Leveraging GRID for Compliance

By choosing DefenseStorm to help keep you safe, you’ve chosen to improve your ability to prove that compliance is a top priority. The newest updates to the GRID are designed to show compliance to auditors and network security to board members. With our newest additions to the GRID (FFIEC CAT in Policy, Tasks and Task Schedules, and a new Reporting section), we give you the tools to gather and present requested information efficiently and effectively.

To ensure efficient compliance, verify that your audit settings are properly set up by following our FAQ article, Windows Audit Log Recommendations. Audit settings allow us to track and gather data on all important aspects of your network. If they are not set up properly, we can't see the necessary log data from the Windows systems.

Potential Auditor Requests and How to Utilize the GRID

The following DefenseStorm best practices ensure your compliance with FFIEC guidelines while increasing efficiency, accuracy, verifiability, and ease of use. Each procedure lists the accompanying FFIEC statements that are met by completing the procedure. Please note that while changing the timeframes is allowed, doing so may also change your compliance with FFIEC.

Internal Audit: Document Requests

Part of your internal audit may be a substantial list of requested documents. Below is an example of a recommended process to help keep the documents organized within the GRID while providing an easily accessible audit document.

FFIEC Statements Met: D1.RM.Au.B.1 / D1.RM.Au.B.2 / D1.RM.Au.B.3

GRID Features: Tasks, Policy Reporting

Action, what do you do in the GRID? 

  1. Create a task with the title of your audit. For example, 'Internal Audit June 2018'. 
  2. Attach the FFIEC CAT policies to the task.
  3. Create a new task for each document request.
      Name the task exactly as shown on the request.
      Link the task to the master task, Internal Audit June 2018.
      Add FFIEC Policy D1.RM.Au.B.1.
  4. Once you have finished creating the new tasks, your master task looks something like this,
  5. Upload the requested document into each task, then close the task.
  6. Generate an FFIEC Evidence Report to get a zip file of all documents.
      Go to Policy > Generate FFIEC CAT Evidence Report.
      Check the boxes to include Answer, Comments, Tasks, and Attachments.
      Drill down and check only the box for D1.RM.Au.B.1.
  7. Download the FFIEC Evidence Report.
      Go to Reports > find the newly generated Evidence Report > download.
      This downloads a zip file that can be sent directly to auditors.

Ticket Review (Weekly)

FFIEC Statements Met: D3.DC.Ev.B.2 / D2.MA.Ma.B.1 / D2.MA.Ma.B.2 / D5.ER.Es.B.4 / D5.ER.Es.B.1

GRID Features: Tickets, Task Schedule, Reports

Query: app_name:"DefenseStorm Audit" category:ticket

Action, what do you do in the GRID?

  1. Create a task schedule as a weekly reminder to run a report showing all tickets.
      Include the query.
      Link the Task Schedule to the appropriate FFIEC Policies.
      Create a chart using the query. Below is an example chart showing tickets from the last 7 days.
  2. Add the chart to a template.
      This template could also include other cybersecurity metrics you need to run on a weekly basis, for example Tickets closed, Total Events, and Suspicious Event Spikes. Name it Weekly Cybersecurity Metrics.
  3. Generate the Weekly Cybersecurity Metrics template.
      *If you wish to view the log data of these events in addition to the statistical chart data, proceed to step 4.
  4. Go to the Events page and use the same query and timeframe; in this case, the last 7 days. From here you can download the CSV list of the log data.


Incident Response Plan Review (Annually)

FFIEC Statements Met: D2.MA.Ma.B.2 / D5.IR.Pl.B.1 / D5.IR.Pl.B.2 / D5.IR.Pl.B.3 / D5.IR.Pl.B.4

GRID Features: Task Schedule, Reports

Action, what do you do in the GRID?

  1. Create a task schedule with a 12-month frequency to review and update your Incident Response Plan.
  2. Link the Task Schedule to the FFIEC statements listed above.
  3. When the annual task is generated from the task schedule, upload the most recent version of the Incident Response Plan and assign it to the appropriate person for review.


VPN Connectivity (Weekly)

FFIEC Statements Met: D3.DC.Ev.B.3 / D3.PC.Im.B.1 / D3.PC.Im.B.2

GRID Features: Task Schedule, Reports

Query: app_name:fortigate subtype:vpn -category:alert taken_action:tunnel-up tunnel_type:ssl-tunnel

Action, what do you do in the GRID?

