Below are the main Application Security controls that should be implemented:
Access to the Application should use Secure Authentication Methods that meet or exceed the Company’s authentication standards. The session should be ended and the user logged out after a stipulated period of inactivity. A stipulated number of consecutive failed login attempts should result in lockout of the account, which should only be unlocked by an administrator. Privileged Access to the Application should ideally use a higher level of security than normal access (for example: multi-factor authentication, more stringent password criteria, etc.). The Business Application Owner should define the following:
- Threshold of idle time before logout of user
- Number of consecutive failed logins before lockout
- Privileged Access vs Normal Access within the Application
Main Points: (Passwords, Inactivity Account Log-Out, Failed Login Attempt Account Lockout, Privileged Access Authentication)
An Access Matrix defining the different Roles and their Privileges within the Application should be documented. The process through which access to the Application can be Requested/Modified/Deleted, and the associated Approvals required, should be defined and documented. The process should also cater for immediate removal of Leaver/Transferee accounts. Audit trails should be created for all access changes using the Company’s Standard Access Request Management platform.
Main Points: (Access Matrix, Access Management Process, Audit Trail Maintenance)
Normal and Privileged Accounts within the Application should be recertified periodically (Normal accounts – at least once a year; Privileged Accounts – at least once every quarter). Evidence of recertification, and of follow-up action taken to correct the access provisioning, should be retained. The process for carrying out recertification, responsible parties, timeframe of execution, follow-up actions, and evidence retention mechanism should be defined and documented.
Main Points: (Access Recertification Process, Evidence Retention)
Activity Logging should be enabled in the Application. The logs should capture the following:
- Timestamp of occurrence of the activity
- User ID carrying out the activity
- Normal activity/transaction details (example: financial transactions, user login/logoff, configuration changes to the application, application exceptions, etc)
- Sensitive activity/transaction details (example: financial transactions beyond a threshold, adding/modifying/deleting customer/user accounts, sensitive configuration changes to the application, user account lockout, critical application exceptions, etc)
Logs should not capture passwords, sensitive Personally Identifiable Information (PII) or Payment Card Information. The Business Application Owner should define the activity/transactions to be captured by the Application.
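The authentication controls above (idle-time logout, consecutive-failure lockout that only an administrator clears) and the logging requirements (timestamp and user ID on every entry, no passwords or PII) can be enforced in one small service layer. The following is an added illustration, not code from the original document; the threshold values, the `FORBIDDEN_LOG_FIELDS` list and the `clock` callable are constructed placeholders for the Business Application Owner's definitions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

FORBIDDEN_LOG_FIELDS = {"password", "card_number", "cvv", "national_id"}  # constructed list

def hash_password(password):
    return hashlib.sha256(password.encode()).hexdigest()  # production: salted KDF (scrypt, argon2)

@dataclass
class Account:
    pw_hash: str
    failed_logins: int = 0
    locked: bool = False                 # cleared only by an administrator, never by the user
    last_activity: Optional[float] = None  # None means no active session

class AuthService:
    def __init__(self, accounts, clock, idle_timeout_s=900, max_failed=5):
        self.accounts, self.clock, self.log = accounts, clock, []
        self.idle_timeout_s, self.max_failed = idle_timeout_s, max_failed  # owner-defined

    def _record(self, user_id, action, **details):  # every entry: timestamp + user id
        clean = {k: v for k, v in details.items() if k not in FORBIDDEN_LOG_FIELDS}
        self.log.append({"ts": self.clock(), "user": user_id, "action": action, **clean})

    def login(self, user_id, password):
        acct = self.accounts.get(user_id)
        if acct is None or acct.locked:
            return False
        if not hmac.compare_digest(hash_password(password), acct.pw_hash):
            acct.failed_logins += 1
            acct.locked = acct.failed_logins >= self.max_failed
            self._record(user_id, "account_lockout" if acct.locked else "login_failed",
                         attempts=acct.failed_logins, password=password)  # password is stripped
            return False
        acct.failed_logins, acct.last_activity = 0, self.clock()
        self._record(user_id, "login")
        return True

    def activity(self, user_id):  # call on each request; enforces the idle-time threshold
        acct, now = self.accounts[user_id], self.clock()
        if acct.last_activity is None:
            return False
        if now - acct.last_activity > self.idle_timeout_s:
            acct.last_activity = None
            self._record(user_id, "logoff", reason="inactivity")
            return False
        acct.last_activity = now
        return True
```

Note that no method on the service can clear `locked`; unlocking is an administrator action on the account record, which is where the audit-trail entry for that access change belongs.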
Activity Log Retention
Activity Logs should be readily available for review by the responsible party. Activity logs should be retained in backup for a defined lifetime, as is the current practice within the Company.
Privileged Account Identification
Privileged access gives an elevated level of access in order to perform a task on operating systems, databases, network devices and applications. Privileged accounts include those that:
- Have the ability to create other accounts, delete existing accounts or change the privileges of accounts; and/or
- Have the ability to modify system security and critical application configurations (examples: Password Requirements, Transaction limits, Portfolio limit, Watch List Monitoring Parameters, etc); and/or
- Bypass system security controls (example: delete logs, turn off security services, modify data in the backend application database directly).
Privileged Activity Review
Sensitive activity/transactions should be reviewed periodically by a Responsible Party. The process for carrying out review of sensitive activity/transactions, parties responsible for performing the review, timeframe for review, follow-up actions, format of storage of evidence of review and evidence retention mechanisms should be defined and documented.
Main Points: (Sensitive Activity Review Process, Evidence Retention)
Data Integrity and Confidentiality should be protected in transit, storage and in disposal. Secure electronic data transfer/access mechanisms (based on SSL/TLS) should be used.
Financial Institutions (FIs) should implement two-factor authentication at login for all types of online financial systems, and transaction signing for authorizing transactions from customers.
Location based Access Control
Software-as-a-Service used by the Company over the Internet should restrict access to the Company’s staff by allowing connections only from the Company’s office locations (based on source IP address).