Is the authentication mechanism for end users (e.g., PIN, static password, dynamic password, digital certificate) implemented in accordance with the **Authentication Domain Standards (ADS)**? Guidance: If users are entitled only to read Internal non-PII data or Public data with no transaction capabilities, ...
Is the authentication mechanism for administrator (e.g., PIN, static password, dynamic password, digital certificate) implemented in accordance with CISS and Authentication Domain Standards (ADS)? Guidance : Since administrators are typically not only limited to read Internal non-PII, or Public data, ...
Does the application use an EATDS-approved mechanism for password resets? Guidance: It is a sound security practice to use a challenge/response mechanism to verify the user's identity for password reset, especially for high-criticality applications. Other mechanisms for low-criticality applications can ...
Does the application use an EATDS approved authentication protocol? Guidance : A secure mutual authentication protocol with a proper key management scheme to encrypt credentials (e.g., passwords) should be used. Examples include Kerberos or SSL/TLS or SSHv2. One-time or dynamic password can be sent in ...
If the intranet application is using shared authentication services, is an EATDS-approved solution a part of the design? Guidance : It can reduce a lot of overhead and reduce the development effort if the application can leverage and integrate with an existing SSO application or another approved SSO ...
Is data at the Confidential level or above (including Authentication data) protected during transmission in accordance with CISS and with an EATDS-approved solution? Guidance : Appendix A.1 establishes requirements as to when bank information must be encrypted. The following table describes the encryption ...
Does the application log all security relevant events in accordance with the applicable logging standards outlined in CISS and (Application Event Logging Standards [AELS] or Infrastructure Security Event Logging Standards [ISELS])? Guidance : The answer should be 'Yes' since to comply with CISS all attempted ...
Does the application prevent unauthorized access and modifications to the audit logs to ensure that logs cannot be overwritten or modified by the system users whose activity they track? Guidance: Audit Log Protection and Integrity. Does the application prevent unauthorized access and modifications to ...
If there is an admin/support interface for help desk users, are actions performed through that interface being logged according to AELS? Guidance : Administrative interfaces are desirable to make sure that proper procedures are followed and so that help desk activities can be directly audited through ...
Does the application protect/encrypt database connection strings (i.e., passwords) in local storage? Guidance : Database connection strings contain authentication data and, therefore, must be encrypted in storage. Encrypted connection strings and encryption keys must be protected. The function of decrypting ...
Does the application enable/implement a secure protocol (e.g., SSL) to protect database passwords in transit? Guidance : Database connection strings containing passwords must be encrypted in transit when the application and the database are not running on the same platform. In general, most database ...
Is the Legal Department approved banner text, when supported by the application, displayed at all entry points where a user initially signs on or is authenticated? Guidance: If there is a need to support banner text, Legal-approved banner text must be displayed at all entry points where a user initially ...
Is bank software (developed internally or externally) updated and patched in accordance with the VTM process? Guidance : Vulnerability and Threat Management Technical Standards
Does the application enforce a password strength policy of: - For Active Directory, Siteminder and LDAP, static passwords (other than PINS) must contain a minimum of 8 characters, which must contain both letters and numbers , and be case sensitive - Password different from the username - For all other ...
Does the application enforce a session timeout after a period of inactivity not exceeding 30 minutes? Are the users required to re-authenticate after session timeout? [Note that where enforcement is provided by the password protected screen saver, Application/SSO enforcement is not required for intranet ...
Does the application have a process to disable inactive accounts after a period of time not exceeding 100 calendar days? (Functional IDs and customer login IDs are exempt). Guidance: To comply with the CISS, user IDs must be disabled after a stated period of inactivity, except for customer-facing applications. ...
If digital certificates are used, are they issued by an EATDS approved CA? Guidance : Digital certificates used by the application should be issued by EATDS approved certificates providers. Self-signed certificates are strongly discouraged, but may be acceptable for testing purposes, PGP, and point-to-point ...
If the application supports an auto re-enablement of locked accounts, does it use CATE certified approved automatic soft lock out process? Guidance : Auto re-enablement of accounts (accounts which do not require explicit action to unlock) must be unlocked through either an Information Security Administration ...
Does the application mask/obfuscate Confidential PII and above data in the log files (if captured), and does it refrain from logging cryptographic key values and authentication data (e.g., passwords, PINs)? Guidance : Confidential PII and above data (including keys and passwords) must not be contained ...