Back to Blog

What Auditors and Examiners Expect You to Have Implemented For the Updated FFIEC Authentication Guidance

By Zach Duke

September 14, 2023

Get notified on new insights from Finosec now!

Be the first to know about new Finosec blogs to grow your knowledge of the cybersecurity governance industry today!

The Federal Financial Institutions Examination Council (FFIEC) updated its Authentication Guidance in August 2021, which aims to standardize and enhance security measures for financial institutions. We are seeing a focus on these areas during exams and audits, and understanding these new guidelines is crucial for compliance and risk management.

What’s New

Originally, FFIEC authentication handbooks from 2005 and 2011 primarily focused on customers and two-factor authentication. The updated guidance considerably expands its scope to include employees, third-party vendors, and system-to-system communications via APIs.

Risk Assessment

One of the key points made in the guidance is the importance of conducting a comprehensive risk assessment. Financial institutions must now identify all users, not just customers, in their risk assessment. A stale or outdated risk assessment can result in insufficient controls. The guidance encourages an enterprise-wide approach to risk assessment, including inventories of information systems and digital banking services.

Multi-factor Authentication

The update brings attention to the modern threat landscape, which has been influenced by the pandemic and a shift to remote work. In light of this, multi-factor authentication (MFA) emerges as a consistently recommended risk-mitigating control for all types of users, including high-risk users.

The Threat Landscape

The new guidelines also focus on devices and third parties accessing information. With an increase in connectivity to cloud services and an array of third-party providers like managed service providers, the need for robust security measures has never been greater.

Key Takeaways on Effective Risk Assessment

  • Inventory of Information Systems: Often, organizations lack a comprehensive system map or inventory. This is vital for effective risk management.
  • User Identification: The guidance insists on knowing which employees have access to different systems. Service accounts, which often have elevated privileges, pose significant risks and must be documented.
  • High User Risk Identification: Whether it’s network admins or those with specific roles in banking applications, identifying high-risk users is essential.
  • Role Based Access: The concept of ‘least privilege’—where users have the minimum levels of access, or permissions, they need to perform their job functions—is emphasized as foundational.
  • User Review Reporting: Validating access, permissions, and the review processes are vital for risk management and compliance.

Conclusion

The FFIEC Authentication Guidance is comprehensive and aligns with the complexities of today’s digital landscape. From risk assessments to multi-factor authentication, the guidelines offer a roadmap for financial institutions to secure their environments effectively.

Understanding and implementing the new FFIEC Authentication Guidance can be complex, especially with legacy banking applications. To get a deeper insight into these updates and how they could impact your financial institution, watch our full video summary. For customized solutions and professional assistance in navigating FFIEC compliance, learn how Finosec can help you. If you found this blog post useful, please like, comment, and share to help us spread the word.

More from Finosec

Mastering Access Management: Best Practices for Effective User Access Reviews

Mastering Access Management: Best Practices for Effective User Access Reviews

Access management is a critical component of cybersecurity and compliance, especially for financial institutions where security expectations are paramount. The challenges surrounding permissions management, particularly during user access reviews, are increasing due to regulatory expectations and the complexity of banking applications. In this blog post, we’ll explore the regulatory expectations, common exam findings, and best practices that can help your organization manage user access effectively while adhering to the principle of least privilege – limiting user access to only the resources necessary to perform their job functions.

The Critical Link Between Third-Party Risk Management (TPRM) and Access Management

The Critical Link Between Third-Party Risk Management (TPRM) and Access Management

As highlighted in a recent article from the Federal Reserve, managing third-party relationships and the access associated with those relationships is a critical component of Third-Party Risk Management (TPRM). The associated access third party vendors have to banking systems is known as Access Management and is foundational for mitigating risks associated with third-party relationships. Access Management may be easy to overlook because it does not always reside with the same person or team as TPRM; making it difficult to provide critical oversight.

With increased regulatory focus, how should institutions be thinking of Access Management? Here are five steps your institution can take today to strengthen your third-party governance.

The Critical Foundation of Managing Access to Banking Systems

The Critical Foundation of Managing Access to Banking Systems

Managing access to banking systems has become increasingly complex as financial institutions navigate legacy reporting systems, API access, and cloud solutions. These challenges, along with the risks posed by unmanaged systems, emphasize the need for maintaining a...

Talk To An Expert Now
Talk To An Expert Now 770.268.2765