The Financial Services Authority (FSA) has warned companies to make sure they have properly configured security systems and set user policies to control access to IT systems.
In its Data Security in Financial Services 2008 report, the FSA said properly configured IT access rights were essential to ensure data was secured.
Inappropriate access to systems could lead to data theft and fraud, it warned. The experience of French bank Société Générale, where trader Jerome Kerviel used his knowledge of IT systems to carry out unauthorised trading that cost the bank £3.6bn, highlighted the need to control access.
But just having the right technology in place is not enough to satisfy the financial services regulator. "There is too much focus on IT controls and too little on office procedures, monitoring and due diligence," the FSA said. "This scattered approach, further weakened when firms do not allocate ultimate accountability for data security to a single senior manager, results in significant weaknesses in otherwise well-controlled firms."
In its report, the FSA assessed 39 UK companies and found "insufficient procedures" were in place to ensure that only those people who required information could access it.
"The most extreme examples included some firms that gave all staff access to all of their customer data, regardless of whether they needed the information to do their jobs," said the report.
Typically, line managers were permitting access on a case-by-case basis with no independent checking, the FSA said. "There is a risk that, without an independent check, this could lead to some staff having inappropriate access to customer data."
The regulator gave an example of a medium-sized insurance company that had a customer database and a workflow monitoring system containing a wide range of sensitive customer data.
"With the exception of medical information, access to this personal data was not restricted according to business need," said the report.
FSA examples of good and poor practice when setting IT system access rights
- Specific IT access profiles for each role in the firm, setting out exactly what level of IT access is required for each individual.
- When a staff member changes roles or responsibilities, all IT access rights are deleted from the system and the user is set up as if they were a new joiner at the firm. The complexity of this process is significantly reduced if role-based IT access profiles are in place - the old one can simply be replaced with the new.
- A clearly defined process to notify IT of forthcoming staff departures so IT accesses can be permanently disabled or deleted in a timely and accurate way.
- A regular reconciliation of HR and IT user records to act as a failsafe if the firm's leavers process fails.
- Regular reviews of staff IT access rights to ensure there are no anomalies.
- Least-privilege access to call recordings and copies of scanned documents obtained for "know your customer" purposes.
- Authentication of customers' identities using, for example, a touch-tone telephone before a conversation with a call centre adviser takes place. This limits the amount of personal information and/or passwords contained in call recordings.
- Masking credit card, bank account and other sensitive details, such as customer passwords, where this would not affect employees' ability to do their job.
- Staff having access to customer data they do not require to do their job.
- User access rights set up on a case-by-case basis with no independent check that they are appropriate.
- Redundant access rights allowed to remain in force when a member of staff changes roles.
- User accounts being left "live" or only suspended (not permanently disabled) when a staff member leaves.
- A lack of independent checking of changes made at any stage in the joiners, movers and leavers process.