In August, the FFIEC released new guidance titled “Authentication and Access to Financial Institution Services and Systems”. Because the guidance replaces the previous “Authentication in an Internet Banking Environment (2005)” and the “Supplement to Authentication in an Internet Banking Environment (2011)”, many institutions believe that the guidance just pertains to Internet Banking. But the new guidance goes far beyond that, and institutions will likely need to enhance their risk assessment process to comply.
The new guidance requires institutions to assess authentication and access risk for users of all information systems, not just Internet banking platforms. The new guidance also expands the definition of “users” to include employees, board members, third parties, service accounts, and devices. The goal of the guidance is to encourage institutions to identify areas across the enterprise where authentication or access controls are not strong enough based on the capabilities of the user.
To perform an assessment of users, an Authentication and Access Assessment will need to start with an enumeration of who the users are for all systems and what those users can do. This will be easier for institutions that already have implemented role-based security in their systems, as they should already have most of the user inventory already grouped by user type. Those who do not currently have a solid user review process will find it much more difficult to get started. Even institutions that do have good user review processes may find that they currently do not consider service accounts.
Once users are inventoried, the assessment of their authentication and access controls should be based on the risk of each type of user. The risk of unauthorized access will be inherently lower for an inquiry-only user of the training system than it will be for a network administrator, so the assessment should require more controls for the network administrator.
The controls that should be considered as part of this assessment go well beyond simple password complexity and the existence of multifactor authentication. Other controls that might impact the likelihood of unauthorized access that could be included are conditional access configurations (where can a user access from?) and access rules (do users get locked out? Are users displaying suspicious behavior blocked?). Transaction controls (dollar limits, positive pay, etc.) should also be considered, as they could lower the impact of unauthorized access. The appendix of the guidance includes a long list of controls that could be included in the assessment. While most risk assessments currently include assessment of these controls at some level, few do so at the user level.
Because of the broad scope of this guidance in terms of systems and controls, we recommend that institutions embed the Authentication and Access Assessment directly into their risk assessment to avoid performing redundant (and potentially conflicting) assessments. The challenge will be that most existing risk assessment solutions do not go as deep as assessing by user groups, so we see full implementation of this guidance taking some time across the industry. Many institutions will attempt to meet this guidance by doing a separate assessment until their risk assessment product catches up. If you have a product that you use to facilitate your risk assessments today, this is the time to start reaching out to the vendor to find out what their plans are for the inclusion of this new guidance.
If you feel that your current risk assessment process will not meet the requirements of the Authentication & Access guidance, shoot us an email at support@bedelsecurity.com. We are currently enhancing our CySPOT™ Risk Assessment to incorporate the new guidance. The CySPOT™ Risk Assessment is performed by Bedel Security staff using our proprietary system and is built on decades of experience with risk assessments in the financial services industry.
Additional Resources:
Inherent and Residual Risk
https://www.bedelsecurity.com/blog/inherent-and-residual-risk
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
The Most Underrated Control in Information Security
https://www.bedelsecurity.com/blog/the-most-underrated-control-in-information-security
IT Risk Assessment vs. Vendor Risk Assessment Simplified
https://www.bedelsecurity.com/blog/it-risk-assessment-vs.-vendor-risk-assessment-simplified