Access Rights Management for the Financial Services Sector

An Access Rights Management system enables a company to give an employee, contractor, third party vendor, or visitor the right access to the right resources at the right time. Financial services sector organizations can benefit from the ability to centrally issue, validate, and modify or revoke access rights for an entire enterprise based on easy-to-understand sector and organizational requirements.

Enabling organizations to grant the right access to the right resources at the right time

A properly implemented and administered Access Rights Management (ARM) system can help your organization meet compliance requirements, limit opportunity for and reduce damage from an attack, and improve enforcement of enterprise information system access policies.
Status: Reviewing Comments

Companies in the financial services sector can use the Access Rights Management NIST Cybersecurity Practice Guide to coordinate and automate updates to user access to information across an organization, and to improve that access. Access Rights Management will be explored further in the NCCoE Zero Trust Architecture Project.

Upon review, we recognize that this NIST/NCCoE publication contains potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

NIST SP 1800-9: Complete Guide (HTML) (Draft), Web Version
NIST SP 1800-9: Complete Guide (PDF) (Draft), Document Version
NIST SP 1800-9A: Executive Summary (Draft), Document Version
NIST SP 1800-9B: Approach, Architecture, and Security Characteristics (Draft), Document Version
NIST SP 1800-9C: How-To Guides (Draft), Document Version

Project Abstract

The NCCoE developed an access rights management (ARM) system that executes and coordinates changes across the enterprise ARM systems to change the employee’s access for all data and systems quickly, simultaneously, and consistently, according to corporate access policies. The example implementation provides timely management of access changes and reduces the potential for errors. It also enhances directory security. Generally, an ARM system enables a company to give the right person the right access to the right resources at the right time. The ARM reference design and example implementation are described in this NIST Cybersecurity “Access Rights Management” Practice Guide.

The reference design allows a company to execute changes and coordinate employee access to data and systems quickly, simultaneously, and consistently—and in accordance with corporate access policies and industry regulations. 

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 
