Firewall Review

FFIEC guidance calls for quarterly firewall policy audits or review. Significant network or rule changes may also warrant a firewall policy audit or review. NIST, PCI, HIPAA, and HITECH have similar requirements. We offer both quarterly and annual firewall reviews.

The Service

In today’s environments we often see the management of firewalls outsourced and all but forgotten by the institution. Most managed service providers are not conducting independent reviews of the managed firewall configuration or rules as part of the service agreement. A misconfiguration or undesirable rule will still affect your institution regardless of who’s managing it.

Rules are added but rarely removed once they are no longer relevant. Over time, stale rules add to management overhead and to possible security issues. In the old days, firewalls were overly permissive out of the box. While this is generally no longer the case, we still see firewalls configured to be wide open outbound so things will “just work,” going against established guidelines and best practices.

There are many reasons to perform regular firewall reviews, and all of them serve to better protect your IT infrastructure as well as meet regulatory requirements.

If you are not comfortable doing this internally, or would just like an extra set of eyes to review your firewall, let us know. We will be glad to help.

The Scope of Work

The scope of our Firewall Review is straightforward and includes the following:

  • Firewall Configurations
  • Firewall Log Management Configurations
  • Firewall Change Control Review
  • Firewall Policy Review

The Neovera Difference

Our experience with critical and sensitive infrastructures of financial institutions gives us unique knowledge for safely and efficiently maneuvering in these environments.

Our professionals have both Red-Team (attacker) and Blue-Team (defender) experience, resulting in more thorough evaluations and final result