Managing User Access in the Financial Services Sector

New Draft Guide Published Demonstrates Potential Solution to Control Access Rights

Due to the wide variety of services offered and the often far-flung nature of their organizations, financial services firms are complex organizations with multiple internal systems managing sensitive financial and customer data. These internal systems are typically independent of each other, which makes centralized management and oversight challenging. Complicating matters further are the typical employee movements related to hiring, firing, promotions, and transfers. Roles and responsibilities constantly change within the organization—for example an admin transfers to another department, a new financial analyst starts tomorrow, and a manager receives a promotion the same day his boss retires.

This movement is normal and even expected for companies of such scale. The Human Resources department and user administrators manage these changes. Since each position requires a specific level of access to data, and information is often scattered in different silos across the organization, control over access rights needs to be reliable, consistent, and easy to manage.

In collaboration with the financial services community and technology collaborators, the National Cybersecurity Center of Excellence (NCCoE) developed draft cybersecurity guidance, NIST Special Publication 1800-9: Access Rights Management for the Financial Services Sector, which uses standards-based, commercially available technologies and industry best practices to help financial services companies provide a more secure and efficient way to manage access to data and system. The draft guide is now open for public comment through October 31, 2017.

“The ability to coordinate changes throughout an organization and thus reduce the risk of unauthorized access was the primary goal of this project,” said Jim Banoczi, lead NIST cybersecurity engineer. “We wanted to deliver an approach that increases resilience against malicious actors or human error. The guide outlines an example implementation of an Access Rights Management (ARM) system that enables a company to give the right person the right access to the right resources at the right time. By linking together disparate internal systems, financial services firms can centrally issue, validate, modify, and revoke access rights for their entire enterprise based on easy-to-understand business rules. Overall, this solution should free up time spent on access management and allow prioritization of other tasks, leading to faster and more accurate policy modifications and fewer violations due to access inconsistencies.”

Banoczi continued, “Of paramount importance to financial services firms is ensuring compliance with regulatory requirements. This draft practice guide references both NIST guidance and industry standards, including the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (FFIEC CAT), which is useful to financial organizations as they address compliance requirements.”

This guide is the second produced by the NCCoE that addresses issues facing the financial services sector. The first, NIST Special Publication 1800-5: IT Asset Management, was released in October 2015.

The guides do not endorse or dictate which products or designs should be used, but offer practical direction to help users better understand which security controls, standards, and capabilities will help them to achieve desired cybersecurity protections.