Security Awareness Training (SAT) Text
Review the text of the SAT below.
Security Awareness Training MUST be taken every 365 days.
This Security Awareness Orientation addresses the following topics.
- The definition and importance of Security Awareness and Information Security
- The Federal laws, regulations, and FDIC directives that relate to these topics
- The consequences of user security violations
In addition, the CDR’s General Rules of Behavior provide instruction for using computer systems and safeguarding information. They address the following topics.
- The need for and preservation of confidentiality
- Physical security
- Incident reporting
- Virus detection and prevention
- The importance and meaning of Access Control
- Dial-in access and telephone use
- Contacts
The topics listed below are covered in the sections to follow.
- The importance of security in the CDR
- The definition of “sensitive” information
- CDR Access Levels
- Gaining Access to the CDR
- The CDR’s Rules of Behavior
Why is security important in the CDR?
- The CDR system is authorized and required to operate using NIST SP 800-53 Moderate level controls. The moderate impact level indicates that the loss of confidentiality, integrity, or availability of data could result in serious adverse effects on an agency's operations, assets, or individuals.
- The CDR exchanges information with other applications
- The confidentiality of some CDR data is restricted
What is “Sensitive” Information?
According to FDIC Circular 1360.9, Sensitive Information is:
Any information where the loss, misuse, or unauthorized access to or modification of which could adversely impact the interests of the FDIC in carrying out its mission or the privacy to which individuals are entitled. It includes, but not exclusively, the following:
- Information that is exempt from disclosure under the Freedom of Information Act (FOIA), such as trade secrets and commercial or financial information, information compiled for law enforcement purposes, personnel and medical files, and information contained in bank examination reports;
- Information under the control of the FDIC and contained in a Privacy Act system of record that is retrieved using an individual's name or by other criteria that identifies an individual;
- Personally Identifiable Information (PII) about individuals maintained by the FDIC that, if released for unauthorized use, may result in financial or personal damage to the individual to whom such information relates. Sensitive PII, a subset of PII, may be comprised of a single item of information (e.g., Social Security Number) or a combination of two or more items (e.g., full name along with financial, medical, criminal, or employment information). Sensitive PII presents the highest risk of being misused for identity theft or fraud;
- Information about insurance assessments, resolution and receivership activities, as well as enforcement, legal, and contracting activities; and
- Information related to information technology specific to the FDIC that could be misused by malicious entities (e.g., internal IP addresses, server names, firewall rules, encryption and authentication mechanisms, and network architecture pertaining to the FDIC).
What CDR Data is Considered Sensitive?
The majority of Call data is public information, except for those items listed in the General Instructions section of the Call Report instructions, all entity contact information, edit explanations by institutions, and analyst comments. The confidentiality of Call data elements is determined by the FFIEC Task Force on Reports. The confidential determination of data elements is modified from time to time, i.e., a data element deemed confidential in one quarter may be classified as non-confidential in a subsequent quarter and vice-versa.
Application Security Architecture
The application security architecture of the CDR is based on authentication, authorization, and role based access control (RBAC).
Authentication
The CDR calls for the following types of authentication.
- Authentication via web browser (used by users who directly access the CDR using the internet)
- Authentication via web services (used by users who access the CDR via software vendor’s applications)
Authentication methods include the following.
- User Name and multifactor authentication (MFA)
- Certificates
Authorization
The application security architecture is based on role-based security. Consequently, a user is authorized to use a particular application resource if and only if the user has been authenticated and the resource role is contained in the set of roles assigned to the user. Roles may be assigned to a user only by the CDR Security Administrator or by the Delegated Site Administrator (DSA) of the user's organization.
CDR Security Administrators manage users across all the organizations that exist within the CDR. The CDR allows users that belong to the FFIEC agencies, Financial Institutions (banks) or Report Data Preparation Software Vendors the ability to register themselves with the CDR. DSAs are created for each organization within the CDR to manage the users that belong to their respective organizations. Registration requests for accounts within the CDR must be approved either by the DSA of the organization that a user is registering for, or by the CDR Security Administrators.
A CDR Security Administrator or a DSA assigns roles to a user based upon the access privileges that the user would need to perform their job function. Certain users within the CDR may perform more than one role. CDR Security Administrators and DSAs may assign roles by a Role Group.
For example, the "Financial Institution" role group contains the following roles: Call Report Submitter, Data Series Viewer, etc. A CDR Security Administrator or a DSA may assign one or more of these roles to a user within a Financial Institution. If a user were to be assigned the "Call Report Submitter" role, the user would gain the following entitlements (or rights): Access Call Report Submission Utility, Access Financial Data Processing, View Call Report Received Notification, View Call Report Rejected Notification, etc.
CDR users will be automatically logged out of the application after 30 minutes of inactivity.
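The authorization rule above (authenticated AND the resource's role is in the user's assigned role set), the restriction that only a CDR Security Administrator or the user's own organization's DSA may assign roles, the role-group-to-role-to-entitlement mapping, and the 30-minute inactivity logout can all be expressed as one small access-control model. The code below is an added illustration written for this page; it is not CDR code. Role, role-group and entitlement names are taken from the text where it gives them; the "View Data Series" entitlement, the organization names and the timestamps are constructed sample data.

```python
"""Toy model of the CDR-style RBAC decision described in the training text.
Added example, not CDR code. Names marked 'constructed' are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set

# Role group -> roles it contains. The text names these two members of the
# "Financial Institution" group and elides the rest with "etc.".
ROLE_GROUPS = {
    "Financial Institution": {"Call Report Submitter", "Data Series Viewer"},
}

# Role -> entitlements (rights). The four Submitter entitlements are the ones
# the text lists; the Viewer entitlement is a constructed placeholder.
ROLE_ENTITLEMENTS = {
    "Call Report Submitter": {
        "Access Call Report Submission Utility",
        "Access Financial Data Processing",
        "View Call Report Received Notification",
        "View Call Report Rejected Notification",
    },
    "Data Series Viewer": {"View Data Series"},  # constructed
}

INACTIVITY_TIMEOUT = timedelta(minutes=30)  # automatic logout, from the text


@dataclass
class User:
    username: str
    organization: str
    authenticated: bool = False
    roles: Set[str] = field(default_factory=set)
    last_activity: Optional[datetime] = None


def can_assign_role(admin_role: str, admin_org: str, target: User) -> bool:
    """Only a CDR Security Administrator, or the DSA of the target user's own
    organization, may assign roles (a DSA of another organization may not)."""
    if admin_role == "CDR Security Administrator":
        return True
    return admin_role == "DSA" and admin_org == target.organization


def assign_role(admin_role: str, admin_org: str, target: User,
                role: str, group: str) -> None:
    """Assign one role from a role group, enforcing who may do the assigning."""
    if not can_assign_role(admin_role, admin_org, target):
        raise PermissionError("not permitted to assign roles to this user")
    if role not in ROLE_GROUPS.get(group, set()):
        raise ValueError(f"{role!r} is not a member of role group {group!r}")
    target.roles.add(role)


def session_expired(user: User, now: datetime) -> bool:
    """A session with no activity for more than 30 minutes is logged out."""
    if user.last_activity is None:
        return True
    return now - user.last_activity > INACTIVITY_TIMEOUT


def entitlements(user: User) -> Set[str]:
    """Union of the rights granted by every role the user holds."""
    rights: Set[str] = set()
    for role in user.roles:
        rights |= ROLE_ENTITLEMENTS.get(role, set())
    return rights


def is_authorized(user: User, resource_role: str, now: datetime) -> bool:
    """The page's rule: authenticated, still within the inactivity window,
    and the role the resource requires is in the user's assigned roles."""
    if not user.authenticated or session_expired(user, now):
        return False
    return resource_role in user.roles


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)  # constructed timestamp
    alice = User("alice", "Sample Bank")  # constructed user and organization
    assign_role("DSA", "Sample Bank", alice, "Call Report Submitter",
                "Financial Institution")
    alice.authenticated = True
    alice.last_activity = now
    print(sorted(entitlements(alice)))
    print(is_authorized(alice, "Call Report Submitter", now))
    print(is_authorized(alice, "Call Report Submitter",
                        now + timedelta(minutes=31)))  # idle too long
```

Note that the check is deny-by-default on every axis: an unauthenticated user with the right role, an authenticated user lacking the role, and an authenticated user whose session has idled past 30 minutes are all refused, which is the behaviour a reviewer should expect to see in any implementation of the rule described above.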
Gaining Access to the CDR
Individuals MUST request a CDR account in their own name. CDR accounts MUST NOT be shared by multiple users. Users may request a CDR account by clicking the "Request An Account" link on the CDR Application Login page.
Delegated Site Administrators (DSA)
A Delegated Site Administrator (DSA) manages user accounts for their organization.
The organization's DSA must be the FIRST account requested for the organization. The CDR Security Administrators verify the identity of the DSA account requestor and then create the account with appropriate roles. Subsequent user accounts for the organization are created and assigned roles by the organization's DSA. Each organization should set up and maintain two DSAs to ensure adequate user support.
DSAs are responsible for managing all user accounts for their organization. The CDR responsibilities and duties that all DSAs must accept on behalf of their organization include:
1. Serve as an institution's delegated authority and liaison for access to the system by people (users) affiliated with the institution;
2. Ensure that only people who are known to (identity-proofed by) the institution, deemed suitable (vetted) for access by the institution, and authorized by the institution have access to the system by:
   a. Coordinating with other DSAs from the institution on all access management functions for users from the institution;
   b. Identifying users from the institution who require access to the system to perform authorized actions on behalf of the institution;
   c. Reviewing, validating, and adjudicating (approve/disapprove) requests to access the system by users in the institution;
   d. Managing ongoing access to the system by users in the institution, including but not limited to:
      i. managing which roles are assigned to users at the institution;
      ii. certifying at least annually that users from the institution still require access to the system;
      iii. promptly revoking access for institution users when it is no longer required, e.g., individual is no longer employed by the institution;
      iv. authorizing and maintaining the email domains the system uses to communicate with users affiliated with the institution;
3. Promote good cybersecurity practices, including, but not limited to:
   a. promptly reporting any incident of actual or suspected unauthorized access or malicious activity to 1-888-CDR-3111 or cdr.help@cdr.ffiec.gov;
   b. taking all measures necessary to prevent unauthorized access to the system, e.g., prohibiting the sharing of accounts or login credentials, and ensuring that sessions are not left open on unattended systems;
   c. promptly terminating any unauthorized access;
4. Ensure that authorized users from the institution perform all required actions correctly and on time; and
5. Advise institution users how to access the system and perform authorized actions.
Non-DSAs
Non-DSA accounts may also be requested using the "Request An Account" link on the CDR Application Login page.
Requested accounts are sent to the DSA of the organization selected in the request.
The DSA verifies the identity of the requestor and then creates the account and assigns appropriate roles.
CDR User Accounts and Multifactor Authentication (MFA)
- After account creation, CDR users receive an invitation email from invites@microsoft.com to complete the registration process.
- The invitation link in the email prompts the user to authenticate using their credentials for their organization's identity provider (IDP) (i.e., email, password and MFA challenge) and then accept conditions for accessing the CDR system.
- After accepting, CDR users may log into CDR from the CDR Application Login page by entering their CDR username and then authenticating using their credentials for their organization's IDP.
Conclusion
- CDR security is the responsibility of all users.
- Violating CDR security measures may cause harm to FFIEC and its clients and can lead to severe disciplinary actions, including civil and criminal charges for users.