By: Christopher Salone, CISA CCSFP, MBA
This past year was one of rapid change for the cybersecurity and IT landscape: new threats emerged while existing ones continued to evolve. To help the institutions it oversees combat these threats, the FFIEC issued new guidance for examiners and organizations in two major areas.
First, the Council retired the existing “Operations” booklet of its IT Examination Handbook and replaced it with a new “Architecture, Infrastructure, and Operations” booklet that incorporates updated information technology (IT) risk management practices and frameworks. The members developed the booklet using a principles-based approach to IT risk management so that its central tenets remain relevant to examiners even as innovation and technological change continue in the financial services sector.
According to the FFIEC’s official press release, some of the major highlights and changes to the booklet include:
- Significant changes to the booklet include the addition of new architecture, infrastructure, and emerging technology sections, including cloud computing, to the narrative.
- Within the narrative, we developed a new section for governance and common risk management elements of architecture, infrastructure, and operations (AIO), as well as sections that contain specific risks applicable to architecture, infrastructure, and evolving technologies.
- The Operations section was updated to address key operational principles in IT environments. We included discussions of operational controls, IT operational processes, service and support processes, and ongoing monitoring and evaluation processes.
- The purpose of the Evolving Technologies section is to provide examiners with general information relating to newer technologies and topics that they may encounter during examinations.
In addition, in August 2021, the FFIEC issued new guidance, titled “Authentication and Access to Financial Institution Services and Systems” to provide financial institutions with examples of effective risk management principles and practices for access and authentication. These principles and practices address business and consumer customers, employees, and third parties that access digital banking services and financial institution information systems.
The Guidance acknowledges the emerging cybersecurity threat landscape, which reinforces the need for financial institutions to effectively authenticate customers, as well as the expansion of authentication considerations beyond customers to include employees, third parties, and system-to-system communications.
Among other things, the Guidance:
- Highlights the cybersecurity threat environment, including remote access by customers and users, attacks that leverage compromised credentials, and risks from push payment capabilities;
- Recognizes the importance of a financial institution’s risk assessment to determine appropriate user access and authentication practices;
- Supports financial institution adoption of layered security; and
- Addresses how multi-factor authentication or similar controls can mitigate risks more effectively than single-factor authentication.
The Appendix to the Guidance lists practices and controls related to access management and authentication, along with resources to assist financial institutions with both.
The Guidance is intended to apply not only to financial institutions, but also to any third party that, on a financial institution’s behalf, provides the information systems being accessed or the authentication controls that protect them.
FoxPointe Solutions, which is a division of The Bonadio Group, is equipped and prepared to help your organization prepare for these requirements. We would be happy to answer any questions you may have or provide you with additional information.