Back to Blog

What Auditors and Examiners Expect You to Have Implemented For the Updated FFIEC Authentication Guidance

By Zach Duke

September 14, 2023

Get notified on new insights from Finosec now!

Be the first to know about new Finosec blogs to grow your knowledge of the cybersecurity governance industry today!

The Federal Financial Institutions Examination Council (FFIEC) updated its Authentication Guidance in August 2021, which aims to standardize and enhance security measures for financial institutions. We are seeing a focus on these areas during exams and audits, and understanding these new guidelines is crucial for compliance and risk management.

What’s New

Originally, FFIEC authentication handbooks from 2005 and 2011 primarily focused on customers and two-factor authentication. The updated guidance considerably expands its scope to include employees, third-party vendors, and system-to-system communications via APIs.

Risk Assessment

One of the key points made in the guidance is the importance of conducting a comprehensive risk assessment. Financial institutions must now identify all users, not just customers, in their risk assessment. A stale or outdated risk assessment can result in insufficient controls. The guidance encourages an enterprise-wide approach to risk assessment, including inventories of information systems and digital banking services.

Multi-factor Authentication

The update brings attention to the modern threat landscape, which has been influenced by the pandemic and a shift to remote work. In light of this, multi-factor authentication (MFA) emerges as a consistently recommended risk-mitigating control for all types of users, including high-risk users.

The Threat Landscape

The new guidelines also focus on devices and third parties accessing information. With an increase in connectivity to cloud services and an array of third-party providers like managed service providers, the need for robust security measures has never been greater.

Key Takeaways on Effective Risk Assessment

  • Inventory of Information Systems: Often, organizations lack a comprehensive system map or inventory. This is vital for effective risk management.
  • User Identification: The guidance insists on knowing which employees have access to different systems. Service accounts, which often have elevated privileges, pose significant risks and must be documented.
  • High User Risk Identification: Whether it’s network admins or those with specific roles in banking applications, identifying high-risk users is essential.
  • Role Based Access: The concept of ‘least privilege’—where users have the minimum levels of access, or permissions, they need to perform their job functions—is emphasized as foundational.
  • User Review Reporting: Validating access, permissions, and the review processes are vital for risk management and compliance.

Conclusion

The FFIEC Authentication Guidance is comprehensive and aligns with the complexities of today’s digital landscape. From risk assessments to multi-factor authentication, the guidelines offer a roadmap for financial institutions to secure their environments effectively.

Understanding and implementing the new FFIEC Authentication Guidance can be complex, especially with legacy banking applications. To get a deeper insight into these updates and how they could impact your financial institution, watch our full video summary. For customized solutions and professional assistance in navigating FFIEC compliance, learn how Finosec can help you. If you found this blog post useful, please like, comment, and share to help us spread the word.

More from Finosec

Partnering for Peace of Mind and Effective Oversight

Partnering for Peace of Mind and Effective Oversight

Pendleton Community Bank, a $700 Million Dollar Bank with 133 Employees in Franklin, WV, led by CEO Bill Loving, faced a critical challenge when their Information Security Officer departed, leaving a significant void in their oversight capabilities. Their goal was clear: establish an effective process for information security governance and cybersecurity oversight to ensure compliance and peace of mind.

Talk To An Expert Now
Talk To An Expert Now 770.268.2765