate any weaknesses
  • Use a risk-based approach where controls are strengthened as risk increases
  • Deploy processes that detect and respond to suspicious activities at the riskiest points of online transactions
  • Enhance the controls over system administrators who manage online access and configurations of commercial accounts
  • Use the results of the Risk Assessment to adjust levels of authentication controls accordingly.

Verify Security Controls Efficacy

FFIEC guidance acknowledges that diverse security controls at different points in a transaction flow can help mitigate weaknesses. Most banks also realize that single layer of authentication will simply not work with constant change and myriad of technologies.

As a result, CISOs and CROs must grapple with multiple layers of security technologies – and somehow consolidate and understand the data they provide. CORE solutions offer continuous and consistent application to monitoring and assessment to keep up with diverse controls environments.

  • Continuously assess large, diverse IT environments
  • Assess IPS/IDS, firewalls and other defenses against real-world network, client-side and web application attack techniques
  • Ensure that defensive technologies are configured and updated to protect against current threats
  • Reveal paths that attackers and malicious insiders would use to circumvent security controls and access sensitive assets
  • Maintain asset visibility by automatically sensing and adapt to changes in infrastructure
  • Repeat assessments to validate the efficacy of new or updated security controls

Follow the letter and spirit of the PCI DSS, FFIEC and other regulations

Don’t just check the compliance box once a year – gain ongoing predictive intelligence for continuously predicting threats and preempting business risk.

Comply with mandates for proactive IT security assessment and enhance overall security

Security Threat & Process Monitoring & Updating (from FFIEC IT Examination Handbook)

Financial institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. They should then use that information to update the risk assessment, strategy, and implemented controls.

Stay Ahead of Evolving Threats

Things change -- Financial institutions should validate their ongoing risk mitigation strategy and processes by monitoring network and host activity to identify policy violations, anomalous behavior, unauthorized configuration, and other conditions that increase risk. They should also analyze the results of monitoring to accurately and quickly identify, classify, escalate, report and guide responses to security incidents.

CORE solutions enable financial institutions to:

  • Assess systems designated as critical and delivers proactive alerts regarding the latest threats and impacts to those systems
  • Assimilate data from multiple sources (e.g., network and web scanners) to validate potential threats as real
  • Pinpoint what is truly exploitable, enabling smarter decisions to prioritize and escalate remediation actions.
  • Deliver data using terminology specific to the organization, system, location, mandates, data types, etc.
  • Validate security metrics; benchmark & track risk posture

Next Steps

Request Info