Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
July 22, 2013
Fighting the Enemy Within
Portals and Rails frequently focuses on external threats that pose risk to financial organizations and others in the payments value chain. However, insider threats can pose just as great a risk. One need look no further than the recent National Security Agency (NSA) information leak to understand the magnitude of insider risk. Such incidents can damage an organization's reputation and cause significant financial harm.
Although security and control procedures can mitigate the risk of insider threats, it is extremely challenging to thwart a rogue insider committed to stealing or leaking sensitive information or implanting malicious software. The following access and security management principles, while not exhaustive, provide a solid base for any organization maintaining sensitive data to mitigate the risk of an insider letting this data out the door.
- Never-alone: Certain sensitive and critical functions and procedures (such as modifying hardware and security software) should be carried out by more than one person, or they should be performed by one person then automatically reported and immediately checked by another.
- Access rights: Data access rights and system privileges should be based on job responsibility and the need to perform job duties properly, and should be kept current.
- Limited tenure: Employees with access to sensitive data or in security-related positions should never believe their position is exclusive or permanent. For example, employees in these roles should be rotated at random intervals and required to take mandatory leave, with their system access suspended for the duration of the absence.
- Concurrent access: An employee should not have simultaneous access to production systems and backup systems. This applies to the data files as well as to the computer facilities that hold them.
- Close supervision: Employees with system and data access entitlements should be closely supervised and have all their system activities logged. Access to these logs should be off-limits for these employees. Changes to highly sensitive data records should be immediately reported through messaging to supervisors for immediate review.
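The five principles above are usually enforced in practice by running mechanical checks against an entitlement table, an HR feed and the audit log. The script below is an added illustration, not code from the Risk Forum or this post: every user, role name, target name, date and audit record in it is constructed for the example, and the one-year rotation threshold is an assumption. It flags concurrent production-and-backup access, entitlements that have outlived the assumed tenure limit, privileged users touching the audit log store, changes to two-person targets made without a distinct second approver, activity by someone on mandatory leave, and it emits a supervisor notification for every change to a sensitive record.

```python
"""Added example (not from the Atlanta Fed post): mechanical checks for the
insider-threat principles listed above, run over constructed sample data."""
from collections import defaultdict
from datetime import date

# Constructed entitlement table: (user, role, granted_on). Role names are assumptions.
ENTITLEMENTS = [
    ("alice", "prod-dba", date(2013, 1, 10)),
    ("alice", "backup-admin", date(2013, 3, 2)),     # holds production AND backup access
    ("bob", "prod-dba", date(2013, 2, 1)),
    ("carol", "security-admin", date(2012, 6, 15)),  # granted more than a year ago
    ("dave", "prod-dba", date(2011, 5, 5)),          # granted more than a year ago
]

# Constructed HR feed: users currently on mandatory leave (access should be suspended).
ON_LEAVE = {"dave"}

# Constructed audit log: (seq, user, action, target, approver).
AUDIT = [
    (1, "alice", "read", "audit-log-store", None),        # privileged user reading the logs
    (2, "bob", "modify", "sensitive:cust-1042", None),    # change to a sensitive record
    (3, "carol", "modify", "hids-config", "bob"),         # never-alone satisfied
    (4, "carol", "modify", "hids-config", "carol"),       # self-approval is not a second person
    (5, "dave", "login", "prod-db", None),                # activity while on mandatory leave
]

PROD_ROLES = {"prod-dba"}
BACKUP_ROLES = {"backup-admin"}
PRIVILEGED_ROLES = PROD_ROLES | BACKUP_ROLES | {"security-admin"}
TWO_PERSON_TARGETS = {"hids-config", "security-software"}  # hardware/security-software changes
SENSITIVE_PREFIX = "sensitive:"
MAX_TENURE_DAYS = 365  # assumed rotation interval for the "limited tenure" check


def roles_by_user(entitlements):
    """Map each user to the set of roles currently granted to them."""
    roles = defaultdict(set)
    for user, role, _granted in entitlements:
        roles[user].add(role)
    return roles


def concurrent_access(entitlements):
    """Users holding production and backup access at the same time."""
    roles = roles_by_user(entitlements)
    return sorted(u for u, r in roles.items() if r & PROD_ROLES and r & BACKUP_ROLES)


def stale_entitlements(entitlements, today):
    """(user, role) pairs that have outlived the assumed rotation interval."""
    return sorted((u, r) for u, r, granted in entitlements
                  if (today - granted).days > MAX_TENURE_DAYS)


def audit_findings(audit, entitlements, on_leave):
    """Walk the audit log and return (seq, reason) for every record that needs attention."""
    roles = roles_by_user(entitlements)
    findings = []
    for seq, user, action, target, approver in audit:
        privileged = bool(roles[user] & PRIVILEGED_ROLES)
        # Close supervision: the monitored population must not touch its own logs.
        if target == "audit-log-store" and privileged:
            findings.append((seq, "privileged user accessed audit logs"))
        # Never-alone: critical changes need a second, distinct person.
        if action == "modify" and target in TWO_PERSON_TARGETS and approver in (None, user):
            findings.append((seq, "never-alone rule violated"))
        # Close supervision: every change to a sensitive record is reported to a supervisor.
        if action == "modify" and target.startswith(SENSITIVE_PREFIX):
            findings.append((seq, "sensitive record changed; supervisor notified"))
        # Limited tenure: access is suspended during mandatory leave, so any activity is suspect.
        if user in on_leave:
            findings.append((seq, "activity during mandatory leave"))
    return findings


if __name__ == "__main__":
    today = date(2013, 7, 22)
    print("concurrent prod/backup access:", concurrent_access(ENTITLEMENTS))
    print("entitlements due for rotation:", stale_entitlements(ENTITLEMENTS, today))
    for seq, reason in audit_findings(AUDIT, ENTITLEMENTS, ON_LEAVE):
        print(f"audit #{seq}: {reason}")
```

The approver check deliberately treats self-approval the same as no approval: a "never-alone" control that accepts the actor as their own second person is no control at all. In a real deployment the entitlement table and leave feed would come from the identity and HR systems rather than from literals, and the findings would be routed to a supervisor who is not in the monitored population.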
On the heels of the leak, the NSA director stated that the agency would institute the "never-alone" policy going forward. This may be a case of better late than never, but it signals that the agency's leadership recognizes and values the importance of data security, an overarching principle in the Risk Forum's opinion.
Has your organization incorporated all or some of these principles into data access and system security procedures? What other principles has your organization put into place to mitigate insider threat to data security?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed