Last week, the Federal Financial Institutions Examination Council (FFIEC) announced an update to its Cybersecurity Resource Guide. The guide was originally released in 2018 as a resource to help institutions continue to strengthen their cybersecurity resilience. This update adds resources for the most prevalent risk today: ransomware.
Many of our customers asked whether there is a new requirement, or any update required to their program, as a result of this publication. As far as we can tell, the short answer is no. This assumes that you have completed the CSBS Ransomware Self-Assessment Tool (R-SAT) released in late 2020. We have not yet seen a requirement for the R-SAT to be performed annually if you have tracked or closed any gaps it noted.
There are, however, a few tools listed in the guide that I think are worth reviewing and could be helpful in refreshing your program. These include:
- CIS Benchmarks: If you're deploying new systems or reviewing configurations annually, these are very helpful in ensuring systems are configured securely. Just be sure to test the benchmark settings before deploying them, so the configurations don't interfere with the functionality needed for day-to-day operations.
- Incident Scenarios and Questions: Having trouble coming up with new tabletop scenarios or discussion questions? The guide includes some well-thought-out scenarios and discussion questions to help refresh your tabletop exercise and guide the discussion. Check out the section called Exercises, specifically the FDIC Cyber Challenge and the FS-ISAC Exercises.
- Information Sharing: Many of the institutions we work with are working through the Cybersecurity Assessment Tool (CAT) or Automated Cybersecurity Evaluation Toolbox (ACET) and struggle with the information sharing requirements. The requirement is to have a formal process for sharing threat and vulnerability information with other entities. Several free sources for this sharing are listed in the Information Sharing section to get the process started.
- NIST CSF Assessment: It seems there are always strong feelings about NIST's Cybersecurity Framework; some love it and strive to achieve it, and others tense up at the mention of it. If you're one who tenses up, I apologize! Love it or hate it, it's here to stay, as much of the FFIEC guidance follows and points to NIST. This may be a good tool to map your program against and shore up any controls you may be missing.
- CISA Ransomware Guide: This is a two-part series that lists ransomware prevention best practices and provides a detailed response guide. Both parts are very well detailed, and the response guide would make a great ransomware response playbook.
Below is a link to the updated guide. Happy hunting!
https://www.ffiec.gov/press/pdf/FFIECCybersecurityResourceGuide2022ApprovedRev.pdf