With high-profile security breaches in the news, financial services CIOs are under pressure to maintain customer and client confidence in their institution’s security policies.
Advances in technology, such as biometrics, have introduced new ways to access applications. However, the main method for access remains the password.
CIOs can make their job easier by implementing some of the following best practices for securely managing financial services user passwords.
Make the Passwords Auditable
Financial institutions face special regulatory and compliance mandates, such as SOX. CIOs need to ensure that any password procedures create a trail of when and where passwords are used. This is important, not only for compliance, but for tracking breaches if they occur.
Do Not Share Accounts
Multiple users sharing the same ID compromises auditing. Best practice also calls for never reusing IDs: once assigned, an ID stays with that particular user and is permanently retired when that user is deprovisioned.
Meet the Payment Card Industry Data Security Standard (PCI DSS)
Financial institutions must satisfy certain password criteria to comply with PCI DSS. While these criteria are mandatory for financial institutions, they make good sense as best practices for any enterprise.
Passwords must be more than seven characters long, combine upper- and lower-case letters, numbers, and special characters, and be changed at least every 90 days.
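As an added example (not code from the article or its authors), the Python below applies the criteria just listed to a constructed identity-store export: it reports composition failures, flags passwords past the 90-day rotation window, and, reaching back to the "Do Not Share Accounts" point above, flags any user ID that appears more than once. The record layout and sample dates are assumptions.

```python
import re
from datetime import date, timedelta

# Policy values exactly as the page states them: more than seven characters,
# upper and lower case, digits, special characters, rotation every 90 days.
MIN_LENGTH = 8       # "more than seven characters"
MAX_AGE_DAYS = 90

def check_composition(password: str) -> list:
    """Return the composition rules the password fails (empty list = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not re.search(r"[A-Z]", password):
        failures.append("upper")
    if not re.search(r"[a-z]", password):
        failures.append("lower")
    if not re.search(r"[0-9]", password):
        failures.append("digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("special")
    return failures

def rotation_status(last_changed: date, today: date) -> tuple:
    """Return (overdue, days_remaining); days_remaining is negative once overdue."""
    due = last_changed + timedelta(days=MAX_AGE_DAYS)
    return today > due, (due - today).days

# Constructed sample of an identity-store export (assumed layout, not real data).
SAMPLE_RECORDS = [
    {"user_id": "jdoe",   "last_changed": date(2024, 1, 1)},
    {"user_id": "asmith", "last_changed": date(2024, 3, 15)},
    {"user_id": "jdoe",   "last_changed": date(2024, 3, 20)},  # same ID twice
]
AUDIT_DATE = date(2024, 4, 10)  # constructed "today" for the sweep

def sweep(records: list, today: date) -> list:
    """Return (user_id, finding) pairs: overdue rotations, and IDs seen more than
    once, since a shared ID cannot be tied to one person in the audit trail."""
    findings, seen = [], set()
    for rec in records:
        uid = rec["user_id"]
        if uid in seen:
            findings.append((uid, "id_shared"))
        seen.add(uid)
        overdue, days = rotation_status(rec["last_changed"], today)
        if overdue:
            findings.append((uid, f"rotation_overdue_{-days}d"))
    return findings

if __name__ == "__main__":
    print(check_composition("Abcdef1"))        # ['length', 'special']
    print(sweep(SAMPLE_RECORDS, AUDIT_DATE))   # jdoe overdue by 10 days, jdoe shared
```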
Two-Factor Authentication Must Be Used
There are a number of ways to do this, but there must be two different means of identification as part of the password process. Usually, this would be a unique password code and a unique identifier such as a PIN or card number. This helps reduce identity fraud or theft.
Assign Passwords and IDs to the Individual, Not the Position
Roles in an institution change; assigning the ID and password to the person rather than to the company position means the credentials move with the person to the new role. This helps prevent password duplication and aids in maintaining an audit trail for the password.
Identification Threats Are Ever-Changing
Financial services CIOs, in particular, must be aware of new hacking and phishing techniques. They should not be satisfied that their security is “good enough.” Password security is not something to put into place and forget.
New techniques can make passwords more secure, or in some cases, unnecessary. CIOs need to keep pace to stay ahead of attackers and keep customers and clients safe and confident in their services.