FFIEC Application Access Control

No  Procedures                                                           Status   Notes

1  Implementing a robust authentication method consistent with the criticality and sensitivity of the application. Historically, the majority of applications have relied solely on user IDs and passwords, but increasingly applications are using other forms of authentication. Multi-factor authentication, such as token and PKI-based systems coupled with a robust enrollment process, can reduce the potential for unauthorized access.

2  Maintaining consistent processes for assigning new user access, changing existing user access, and promptly removing access to departing employees.

3  Communicating and enforcing the responsibilities of programmers (including TSPs and vendors), security administrators, and business line owners for maintaining effective application-access control. Business line managers are responsible for the security and privacy of the information within their units. They are in the best position to judge the legitimate access needs of their area and should be held accountable for doing so. However, they require support in the form of adequate security capabilities provided by the programmers or vendor and adequate direction and support from security administrators.

4  Monitoring existing access rights to applications to help ensure that users have the minimum access required for the current business need. Typically, business application owners must assume responsibility for determining the access rights assigned to their staff within the bounds of the AUP. Regardless of the process for assigning access, business application owners should periodically review and approve the application access assigned to their staff.

5  Setting time-of-day or terminal limitations for some applications or for the more sensitive functions within an application. The nature of some applications requires limiting the location and number of workstations with access. These restrictions can support the implementation of tighter physical access controls.

6  Logging access and events (see "Log Transmission, Normalization, Storage, and Protection" in the Activity Monitoring section of this booklet).

7  Easing the administrative burden of managing access rights by utilizing software that supports group profiles. Some financial institutions manage access rights individually and this approach often leads to inappropriate access levels. By grouping employees with similar access requirements under a common access profile (e.g., tellers, loan operations, etc.), business application owners and security administrators can better assign and oversee access rights. For example, a teller performing a two-week rotation as a proof operator does not need year-round access to perform both
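One way to automate the periodic review called for in procedures 4 and 7, as an added example that is not part of the FFIEC booklet: it models group profiles, flags a profile assignment whose rotation has ended but was never removed, and flags individually granted functions that no current profile of the user justifies. The profile names, users, functions and dates are constructed sample data, not values from the booklet.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample of group profiles: role name -> application functions.
PROFILES = {
    "teller": {"cash_drawer", "deposit_post", "customer_lookup"},
    "proof_operator": {"proof_batch", "item_correct"},
    "loan_operations": {"loan_origination", "loan_payoff", "customer_lookup"},
}

@dataclass(frozen=True)
class Assignment:
    user: str
    profile: str
    expires: Optional[date] = None  # None means a permanent assignment

def review_access(assignments, direct_grants, today):
    """Return (user, issue, detail) tuples for the business application owner.
    assignments: profile memberships, some with an expiry date (rotations).
    direct_grants: {user: set(functions)} granted individually, outside profiles."""
    findings = []
    allowed = {}  # user -> functions covered by profiles still in force
    for a in assignments:
        if a.profile not in PROFILES:
            findings.append((a.user, "unknown-profile", a.profile))
            continue
        if a.expires is not None and a.expires < today:
            # A temporary assignment (e.g. a two-week rotation) nobody removed.
            findings.append((a.user, "expired-assignment", a.profile))
            continue
        allowed.setdefault(a.user, set()).update(PROFILES[a.profile])
    for user, funcs in direct_grants.items():
        # Individually assigned functions not justified by any current profile.
        for f in sorted(funcs - allowed.get(user, set())):
            findings.append((user, "direct-grant-outside-profile", f))
    return findings

# Constructed sample: alice's proof-operator rotation ended on 2024-03-15, and
# bob holds a hand-assigned loan function although he is only a teller.
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "teller"),
    Assignment("alice", "proof_operator", expires=date(2024, 3, 15)),
    Assignment("bob", "teller"),
    Assignment("carol", "loan_operations"),
]
SAMPLE_DIRECT_GRANTS = {"bob": {"customer_lookup", "loan_payoff"}, "carol": {"customer_lookup"}}
REVIEW_DATE = date(2024, 4, 1)

if __name__ == "__main__":
    for finding in review_access(SAMPLE_ASSIGNMENTS, SAMPLE_DIRECT_GRANTS, REVIEW_DATE):
        print(finding)
```

Carol's direct grant produces no finding because customer_lookup is already part of her loan_operations profile; only grants with no profile justification are reported.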
