Align Your AWS Account with FFIEC Cybersecurity Standards
Ensure your AWS environment complies with FFIEC cybersecurity standards. This guide shows you how to check and enable required controls.
Companies in the banking and finance industry must adhere to high security standards since they are high-value targets for bad actors.
Industry-specific organizations like the Federal Financial Institutions Examination Council (FFIEC) have established guidelines to help companies ensure compliance with applicable laws and regulations.
In this guide, we’ll show you how to check if your AWS account adheres to the cybersecurity standards set forth by the FFIEC using automations in Blink.
Established in 1979, the Federal Financial Institutions Examination Council (FFIEC) is a U.S. government interagency body of five organizations working together to ensure the safety and soundness of the banking system.
The FFIEC coordinates common standards for banks and develops uniform guidelines and examinations for all financial institutions. It also releases tooling, like the Cybersecurity Assessment Tool (CAT), to help financial institutions evaluate their cybersecurity risk and develop appropriate controls. The CAT is a document that provides a framework and guidance, but it does not interactively assess an AWS account for compliance.
An audit of an organization's AWS environment is a critical part of meeting FFIEC expectations. AWS provides the tools and services financial institutions need to adhere to FFIEC guidance, but under the shared responsibility model each organization must verify that its own configuration meets the specific requirements.
AWS publishes an "Operational Best Practices for FFIEC" conformance pack for AWS Config that maps each FFIEC control ID to one or more AWS Config managed rules, together with guidance on what each rule checks.
Here are some examples of controls that organizations using AWS must follow to meet the FFIEC guidelines:
For each of these controls, one or more AWS Config rules may apply to your organization, depending on the guidance and on which services you use.
Manually checking whether every EBS volume is encrypted, whether any EC2 instance exposes a public IP address, or whether your IAM account password policy meets the required minimums could take days or weeks across many accounts and regions.
If you want to check your AWS environment for compliance quickly, you can use automation to get a comprehensive report based on these controls.
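As an added illustration of what such an automated check does under the hood, the following script (written for this page, not Blink's automation or AWS's conformance pack) evaluates the three checks named above: unencrypted EBS volumes, EC2 instances with a public IP, and a weak IAM account password policy. The check functions take the response dictionaries that boto3's `describe_volumes`, `describe_instances` and `get_account_password_policy` return, so they can be tested offline against the constructed sample data at the bottom; `collect_from_aws()` wires them to a live account. The password-policy thresholds are assumptions modeled on the defaults of the AWS Config `iam-password-policy` managed rule and should be set to your institution's own standard.

```python
"""Evaluate three FFIEC-relevant AWS checks against API response data.

Added example; not Blink's or AWS's code. Response shapes follow boto3's
describe_volumes, describe_instances and get_account_password_policy.
"""
from dataclasses import dataclass

# Assumed thresholds (modeled on the iam-password-policy Config rule
# defaults); adjust to your own policy.
MIN_PASSWORD_LENGTH = 14
MIN_REUSE_PREVENTION = 24
MAX_PASSWORD_AGE_DAYS = 90
REQUIRED_FLAGS = (
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "RequireSymbols",
    "RequireNumbers",
)


@dataclass(frozen=True)
class Finding:
    check: str      # name of the check, mirroring the AWS Config rule name
    resource: str   # resource identifier, or "account" for account-wide settings
    detail: str


def unencrypted_volumes(describe_volumes_resp):
    """Findings for EBS volumes whose 'Encrypted' flag is not True."""
    return [
        Finding("ebs-volume-encrypted", v["VolumeId"], "volume is not encrypted")
        for v in describe_volumes_resp.get("Volumes", [])
        if not v.get("Encrypted", False)
    ]


def public_ip_instances(describe_instances_resp):
    """Findings for EC2 instances that carry a public IPv4 address."""
    out = []
    for reservation in describe_instances_resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            ip = inst.get("PublicIpAddress")
            if ip:
                out.append(Finding("ec2-instance-no-public-ip", inst["InstanceId"], f"public IP {ip}"))
    return out


def weak_password_policy(policy_resp):
    """Findings for each password-policy setting below the assumed minimum.

    policy_resp is the get_account_password_policy response, or None when the
    API raised NoSuchEntity (the account has no password policy at all).
    """
    if policy_resp is None:
        return [Finding("iam-password-policy", "account", "no account password policy is set")]
    p = policy_resp["PasswordPolicy"]
    out = []
    length = p.get("MinimumPasswordLength", 0)
    if length < MIN_PASSWORD_LENGTH:
        out.append(Finding("iam-password-policy", "account",
                           f"MinimumPasswordLength={length}, need >= {MIN_PASSWORD_LENGTH}"))
    reuse = p.get("PasswordReusePrevention", 0)
    if reuse < MIN_REUSE_PREVENTION:
        out.append(Finding("iam-password-policy", "account",
                           f"PasswordReusePrevention={reuse}, need >= {MIN_REUSE_PREVENTION}"))
    # MaxPasswordAge is only present when expiry is enabled; absent means passwords never expire.
    if not p.get("ExpirePasswords", False) or p.get("MaxPasswordAge", 0) > MAX_PASSWORD_AGE_DAYS:
        out.append(Finding("iam-password-policy", "account",
                           f"MaxPasswordAge={p.get('MaxPasswordAge')}, need expiry <= {MAX_PASSWORD_AGE_DAYS} days"))
    for flag in REQUIRED_FLAGS:
        if not p.get(flag, False):
            out.append(Finding("iam-password-policy", "account", f"{flag} is not required"))
    return out


def evaluate(volumes_resp, instances_resp, policy_resp):
    """Run all three checks and return the combined list of findings."""
    return (unencrypted_volumes(volumes_resp)
            + public_ip_instances(instances_resp)
            + weak_password_policy(policy_resp))


def collect_from_aws(region):
    """Live collection for one region; boto3 is imported here so the checks above run without it."""
    import boto3
    from botocore.exceptions import ClientError
    ec2 = boto3.client("ec2", region_name=region)
    iam = boto3.client("iam")
    volumes = {"Volumes": [v for page in ec2.get_paginator("describe_volumes").paginate()
                           for v in page["Volumes"]]}
    instances = {"Reservations": [r for page in ec2.get_paginator("describe_instances").paginate()
                                  for r in page["Reservations"]]}
    try:
        policy = iam.get_account_password_policy()
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchEntity":
            raise
        policy = None
    return evaluate(volumes, instances, policy)


# Constructed sample responses (not real account data) for offline use.
SAMPLE_VOLUMES = {"Volumes": [{"VolumeId": "vol-0a1", "Encrypted": True},
                              {"VolumeId": "vol-0b2", "Encrypted": False}]}
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-01", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-02", "PrivateIpAddress": "10.0.1.5"}]}]}
SAMPLE_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True, "RequireSymbols": False, "RequireNumbers": True,
    "ExpirePasswords": True, "MaxPasswordAge": 90, "PasswordReusePrevention": 24}}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_VOLUMES, SAMPLE_INSTANCES, SAMPLE_POLICY):
        print(f"{f.check:28} {f.resource:10} {f.detail}")
```

Against the sample data this reports four findings: one unencrypted volume, one instance with a public IP, and two password-policy gaps (length below 14 and symbols not required). A real run would need to loop over every region and every account in the organization, and the fetch step needs credentials with only the read-only `ec2:Describe*` and `iam:GetAccountPasswordPolicy` permissions; the scan itself should run under least privilege just like anything else in the environment.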
With one automation in Blink, you could quickly scan your AWS environment to check your FFIEC compliance against the controls and generate reports with the findings.
When this automation runs, it executes the following steps:
You could set this automation to run weekly, monthly, or quarterly so you can validate that you are maintaining your compliance over time.
You may also have other compliance checks you need to run beyond the Federal Financial Institutions Examination Council guidelines. What about SOC 2, ISO 27001, or PCI DSS compliance?
There are over 7K pre-built automations in the Blink Library that make it easy to gauge your environments against industry standards.
To start streamlining your compliance and security checks today, you can get started by signing up for a guided demo of Blink.
Blink is secure, decentralized, and cloud-native. Get modern cloud and security operations today.