Access Risk Management for Finance

Banks and other financial institutions store a great amount of sensitive personal information, particularly customers' nonpublic personal information (NPI), which makes them high-value targets for information security threats. The growing tide of attacks by outside hackers, and of fraud by disgruntled former employees whose access was never revoked, threatens the security of NPI.
New and evolving threats, along with a changing and complex regulatory environment, demand that financial organizations strengthen their security controls to comply with industry-specific requirements and regulations, and ensure that their identity and access risk management programs are strong.
Technical Complexity
Technology in the banking sector is shifting from closed, proprietary systems to open, flexible systems that allow greater and more meaningful interaction with customers, headquarters, and the business partners that provide a range of back-office functions. Technologies such as wireless networking, cloud-based applications, customer kiosks and mobile devices carry greater security risk: the complexity of these systems, and of the ways they interact, introduces more potential paths for unauthorized access.
To make matters worse, the lack of widely accepted authentication and authorization standards has forced commercial and in-house system developers to create application-specific security models for creating and managing access rights, each of which must then be governed separately.
Regulatory Requirements
Spurred on by highly publicized security breaches, fraudulent reporting and other threats, legislators and industry organizations are publishing new laws and requirements affecting financial organizations at an increased pace. Compliance with the regulations and supervisory guidance affecting banks and other financial organizations, such as GLBA, BSA, Basel II, FATCA, FFIEC guidance, PCI DSS, SOX and state data privacy laws, requires these organizations to invest in security strategies, techniques and technologies designed to protect both internal and customer assets from the risks of unauthorized access.
What many of these requirements have in common is an underlying mandate to establish a security plan, processes and procedures that ensure the right people have the right access to the right resources and are doing the right things. For example, in the Gramm-Leach-Bliley Act (GLBA) Congress established the principle that "each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." To enforce this mandate, Congress directed the financial regulatory agencies and authorities to establish appropriate standards to:
- Ensure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of such records; and
- Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
Accordingly, the regulatory agencies have published regulations and standards for safeguarding NPI as directed by Congress, such as the Federal Trade Commission's "Standards for Safeguarding Customer Information" (the Safeguards Rule, 16 CFR Part 314). Service organizations commonly report on the operational controls they maintain in support of the Safeguards Rule through a "Statement on Auditing Standards No. 70" (SAS 70) audit; SAS 70 has since been superseded by SSAE 16 and the SOC reporting framework, but the same control reporting applies under the newer standards.
Courion helps banking institutions meet the requirements of GLBA, the Safeguards Rule, SAS 70, PCI DSS, and other regulatory requirements through these features:

| Regulatory Requirement | Courion Solution |
| --- | --- |
| Maintain and enforce a policy that addresses information security. | Courion enforces corporate information security policies, such as: |
| Adjust information security programs in light of material changes to the business that may affect safeguards. | Material changes that can affect a security program include changes in technology or changes to operations or business arrangements, such as mergers and acquisitions, alliances and joint ventures, or outsourcing arrangements. Courion's flexible and fully integrated identity and access management solutions enable organizations to quickly and easily realign user access rights to meet changing business conditions, such as a merger or reorganization. |
| Assign a unique ID to each person with computer access to NPI. | Courion creates a unique account for each user with access to NPI, including a unique user ID, password and set of access rights for that individual, so that every action on NPI can be attributed to one identifiable person. Courion also supports multi-factor authentication products, such as security tokens, to strengthen the assurance that the person using an ID is its owner. |
| Restrict access to customers' NPI to the minimum level necessary for the business. | Courion enforces least-privilege access based on role definitions or other business need-to-know requirements, and detects separation-of-duties (SoD) violations. |
| Block access when employees leave or are terminated. | Courion automatically disables or deletes user accounts on any designated target system containing NPI when an employee's status changes in the system of record, such as on termination of employment. |
| Track and monitor all access to IT resources containing NPI. | Integration with leading security information and event management (SIEM) solutions enables managers to review access to customer data and other information assets and remediate inappropriate access. |
| Routinely test and verify user access rights, security systems and processes. | Courion enables security staff, IT administrators and line-of-business managers to review and certify user access rights, and role definitions can be reviewed periodically for accuracy as well. Courion can also enforce end-user policy awareness training and block access for users who fail to pass or complete the program. |
Access Risk Management Solution
Financial institutions require the ability to:
- Control access to applications and IT assets containing sensitive customer or employee information
- Verify the proper use of that access
- Safeguard sensitive data from unauthorized access
- Demonstrate compliance with industry regulations
- Protect the organization’s brand and reputation
Courion's Access Risk Management solutions, deployed at some of the largest commercial banks and other financial institutions in the world, enable customers to improve the security of sensitive data, reduce IT overhead expenses, accelerate core business processes by making it easier for personnel to manage their own identities, and enable managers to respond to regulatory demands for compliance data.
Access Risk Management Suite features that banks and other financial institutions rely on include:
Identify Unknown Accounts: Courion's IdentityMap process locates user accounts on internal systems and associates each with a known individual in a designated system of record, such as PeopleSoft HR. The initial IdentityMap scan can identify and resolve zombie accounts, which are accounts associated with someone who is no longer with the organization. Subsequent IdentityMap scans may reveal previously unknown accounts that cannot be tied to anyone in the system of record; such accounts were created outside the approved provisioning process and may indicate an attack from outside the organization or an administrator bypassing controls. Courion can then alert the appropriate personnel to take remedial action.
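The reconciliation the paragraph above describes, written out as an added example (this is not Courion's IdentityMap code). The HR records, target-system account list, previous-scan baseline and matching attributes are constructed assumptions. Accounts are matched to the system of record by employee ID first and by a unique email second; owners who are no longer active mark the account as a zombie, accounts with no owner are orphans, and an orphan that was not present on the previous scan is raised as a newly appeared unknown account.

```python
"""Reconcile accounts enumerated from a target system against an HR system of record.

Added example; not Courion code. All data below is constructed for illustration.
Classifies each account as mapped (owned by an active employee), zombie (owned by
a terminated employee) or orphan (no owner found), and flags orphans that were not
present in the previous scan as newly appeared unknown accounts.
"""

# Constructed HR system of record, keyed by employee ID.
HR_RECORDS = {
    "E1001": {"name": "Ana Ruiz", "email": "ana.ruiz@examplebank.test", "status": "active"},
    "E1002": {"name": "Ben Okoro", "email": "ben.okoro@examplebank.test", "status": "active"},
    "E1003": {"name": "Cai Lin", "email": "cai.lin@examplebank.test", "status": "terminated"},
}

# Constructed account listing from one target system. An account may carry an
# employee-ID attribute, only an email, or neither (typical of service accounts
# and of accounts created outside the provisioning process).
TARGET_ACCOUNTS = [
    {"account": "aruiz", "employee_id": "E1001", "email": None},
    {"account": "bokoro", "employee_id": None, "email": "Ben.Okoro@examplebank.test"},
    {"account": "clin", "employee_id": "E1003", "email": None},
    {"account": "svc_backup", "employee_id": None, "email": None},
    {"account": "jdoe2", "employee_id": None, "email": None},
]

# Account names recorded by the previous scan of the same system (constructed baseline).
PREVIOUS_SCAN = {"aruiz", "bokoro", "clin", "svc_backup"}


def map_account(acct, hr_records):
    """Return the employee ID owning the account, or None if it cannot be mapped.

    Matching order: an explicit employee-ID attribute first, then a unique,
    case-insensitive email match. An email shared by several HR records is
    treated as no match so that an account is never mapped to the wrong person.
    """
    if acct.get("employee_id") in hr_records:
        return acct["employee_id"]
    email = (acct.get("email") or "").lower()
    if not email:
        return None
    matches = [eid for eid, rec in hr_records.items() if rec["email"].lower() == email]
    return matches[0] if len(matches) == 1 else None


def reconcile(accounts, hr_records, previous_scan):
    """Classify accounts and return a dict of lists keyed by classification."""
    result = {"mapped": [], "zombie": [], "orphan": [], "new_unknown": []}
    for acct in accounts:
        name = acct["account"]
        owner = map_account(acct, hr_records)
        if owner is None:
            result["orphan"].append(name)
            if name not in previous_scan:
                # Appeared since the last scan and nobody owns it: alert, do not auto-delete.
                result["new_unknown"].append(name)
        elif hr_records[owner]["status"] != "active":
            result["zombie"].append((name, owner))
        else:
            result["mapped"].append((name, owner))
    return result


def remediation_plan(result):
    """Turn the classification into the actions an operator would take."""
    plan = [("disable", name) for name, _ in result["zombie"]]
    plan += [("alert", name) for name in result["new_unknown"]]
    plan += [("review", name) for name in result["orphan"] if name not in result["new_unknown"]]
    return plan


if __name__ == "__main__":
    outcome = reconcile(TARGET_ACCOUNTS, HR_RECORDS, PREVIOUS_SCAN)
    for category, items in outcome.items():
        print(f"{category}: {items}")
    for action, name in remediation_plan(outcome):
        print(f"{action}: {name}")
```

Zombie accounts are disabled rather than deleted so the audit trail survives, and a newly appeared unknown account is alerted on rather than removed, since deleting it would destroy evidence of how it got there. Long-standing orphans such as service accounts go to a review queue for an owner to be assigned.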
Access Certification: Courion ComplianceCourier™ is used by line-of-business managers, compliance officers, security professionals, or IT administrators to review access rights of users they supervise and certify that access complies with policy. When a user’s access rights are out of compliance with policy or industry regulations, ComplianceCourier provides a range of options to block or restrict unauthorized access. Audit tracking capabilities also make compliance reporting and analysis faster, easier and cheaper.
Protect Sensitive Data: Courion's Sensitive Data Manager module works in conjunction with industry-leading data loss prevention (DLP) technologies to verify that access to sensitive data is not being misused. According to the Verizon Business 2009 Data Breach Investigations Report, 67 percent of breached records were in locations that the organization wasn't aware of. Integration with DLP technologies enables your organization to find sensitive data, identify who has access to it, determine how they obtained that access, and rectify access rights that are inconsistent with the individual's business role.
Identify Suspicious Activity: Courion's User Activity Manager module uses leading security information and event management (SIEM) technologies to analyze prior user activity. Integration with SIEM technologies lets you identify patterns of suspicious behavior captured in system logs, such as after-hours access, large data downloads, or access from a previously unknown account. Combining that activity with identity attributes for the user involved (name, title, department, manager and location) lets you determine whether the behavior is consistent with the needs of the business and, if it is not, terminate access to key applications.
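The three patterns named above (after-hours access, large downloads, activity from an account the system of record does not know), run over a handful of constructed log lines and enriched with identity attributes, as an added example rather than Courion's User Activity Manager. The key=value log format, the 07:00-19:00 UTC business-hours window, the 50 MiB download threshold and the identity directory are all assumptions made for the illustration.

```python
"""Flag suspicious user activity in SIEM-style log lines and enrich hits with identity data.

Added example; not Courion code. The log format, thresholds, business-hours window
and identity directory below are constructed assumptions for illustration.
"""
import re
from datetime import datetime

# Constructed identity directory keyed by account name, carrying the attributes an
# IAM system of record would supply for enrichment.
IDENTITY_DIRECTORY = {
    "aruiz": {"name": "Ana Ruiz", "title": "Teller", "department": "Retail Branch 12", "manager": "bokoro"},
    "bokoro": {"name": "Ben Okoro", "title": "Branch Manager", "department": "Retail Branch 12", "manager": "dpatel"},
    "clin": {"name": "Cai Lin", "title": "Loan Officer", "department": "Consumer Lending", "manager": "dpatel"},
}

# Constructed log lines in a key=value style; the last one is malformed on purpose.
SAMPLE_LOGS = """\
2024-03-14T09:15:02Z host=core-banking user=aruiz action=LOGIN src=10.1.4.10
2024-03-14T02:13:55Z host=core-banking user=clin action=LOGIN src=10.1.4.22
2024-03-14T02:20:41Z host=core-banking user=clin action=DOWNLOAD bytes=209715200 object=loan_export.csv
2024-03-14T14:02:09Z host=core-banking user=bokoro action=DOWNLOAD bytes=1048576 object=branch_report.pdf
2024-03-14T15:30:00Z host=core-banking user=jdoe2 action=LOGIN src=203.0.113.7
this line is not a valid event
"""

BUSINESS_HOURS = (7, 19)           # assumption: 07:00-19:00 UTC counts as business hours
LARGE_DOWNLOAD_BYTES = 50 * 2**20  # assumption: 50 MiB in a single event is "large"
KV_PATTERN = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one log line into a dict, or return None if it is not an event."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"timestamp": ts}
    event.update(KV_PATTERN.findall(parts[1]))
    return event if "user" in event and "action" in event else None


def evaluate(event, directory):
    """Return the list of rule names an event trips."""
    hits = []
    start, end = BUSINESS_HOURS
    if not start <= event["timestamp"].hour < end:
        hits.append("after_hours")
    if event["action"] == "DOWNLOAD" and int(event.get("bytes", "0")) >= LARGE_DOWNLOAD_BYTES:
        hits.append("large_download")
    if event["user"] not in directory:
        hits.append("unknown_account")
    return hits


def find_suspicious(log_text, directory):
    """Run all rules over the log text and enrich each hit with identity attributes."""
    findings = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue  # unparseable lines are skipped, not treated as events
        for rule in evaluate(event, directory):
            findings.append({
                "rule": rule,
                "user": event["user"],
                "timestamp": event["timestamp"].isoformat(),
                "action": event["action"],
                # None when the system of record does not know the account: the strongest signal here.
                "identity": directory.get(event["user"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOGS, IDENTITY_DIRECTORY):
        who = finding["identity"] or {"title": "UNKNOWN", "department": "UNKNOWN", "manager": "UNKNOWN"}
        print(f"{finding['timestamp']} {finding['rule']:16} {finding['user']:8} "
              f"{who['title']} / {who['department']} / manager {who['manager']}")
```

In production the business-hours window would come from the user's location attribute rather than a fixed UTC range, and the enrichment step is what turns a log hit into a decision: a 200 MB export at 02:20 by a loan officer whose manager can be asked about it is a different case from the same event by an account nobody owns.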
Manage Employee Access Rights: Financial organizations must often cope with providing new employees with access to the systems they require to be productive on day one, and with removing that access automatically when they leave the organization. They use Courion's RoleCourier® solution to manage the role definition process, which ensures that users within a particular role, such as a teller or loan officer, have only the access rights they require to be productive. AccountCourier® then automates the process of account creation and termination, using either pre-defined roles or the existing access request and authorization process your organization uses. These solutions ensure that users have the appropriate access rights, prevent separation-of-duties violations, and significantly reduce the time, effort and cost of managing employee access rights.
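The role model the paragraph above describes, carried through as an added example (not RoleCourier or AccountCourier code): roles map to entitlements, separation-of-duties rules name entitlement pairs no one person may hold, and joiner, mover and leaver changes are computed as the grants and revokes needed to move an account from what it has to what its roles say it should have. The role catalog, entitlement names and SoD pairs are constructed for a retail-banking illustration.

```python
"""Role-based entitlements, separation-of-duties checks and joiner/mover/leaver actions.

Added example; not Courion code. Role names, entitlement strings and SoD rules
are constructed for a retail-banking illustration.
"""

# Constructed role catalog: role -> entitlements on target systems.
ROLES = {
    "teller": {"core:view_account", "core:post_deposit", "core:cash_drawer"},
    "loan_officer": {"core:view_account", "loan:originate", "loan:view_application"},
    "loan_approver": {"loan:view_application", "loan:approve"},
    "ap_clerk": {"payments:create_vendor"},
    "ap_approver": {"payments:approve_payment"},
}

# Constructed SoD rules: pairs of entitlements no single person may hold together.
SOD_RULES = [
    frozenset({"loan:originate", "loan:approve"}),
    frozenset({"payments:create_vendor", "payments:approve_payment"}),
]


def entitlements_for(roles):
    """Union of the entitlements granted by a set of roles; unknown roles raise."""
    unknown = set(roles) - set(ROLES)
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    out = set()
    for role in roles:
        out |= ROLES[role]
    return out


def sod_violations(entitlements):
    """Return the SoD rules fully contained in the entitlement set, as sorted tuples."""
    held = set(entitlements)
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if rule <= held)


def plan_changes(current, new_roles):
    """Compute the grants and revokes that move an account from its current
    entitlements to those of new_roles.

    Joiner: current is empty. Mover: the role set changes. Leaver: new_roles is
    empty, so everything is revoked. Refuses to plan a change whose target
    entitlements would violate an SoD rule.
    """
    target = entitlements_for(new_roles)
    violations = sod_violations(target)
    if violations:
        raise PermissionError(f"SoD violation in requested roles: {violations}")
    current = set(current)
    return {"grant": sorted(target - current), "revoke": sorted(current - target)}


if __name__ == "__main__":
    print("joiner:", plan_changes(set(), ["teller"]))
    print("mover: ", plan_changes(entitlements_for(["teller"]), ["loan_officer"]))
    print("leaver:", plan_changes(entitlements_for(["loan_officer"]), []))
    try:
        plan_changes(set(), ["loan_officer", "loan_approver"])
    except PermissionError as exc:
        print("blocked:", exc)
```

The mover case is the one that matters for least privilege: moving a teller to loan officer revokes the cash-drawer and deposit-posting rights rather than leaving them to accumulate, and the SoD check runs on the combined target entitlements, so a request that is harmless role by role is still blocked when the pair it creates is.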
Secure Passwords: Courion’s PasswordCourier® reduces potential access vulnerabilities by enforcing strong password policies, while also dramatically reducing costs associated with help desk calls because of its secure self-service password reset capability.
Benefits
Courion solutions allow banks and other financial institutions to:
- Improve productivity: Create accounts for new permanent and contract employees quickly and easily, giving them immediate access to mission-critical business applications, while ensuring they have the minimum access to sensitive data required for their jobs.
- Enhance security: Dynamically adjust access rights as employees change roles due to transfers, promotions, demotions or reorganizations. Courion's transparent synchronization technology allows users to use the same username/password combination for all systems, reducing the potential that they will be tempted to write down their password; the trade-off is that one compromised system exposes the shared credential everywhere, which is why pairing synchronization with strong password policy and multi-factor authentication matters.
- Eliminate zombie accounts: Automatically suspend or discontinue access when employees are terminated.
- Reduce costs: Enable users to securely reset a password if they forget it or it expires from their Windows workstation, over a web browser, or via a telephone, without having to call the help desk. Provisioning enables substantial reductions in busy IT staff overhead dedicated to managing the account creation, management and termination process.
- Demonstrate compliance: Quickly and easily attest that employees have access rights that are consistent with organization policy, Sarbanes-Oxley, GLBA, PCI DSS, and other relevant industry or government requirements.

