With all eyes focused on AI regulations and the sunset of the Cybersecurity Assessment Tool (CAT), the recently released FFIEC Development, Acquisition, and Maintenance (DA&M) booklet has almost slid under the radar. However, this new booklet is a complete rewrite of the 2004 guidance and brings with it almost 20 years of changes, making it critical for financial institutions to understand what the guidance entails and how it impacts their IT programs.
While the DA&M booklet itself is probably the most technical ever published, I want to dig into two key areas today: Information Technology Asset Management (ITAM) and User Access Management (UAM). Both ITAM and UAM are critical for ensuring a secure and well-managed IT environment, but they come with new expectations.
What Has Changed?
The new guidance places a much stronger emphasis on comprehensive Information Technology Asset Management. ITAM is now mentioned 24 times in this booklet. The term wasn’t in the previous version at all. The booklet defines ITAM using NIST terminology and states that ITAM “refers to a set of policies and procedures that an organization uses to track, audit, and monitor the state of its IT assets and maintain system configurations.”
We can understand that part. IT Asset Management is how you track and monitor everything. It’s what we’ve done for years. But the new booklet calls for you to think beyond your traditional IT assets and systems.
The guidance also expands ITAM’s scope, stating that financial institutions “must have an inventory of all systems and components (including open-source software, proprietary APIs, container images, and related licenses).” Not only that, but every component needs to be included in access authentication and authorization controls throughout the supply chain to ensure security.
This comprehensive view of asset management highlights the growing complexity of the IT environments financial institutions must oversee and emphasizes the need to identify, monitor, and protect every single asset. Essentially, you cannot protect what you do not know exists.
Why It Matters: Examiners Will Be Looking
With an increase in attacks targeting third-party service providers, the supply chain, and internal threats, examiners will be paying closer attention to how financial institutions are managing their IT assets and access controls. The Examiner Procedures in the back of the booklet give us some ideas as to what they are expected to look for:
- A Complete Asset Inventory: This includes everything from applications and hardware to software components, APIs, configurations, licenses, and data storage locations.
- Access Management Practices: Institutions need to demonstrate that they have robust processes for managing who has access to what – particularly in areas like off-boarding users, securing third-party systems, and ensuring privileged access is tightly controlled.
- Integration of ITAM with UAM Programs: The booklet repeatedly emphasizes the need to align IT asset management with your User Access Management (UAM) program. Each asset’s access controls should be regularly reviewed and adjusted based on changes in roles, risks, or the asset’s lifecycle stage.
Also, just as a tip, if you ever want the test answers, jump to the back! All updated booklets have the examiner procedures listed.
What’s the Risk?
Access management is a core component of ensuring the security and integrity of a financial institution’s IT environment. Weak or inappropriate access controls can lead to unauthorized access, data breaches, and, ultimately, loss of trust and reputation. “Inappropriate access controls” is the first risk identified under the booklet’s “Risks Related to APIs” section, but this concern extends far beyond just APIs. Access control issues exist in every area where sensitive data is stored or processed.
According to the FFIEC, “Management should provide current access and authentication lists and appropriate controls to minimize the potential for insider threats as entities develop and acquire systems and components.” This is a critical reminder that both internal and external access points need to be consistently monitored and reviewed.
In addition, the guidance warns that “attackers often exploit a third-party service provider’s supply chain to access multiple other victim businesses for subsequent attacks.” We’ve seen this be the case. Without strong authentication and authorization measures, banks risk becoming vulnerable to supply chain attacks that can quickly spiral out of control.
Practical Changes You Can Implement
To prepare for these changes and reduce the risk of non-compliance, community financial institutions should consider the following steps:
- Establish an Information Technology Asset Inventory: Finosec calls this the System Inventory Map. This single source of truth for all your IT assets allows you to track not only what exists but also its state, usage, and associated access controls. This list should include all applications, software components, development sites, and all third-party integrations.
- Enhance Your Access Review Program: Ensure that each asset is tied to your access management policies. Regularly audit permissions, particularly for privileged users and whenever roles change. With Finosec’s Governance 360 platform, the Access Management module can help streamline this process, making it easier to identify any potential gaps.
- Implement Strong Off-Boarding Procedures: Design a robust process for decommissioning assets and revoking access for employees and third-party providers. The new guidance specifically calls out this area as a point of weakness, making it crucial to have documented steps for every stage of the asset lifecycle.
- Integrate ITAM with UAM: Your IT Asset Management and User Access Management programs should not operate in silos. Ensure your access management policies are aligned with your asset inventory, so every asset has appropriate controls, and every change is documented and reviewed.
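The four steps above boil down to one recurring reconciliation: line up the asset inventory against the access list and the HR roster and look for the gaps the booklet calls out. The Python script below is an added example written for this post; it is not part of Finosec’s Governance 360 and not taken from the FFIEC booklet. The inventory records, access entries and roster are constructed sample data, and the field names, the lifecycle values, and the 90-day review interval for privileged access are assumptions you would replace with your own.

```python
from datetime import date, timedelta

# Constructed sample data for this example (not from the booklet or from any
# real institution). Field names and lifecycle values are assumptions.
INVENTORY = [
    {"asset_id": "core-banking", "type": "application", "owner": "it-ops", "lifecycle": "production"},
    {"asset_id": "wire-api", "type": "proprietary API", "owner": "payments", "lifecycle": "production"},
    {"asset_id": "report-svc:2.3", "type": "container image", "owner": "", "lifecycle": "production"},
    {"asset_id": "legacy-loan", "type": "application", "owner": "lending", "lifecycle": "retired"},
]

ACCESS = [
    {"user": "alice", "asset_id": "core-banking", "privileged": True, "last_reviewed": date(2024, 1, 10)},
    {"user": "bob", "asset_id": "wire-api", "privileged": False, "last_reviewed": date(2024, 9, 1)},
    {"user": "carol", "asset_id": "legacy-loan", "privileged": False, "last_reviewed": date(2024, 9, 1)},
    {"user": "vendor-svc", "asset_id": "batch-ftp", "privileged": True, "last_reviewed": date(2024, 9, 1)},
    {"user": "dave", "asset_id": "core-banking", "privileged": False, "last_reviewed": date(2024, 9, 1)},
]

# HR roster: who is still an active employee or active third-party account.
ROSTER = {
    "alice": "active",
    "bob": "active",
    "carol": "active",
    "dave": "terminated",
    "vendor-svc": "active",
}


def reconcile(inventory, access, roster, as_of, review_interval_days=90):
    """Cross-check the ITAM inventory against the UAM access list and roster.

    Returns a dict of finding categories; each value is a sorted list that
    identifies the offending (user, asset) pair or asset id.
    """
    by_id = {a["asset_id"]: a for a in inventory}
    findings = {
        "unknown_asset": [],             # access granted to something ITAM does not track
        "inactive_user_access": [],      # off-boarding did not revoke access (or user not on roster)
        "overdue_privileged_review": [], # privileged entitlement not reviewed within the interval
        "retired_asset_access": [],      # decommissioned asset still carries entitlements
        "missing_owner": [],             # inventory record has no accountable owner
        "no_recorded_access": [],        # live asset with no access controls on file
    }
    review_cutoff = as_of - timedelta(days=review_interval_days)
    assets_with_access = set()

    for entry in access:
        pair = (entry["user"], entry["asset_id"])
        assets_with_access.add(entry["asset_id"])
        asset = by_id.get(entry["asset_id"])
        if asset is None:
            # You cannot protect what you do not know exists.
            findings["unknown_asset"].append(pair)
            continue
        if roster.get(entry["user"]) != "active":
            findings["inactive_user_access"].append(pair)
        if entry["privileged"] and entry["last_reviewed"] < review_cutoff:
            findings["overdue_privileged_review"].append(pair)
        if asset["lifecycle"] == "retired":
            findings["retired_asset_access"].append(pair)

    for asset in inventory:
        if not asset["owner"]:
            findings["missing_owner"].append(asset["asset_id"])
        if asset["lifecycle"] == "production" and asset["asset_id"] not in assets_with_access:
            findings["no_recorded_access"].append(asset["asset_id"])

    return {name: sorted(items) for name, items in findings.items()}


if __name__ == "__main__":
    report = reconcile(INVENTORY, ACCESS, ROSTER, as_of=date(2024, 10, 1))
    for category, items in report.items():
        print(f"{category}: {items if items else 'none'}")
```

Each finding category maps to one of the examiner concerns above: an access entry for an asset missing from the inventory is the inventory gap, a terminated user still holding access is the off-boarding gap, and a retired asset with live entitlements is the lifecycle gap. Running the check on a schedule, and keeping the output with your access review evidence, is the kind of documented, repeatable review the integrated ITAM and UAM program is meant to produce.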
The Role of Governance 360 in Simplifying Compliance
Finosec’s Governance 360 solution is designed to support financial institutions in these areas. The System Inventory Map helps institutions build and maintain a comprehensive asset inventory, while the Access Management module provides the tools to manage, track, and review access controls for all systems. This combination ensures that financial institutions have a strong foundation to meet the new FFIEC guidance.
Looking Ahead
As your institution navigates these updates, it’s important to stay proactive. By focusing on developing a clear asset inventory and aligning it with robust user access controls, your institution will not only meet the new expectations but also be better prepared to protect against evolving cyber threats.
For more information on how Finosec’s platform can help your institution stay compliant, reach out to us today!