When the FFIEC auditor comes knocking, how many people actually feel prepared? I'd wager not many. An audit brings a lot of anxiety with it: you still have to do your day job, and on top of that comes the time and resource needed to prepare.
So where do you start? Here we summarize tips from Cygilant’s experience in helping our customers prepare for an FFIEC audit.
1. Don’t panic!
Looking at what you are about to face, it will seem daunting. But don't panic. Many people think the FFIEC is out to get them, but that isn't the reality. The FFIEC exists to help financial institutions measure and manage cyber risk: it sets minimum standards and examines institutions against them, all with the aim of protecting consumers and the institutions themselves. Examiners are not looking for "gotcha" moments; they want to help you avoid cyber threats.
2. Know what to expect
If you are reading this blog, you probably already know what the FFIEC is, but just in case (or if you are too afraid to ask), FFIEC stands for the Federal Financial Institutions Examination Council. It's a US government interagency body empowered to prescribe uniform principles, standards and report forms for the examination of financial institutions by its member agencies, such as the National Credit Union Administration (NCUA). Its standards apply to every US-regulated financial institution and credit union.
Some of the key requirements include building a strong information security culture in the organization, having defined risk identification processes, effective risk monitoring and reporting processes, and consistent security operations processes. They also include allocating adequate resources, i.e. staff and technology, to the information security program. It's a broad set of requirements that goes well beyond technology.
3. Don’t let your new technology be a gotcha
Most credit union IT teams that have been around the block will have covered these criteria already. The biggest "gotchas" we see come when a new technology stack is slowly incorporated into the business and is suddenly in scope for an audit. A good example is the growing use of Amazon Web Services (AWS) or similar hosted cloud infrastructure. For AWS, whether you are actually using the platform's own controls, such as CloudTrail for API activity logging and Trusted Advisor for best-practice checks, and can produce evidence of it, can be the difference between passing and failing.
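Because the examiner will ask for evidence rather than take "we have CloudTrail" at face value, it pays to check the configuration yourself first. The script below is an added example and is not code from the original post or from Cygilant. It takes the parsed JSON that the real AWS CLI commands `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status --name <trail>` return and reports the gaps an auditor typically asks about: is at least one trail multi-region and capturing global service events, is each trail actually logging, is log file validation on, are logs encrypted with a KMS key, and are they forwarded to CloudWatch Logs for alerting. The two sample responses embedded in the block are constructed for this example; the account ID, bucket and trail names are placeholders.

```python
"""Evaluate CloudTrail configuration against common examiner expectations.

Added example, not from the original post or Cygilant. Feed it the output of
`aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status` from a
real account; the JSON below is constructed sample data with placeholder
account IDs and names.
"""
import json

# Constructed sample: the shape of `aws cloudtrail describe-trails` output.
DESCRIBE_TRAILS_JSON = """
{
  "trailList": [
    {
      "Name": "org-trail",
      "S3BucketName": "example-cloudtrail-logs",
      "IncludeGlobalServiceEvents": true,
      "IsMultiRegionTrail": true,
      "HomeRegion": "us-east-1",
      "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail",
      "LogFileValidationEnabled": true,
      "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/org:*",
      "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
      "HasCustomEventSelectors": false,
      "IsOrganizationTrail": false
    },
    {
      "Name": "dev-trail",
      "S3BucketName": "example-dev-logs",
      "IncludeGlobalServiceEvents": false,
      "IsMultiRegionTrail": false,
      "HomeRegion": "us-west-2",
      "TrailARN": "arn:aws:cloudtrail:us-west-2:123456789012:trail/dev-trail",
      "LogFileValidationEnabled": false,
      "HasCustomEventSelectors": false,
      "IsOrganizationTrail": false
    }
  ]
}
"""

# Constructed sample: `aws cloudtrail get-trail-status --name <trail>`, one per trail.
TRAIL_STATUS_JSON = {
    "org-trail": '{"IsLogging": true, "LatestDeliveryTime": "2024-01-01T00:00:00Z"}',
    "dev-trail": '{"IsLogging": false}',
}


def check_trail(trail, status):
    """Return the list of findings for one trail; an empty list means no gaps."""
    name = trail.get("Name", "<unnamed>")
    findings = []
    if not status.get("IsLogging", False):
        findings.append(f"{name}: trail exists but logging is stopped")
    if not trail.get("LogFileValidationEnabled", False):
        findings.append(f"{name}: log file validation (integrity digests) is off")
    if not trail.get("S3BucketName"):
        findings.append(f"{name}: no S3 bucket configured for log delivery")
    if not trail.get("KmsKeyId"):
        findings.append(f"{name}: log files are not encrypted with a KMS key")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append(f"{name}: not forwarded to CloudWatch Logs, so no near-real-time alerting")
    return findings


def audit_cloudtrail(describe_json, status_json_by_name):
    """Evaluate all trails in an account.

    Returns (account_level_findings, {trail_name: per_trail_findings}).
    """
    trails = json.loads(describe_json).get("trailList", [])
    statuses = {t["Name"]: json.loads(status_json_by_name.get(t["Name"], "{}")) for t in trails}
    account = []
    if not trails:
        account.append("no CloudTrail trails configured in this account")
    # Examiners expect API activity captured in every region, including global
    # services such as IAM and STS, by at least one trail that is switched on.
    covered = [
        t for t in trails
        if t.get("IsMultiRegionTrail") and t.get("IncludeGlobalServiceEvents")
        and statuses[t["Name"]].get("IsLogging", False)
    ]
    if not covered:
        account.append("no active multi-region trail that also records global service events")
    per_trail = {t["Name"]: check_trail(t, statuses[t["Name"]]) for t in trails}
    return account, per_trail


if __name__ == "__main__":
    acct, per_trail = audit_cloudtrail(DESCRIBE_TRAILS_JSON, TRAIL_STATUS_JSON)
    for finding in acct:
        print("ACCOUNT:", finding)
    for name, findings in per_trail.items():
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

On the constructed data the org-wide trail passes cleanly and the dev trail produces four findings (logging stopped, no validation, no KMS key, no CloudWatch forwarding). Keep the raw CLI output alongside the script's report in your evidence repository; the examiner wants both the control and the proof that it was in place on a given date.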
4. Understand the tools of the trade
Preparing for an FFIEC audit includes knowing what tools are available to you. The first is the FFIEC Information Technology Examination Handbook. It's the main guide to what an organization's information security program should look like in order to manage risk effectively, and it's also the main guide for the FFIEC examiner when assessing you for compliance. In practice, not everything in the handbook will apply to your organization, and there may be additional controls not in the handbook that an examiner will want to see implemented, such as the AWS examples mentioned above.
There is also the Cybersecurity Assessment Tool (CAT). It's a two-part assessment that helps you identify risk via an inherent risk profile and then determine your cybersecurity maturity level. It's consistent with the handbook and with the NIST Cybersecurity Framework, which makes it a good option if you need to comply with multiple regulatory standards.
Finally there is the Automated Cybersecurity Examination Tool (ACET), developed by the NCUA. It's an Excel-based tool aligned with the FFIEC CAT that uses macros to make it easier to enter information and get results, rather than just producing a PDF.
5. Before an audit: Pick a framework and stick to it!
The FFIEC encourages institutions to adopt a standardized approach or tool to check their own compliance before an audit. While the FFIEC does not endorse any particular tool, it mentions popular options such as its own CAT and the NIST Cybersecurity Framework. The best way to prepare is to pick a framework and stick to it. The CIS Critical Security Controls (CSC) are a useful starting framework: 20 attainable, realistic controls with clear implementation guidelines. We advise Cygilant customers to start there before moving on to the FFIEC CAT.
6. Name a single point of contact
Early in the FFIEC audit process, establish a single internal point of contact dedicated to working directly with the examiners. You'll also want to identify primary stakeholders from every part of the organization.
7. Think common sense
Auditors will ask to see the basics of IT program documentation, i.e. evidence that controls exist and operate. The FFIEC has published five focus areas that are common-sense practices and cybersecurity fundamentals you'll want to have ready. These are:
- A formal risk management and oversight program.
- The existence, and hopefully use, of threat intelligence and information-sharing (collaboration) within your cybersecurity program.
- Cybersecurity controls, i.e. at minimum the 20 CIS controls mentioned above.
- External dependency management. This is an increasing focus, though how deeply it is examined still varies from auditor to auditor.
- Cyber incident management and resilience, the most important in my opinion.
8. Get vulnerability management in place
Known, unpatched vulnerabilities are still far and away the largest and easiest attack surface. Get a decent vulnerability management system or scanner deployed and scanning as early as possible. Fixing configurations organization-wide to address known vulnerabilities sounds simple, but because of availability requirements and change management processes it can take a while, so the sooner you have the scan data, the sooner the remediation clock starts.
9. Plan for disruption
The audit process does impact IT projects and day-to-day security operations. While this varies wildly between organizations, the disruption depends largely on two factors: the size of your team and your level of preparedness. Even for small teams that are flat-out busy, you can mitigate the disruption by appointing a single "audit tsar" or a committee responsible for quarterbacking the logistics of audit preparation and response. Ideally this person has a compliance, risk management or IT background and is able to organize and prioritize demands and assign responsibility. It may sound simple, but it stands out, and it can be the difference between passing and failing.
10. Make a central repository and keep it up
Having an easy-to-access, central repository for artifacts is huge during an FFIEC audit. After the audit, make that repository the canonical home for your evidence and keep it current, so it is a go-to, well-frequented place rather than something rebuilt from scratch before the next audit.
11. People make all the difference
The biggest issues for small teams are incident management and response, and having dedicated staff and time to run audits regularly. We see many successful programs run internal audits that go to the board on a quarterly basis, which is more often than is strictly required.
12. Build on the momentum of an audit to change security culture
Use the momentum gained from preparing for and responding to an audit to move the needle on your security culture. As new processes and technologies are implemented, do your due diligence: make sure the security components and hardening are formalized and documented at deployment time. This makes a big difference, because the next time you are audited, this is one of the first things the auditor will ask about.
13. Budget is a checkbox
Another big challenge is a lack of budget for appropriate tooling and programs. Adequate resourcing of the information security program is itself a checkbox for the auditors, so an underfunded program is a finding in its own right.
14. No silver bullet in FFIEC preparedness
With assessors increasingly using deception techniques, both social engineering and technical, to test whether assets can be compromised, many are looking for a silver bullet. Unfortunately there is no silver bullet that prevents you being caught out. It comes down to implementing solid security controls, training and monitoring.
15. When in doubt, consider a service to help
Cygilant has years of experience helping organizations pass audits. We have a team of experts who are regularly helping credit unions with teams of all sizes prepare. With the people and technology in place to help, we can provide you with Security-as-a-Service to overcome lack of resource or budget. Get in touch to discuss.