Computer Security Resource Center

SP 1800-9 (DRAFT)

Access Rights Management for the Financial Services Sector

Date Published: August 2017
Comments Due: October 31, 2017 (public comment period is CLOSED)
Email Questions to: financial_nccoe@nist.gov

Author(s)

Jim Banoczi (NIST), Sallie Edwards (MITRE), Chinedum Irrechukwu (MITRE), Josh Klosterman (MITRE), Harry Perper (MITRE), Susan Prince (MITRE), Susan Symington (MITRE), Devin Wynne (MITRE)

Announcement

Because of the wide variety of services they offer and their often far-flung structure, financial services firms are complex organizations with multiple internal systems that manage sensitive financial and customer data. These internal systems are typically independent of each other, which makes centralized management and oversight challenging. Complicating matters further are the routine employee movements related to hiring, firing, promotions, and transfers. Roles and responsibilities change constantly within the organization: for example, an admin transfers to another department, a new financial analyst starts tomorrow, and a manager receives a promotion the same day his boss retires.

This movement is normal and even expected for companies of such scale. The Human Resources department and user administrators manage these changes. Since each position requires a specific level of access to data, and information is often scattered in different silos across the organization, control over access rights needs to be reliable, consistent, and easy to manage.
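The joiner, mover and leaver events described above are where access rights drift: a transferred admin keeps the entitlements of the old role unless something compares what each silo currently grants against what the new role requires. The following Python sketch is an added example, not code from SP 1800-9 or from the NCCoE build; it assumes a central role-to-entitlement policy and per-system entitlement snapshots (the role names, system names and entitlement strings are invented for illustration) and computes the grants and revocations needed to bring a user's access back in line with HR's view of their position.

```python
"""Role-based access reconciliation across independent systems.

Added illustration (not part of NIST SP 1800-9): given HR's record of an
employee's current role and the entitlements each silo actually grants,
compute the grant/revoke actions that make access match the role.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical policy: role -> {system: {entitlements}}. In a real deployment
# this is the central authoritative mapping that the silos are reconciled to.
ROLE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "financial_analyst": {"ledger": {"read"}, "reports": {"read", "generate"}},
    "ledger_admin": {"ledger": {"read", "write", "admin"}, "reports": {"read"}},
    "manager": {
        "ledger": {"read"},
        "reports": {"read", "approve"},
        "hr_portal": {"approve_timesheets"},
    },
}


@dataclass
class Employee:
    user_id: str
    role: Optional[str]  # None models a leaver: no role, so no entitlements


@dataclass
class Action:
    system: str
    user_id: str
    entitlement: str
    op: str  # "grant" or "revoke"


def required_entitlements(role: Optional[str]) -> Dict[str, Set[str]]:
    """Entitlements a role should hold in every system. Unknown roles fail
    closed: we refuse to provision rather than guess."""
    if role is None:
        return {}
    if role not in ROLE_POLICY:
        raise ValueError(f"unknown role {role!r}: refusing to provision")
    return ROLE_POLICY[role]


def reconcile(employee: Employee,
              current: Dict[str, Set[str]]) -> List[Action]:
    """Diff the role's required entitlements against what each silo reports.

    `current` is {system: {entitlement}} as returned by each system's
    connector (constructed inline in the examples below). Systems present in
    either side are considered, so access in a silo the new role never
    mentions is revoked rather than silently retained.
    """
    required = required_entitlements(employee.role)
    actions: List[Action] = []
    for system in sorted(set(required) | set(current)):
        have = current.get(system, set())
        need = required.get(system, set())
        for ent in sorted(need - have):
            actions.append(Action(system, employee.user_id, ent, "grant"))
        for ent in sorted(have - need):
            actions.append(Action(system, employee.user_id, ent, "revoke"))
    return actions


def mover_example() -> List[Action]:
    """A ledger admin promoted to manager, still holding the admin rights."""
    snapshot = {"ledger": {"read", "write", "admin"}, "reports": {"read"}}
    return reconcile(Employee("jdoe", "manager"), snapshot)


def leaver_example() -> List[Action]:
    """A retiring manager: HR has cleared the role, every grant goes away."""
    snapshot = {"ledger": {"read"}, "reports": {"read", "approve"},
                "hr_portal": {"approve_timesheets"}}
    return reconcile(Employee("rboss", None), snapshot)


if __name__ == "__main__":
    for a in mover_example() + leaver_example():
        print(f"{a.op:6} {a.user_id}: {a.entitlement} on {a.system}")
```

The point the diff makes visible is that a mover needs revocations as well as grants; without the `have - need` branch the promoted admin keeps `write` and `admin` on the ledger indefinitely. Treating a leaver as a role of `None` reuses the same path, and an unrecognized role raises instead of provisioning anything.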

In collaboration with the financial services community and technology collaborators, the National Cybersecurity Center of Excellence (NCCoE) developed draft cybersecurity guidance, NIST Special Publication 1800-9: Access Rights Management for the Financial Services Sector, which uses standards-based, commercially available technologies and industry best practices to help financial services companies provide a more secure and efficient way to manage access to data and systems.

Abstract

Keywords

access; authentication; authorization; cybersecurity; directory; provisioning

Control Families

Access Control