EBA/EIOPA: What are the security recommendations for Information and Communication Technology (ICT)?
In 2019, the European Banking Authority (EBA) published guidelines on managing ICT and security risks. These guidelines were subsequently adopted by the European Insurance and Occupational Pensions Authority (EIOPA).
Although these guidelines were published and implemented after PSD2 was adopted in 2015, their scope is much broader: they relate to all financial institutions, including banks, credit unions, insurance companies, pension funds and investment firms.
This article will explain the context, scope and nature of the guidelines, with a focus on user access rights and reviews, Brainwave GRC’s area of expertise.
Context and background of the EBA and EIOPA guidelines
What are EBA and EIOPA?
The European Banking Authority (EBA) is an independent authority of the European Union. It is responsible for ensuring an effective and consistent level of regulation and supervision throughout the European banking sector. The main tasks of the EBA include maintaining financial stability within the EU and ensuring the integrity, efficiency and proper functioning of the banking sector.
In this role, it issues guidelines to assist participants in the banking sector; the guidelines discussed here are intended to give financial institutions direction on how to ensure that ICT risks are properly managed.
Like the EBA, the European Insurance and Occupational Pensions Authority (EIOPA) is an independent European agency which is accountable to the European Parliament, the Council of the European Union and the European Commission. As an agency of the European Union, it performs specific legal, technical or scientific tasks and has an advisory role. It contributes to the development of informed policies and laws at both the European and national levels.
Key Dates in the EBA and EIOPA Guidelines
| Year | Event |
|------|-------|
| 2015 | The Payment Services Directive (PSD2) is adopted by the European Parliament. Its aim is to harmonize the rules that apply to users of payment services within the European Union. |
| 2017 | The European Banking Authority (EBA) publishes a first set of guidelines on the security measures for operational and security risks of payment services, in support of PSD2. |
| 2019 | PSD2's regulatory technical standards on strong customer authentication become applicable. The same year, the EBA publishes its guidelines on ICT and security risk management which, unlike the 2017 guidelines, target a wider range of financial institutions: credit institutions, investment firms and payment service providers. Competent authorities (the European Central Bank and national supervisors) must also make every effort to comply with them. |
| 2020 | The 2019 guidelines apply from 30 June 2020 and repeal those of 2017. |
What are the regulatory obligations within the EBA/EIOPA guidelines?
Although the guidelines issued by the EBA and the EIOPA are not regulations in themselves, every institution within their scope is expected to apply them: under Article 16(3) of Regulation (EU) No 1093/2010, competent authorities must either comply with them or explain why they do not.
Is there flexibility for financial institutions within the EBA guidelines?
Consider for a moment the choice of words in the introduction of the guidelines:
“In accordance with Article 16(3) of Regulation (EU) No 1093/2010, competent authorities and financial institutions must make every effort to comply with the guidelines.”
Simply put, financial institutions are expected to make every effort to comply with the guidelines, which also contain a set of recommendations to which they should adhere.
The EIOPA guidelines: an aligned strategy with clear objectives
In fact, the guidelines as defined by the EIOPA are so similar to those of the EBA that the chapter on logical security is practically a carbon copy of the EBA guidelines.
The similarity of the documents produced by the EBA and the EIOPA is intended to prevent inconsistencies between the banking and insurance sectors. The EIOPA has chosen to follow the guidelines provided by the EBA to make them applicable to all financial institutions. In the guidelines issued, EIOPA clarifies its approach and is transparent about its minimum expectations. Market participants are invited to:
- implement a standard set of information and cybersecurity measures, and
- implement independent and objective controls, dissociated from ICT operations.
What are the main directives?
In total, eight separate sections are detailed within the guidelines:
- Proportionality
- Governance and strategy
- ICT and security risk management
- Information security
- ICT operations management
- ICT project and change management
- Business continuity management
- Payment service user relationship management
These guidelines build on existing frameworks and standards that many organizations already apply, such as COBIT and the ISO/IEC 27000 family.
The following is a closer look at the section dedicated to information security and more specifically the security of logical access rights.
What should be retained from information security and logical security?
While the guidelines defined by the EBA and the EIOPA deal with the security of information and communication technologies, our focus here is mainly on the fourth section, which deals more specifically with information security. The chapters that make up this section are discussed here.
What are the priorities for information security?
The section dedicated to information security is composed of seven sub-sections, mostly oriented towards organizational security:
- Information security policy
- Logical security
- Physical security
- ICT operations security
- Security monitoring
- Information security reviews, assessment and testing
- Information security training and awareness
Once again, the scope of coverage is relatively broad and in line with the core directives outlined above.
Products and tools for dealing with cyber threats are not the focus. The guidelines do not prescribe, for example, a particular antivirus or intrusion detection product to counter malware. The principles discussed here are general security principles to be applied within organizations.
An explanation of the expectations directly related to the issues surrounding logical security follows.
What are the minimum requirements for logical security?
The EBA specifies its minimum requirements in the form of seven security principles.
Principles of least privilege, separation of duties and need-to-know
The principles of least privilege and need-to-know rest on the idea that the access rights granted to each employee must be limited to what their job requires. Consistency must therefore be maintained between each employee's role, responsibilities and tasks and the authorizations actually granted to them. For instance, there is no need for administrator access when read-only access to a resource is sufficient.
The principle of segregation of duties, on the other hand, recognizes that certain access rights and authorizations are incompatible with each other: when a single person holds both, the risk of information theft, cyber attack and fraud is high. To avoid this, the organization must document the combinations of access rights that are toxic and check that no user actually holds one of them, whether through a single account or spread across several.
How can one be sure that every account and access right is assigned to a real person, and in particular to an employee? The principle of user accountability addresses exactly this question: generic or shared accounts are prohibited, and every business account and access right in the organization is assigned to a distinct employee with a specific identity.
A number of measures help enforce the access control policies and procedures to which organizations are subject, two of them being strong password requirements and strong authentication (for example two-factor authentication). These measures should be proportionate to the risk associated with the ICT systems and the information each employee can access.
Access management ensures that access is granted and revoked in a timely manner. When a new employee arrives, the organization must be able to grant them the access they need; conversely, when someone leaves or changes role, access they no longer need should be revoked as quickly as possible.
Privileged access rights
Because they give access to particularly sensitive resources and carry a higher level of authorization, privileged access rights and accounts call for specific management processes to protect them. These high-privilege accesses must be identified and assigned deliberately, and their use must be tracked over time and secured.
Recording user activities
In order to avoid unauthorized modification or deletion of sensitive data and assets, it is advisable to log and monitor all activities by privileged users and to keep a history of these activities for a period of time relevant to the critical nature of the resources involved.
The value of running access recertification campaigns
Unlike the first six principles, access recertification (also commonly known as user access review) is not a security principle or a business process but a control that needs to be implemented.
While it can be tedious to perform, the user access review should be considered a must-do activity, as the EBA's own wording makes clear:
“Access recertification: access rights should be periodically reviewed to ensure that users do not possess excessive privileges and that access rights are withdrawn when no longer required.”
Beyond its role in meeting the guidelines, the user access review adapts to a wide range of situations:
- it provides assurance that the operational processes (account management, access rights management) are compliant and keep risk under control,
- it applies to any system or application, on premises or in the cloud, and to organizations of any size, because the process itself is flexible, and
- it fits naturally into the three lines of defense model widely used by financial institutions.
The user access review is one of the ways to meet the EBA and EIOPA guidelines on the security of logical access rights. It is important, however, to fully grasp what is at stake and to keep its execution under control.
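The logical-security principles described earlier (least privilege and segregation of duties, user accountability, timely revocation for leavers) and the recertification control can all be expressed as checks over an entitlement export joined to the HR roster. The following is an added worked example written for this article; it is not Brainwave GRC's own code. The CSV column names, the review and dormancy thresholds, and all roster and account data are constructed assumptions, and the `sod_violations`, `unaccountable_accounts`, `leaver_accounts` and `recertification_due` functions are illustrative names.

```python
"""Logical access checks over an entitlement export: toxic combinations,
shared/orphaned accounts, leavers, and a recertification worklist.
Added illustration, not Brainwave GRC code; columns, thresholds and data
are constructed assumptions."""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed HR roster: the list of real, identified people.
HR_ROSTER = """employee_id,name,status,termination_date
E100,Alice Martin,active,
E101,Bob Chen,active,
E102,Carol Diaz,terminated,2024-03-31
"""

# Constructed account/entitlement export from two applications.
ACCOUNT_EXPORT = """application,account,owner_employee_id,entitlement,last_login,last_reviewed
payments,amartin,E100,PAY_CREATE,2024-06-01,2024-01-15
payments,amartin,E100,PAY_APPROVE,2024-06-01,2024-01-15
payments,bchen,E101,PAY_APPROVE,2024-06-02,2024-05-20
payments,bchen_2,E101,PAY_CREATE,2024-06-02,2024-05-20
payments,cdiaz,E102,PAY_CREATE,2024-03-15,2023-11-01
payments,svc_batch,,PAY_ADMIN,2024-06-03,2023-09-01
payments,shared_ops,,PAY_CREATE,2024-06-03,2024-05-20
ledger,bchen,E101,GL_POST,2024-05-30,2024-05-20
ledger,dlee,E103,GL_ADMIN,2023-01-10,2023-01-10
"""

# Documented toxic combinations (segregation of duties), per application.
SOD_RULES = [
    ("payments", "PAY_CREATE", "PAY_APPROVE", "create and approve a payment"),
    ("ledger", "GL_POST", "GL_ADMIN", "post to and administer the ledger"),
]

def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def sod_violations(accounts, rules):
    """Evaluated per person across all of their accounts in an application,
    so splitting rights over two accounts does not hide a conflict.
    Unowned accounts are judged on their own."""
    held = defaultdict(set)  # (application, person) -> entitlements held
    for row in accounts:
        person = row["owner_employee_id"] or row["account"]
        held[(row["application"], person)].add(row["entitlement"])
    findings = []
    for (app, person), ents in held.items():
        for rule_app, a, b, why in rules:
            if app == rule_app and a in ents and b in ents:
                findings.append((person, app, why))
    return sorted(findings)

def unaccountable_accounts(accounts, roster):
    """Accounts not tied to a distinct known identity: generic/shared
    accounts with no owner, and orphans whose owner is unknown to HR."""
    known = {r["employee_id"] for r in roster}
    findings = set()
    for row in accounts:
        owner = row["owner_employee_id"]
        if not owner:
            findings.add((row["application"], row["account"], "no named owner"))
        elif owner not in known:
            findings.add((row["application"], row["account"], "owner %s not in HR roster" % owner))
    return sorted(findings)

def leaver_accounts(accounts, roster):
    """Accounts still present for people HR has marked as terminated."""
    status = {r["employee_id"]: r["status"] for r in roster}
    return sorted({(row["application"], row["account"]) for row in accounts
                   if status.get(row["owner_employee_id"]) == "terminated"})

def recertification_due(accounts, as_of, review_days=180, dormant_days=90):
    """Worklist for the periodic review: assignments not reviewed within
    review_days, and assignments unused for dormant_days (thresholds are
    assumptions; set them from the criticality of the system)."""
    items = []
    for row in accounts:
        reasons = []
        if as_of - date.fromisoformat(row["last_reviewed"]) > timedelta(days=review_days):
            reasons.append("review overdue")
        if as_of - date.fromisoformat(row["last_login"]) > timedelta(days=dormant_days):
            reasons.append("dormant")
        if reasons:
            items.append((row["application"], row["account"], row["entitlement"], ", ".join(reasons)))
    return sorted(items)

def run_review(as_of="2024-06-30"):
    """Run every check against the constructed data as of the given date."""
    roster = parse_csv(HR_ROSTER)
    accounts = parse_csv(ACCOUNT_EXPORT)
    today = date.fromisoformat(as_of)
    return {
        "sod": sod_violations(accounts, SOD_RULES),
        "unaccountable": unaccountable_accounts(accounts, roster),
        "leavers": leaver_accounts(accounts, roster),
        "recertify": recertification_due(accounts, today),
    }

if __name__ == "__main__":
    for check, findings in run_review().items():
        print(check)
        for finding in findings:
            print("   ", *finding)
```

Running the script prints one finding list per check. Note that Bob's toxic combination only surfaces because the segregation-of-duties check aggregates entitlements per person rather than per account, which is exactly the case a review done account by account misses; the unowned service and shared accounts, the leaver's surviving account and the stale, dormant admin assignment are the items a reviewer would expect to land on the recertification worklist.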