
The Financial Services Authority (FSA) has warned companies to make sure they have properly configured security systems and set user policies to control access to IT systems.
In its Data Security in Financial Services 2008 report, the FSA said properly configured IT access rights were essential to ensure data was secured.
Inappropriate access to systems could lead to data theft and fraud, it warned. The experience of French bank Société Générale, where trader Jerome Kerviel used his knowledge of IT systems to carry out unauthorised trading that cost the bank £3.6bn, highlighted the need to control access.
But just having the right technology in place is not enough to satisfy the financial services regulator. "There is too much focus on IT controls and too little on office procedures, monitoring and due diligence," the FSA said. "This scattered approach, further weakened when firms do not allocate ultimate accountability for data security to a single senior manager, results in significant weaknesses in otherwise well-controlled firms."
In its report, the FSA assessed 39 UK companies and found "insufficient procedures" were in place to ensure that only those people who required information could access it.
"The most extreme examples included some firms that gave all staff access to all of their customer data, regardless of whether they needed the information to do their jobs," said the report.
Typically, line managers were permitting access on a case-by-case basis with no independent checking, the FSA said. "There is a risk that, without an independent check, this could lead to some staff having inappropriate access to customer data."
The regulator gave an example of a medium-sized insurance company that had a customer database and a workflow monitoring system containing a wide range of sensitive customer data.
"With the exception of medical information, access to this personal data was not restricted according to business need," said the report.
FSA examples of good and poor practice when setting IT system access rights
Good practice
- Specific IT access profiles for each role in the firm, setting out exactly what level of IT access is required for each individual.
- When a staff member changes roles or responsibilities, all IT access rights are deleted from the system and the user is set up as if they were a new joiner at the firm. The complexity of this process is significantly reduced if role-based IT access profiles are in place - the old one can simply be replaced with the new.
- A clearly defined process to notify IT of forthcoming staff departures so IT accesses can be permanently disabled or deleted in a timely and accurate way.
- A regular reconciliation of HR and IT user records to act as a failsafe if the firm's leavers process fails.
- Regular reviews of staff IT access rights to ensure there are no anomalies.
- Least-privilege access to call recordings and copies of scanned documents obtained for "know your customer" purposes.
- Authentication of customers' identities using, for example, a touch-tone telephone before a conversation with a call centre adviser takes place. This limits the amount of personal information and/or passwords contained in call recordings.
- Masking credit card, bank account and other sensitive details, such as customer passwords, where this would not affect employees' ability to do their job.
Poor practice
- Staff having access to customer data they do not require to do their job.
- User access rights set up on a case-by-case basis with no independent check that they are appropriate.
- Redundant access rights allowed to remain in force when a member of staff changes roles.
- User accounts being left "live" or only suspended (not permanently disabled) when a staff member leaves.
- A lack of independent checking of changes made at any stage in the joiners, movers and leavers process.
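The HR-to-IT reconciliation and role-based access profiles listed under good practice can be turned into a routine check that flags each of the poor practices above. The following is an added example, not code from the FSA report or any firm it assessed; the role names, system names and staff records are constructed sample data.

```python
# Role-based access profiles: which systems each role needs (constructed sample;
# role and system names are hypothetical, not from the FSA report).
ROLE_PROFILES = {
    "claims_handler": {"claims_db", "workflow", "doc_scans"},
    "call_centre_adviser": {"crm", "call_recordings"},
    "underwriter": {"claims_db", "policy_admin"},
}

def reconcile(hr_records, it_accounts):
    """Return (user, finding) pairs. hr_records: {user: (role, "active"|"left")};
    it_accounts: {user: ("live"|"suspended"|"disabled", set_of_entitlements)}."""
    findings = []
    for user, (status, entitlements) in it_accounts.items():
        if user not in hr_records:
            findings.append((user, "IT account with no HR record"))
            continue
        role, hr_status = hr_records[user]
        if hr_status == "left":
            # Leavers must be permanently disabled, not merely suspended or live.
            if status != "disabled":
                findings.append((user, f"leaver account still {status}"))
            continue
        # Movers: anything beyond the current role profile is a redundant right.
        extra = entitlements - ROLE_PROFILES.get(role, set())
        if extra:
            findings.append((user, "rights beyond role profile: " + ", ".join(sorted(extra))))
    for user, (role, hr_status) in hr_records.items():
        if hr_status == "active" and user not in it_accounts:
            findings.append((user, "active staff member with no IT account"))
    return findings

# Constructed sample data: bob moved from claims to the call centre and kept
# claims_db; carol left but was only suspended; erin has no HR record at all.
SAMPLE_HR = {
    "alice": ("claims_handler", "active"),
    "bob": ("call_centre_adviser", "active"),
    "carol": ("underwriter", "left"),
    "dave": ("underwriter", "active"),
}
SAMPLE_IT = {
    "alice": ("live", {"claims_db", "workflow", "doc_scans"}),
    "bob": ("live", {"crm", "call_recordings", "claims_db"}),
    "carol": ("suspended", {"claims_db", "policy_admin"}),
    "erin": ("live", {"crm"}),
}

if __name__ == "__main__":
    for user, finding in reconcile(SAMPLE_HR, SAMPLE_IT):
        print(f"{user}: {finding}")
```

Running the check regularly, and having someone other than the line manager review its output, gives the independent check the report says was missing.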