The Federal Financial Institutions Examination Council (FFIEC) updated its Authentication Guidance in August 2021, which aims to standardize and enhance security measures for financial institutions. We are seeing a focus on these areas during exams and audits, and understanding these new guidelines is crucial for compliance and risk management.
Originally, FFIEC authentication handbooks from 2005 and 2011 primarily focused on customers and two-factor authentication. The updated guidance considerably expands its scope to include employees, third-party vendors, and system-to-system communications via APIs.
One of the key points made in the guidance is the importance of conducting a comprehensive risk assessment. Financial institutions must now identify all users, not just customers, in their risk assessment. A stale or outdated risk assessment can result in insufficient controls. The guidance encourages an enterprise-wide approach to risk assessment, including inventories of information systems and digital banking services.
The update brings attention to the modern threat landscape, which has been influenced by the pandemic and a shift to remote work. In light of this, multi-factor authentication (MFA) emerges as a consistently recommended risk-mitigating control for all types of users, including high-risk users.
The Threat Landscape
The new guidelines also focus on devices and third parties accessing information. With an increase in connectivity to cloud services and an array of third-party providers like managed service providers, the need for robust security measures has never been greater.
Key Takeaways on Effective Risk Assessment
- Inventory of Information Systems: Often, organizations lack a comprehensive system map or inventory. This is vital for effective risk management.
- User Identification: The guidance insists on knowing which employees have access to different systems. Service accounts, which often have elevated privileges, pose significant risks and must be documented.
- High User Risk Identification: Whether it’s network admins or those with specific roles in banking applications, identifying high-risk users is essential.
- Role Based Access: The concept of ‘least privilege’—where users have the minimum levels of access, or permissions, they need to perform their job functions—is emphasized as foundational.
- User Review Reporting: Validating access, permissions, and the review processes are vital for risk management and compliance.
The FFIEC Authentication Guidance is comprehensive and aligns with the complexities of today’s digital landscape. From risk assessments to multi-factor authentication, the guidelines offer a roadmap for financial institutions to secure their environments effectively.
Understanding and implementing the new FFIEC Authentication Guidance can be complex, especially with legacy banking applications. To get a deeper insight into these updates and how they could impact your financial institution, watch our full video summary. For customized solutions and professional assistance in navigating FFIEC compliance, learn how Finosec can help you. If you found this blog post useful, please like, comment, and share to help us spread the word.