Pub. 14 2019-2020 Issue 2

WWW.NEBANKERS.ORG

TECH TALK

Quarterly Firewall Audits: What Do I Need to Do?

Jeff Dice, Information Security Consultant - SBS CyberSecurity, LLC

Meeting the Baseline Requirement

When financial institutions are working on their FFIEC Cybersecurity Assessment, there are a few Baseline declarative statements that everyone seems to struggle with. One of the most common controls that causes confusion is “Firewall Rules are audited or verified at least quarterly.” What does this control mean, and what should you do to meet this baseline requirement?

FFIEC CAT: Firewall Rules Audited or Verified At Least Quarterly

The FFIEC Cybersecurity Assessment Tool (CAT) was originally released in June of 2015 and updated in May of 2017. It establishes a single process for banks to identify their Cybersecurity Risk and Maturity level. The Quarterly Firewall Audit control is a Detective control that falls under Domain 3: Cybersecurity Controls. It is considered a Baseline standard,