After helping many financial institutions complete the FFIEC Cybersecurity Assessment Tool (“CAT”), we have found that a small number of CAT statements commonly get institutions “stuck” at a given maturity level. Today, we will look at the statements that most often keep institutions from attaining the “Baseline” maturity level on the CAT.
The Baseline maturity level of the CAT is meant to include the basic cybersecurity controls that all institutions should be able to attain. When considering Baseline statements, do not overthink them and make them more complex than they need to be. The most common missing controls at the Baseline level are:
Data flow diagrams are in place and document information flow to external parties:
Many institutions point to their network diagrams when asked whether they have data flow diagrams for this Baseline requirement, but a network diagram is not what is being asked for. A network diagram shows how devices are connected; this statement asks that the institution have a basic understanding of how customer data moves between its systems and its external vendors during critical business processes (for example, which systems and third parties handle the data in wire origination or loan processing). Complying with this does not have to be hard and can normally be accomplished in a day by interviewing the process owner and documenting the process visually. Remember that this is a Baseline requirement: a mapping of every data element is not required at this level. Institutions that complete this exercise commonly find that they understand how information flows through these processes better than they did before.
Firewall rules are audited or verified at least quarterly:
Firewalls are a critical control designed to protect an institution's network from unauthorized access from the Internet. To ensure that firewalls are configured properly, regulators expect an institution to periodically review the configuration and rules to confirm that each rule is still needed, is still justified by the business, and is no more permissive than it has to be. Commercial tools are available that can make this review easy. Note that at the Baseline level, the verification can be performed by an internal party (other FFIEC guidance requires at least an annual independent review of these rules and configurations, but that is outside the scope of the Baseline level). It is important that the institution not only perform the reviews, but also document that they are being completed: the date, the reviewer, and the rules that were flagged and what was done about them.
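The kind of check a quarterly rule review boils down to, as an added example that is not from the original post or from Bedel Security: a small Python script that reads a normalised rule export, flags the rules an examiner would ask about (any/any/any permits, administrative ports open from any source, expired temporary rules, rules with no traffic in the review period), and produces a dated review record as the evidence that the review happened. The sample ruleset, the field names and the 90-day hit counter are constructed for illustration and do not correspond to any specific vendor's export format.

```python
"""Quarterly firewall rule review: flag rules that need justification.

Added example; the ruleset below is constructed for illustration and the
field names are assumptions, not a specific vendor's export format.
"""
import csv
import io
from datetime import date

# Constructed sample export, one rule per line. A real export (Palo Alto,
# Fortinet, iptables-save, ...) needs a vendor-specific loader; the checks
# below only depend on these normalised fields.
SAMPLE_RULES = """\
id,action,src,dst,port,hits_90d,expires,comment
10,allow,any,10.0.0.0/8,443,15023,,web to internal apps
20,allow,any,any,any,0,,temporary troubleshooting rule
30,allow,203.0.113.0/24,10.0.5.10,3389,88,2024-01-31,vendor remote support
40,allow,any,10.0.5.20,22,0,,ssh for ops
50,deny,any,any,any,90212,,cleanup rule
"""

# Ports that should never be reachable from an unrestricted source.
ADMIN_PORTS = {"22", "23", "3389", "5900"}


def load_rules(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def review_rules(rules, today):
    """Return (rule_id, finding) pairs for allow rules that fail a baseline check."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # deny rules do not open exposure; nothing to justify
        if r["src"] == "any" and r["dst"] == "any" and r["port"] == "any":
            findings.append((r["id"], "permit any/any/any"))
        if r["port"] in ADMIN_PORTS and r["src"] == "any":
            findings.append((r["id"], f"admin port {r['port']} open from any source"))
        if r["expires"] and date.fromisoformat(r["expires"]) < today:
            findings.append((r["id"], f"expired on {r['expires']} but still enabled"))
        if int(r["hits_90d"]) == 0:
            findings.append((r["id"], "no traffic in 90 days; candidate for removal"))
    return findings


def review_record(findings, reviewer, today):
    """Build the evidence an examiner asks for: who reviewed, when, and what was found."""
    lines = [f"Firewall rule review {today.isoformat()} by {reviewer}",
             f"Rules flagged: {len({rule_id for rule_id, _ in findings})}"]
    for rule_id, finding in findings:
        lines.append(f"  rule {rule_id}: {finding}")
    return "\n".join(lines)


def run_review(today_iso, rules_text=SAMPLE_RULES):
    """Convenience wrapper: review the ruleset as of the given ISO date."""
    return review_rules(load_rules(rules_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    review_date = date(2024, 4, 1)
    print(review_record(run_review(review_date.isoformat()), "network admin", review_date))
```

Against the constructed ruleset, rule 10 (443 into the internal range, actively used) passes, rule 20 is flagged for being any/any/any and unused, rule 30 for having expired, and rule 40 for exposing SSH from any source without any traffic to justify it; the deny rule is skipped. The printed record is what gets filed as proof that the quarterly review was performed.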
Elevated privileges are monitored:
It may sound obvious that institutions must monitor the activities performed by administrator accounts, but many institutions miss this control. For critical systems, administrator activity should at minimum be logged and periodically reviewed. At the network and operating-system level, there are many tools that can alert whenever an administrator makes a change. Within other critical applications this can be harder, because the application may log administrator actions only in limited detail; in that case the review has to work with whatever audit trail the application does provide. Remember again to not only implement this control, but also to record when the monitoring review is actually completed.
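What "administrator activity is recorded and periodically reviewed" looks like in practice, as an added example that is not from the original post or from Bedel Security: a Python script that parses sudo entries from a Linux auth.log, flags the events a reviewer should look at (escalation by an account that is not on the approved administrator list, failed sudo authentication, interactive root shells where the individual commands are not logged, and account or privilege changes), and summarises them per account. The log lines follow sudo's default syslog format but are constructed for illustration, and the approved-administrator list is an assumption standing in for the institution's own access list.

```python
"""Review elevated-privilege activity from sudo log lines.

Added example; the log excerpt is constructed in sudo's syslog format and the
approved-administrator list is an assumption for illustration.
"""
import re
from collections import Counter

# Constructed sample auth.log excerpt.
SAMPLE_LOG = """\
Mar 14 09:12:01 core01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 14 09:40:17 core01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 14 10:02:45 core01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -m -G sudo svc_backup
Mar 14 10:03:10 core01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd svc_backup
Mar 14 22:15:33 core01 sudo: svc_backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tar -czf /tmp/etc.tgz /etc/shadow
Mar 14 22:16:02 core01 sudo: svc_backup : 3 incorrect password attempts ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

APPROVED_ADMINS = {"alice", "bob"}  # assumption: taken from the institution's access list
# Commands that hand the user an interactive root shell; sudo logs the shell,
# not what is typed inside it, so these need a closer look.
SHELL_COMMANDS = {"/bin/bash", "/bin/sh", "/usr/bin/su", "/bin/su"}
# Binaries that change accounts or privileges on the host.
ACCOUNT_CHANGE = {"useradd", "usermod", "userdel", "passwd", "visudo", "groupadd"}

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?P<body>.*?)TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(text):
    """Extract sudo events; non-sudo lines and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review_privileged_activity(events):
    """Return (user, reason, command) triples a reviewer should examine."""
    findings = []
    for e in events:
        user, cmd = e["user"], e["cmd"]
        binary = cmd.split()[0]
        if user not in APPROVED_ADMINS:
            findings.append((user, "escalation by account not on approved admin list", cmd))
        if "incorrect password" in e["body"]:
            findings.append((user, "failed sudo authentication", cmd))
        if binary in SHELL_COMMANDS:
            findings.append((user, "interactive root shell (commands inside not logged)", cmd))
        if binary.rsplit("/", 1)[-1] in ACCOUNT_CHANGE:
            findings.append((user, "account or privilege change", cmd))
    return findings


def summarize(findings):
    """Count findings per account for the review record."""
    return dict(Counter(user for user, _, _ in findings))


def run_review(text=SAMPLE_LOG):
    """Convenience wrapper used by the example and the review record."""
    return review_privileged_activity(parse(text))


if __name__ == "__main__":
    results = run_review()
    print("Elevated privilege review, findings per account:", summarize(results))
    for user, reason, cmd in results:
        print(f"  {user}: {reason}: {cmd}")
```

Against the constructed excerpt, alice's service restart is routine and produces nothing, her root shell and bob's two account changes are flagged for review, and svc_backup is flagged twice because it is not an approved administrator and because one of its sudo attempts failed. Running this over the quarter's logs and filing the output with the reviewer's name and date satisfies the "record that the monitoring was completed" half of the control.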
If your institution is finding it difficult to complete the CAT or having problems implementing the required CAT controls, please contact us at support@bedelsecurity.com. We can often provide the guidance and expertise to help make CAT compliance simple!
Additional Resources:
Awareness: Understand the Options for Maturing Your Cybersecurity
https://www.bedelsecurity.com/blog/awareness-understand-the-options-for-maturing-your-cybersecurity
Five Tips for a Healthy CAT Experience
https://www.bedelsecurity.com/blog/five-tips-for-a-healthy-cat-experience