Network Quality Assurance: FFIEC Compliance Process
Know your network
The Federal Financial Institutions Examination Council (FFIEC) requires that all members ensure their information systems and confidential data are kept safe. Specifically, they must establish administrative, technical and physical information safeguards to:
- Ensure the security and confidentiality of customer records and information
- Protect against any anticipated threats or hazards to the security or integrity of such records
- Protect against unauthorized access to or use of such records or information
FFIEC Compliance
The board of directors is ultimately responsible for overseeing the implementation and maintenance of their organization's information security program, and for the consequences if it fails. Congruity Inspector's one-click, self-audit feature places the control in their hands, offering a consistent and repeatable way to document technical and administrative status and verify security compliance. Congruity Inspector delivers the best cost-performance of any network quality assurance solution, providing an objective 168 hour IT security profile for less than 1 minute of effort.
Banks and credit unions are required by law to conduct a risk assessment at least once annually. However, with IT threats on the rise, a single audit using conventional risk assessment methods is not sufficient. A penetration test and vulnerability scan provide only static, moment-in-time snapshots of known flaws. They don't identify unknown flaws or operational threat conditions. These are the causes of system compromise and confidential data leaks, which can occur in spite of a fully-patched and properly-configured network. Congruity Inspector offers an easy, comprehensive, and cost-effective way to regularly identify these issues and reduce information system and data security risks.
FFIEC Risk Assessment Process
- Access control & usage: Congruity Inspector is a usage-based monitoring and reporting tool.
- Network Access: Logs and identifies internal and external user activity. (Country of origin)
- Application Access: Logs which applications are in-use along with usage details (port, protocol, bandwidth, date, time, transcripts)
- Remote Access: Identifies GoToMyPC, which can be easily downloaded and installed by a user, creating an undocumented vector for data leakage or system compromise.
- Encryption: Identifies all HTTPS connections, servers and users, plus highlights sensitive communications that could contain 'regulated data' that should not be sent over the Internet in unencrypted plain text, such as social security numbers or credit card numbers.
- Malicious code prevention: Identifies Spyware, Malware and other unauthorized software that may be sending information outside the protected network to an unaffiliated third party (hacker).
- Systems development, acquisition and maintenance: Congruity Inspector offers an efficient and cost-effective way to verify and document that a new network component, application or configuration change has not impacted the overall security, compliance or performance of the information system.
- Personnel security: Can be used to objectively investigate, log and identify policy breaches that may arise due to personnel abuse or other issues associated with employment termination. Also offers detailed forensic review, providing comprehensive usage transcripts and a history-of-use archive.
- Data security: Logs and documents all open threat vectors in and out of the protected network, including file uploading/downloading, on-line communications and file attachments. Enables users to quickly and easily identify legitimate business processes and configurations, and those which are not permitted.
- Service provider oversight: In any circumstance where a regulated entity hires a third party service provider, the organization (management) is responsible for verifying that its service provider has implemented the appropriate measures to ensure that information systems and member data are safe. Congruity Inspector's device-independent self-auditing capability provides board members with independent assurance that they are receiving all the service guarantees they are paying for.
- Business continuity considerations: Congruity Inspector's reports provide accurate baseline metrics and system performance details so decision makers can make better-informed decisions and better prioritize IT projects and spending.
FFIEC IT Security Standards Also Recommend Regular Security Monitoring
- Activity monitoring: Congruity Inspector monitors all usage activity entering and leaving the protected network, plus identifies source and destination devices.
- Intrusions and independent logging: Independently logs all activity on every port over a 7 day operational term. A firewall, filter or IDS device cannot tell you what information or events it missed. Only through a device-independent and objective review can these threats be identified. Congruity Inspector was designed to fulfill this need.
- Self-assessment: One-click, on-demand, self-audit offers the most comprehensive, easy-to-use and lowest cost objective audit method available.
- Metrics: Comprehensive usage metrics for each workstation, bandwidth usage, surfing time on-line, email usage summaries, network bandwidth trends, Top Sites, Top Users, Top Files, Top Attachments and more.
- Independent tests: Congruity Inspector offers a device-independent way to regularly test security controls and policy compliance or troubleshoot issues without disrupting normal operations.
One-Click FFIEC Compliance
Congruity Inspector simplifies FFIEC compliance, automating a review and documentation process that identifies threats that leave IT systems and confidential data exposed.