What is the FFIEC authentication and access to financial institution services?
Attachment: FFIEC Authentication and Access to Financial Institution Services and Systems Guidance (PDF)
The FFIEC was established in March 1979 to prescribe uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions.
What does FFIEC stand for?
The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, today issued guidance that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and information systems.
What are the additional resources in the FFIEC management guidance?
Management may refer to the appropriate FFIEC member issuances and resources referenced in the “Additional Resources” section of this Guidance to learn more about sound authentication and information technology risk management practices. This Guidance also contains references to other authentication risk management resources, including publicati...
How can technology support financial institution management’s Authentication risk assessment?
While the financial sector continues to expand the number of systems and services that require effective authentication, advances in technologies and control frameworks can support financial institution management’s risk assessment and selection of authentication controls.
What is FFIEC in banking?
WASHINGTON, D.C. – The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, today issued guidance that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and information systems.
What is the CFPB?
The Consumer Financial Protection Bureau (CFPB) is a 21st century agency that helps consumer finance markets work by making rules more effective, by consistently and fairly enforcing those rules, and by empowering consumers to take more control over their economic lives. For more information, visit www.consumerfinance.gov.
What is the new FFIEC guidance?
New FFIEC guidance highlights authentication and access risk management principles, with a focus on digital banking systems and financial institution information systems; it is not intended to provide a comprehensive risk management framework.
What are practices and controls expected to evolve as cyber threats evolve?
Practices and controls are expected to evolve as cyber threats evolve; controls applied under a layered security approach allow the severity of security measures to increase with identified levels of risk across users, services, or customers.
What is the purpose of the FFIEC assessment tool?
The FFIEC members issued a voluntary Cybersecurity Assessment Tool to help institution boards and management identify risks to their institutions and evaluate their institution’s cybersecurity preparedness. In addition, there are other resources available to help management develop and evaluate information security and cyber resilience, such as the NIST Cybersecurity Framework, common approaches developed by the Mitre Corporation, and the U.S. Computer Emergency Readiness Team’s (US-CERT) National Cyber Awareness System. Institution management can select a single framework or use a combination of resources to help identify its risks and determine its cybersecurity preparedness. Regardless of the source, frameworks can help management identify a cybersecurity and resilience posture that is commensurate with the institution’s risk and complexity.
What is access control?
These access controls allow authorized users and other applications to interface with related databases. Some security software programs integrate access control between the operating system and some applications. Such software is useful when applications do not have their own access controls or when the institution uses security software instead of the application’s native access controls. Management should understand the functionality and vulnerabilities of the application access control solutions and consider those issues in the risk management process.
What is electronic transmission?
Electronic transmission of information can include e-mail, file transfer protocol (FTP), secure FTP (sFTP), secure shell, dedicated line, short message service/texting, and transmission via the Internet. Management should determine the type of transmission method, sensitivity of the
What is configuration management?
Configuration management is a process to securely maintain the institution’s technology by developing expected baselines for tracking, controlling, and managing systems settings. To mitigate information security risk, management should control configurations of systems, applications, and other technology. Effective configuration management relies on policies and procedures to ensure compliance with minimally acceptable system configuration requirements. When information systems change, management should update baselines; confirm security settings; and track, verify, and report configuration items. Configurations should be monitored for unauthorized changes, and misconfigurations should be identified. Management can use automated solutions to help track, manage, and identify necessary corrections.
What is the purpose of a user access program?
Management should develop a user access program to implement and administer physical and logical access controls to safeguard the institution’s information assets and technology. This program should include the following elements:
What is the extent of interconnectivity?
The extent of interconnectivity is a function of network architecture, network complexity, traffic volume, and number of connections. Interconnectivity risk arises from misuse, mismanagement, or compromise of these connections.
How does funding help in information security?
Funding, along with technical and managerial talent, also contributes to the effectiveness of the information security program. Management should provide, and the board should oversee, adequate funding to develop, implement, and maintain a successful information security program. The program should be staffed by sufficient personnel who have skills that are aligned with the institution’s technical and managerial needs and commensurate with its size, complexity, and risk profile. Knowledge of technology standards, practices, and risk methodologies is particularly important to the success of the information security program. When third-party service providers supplement an institution’s technical and managerial capabilities, management oversight should be commensurate with the sensitivity and criticality of the information and business processes supported by the third-party service provider. Refer to the IT Handbook’s “Outsourcing Technology Services” booklet for more information.
What are the interagency guidelines for information security?
The Interagency Guidelines Establishing Information Security Standards, which implement section 501(b) of the Gramm–Leach–Bliley Act, 15 USC 6801, require banks and other financial institutions to safeguard the information of persons who obtain or have obtained a financial product or service to be used primarily for personal, family or household purposes, with whom the institution has a continuing relationship. Credit unions are subject to a similar rule. 12 CFR 30, Appendix B (OCC); 12 CFR 208, Appendix D-2 and 225, Appendix F (FRB); 12 CFR 364, Appendix B (FDIC); and 12 CFR 748, Appendix A (NCUA). These principles also are consistent with resources provided by the FFIEC members, and the “Joint Statement on Heightened Cybersecurity Risk” issued by the OCC and FDIC.
Why are financial institutions vulnerable to data breaches?
Data breaches at financial institutions, their service providers, and nonbanks, such as credit bureaus, have exposed information and credentials of customers and employees. Attackers use technologies such as automated password-cracking tools, together with these compromised credentials, in their attacks against financial institutions. In addition, older or unsupported information systems may be especially vulnerable to attacks because security patches and upgrades for authentication controls can be more difficult to obtain.
What is unauthorized access monitoring?
Monitoring, logging, and reporting of activities to identify and track unauthorized access.
What are the safety and soundness standards for financial institutions?
Financial institutions are subject to various safety and soundness standards, such as the standard to have internal controls and information systems that are appropriate to the institution’s size and complexity and the nature, scope, and risk of its activities.
What is a threat identification?
Identify threats with reasonable probability of impacting financial institution information systems, data, and user and customer accounts. Common threats include, but are not limited to, malware including ransomware, man-in-the-middle (MIM) attacks, credential abuses, and phishing attacks. Threat identification typically includes intelligence from Information Sharing and Analysis Organizations,