Using Technology to Meet Asset Management Requirements for FFIEC Regulations


The prior blogs in this series, listed at the bottom, have discussed the various regulations affecting CIOs and their IT organizations. The goal of that plan was to understand the application and complexity of these regulations as they apply to technologies, so that we can evaluate technologies used to help teams satisfy these requirements. The purpose of this blog is to discuss several ways in which tooling and automation capabilities can be used to meet the asset management requirements of the FFIEC Operations Guide.

Financial institutions are regulated to be able to manage, secure, and audit their IT assets. They cover multiple product sets with different operating systems by nature, and are tasked with creating a cohesive asset management framework. At Cisco, we work with these different groups and their deployments of best-in-class technologies. However, when we are dealing at the regulatory level, we need to step back from our traditional way of doing business and consider the bigger picture.

From the regulators' perspective, they don't care about how you manage and patch your data center switches.

And they don't care how you manage and patch your campus switches.

Or the load balancers.

Or virtual machines.

The regulatory bodies and senior leadership care about ALL of it. From the physical to the virtual, from the endpoint to the cloud. Thus a framework that can merge different systems together is fundamental to the role.

The IT administrators and their leadership are tasked with knowing, patching, and securing all of their network.

Here are two different approaches that help manage the assets across the breadth of the estate.

  1.  An enterprise-ready, multi-vendor, cross-architecture solution that's built on over a decade of doing this for service providers.
  2.  A functional code example of how existing Cisco controller solutions can be pulled together at the API level to create a framework (from which other vendors can be included), so that your knowledge of your span of control is up to date and can be assessed.

Using Cisco Business Process Automation

The first solution is Cisco's Business Process Automation (BPA). This is a scalable, microservices-based platform that's vendor AND controller agnostic. It's pre-integrated with Cisco NSO and Ansible and is capable of working with other Cisco and third-party orchestrators. It provides the ability to automate and monitor operating system automation and configuration compliance with golden images.

The benefit of this approach is that you can abstract the entirety of the span of control and work on provisioning consistent services securely. It provides an API which allows for easy auditing of the entire breadth of the environment, from the physical to the virtual, including third parties. It supports multiple workflows for managing a compliant infrastructure, from device onboarding with ZTP and handling asset management to ensuring golden software and configurations are applied and compliant.

BPA allows us to incorporate the business logic and integrate change management with inventory management, to meet the organization's requirements and move to an Infrastructure as Code mode of operation. Its inherent support for multiple controllers fits in well with the requirements financial institutions have to support their existing infrastructure, including legacy and modern constructs.

Using Controllers and API-based Solutions

The second approach is to leverage a home-grown solution where a framework is created to extract and monitor compliance of an entire estate in a multi-controller and multi-vendor world. This can be useful for organizations that already have in-house tooling or capabilities, and seek to manage their controllers at the API level.

We intend to show how this can be done practically using various Cisco hardware and software. The framework would bolt in to any other third party and provides functional, easy-to-use code that creates a single asset management table for products in the Cisco portfolio.

We do this by integrating the below controller solutions into a single table which can be cross-referenced and then pushed into ServiceNow:

  • ACI
  • Multiple DNAC instances
  • Meraki
  • Intersight
  • Cisco SD-WAN

As of December 2022 it's done in cloud-based DevNet sandboxes. There is also a reference on how this can be reconciled and pushed into ServiceNow (so that the system of record can be updated following software changes, or reconciled). The code to do this is all functional, with the one exception being that you will need to provision a ServiceNow account or developer instance (and modify the authentication/URL).

This is functional code, which is easy to run against real sandbox environments, and can be validated and repurposed in your environment.

While we can't control third-party products and how they integrate, the framework would allow other equipment that supports REST APIs to feed a state table for inventory asset management. The framework is fairly simple: capture inventory from various systems using REST APIs, and normalize it to a consistent list of all assets in those systems. From there, you can update ServiceNow or another system of record.

This process is discussed in greater detail in this blog, but the highlight is that it is easy to run (so easy a barista with no programming experience can do it!), and uses our cloud infrastructure to show the functional code and framework: Cross Domain Inventory Demo

The end result is a cross-domain inventory of multiple Cisco products, and a framework for adding other vendors, in a consistent table of network state, which can be used to validate compliance. This can then be used to update your system of record (ServiceNow) with your system of truth, to ensure your documented state is up to date with your operational state.

Secondarily, the script uses an example of pushing into ServiceNow to show how to compare a system versus a system of record. In my example it uses ServiceNow as the system of record, and gets the current documented state from ServiceNow. It then does a Pandas SQL join to show the difference between the system and the system of record, and allows you to update the system of record (ServiceNow).

The same mechanics apply to comparing the system versus a list of golden images, validating software across all systems versus the golden images required.

Comparing current state versus ServiceNow

InventoryNotInSvcnow_df = theBigInventory.merge(svcnow_inventory_df, how="outer", indicator=True, left_on=["Hostname", "IP Address", "Model", "Version"], right_on=["name", "ip_address", "model_number", "firmware_version"]).loc[lambda x: x["_merge"] == "left_only"]

Comparing current state versus list of standard images (what is versus what we expect)

InventoryNonConformant_df = theBigInventory.merge(GoldenImages, how="outer", indicator=True, left_on=["Model", "Version"], right_on=["Model", "firmware_version"]).loc[lambda x: x["_merge"] == "left_only"]
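
The normalize-then-compare flow behind the two merge statements above, as an added example that is not code from the original post or from the demo it links to. It uses plain Python sets instead of the pandas merge so it runs without dependencies, and it goes one step further than the post by also reporting records that exist only in the system of record. All records are constructed, and the controller field names and the helper names (`normalize`, `reconcile`, `run_demo`) are assumptions for illustration.

```python
# Added example: all records are constructed; the controller field names are
# assumptions standing in for each REST response.
FIELD_MAPS = {
    "dnac": {"Hostname": "hostname", "IP Address": "managementIpAddress",
             "Model": "platformId", "Version": "softwareVersion"},
    "meraki": {"Hostname": "name", "IP Address": "lanIp",
               "Model": "model", "Version": "firmware"},
}

def normalize(source, record):
    """Map one controller record onto the common inventory columns."""
    row = {col: str(record.get(field, "")).strip()
           for col, field in FIELD_MAPS[source].items()}
    row["Hostname"] = row["Hostname"].lower()  # case must not cause a mismatch
    row["Source"] = source
    return row

def asset_key(row):
    return (row["Hostname"], row["IP Address"], row["Model"], row["Version"])

def reconcile(inventory, cmdb, golden):
    """Compare operational state with the system of record and golden images."""
    live = {asset_key(r) for r in inventory}
    documented = {(c["name"].strip().lower(), c["ip_address"],
                   c["model_number"], c["firmware_version"]) for c in cmdb}
    return {
        "not_in_cmdb": sorted(live - documented),      # the post's left_only rows
        "cmdb_only": sorted(documented - live),        # documented, not observed
        "non_conformant": sorted(k for k in live if (k[2], k[3]) not in golden),
    }

DNAC = [{"hostname": "CORE-SW1 ", "managementIpAddress": "10.0.0.1",
         "platformId": "C9300-48P", "softwareVersion": "17.9.3"}]
MERAKI = [{"name": "branch-ap1", "lanIp": "10.1.0.5",
           "model": "MR46", "firmware": "29.5"}]
CMDB = [{"name": "core-sw1", "ip_address": "10.0.0.1",
         "model_number": "C9300-48P", "firmware_version": "17.9.3"},
        {"name": "old-fw1", "ip_address": "10.2.0.9",
         "model_number": "ASA5506", "firmware_version": "9.8.2"}]
GOLDEN = {("C9300-48P", "17.9.3"), ("MR46", "30.1")}

def run_demo():
    inventory = ([normalize("dnac", r) for r in DNAC]
                 + [normalize("meraki", r) for r in MERAKI])
    return reconcile(inventory, CMDB, GOLDEN)

if __name__ == "__main__":
    print(run_demo())
```

Because the comparison key includes the version, a device whose firmware changed since it was documented shows up in both `not_in_cmdb` and `cmdb_only`, which is the signal to update the system of record.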

There are multiple ways to leverage Cisco products in a holistic way to meet FFIEC asset management requirements, via either the base API or through a complete turnkey solution (and different options in between). The next blog will cover how to use the different controller-based products to meet other areas of the regulatory requirements.

Prior Blogs

Introduction to Understanding FFIEC Regulations

FFIEC Cybersecurity Maturity Tool

The FFIEC's Architecture, Infrastructure, and Operations Guide


