Authentication and access guidance for the 21st century

Last week, the FFIEC published guidance titled Authentication and Access to Financial Institution Services and Systems (the guidance). This guidance replaces previously issued statements (think back to pre-Twitter times) regarding best practices for authenticating users of internet-based financial services: Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011). The FFIEC acknowledges that we live in a new technological world compared to when the last guidance was released. There are new threats, and cybersecurity approaches have changed. Additionally, there are far more people using online and mobile applications, and accessing them from a range of computers, tablets, and smart devices.

In order to keep up with the changing landscape, the guidance emphasizes the importance of risk assessments, both initial assessments that are made before launching a new product or service and periodic assessments to measure the effectiveness of internal controls. The guidance gives examples of suggested risk assessment practices for credit unions offering digital services:

  • Inventory of Information Systems. Take account of all information systems and their components that require authentication and control, such as the hardware, operating systems, applications, devices, data, cloud storage systems, and other assets.
