SECURITY ARCHITECTURE INSIDER

Password management best practices for financial services firms


Tony Bradley, Contributor
06.10.2008


While there have been advances in authentication technologies, including biometrics and two-factor authentication mechanisms, the password remains the primary key for accessing the vast majority of systems and services. Many companies have stringent password policies and strictly enforce complex password requirements, but the stakes are arguably higher for firms in the financial services sector. This article looks at some of the requirements related to password security in the finance industry and the effect those requirements have on password management.

Oversight and compliance
Businesses in general have come under increasing scrutiny to ensure they protect the interests of their shareholders, as well as their customers' personal and confidential information. Companies in the financial services sector also face additional oversight from various government agencies and must comply with mandates from a variety of sources.

For example, publicly traded financial firms are subject to the Sarbanes-Oxley Act (SOX), financial institutions broadly to the Gramm-Leach-Bliley Act (GLBA), and any firm that handles payment card data to the Payment Card Industry Data Security Standard (PCI DSS). In addition, the Federal Financial Institutions Examination Council (FFIEC) is the interagency body through which the federal banking regulators (the Federal Reserve Board, FDIC, NCUA and OCC among them) issue uniform examination standards and guidance for the institutions they supervise. Password policy is not spelled out in detail by each of these, but as a primary component of access control, password management is crucial to complying with all of them.

Managing passwords
There are some general password practices that should be followed by any business, financial or otherwise, in order to secure and protect network resources and data. Some of the primary considerations for managing passwords are detailed below, but this list is by no means comprehensive:

Define policy -- Any password-management policy should begin by defining password requirements. Passwords must be complex enough to provide adequate protection, yet not so complex that they result in locked-out users or increased help desk calls.

Shared accounts -- In addition to password complexity, the policy should require that no two users share a single user ID or password. When multiple users share an account, the password is harder to keep confidential, and it becomes impossible to attribute an action to an individual when a security event occurs. Where a shared or generic account cannot be avoided (a service or emergency administrator account, for instance), its password should be checked out through a privileged-password management process that records who used it and when.

Secure storage -- A dedicated attacker who obtains the password file or credential table, together with enough time and computing power, may be able to crack even complex passwords offline, so access to password stores must be restricted to the systems and administrators that genuinely need it. Passwords should never be kept in the clear or in a reversible (encrypted) form that a stolen key would unlock. Store a salted, deliberately slow one-way hash (PBKDF2, bcrypt or scrypt) so that every guess costs the attacker real work, and use a unique salt per account so that identical passwords do not produce identical hashes and precomputed tables are useless.

Auditing -- The password management policy should take auditing requirements into account as well. One of the keys to maintaining passwords and protecting data is the ability to verify that the passwords in use actually meet policy requirements. In addition, there should be an audit trail recording every successful and failed authentication, when it occurred and from where; those records are what attribute an action to a user, reveal password guessing and shared-account use, and provide forensic evidence in the case of a data compromise.
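As an added example (not part of the original article and not code from any product it names), the following Python script runs two of the checks the shared-account and auditing points call for over a handful of constructed authentication records: it flags an account that fails authentication repeatedly inside a short window, and an account that is successfully used from several source addresses close together, which is what a shared user ID looks like in an audit trail. The log format, the thresholds and the sample lines are assumptions made for this illustration.

```python
"""Added example: audit-trail analysis over constructed authentication records.

Editor's illustration; the log format, sample lines and thresholds are
assumptions, not the article's or any vendor's. Two findings are produced:
accounts that failed authentication repeatedly inside a sliding window
(password guessing), and accounts used successfully from several sources
close together (an indicator of a shared user ID, which policy forbids).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; "auth" lines with timestamp, user, source and result.
SAMPLE_LOG = """\
2008-06-10T09:00:05Z auth user=jsmith src=10.1.2.3 result=success
2008-06-10T09:00:09Z auth user=ops_admin src=10.1.2.40 result=success
2008-06-10T09:00:31Z auth user=ops_admin src=10.1.7.8 result=success
2008-06-10T09:01:00Z auth user=mlee src=198.51.100.7 result=failure
2008-06-10T09:01:03Z auth user=mlee src=198.51.100.7 result=failure
2008-06-10T09:01:06Z auth user=mlee src=198.51.100.7 result=failure
2008-06-10T09:01:09Z auth user=mlee src=198.51.100.7 result=failure
2008-06-10T09:01:12Z auth user=mlee src=198.51.100.7 result=failure
2008-06-10T09:01:15Z auth user=mlee src=198.51.100.7 result=failure
2008-06-10T09:02:00Z auth user=ops_admin src=10.1.9.9 result=success
2008-06-10T11:30:00Z auth user=jsmith src=10.1.2.3 result=failure
2008-06-10T14:00:00Z auth user=jsmith src=10.1.2.3 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)


def parse(log_text):
    """Turn raw lines into sorted event dicts; unparsable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production collector should count and alert on these
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "success",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def guessing_suspects(events, threshold=6, window=timedelta(minutes=30)):
    """Accounts with at least `threshold` failures inside any `window` (lockout-style rule)."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def shared_account_suspects(events, window=timedelta(minutes=10), min_sources=3):
    """Accounts successfully used from >= `min_sources` distinct sources within one `window`."""
    logons = defaultdict(list)
    for e in events:
        if e["ok"]:
            logons[e["user"]].append((e["ts"], e["src"]))
    flagged = {}
    for user, entries in logons.items():
        for i, (t0, _) in enumerate(entries):
            sources = {src for t, src in entries[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("guessing:", guessing_suspects(evts))
    print("shared accounts:", shared_account_suspects(evts))
```

Both checks operate only on the audit trail, which is the point: without per-logon records that carry the user, the source and the outcome, neither the guessing attempt against mlee nor the three-location use of ops_admin could be distinguished from normal activity.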

Password compliance
The general password-management considerations described above will help to protect data and network resources, but there are a couple of additional password requirements that apply specifically to the financial industry.

The PCI DSS applies to any business that accepts, processes, transmits or stores payment card data, and it spells out specific password controls for the systems in that environment. As with much of the PCI DSS, the controls are fairly logical and should be in place in most organizations regardless of the standard. Specifically, PCI DSS requires passwords of at least seven characters that contain both alphabetic and numeric characters, changed at least every 90 days and not reused from the previous four, with accounts locked out after no more than six failed attempts. The baseline does not itself demand special characters or mixed case; firms are free to exceed it. Later guidance (NIST SP 800-63B, 2017) dropped mandatory periodic rotation in favour of longer passwords screened against lists of known-compromised passwords, so a policy written to the 90-day rule should be revisited as the standards a firm is held to evolve.
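To make the policy and storage points concrete, here is an added Python example (the editor's illustration, not code from the article, from PCI DSS or from any vendor) that checks a candidate password against the PCI DSS baseline quoted above, stores it as a salted PBKDF2 hash rather than an encrypted value as the secure-storage point recommends, and verifies a logon attempt in constant time while enforcing the 90-day maximum age. The choice of PBKDF2-HMAC-SHA256, the salt length and the iteration count are the editor's assumptions, not requirements of the standard.

```python
"""Added example: password policy check plus salted, slow one-way storage.

Editor's illustration; not code from the article, PCI DSS or any product.
Thresholds follow the PCI DSS baseline quoted in the text (seven characters,
alphabetic and numeric characters, 90-day maximum age). The hash function,
salt length and iteration count are the editor's assumptions.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_LENGTH = 7
MAX_AGE = timedelta(days=90)
ITERATIONS = 310_000   # assumption: raise until one hash costs ~100 ms on the auth server
SALT_BYTES = 16


def policy_violations(password: str) -> list:
    """Return the rules a candidate password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None,
                  set_at: Optional[datetime] = None) -> dict:
    """Build the record to store: a per-account random salt plus a slow one-way hash.

    Neither the password nor anything reversible to it is kept, so a stolen
    credential table yields only hashes that must be cracked guess by guess.
    """
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "salt": salt,
        "hash": digest,
        "iterations": ITERATIONS,
        "set_at": set_at or datetime.now(timezone.utc),
    }


def verify_password(record: dict, attempt: str,
                    now: Optional[datetime] = None) -> tuple:
    """Recompute the hash for the attempt and compare it in constant time.

    Returns (accepted, reason). An expired password is reported separately
    from a wrong one so the caller can force a change rather than refuse.
    """
    now = now or datetime.now(timezone.utc)
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], record["iterations"])
    if not hmac.compare_digest(digest, record["hash"]):
        return False, "bad password"
    if now - record["set_at"] > MAX_AGE:
        return False, "password expired; change required"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("abc1234", "password", "Ledger2008"):
        print(candidate, "->", policy_violations(candidate) or "meets baseline")
    rec = hash_password("Ledger2008")
    print(verify_password(rec, "Ledger2008"))
    print(verify_password(rec, "Ledger2009"))
```

The stored record carries its own iteration count so the cost can be raised for new passwords without invalidating old ones; `hmac.compare_digest` avoids leaking, through timing, how many leading bytes of a guess matched.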

In addition, the FFIEC's guidance on authentication in an Internet banking environment concluded that weaknesses in single-factor authentication (a password alone) have been a root cause of many account compromises, identity theft and fraud. It states that single-factor authentication is inadequate for high-risk transactions, such as access to customer information or movement of funds, and expects institutions to deploy multifactor authentication, layered security or other controls commensurate with the risk. The FFIEC does not specify any particular technology or product. Note that two factors means two different categories of evidence (something the user knows, has or is); a password plus a second password, or a password plus a memorable question, is still single-factor authentication.

Summary
Companies in general are entrusted with a variety of sensitive information about their customers. Businesses in the finance sector are entrusted with information of the most private and confidential nature and carry an even greater burden to protect it. Passwords are the key to ensuring that only authorized users gain access to data, and regulatory mandates spell out requirements for how passwords should be managed and protected. Financial institutions need to ensure that their password policies comply with the regulations that apply to them and, more importantly, that those policies actually preserve the integrity and confidentiality of the data entrusted to them.

About the author:
Tony Bradley is a CISSP, and a Microsoft MVP. He is a Director with Evangelyze, a Microsoft Gold Certified and Voice Premier Partner focused on unified communications technologies. Tony is also a respected expert and author in the field of information security whose work is translated and read around the world. He contributes regularly to a variety of Web and print publications, and has written or co-written eight books. In addition, Tony is the face of the About.com site for Internet / Network Security, where he writes articles and tips on information security and has almost 40,000 subscribers to his weekly newsletter. Mr. Bradley has consulted with Fortune 500 companies regarding information security architecture, policies and procedures, and his knowledge and skills have helped organizations protect their information and their communications.


All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy