Using Technology to Meet Asset Management Requirements for FFIEC Regulations


The prior blogs in this series, listed at the bottom, have discussed the various regulations affecting CIOs and their IT organizations. The purpose of this plan was to understand the application and complexity of these regulations as they apply to technologies, so that we can evaluate technologies used to help teams satisfy these requirements. The purpose of this blog is to discuss several ways in which tooling and automation capabilities can be used to meet the asset management requirements of the FFIEC Operations Guide.

Financial institutions are regulated to be able to manage, secure, and audit their IT assets. They cover multiple product sets with different operating systems by nature, and are tasked to create a cohesive asset management framework. At Cisco, we work with these different groups and their deployments of best-in-class technologies. However, when we are dealing at the regulatory level, we need to step back from our traditional way of doing business and consider the bigger picture.

From the regulators' perspective, they don't care about how you manage and patch your data center switches.

And they don't care how you manage and patch your campus switches.

Or the load balancers.

Or virtual machines.

The regulatory bodies and senior leadership care about ALL of it. From the physical to the virtual, from the endpoint to the cloud. Thus a framework to be able to merge together different systems is fundamental to the role.

The IT administrators and their leadership are tasked with identifying, patching, and securing all of their network.

Here are two different approaches that help manage the assets across the breadth of the estate.

  1.  An enterprise-ready, multi-vendor, cross-architecture solution that's built on over a decade of doing this for service providers.
  2.  A functional code example of how current Cisco controller solutions can be pulled together at the API level to create a framework (from which other vendors can be included), to be able to ensure your knowledge of your span of control is up to date and can be assessed.

Using Cisco Business Process Automation

The first solution is Cisco's Business Process Automation (BPA). It is a scalable, microservices-based platform that is vendor AND controller agnostic. It is pre-integrated with Cisco NSO and Ansible and is capable of working with other Cisco and third-party orchestrators. It provides the ability to automate and monitor operating system automation and configuration compliance with golden images.

The benefit of this approach is that you can abstract the entirety of the span of control and work on provisioning consistent services securely. It provides an API which can allow for easy auditing of the entire breadth of the environment, from the physical to the virtual, including third parties. It supports multiple workflows to be able to manage a compliant infrastructure, from device onboarding with ZTP, handling asset management, and ensuring golden software and configurations are applied and compliant.

BPA allows us to incorporate the business logic and integrate change management with inventory management, to meet the organization's requirements and move to an Infrastructure as Code mode of operation. Its inherent support for multiple controllers fits in well with the requirements financial institutions have to support their existing infrastructure, including legacy and modern constructs.

Using Controllers and API-based Solutions

The second approach is to leverage a home-grown solution where a framework is created to be able to extract and monitor compliance of an entire estate in a multi-controller and multi-vendor world. This can be useful for organizations that already have in-house tooling or capabilities, and seek to manage their controllers at the API level.

We intend to show how this can be done practically using various Cisco hardware and software, and the framework would bolt in to any other third party and provide functional, easy-to-use code that can create a single asset management table for products in the Cisco portfolio.

We do this by integrating the below controller solutions into a single table which can be cross-referenced and then pushed into ServiceNow:

  • ACI
  • Multiple DNAC instances
  • Meraki
  • Intersight
  • Cisco SD-WAN

As of December 2022 it is executed in cloud-based DevNet sandboxes. There is also a reference on how this can be reconciled and pushed into ServiceNow (so that the system of record can be updated following software changes, or reconciled). The code to be able to do this is all functional, with the one exception being that you will need to provision a ServiceNow account or developer instance (and modify the authentication/URL).

This is functional code, which is easy to run against real sandbox environments, and can be validated and repurposed for your environment.

While we cannot control third-party products and how they integrate, the framework would allow for other equipment which supports REST API to create a state table for inventory asset management. The framework is rather simple: grab inventory from various systems using REST API, and normalize to a consistent list of all assets in those systems. From there, you can update ServiceNow or another system of record.

This process is discussed in greater detail in this blog, but the highlight is that it is easy to run (so easy a barista with no programming experience can do it!), and uses our cloud infrastructure to show the functional code and framework: Cross Domain Inventory Demo

The end result is a cross-domain inventory of multiple Cisco products and a framework for adding other vendors, into a consistent table of network state, which can be used to validate compliance. This can then be used to update your system of record (ServiceNow) with your system of truth, to ensure your documented state is up to date with your operational state.

Secondarily, the script uses an example of pushing into ServiceNow to show how to compare a system versus a system of record. In my example it uses ServiceNow as a system of record, and gets the current documented state from ServiceNow. It then does a Pandas SQL join to show the difference between the system and the system of record, and allows you to update the system of record (ServiceNow).

The same mechanics apply to comparing the system versus a list of golden images, validating software across all systems versus the golden images required.

Comparing current state versus ServiceNow

InventoryNotInSvcnow_df = theBigInventory.merge(svcnow_inventory_df, how='outer', indicator=True, left_on=["Hostname", "IP Address", "Model", "Version"], right_on=["name", "ip_address", "model_number", "firmware_version"]).loc[lambda x: x['_merge'] == 'left_only']

Comparing current state versus list of standard images (what is versus what we expect)

InventoryNonConformant_df = theBigInventory.merge(GoldenImages, how='outer', indicator=True, left_on=["Model", "Version"], right_on=["Model", "firmware_version"]).loc[lambda x: x['_merge'] == 'left_only']
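
The normalize-then-compare flow and both comparisons above, as an added example that is not the blog's own code: it uses only the Python standard library in place of the pandas merge, and goes one step further by separating assets that are missing from the system of record from assets whose record has drifted (the four-column merge reports both as left_only). The source names, controller field names and all sample records are constructed assumptions; only the ServiceNow and golden-image column names come from the merges above.

```python
from typing import NamedTuple

class Asset(NamedTuple):
    hostname: str
    ip: str
    model: str
    version: str

# Hypothetical controller field names (assumed); "servicenow" uses the page's merge columns.
FIELD_MAPS = {
    "controller_a": ("hostName", "mgmtIp", "platform", "swVersion"),
    "controller_b": ("name", "lanIp", "model", "firmware"),
    "servicenow": ("name", "ip_address", "model_number", "firmware_version"),
}

def normalize(source, records):
    """Map one source's records onto the common Asset shape, trimming whitespace."""
    keys = FIELD_MAPS[source]
    return [Asset(*(str(r.get(k, "")).strip() for k in keys)) for r in records]

def reconcile(inventory, documented):
    """Split live assets into undocumented ones and ones whose record drifted."""
    by_identity = {(d.hostname.lower(), d.ip): d for d in documented}
    missing, drifted = [], []
    for asset in inventory:
        record = by_identity.get((asset.hostname.lower(), asset.ip))
        if record is None:
            missing.append(asset)
        elif (record.model, record.version) != (asset.model, asset.version):
            drifted.append((asset, record))
    return missing, drifted

def non_conformant(inventory, golden):
    """Assets whose (model, version) pair is not an approved golden image."""
    approved = {(g["Model"], g["firmware_version"]) for g in golden}
    return [a for a in inventory if (a.model, a.version) not in approved]

# Constructed sample data: two controllers, a system of record, a golden list.
LIVE = normalize("controller_a", [
    {"hostName": "core-sw1", "mgmtIp": "10.0.0.1", "platform": "SW-A", "swVersion": "1.2.3"},
    {"hostName": "core-sw2", "mgmtIp": "10.0.0.2", "platform": "SW-A", "swVersion": "1.1.0"},
]) + normalize("controller_b", [
    {"name": "branch-ap1", "lanIp": "10.1.0.5", "model": "AP-B", "firmware": "4.0 "},
])
CMDB = normalize("servicenow", [
    {"name": "CORE-SW1", "ip_address": "10.0.0.1", "model_number": "SW-A", "firmware_version": "1.2.3"},
    {"name": "core-sw2", "ip_address": "10.0.0.2", "model_number": "SW-A", "firmware_version": "1.0.9"},
])
GOLDEN = [{"Model": "SW-A", "firmware_version": "1.2.3"}, {"Model": "AP-B", "firmware_version": "4.0"}]
```

Calling reconcile(LIVE, CMDB) gives the list to add to the system of record and the list of records to update, while non_conformant(LIVE, GOLDEN) gives the devices to bring onto an approved image.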

There are multiple ways to leverage Cisco products in a holistic method to meet FFIEC asset management requirements, via either the base API or by a complete turnkey solution (and different options in between). The next blog will cover how to use the different controller-based products to meet other areas of the regulatory requirements.

Prior Blogs

Introduction to Understanding FFIEC Regulations

FFIEC Cybersecurity Maturity Tool

The FFIEC's Architecture, Infrastructure, and Operations Book


