Configuration Management

Financial institutions overseen by the Federal Financial Institutions Examination Council (FFIEC), National Credit Union Administration (NCUA), and Federal Deposit Insurance Corporation (FDIC) are required to implement robust configuration management programs.

Here are the key requirements and expectations:

Device and Software Inventory

Detailed and Accurate Device Inventory

Institutions must maintain a comprehensive inventory of all hardware devices. This includes tracking details such as device types, locations, and statuses.

Software Inventory

A complete and up-to-date inventory of all software applications must be maintained. This includes identifying where each software application is installed and ensuring that only authorized software is present on the network.

Identification and Alerts

Software Installation Tracking

Institutions must be able to identify where software has been installed and where it has not. This helps ensure that all required software is deployed across the organization.

Violation Alerts

A mechanism must be in place to alert the institution to any violations, such as missing critical software updates or the presence of unauthorized software. This supports prompt identification and remediation of security gaps.

Standardized Configurations

Standardized Endpoint Configurations

Institutions must implement standardized configurations for all endpoints (e.g., desktops, laptops, servers) to ensure uniformity and security.

Configuration Identification

The configurations assigned to each device must be clearly identified and documented. This includes maintaining records of configuration settings and profiles.

Automated Deviation Notifications

An automated system should be in place to detect and notify IT staff of any deviations from the standardized configurations. This ensures timely corrective actions to maintain compliance and security.

Though each institution will likely use commercially available configuration management tools to generate baselines, the Integrated Risk Management (IRM) platform offers the capabilities required for comprehensive gap analysis, reporting, and ongoing oversight. These capabilities help institutions meet regulatory requirements and maintain a secure and compliant IT environment. The IRM platform provides automated notification of any deviations and supports continuous monitoring to keep institutions informed and within compliance.

These requirements ensure that financial institutions can maintain a secure and compliant IT environment, protecting sensitive data and adhering to regulatory standards.