Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
July 22, 2013
Fighting the Enemy Within
Portals and Rails frequently focuses on external threats that pose risk for financial organizations and others involved in the payments value chain. However, insider threats can pose just as large of a risk as external threats. One need look no further than the recent National Security Agency (NSA) information leak to understand the magnitude of insider risk. These risks can be reputation-damaging and cause significant financial harm.
Although security and control procedures can mitigate the risk of insider threats, it is extremely challenging to thwart a rogue insider committed to stealing or leaking sensitive information or implanting malicious software. The following access and security management principles, while not exhaustive, provide a solid base for any organization maintaining sensitive data to mitigate the risk of an insider letting this data out the door.
- Never-alone: Certain sensitive and critical functions and procedures (such as modifying hardware and security software) should be carried out by more than one person, or they should be performed by one person then automatically reported and immediately checked by another.
- Access rights: Data access rights and system privileges should be based on job responsibility and the need to perform job duties properly, and should be kept current.
- Limited tenure: Employees with access to sensitive data or in security-related positions should never believe their position is exclusive or permanent. Some ideas for implementation include: employees in these roles should be randomly rotated and required to take mandatory leave without having access to the systems during their absence.
- Concurrent access: An employee should not have simultaneous access to production systems and backup systems, particularly data files and computer facilities.
- Close supervision: Employees with system and data access entitlements should be closely supervised and have all their system activities logged. Access to these logs should be off-limits for these employees. Changes to highly sensitive data records should be immediately reported through messaging to supervisors for immediate review.
On the heels of the leak, the NSA director stated that the agency would institute the "never-alone" policy going forward. This approach may be better late than never, but perhaps it is a signal that the leadership of this organization recognizes and values the importance of data security, an important overarching principle in the Risk Forum's opinion.
Has your organization incorporated all or some of these principles into data access and system security procedures? What other principles has your organization put into place to mitigate insider threat to data security?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Fighting the Enemy Within:
- Under Pressure: The Fate of the Independent ATM Operators
- What’s Unsettled in Faster Payments?
- Consumer Prepaid Protections May Be Catching Up with Prepaid Use
- Virtual Currency Environment Still Fluid after Latest Rulings
- ISO 20022 in the United States: What, When, Why, and How?
- Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?
- Mobile Biometrics: Ready or Not, Here They Come
- Starting Off on the Right Note with Mobile Enrollment
- Let's Talk Token, Part II: Distinguishing Attributes
- New ACH Return Rate Threshold on the Horizon
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud