Compliance

Compliance Overview

Cyber compliance has become a hot topic, especially in banking. Government guidelines such as the FFIEC CAT and the 20 Critical Security Controls have become industry standards and are required for customer confidence. To decrease the required workload, the DefenseStorm GRID contains policy sections for the FFIEC CAT, the 20 Critical Security Controls, and custom policies. While the 20 Critical Security Controls and custom policies are good options, completing the FFIEC CAT provides a strong foundation for all network compliance.

The Compliance homepage displays a dashboard with useful graphs and insight into your network security and how it relates to your policies. Incident Statistics shows the number of Active and Triaged incidents, the number closed immediately, and the average time before incidents are closed. Incidents is a customizable donut graph that shows comparisons and percentages for incidents matching the criteria you specify.


Creating a Policy

To create a policy, select Policies from the top navigation and choose one of the following:

  • FFIEC (recommended)
  • Custom Policies (internal policies not tied to the FFIEC)
  • Critical Security Controls for Effective Cyber Defense (extra defense)


FFIEC CAT

The FFIEC CAT has two main sections, Risk Profile and Maturity Evaluation. The Risk Profile section determines your risk (high or low). The Maturity Evaluation section determines how ready you are to deal with those risks. While you can complete the FFIEC CAT in any order, the guidelines are written with the Risk Profile completed first.

Risk Profile

This section of the FFIEC CAT determines your network infrastructure's risk. It is much shorter than the Maturity Evaluation, and the UI results are displayed instantaneously on the Results page.

Completing the Risk Profile Assessment

  1. Select Risk Profile to display the overview and begin your assessment.
  2. Select Category 1 > answer all questions. Repeat for categories 2 - 5.
  3. View your results. The profile count is the raw number of answers per category.

Maturity Evaluation

The Maturity Evaluation is more complex than the Risk Profile. Here are some helpful tips for completing it efficiently and accurately, and for producing strong reporting from it.

Answering Statements

The following options are available for each statement:

  • Yes
  • No
  • Yes (C): the statement is not met exactly, but a compensating control is in place. This option is best used together with added evidence, as described below.

Every answer in a maturity level has to be YES or YES (C) for that level to be compliant. For example, if every Baseline statement is marked YES or YES (C), but only 4 out of 5 Evolving statements are, you are considered Baseline compliant.
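The rule above can be checked mechanically when you export your answers. The following is an added example and not DefenseStorm GRID code; it assumes the five FFIEC CAT maturity level names (the page names only Baseline and Evolving; the rest are taken from the FFIEC CAT itself) and that levels are cumulative, so a level only counts once every level below it is fully met. The sample answers are constructed to match the page's own example.

```python
# Added example (not DefenseStorm GRID code): determines which FFIEC CAT maturity
# level a domain reaches, using the rule that every statement in a level must be
# answered Yes or Yes (C), and that levels build on one another (assumption from
# the FFIEC CAT, not stated on this page).
from typing import Dict, List, Optional, Tuple

# Maturity levels in ascending order. Baseline and Evolving appear on the page;
# the remaining names come from the FFIEC CAT.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Only these two answers count toward compliance; "No" or an unanswered
# statement (empty string) does not.
COMPLIANT_ANSWERS = {"Yes", "Yes (C)"}


def level_is_met(answers: List[str]) -> bool:
    """A level is met only when it has statements and all are Yes or Yes (C)."""
    return bool(answers) and all(a in COMPLIANT_ANSWERS for a in answers)


def achieved_level(domain: Dict[str, List[str]]) -> Optional[str]:
    """Return the highest level reached for one domain, or None.

    Evaluation stops at the first level that is not fully met, even if a
    higher level happens to be complete, because levels are cumulative.
    """
    achieved = None
    for level in LEVELS:
        if not level_is_met(domain.get(level, [])):
            break
        achieved = level
    return achieved


def compensating_statements(domain: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """List (level, statement index) pairs answered Yes (C).

    These are the statements that should carry a comment describing the
    compensating control, so the evidence report can show it to an auditor.
    """
    return [
        (level, i)
        for level in LEVELS
        for i, answer in enumerate(domain.get(level, []))
        if answer == "Yes (C)"
    ]


# Constructed sample matching the page's example: every Baseline statement is
# Yes or Yes (C), but only 4 of 5 Evolving statements are.
SAMPLE_DOMAIN = {
    "Baseline": ["Yes", "Yes (C)", "Yes", "Yes"],
    "Evolving": ["Yes", "Yes", "No", "Yes", "Yes"],
    "Intermediate": ["Yes", "Yes", "Yes"],  # complete, but does not count
}

if __name__ == "__main__":
    print("Achieved level:", achieved_level(SAMPLE_DOMAIN))
    print("Statements needing a compensating-control comment:",
          compensating_statements(SAMPLE_DOMAIN))
```

Running the block reports Baseline for the sample, even though the Intermediate answers are all Yes, and lists the single Yes (C) statement so you can confirm it has a comment attached before generating the evidence report.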

Evidence

Add proof to your statements. There are three forms of evidence, which can be combined or used alone. All forms of evidence can be selectively shown in reports.

  • Comment
    Information relevant to the statement. For example, if you select YES (C), you can explain, "I do x, y, and z instead."
  • Tasks
    Ability to assign a one-time job to somebody in order to comply with a statement.
  • Task Schedule
    A recurring task necessary to comply with a statement. For example, you can create a task schedule to create a report every quarter.

Adding Evidence

To add evidence, select the statement you want to add evidence for, and then choose to add/edit evidence. From the drop-down, select the type of evidence you would like to add: Comments, Tasks, or Task Schedules.

  • Comments: Select Comments > insert comments > click Save.
  • Tasks: Select Tasks > enter a title, owner, and description > click Create.
  • Task Schedules: Select Task Schedules > Fill out relevant information > click Create.
    Name: Your name
    Owner: Responsible party
    Description: What you want done
    Query: Search query that monitors events related to this policy.
    Schedule: When you want it done
    Policies: Current statement is added by default. You can add additional policies if desired.
    Tags: Terms you would use to search and/or organize.

Viewing / editing evidence

All evidence can be viewed, edited, and reported on. For auditing purposes, no tasks can be deleted, but they can be closed or marked invalid.

Viewing individual statement evidence

To view all evidence associated with a specific statement, navigate to the statement and select Show Evidence beneath it. This displays a drop-down list of all evidence added to the statement. To view a specific piece of evidence, click the line item with the evidence name.

Viewing Comprehensive Evidence

To view all tasks and task schedules, go to Tickets > Tasks (or Task Schedules). When you open a task or schedule created through FFIEC, you'll see the domain and control added as a policy to the task.

When a task schedule comes due, a task is created and displayed on the Tasks page.

Completing the Maturity Evaluation Assessment

  1. Select Maturity Evaluation to display the overview and begin your assessment in Domain 1.
  2. Answer each statement for all five domains and their subsequent factors.
  3. View Results.
    Results are separated by domain. To view comprehensive results, generate a Maturity Evaluation report.

FFIEC Reports

Generating FFIEC Reports

A major part of compliance is being able to prove it to external auditors. We assist by providing two report options: the FFIEC Report and the FFIEC Evidence Report.

FFIEC Report

This report provides detailed charts and graphical representations of your FFIEC results, along with an overview of the sections and what the charts represent. It works well for board meetings because it combines a foundation of information and explanations with critical security statistics.

FFIEC Evidence Report

This report is intended to show auditors proof of your compliance through the evidence you have added. Because security is key, you can select which sections are populated with evidence. The level of customization is as granular as providing evidence for a single control or as expansive as evidence for the entire report.

When you download the evidence report, it appears in your download list as a zip file containing all added evidence as well as a Word file of the entire report.

The report lists all evidence associated with each control. It does not provide overview information, explanations, graphs, or charts; it is strictly a list of evidence.


Custom and Critical Security Control Policies

Custom policies, and policies for the top 20 Critical Security Controls, can be created and enabled through the UI. These are good options for extra security, or for creating policies specific to your organization that are not tied to government regulations.

Create a custom policy

  1. Click the + sign at the top right side of the Policies page.
  2. Insert Name and Description.
  3. Click Add Policy.
  4. Once the policy is added, a window displays with the option to add Triggers, Incidents, Documents, and additional Control lines to the policy.

Activate / Deactivate Critical Controls Policy

  1. Go to Compliance > Policies.
  2. Scroll down to the Critical Security Controls for Effective Cyber Defense section.
  3. Select the desired policy.
  4. Choose either Active or Inactive status.

Adding a Trigger

  1. Go to Alerts > Triggers.
  2. Find and click the desired trigger.
  3. Click the pencil icon to edit the trigger.
  4. Scroll down to the Policy section. Click the drop-down arrow and add the desired policies.

Adding an Incident

  1. Go to Tickets > Incidents.
  2. Find and click the desired incident.
  3. Scroll down to the Policy section. Click the drop-down arrow and add the desired policies.

Adding a Document

  1. Go to Policy > Policies and click the desired policy.
  2. Select Documents to view a list of already added documents and the option to upload new ones.

Adding a Control

  1. Go to Policy > Policies and click the desired policy.
  2. Select Add Control, enter a title and description, and click Add Control to save.