Skip to main content


Quarterly Firewall Audits: What Do I Need to Do?

Quarterly Firewall Audits: What Do I Need to Do?

When working with financial institutions on the FFIEC Cybersecurity Assessment Tool, there are a few Baseline declarative statements that everyone seems to struggle with. The most common “problem” control pertains to Data Flow Diagrams. SBS published a great Blog Post and Hacker Hour to help you understand those. The second most confusing CAT controls is “Firewall Rules are audited or verified at least quarterly.” What does this control mean, and what should you do to meet this baseline requirement?


FFIEC CAT: Firewall Rules Audited or Verified At Least Quarterly

The FFIEC Cybersecurity Assessment Tool (CAT) was originally released in June of 2015 and updated in May of 2017. The CAT establishes a single process for banks to identify their Cybersecurity Risk and Maturity level. The Quarterly Firewall Audit control is a Detective control that falls under Domain 3: “Cybersecurity Controls.” Quarterly Firewall Audit is a Baseline standard, meaning that if you aren’t able to answer yes, you will not meet the Baseline requirements for Domain 3. Additionally, the Quarterly Firewall Audit control ties back to the FFIEC Information Security Booklet, Page 46.

Unfortunately, the IS Booklet doesn’t give us much detail. It states, “Security operations activities can include the following: Security Software and Device Management (e.g., maintaining the signatures on signature-based devices and firewall rules.)” There is no other guidance or direction in the booklet, which furthers the confusion around this control.


Where to Start with Quarterly Firewall Audits

To better understand how to assess our firewalls, let’s start by asking a few basic questions. If you are unsure how to answer any of these questions, please make finding the answer a top priority. Work with your vendor(s) or IT department to answer these basic questions:

  • Do you have any idea what is happening on your firewall?
  • Do you receive reports on a regular basis from the firewall?
  • Who is administering your firewall, and do you have any control over this process?
  • What logs does your firewall generate, and how can you review those logs?


Things to Look for in Firewall Rules

Next, how do we audit firewall rules? If you only take one message from this blog post, let it be this: “Do something.” Start with some basic ideas and work forward from there. Below are six basic ideas to get you started:

  1. Evaluate your existing firewall change management procedures, ensuring all rule changes are logged, and procedures for making changes to the firewall rules or settings are adequate. Firewall change management procedures are especially important if your firewall is managed by a third party.
  2. Look for changes in current firewall rules vs. previous firewall rules. Has anything changed? If so, why? Were these changes tracked (see above)?
  3. Look for rules that seem out of place or odd. We’re talking about rules that are clearly out of place, like a rule allowing all traffic from a Russian IP address. If you don’t know enough about firewall rules to identify out-of-place rules, talk with a vendor or your IT department.
  4. Ensure you know why specific external IPs are being allowed by firewall rules. Resolve those specific IPs to be sure they are appropriate if they are being allowed.
  5. Look for hard coded passwords in rules. If there are passwords hard coded into firewalls rules, is there a need for such a rule? Could hard coding passwords be avoided? If not, has the password ever changed?
  6. Evaluate open ports and ensure there is a business need for those ports. Sometimes, certain communications require the use of specific ports in firewall rules. Is the need for these communications still applicable and current? Has the organization documented the need for these open ports and accepted the risk? If the open port is no longer needed, can the rule be removed?


As the Information Security Officer at your organization, you don’t have to have a complete knowledge of firewall configurations and reports to meet this Baseline CAT control. The key is to start with something. It’s nearly impossible to understand what is abnormal if you aren’t aware of what is normal. By regularly reviewing the items above, you will develop an understanding of what is normal. Once you’ve established normal, the key is to ensure you act on any deviations within the reports.

If you want to be able to answer “yes” to this baseline control honestly, you must develop a process for reviewing your firewall rules and/or having them tested. By reviewing the items above, you will go a long way towards creating that process.

Written by: Jeff Dice
Information Security Consultant
SBS CyberSecurity, LLC

SBS Resources:

  • {Solution} Cyber-RISKTM  FFIEC Cybersecurity Assessment Tool: Automate your FFIEC cybersecurity assessment with our web-based software solution, Cyber-RISK. This tool is based directly on FFIEC recommendations but goes beyond a simple spreadsheet. It is offered free of charge to any financial institution looking to efficiently complete their cybersecurity assessment.
  • {Service} IT Audit: If you are looking for assistance with firewall rule review and testing, SBS can help by reviewing your firewall rules from an IT Audit perspective or as a part of our comprehensive Network Security Audit.
  • {Service} Firewall Configuration Review: Assess the configuration and firmware in use on your institution's firewall device for common security misconfigurations.


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Security Manager


Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Monday, October 22, 2018
Categories: Blog