  1. Create a task schedule with a frequency of every 1 week.
      Include the query.
      Link FFIEC Policies to the schedule.
  2. Create a chart with the query listed above. Creating the chart lets you view the data in graphical format. To have a downloadable copy, you must add it to a template and generate the report.
  3. Add the chart to a template.
  4. Generate the report.
  5. To view all associated log data, go to the Events page and search using the query above.


Hardware Inventory (Monthly)

FFIEC Statement(s) Met: D1.G.Ov.B.3

GRID Features:  Task Schedule, Assets

Action, what do you do in the GRID?

  1. Make sure Assets in the UI are up to date.
  2. Create a task schedule as a reminder to generate a CSV of all Assets once a month.
      Link the schedule to the appropriate FFIEC statement(s).
  3. When the task generates, go to the Assets page and download a CSV of all Assets.
  4. Insert the generated CSV file into the task to verify completion and keep track of each monthly CSV.
      Make sure you have it linked to the appropriate policy so that when you generate an FFIEC Evidence Report, it shows all information and documents added to each task.


New Assets (Weekly)

FFIEC Statements Met: D1.G.IT.B.1 / D1.G.IT.B.4 / D3.DC.Ev.B.3

GRID Features: Assets, Task Schedule, Reports

Query: app_name:"defensestorm audit" category:asset

Action, what do you do in the GRID?

  1. Make sure your Asset list within the GRID is up to date. That includes either listing all assets as tracked, or removing them.
  2. Create a task schedule as a weekly reminder to run a report showing the new assets.
      Include the query.
      Link the schedule to the FFIEC policies.
  3. Create a chart using the query. Below is an example chart showing what assets have been added in the last 7 days.
  4. Add the chart to a template. This template could also include other metrics you need to run on a weekly basis, for example new users added and account lockouts. We can name it Weekly Metrics.
  5. Generate the Weekly Metrics template.
      *If you wish to view the log data of these events in addition to the statistical chart data, proceed to step 6.
  6. Go to the Events page and use the same query and timeframe; in this case, the last 7 days. From here you can download the CSV list of the log data.


Examples of Tasks/Task Schedules

The following list provides examples of useful Task Schedules. In the near future, this information will be included in the GRID UI as a library where you can pick and choose the applicable tasks and/or task schedules. 

Annual 3rd Party Information and Cybersecurity Audit
Annual 3rd Party Internal and External Penetration Test
Annual 3rd Party Internal and External Vulnerability Test
Annual Business Impact Analysis
Annual Critical Vendor Board Report
Annual Critical Vendor Review
Annual Disaster Recovery / Business Continuity Plan Review
Annual Disaster Recovery Test
Annual Incident Response Test 
Annual Information and Cyber Security and E-Services Policy Reviews
Annual Information and Cyber Security Report to Board
Annual Information and Cyber Security Training
Annual Information and Cyber Security Training - Board
Annual Information and Cybersecurity Risk Assessment
Annual Review of Incident Response Program
Annual Review of IT Policies
Annual Training Records
Annual User Access Reviews
Annual Vendor Management Policy Review
Annual Vendor Risk Assessment
Audit Tracking
BCP Management Contract
BCP/DR Tests
Bi-Annual IT Risk Assessment
Bi-Annual Topology Review
Cybersecurity Training Transcripts
Daily Backup Checks
End User Policy Annual Review
File Access Review
Firewall Edits (auto)
GPO Changes (auto)
Incident Response Plan Review
Internal Cybersecurity Awareness Communications
IT Annual Budget
Monthly Asset Inventory Report
Monthly Core Systems Report Review
Monthly DefenseStorm Monitoring 
Monthly Email Security Reports
Monthly End Point Protection Reports
Monthly Firewall Admin Activity (auto)
Monthly Firewall Reporting
Monthly Hardware Inventory Review
Monthly Incident Response to Board
Monthly Internal Vulnerability Scan
Monthly Patch Management Report Review 
Monthly RDP Logins (auto)
Monthly Software Review 
Monthly User Account Changes (auto)
Quarterly Employee Meeting Agenda
Quarterly Firewall Policy Review
Quarterly Information Security Report to Board
Quarterly Internal Vulnerability Scan Review
Quarterly Penetration Test
Quarterly Social Engineering Exercise
Quarterly Technology Committee Report
Software Installed  (auto)
Vendor Management
VPN Connections (auto)
VPN Failed Connections (auto)
Website Security Center
Weekly Active Directory Review (auto)
Weekly Admin Logins (auto)
Weekly Domain Host Changes (auto)
Weekly Firewall Changes (auto)
Weekly New Asset Report (auto)
Weekly Review New User Accounts Created (auto)
Weekly Ticket Review (auto)
Weekly VPN Connectivity (auto)
WIFI Monthly Backup