Security Awareness Training MUST be taken every 365 days.

This Security Awareness Orientation addresses the following topics.

• The definition and importance of Security Awareness and information Security
• The Federal laws, regulations, and FDIC directives that relate to these topics
• And the consequences of user security violations

In addition, The CDR’s General Rules of Behavior provide instruction for using computer systems and safeguarding information. They address the following topics.

• The need for and preservation of confidentiality
• The creation and use of strong passwords
• Physical security
• Incident reporting
• Virus detection and prevention
• The importance and meaning of Access Control
• Dial-in access and telephone use
• Contacts

The topics listed below are covered in the sections to follow.

• The importance of security in the CDR
• The definition of “sensitive” information
• CDR Access Levels
• Gaining Access to the CDR
• The CDR’s password policies and procedures
• The CDR’s Rules of Behavior

Why is security important in the CDR?

• The CDR is a MAJOR application as defined by OMB A-130, Appendix III

…system that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application

• The CDR exchanges information with other applications
• The confidentiality of some CDR data is restricted

What is “Sensitive” Information?

According to FDIC Circular 1360.8, the characteristics of data sensitivity are: confidentiality, integrity, and availability.

• Confidentiality is defined as the degree to which data must be protected from unauthorized disclosure. The 3 levels of data confidentiality include: Public Use; Official Use, and Restricted Use.
• Integrity is defined as the degree to which data must be protected from unauthorized or unintentional alteration or destruction. The 3 levels of data integrity include: No Update; Limited Update; Controlled Update.
• Availability is defined as the degree to which data must be available and protected against loss of use to ensure uninterrupted business operations. The 3 levels of data availability include: Limited Impact; Important; Critical.

What CDR Data is Considered Sensitive?

The majority of Call data is public information, except for the Fiduciary and Related Services Income data in items 12-23 of Schedule RC-T (Fiduciary and Related Services) of FFIEC forms 031 and 041, all of Memorandum Item 4 (Fiduciary settlements, surcharges, and other losses) of the same Schedule , all entity contact information, edit explanations by institutions, and analyst’ comments. The confidentiality of Call data elements is determined by the FFIEC Task Force on Reports. The confidential determination of data elements is modified from time to time, i.e., a data element deemed confidential in one quarter may be classified to be non-confidential in a subsequent quarter and vice-versa.

Application Security Architecture

The application security architecture of the CDR is based on authentication, authorization, and role based access control (RBAC).

Authentication

The CDR calls for the following types of authentication.

• Authentication via web browser (used by users who directly access the CDR using the internet)
• Authentication via web services (used by users who access the CDR via software vendor’s applications)

Authentication methods include the following.

• User Name/password validation
• Certificates
• Kerberos

Authorization

The application security architecture is based on role based security. Consequently, a user is authorized to use a particular application resource if and only if the user has been authenticated and the user’s role is contained in the set of roles assigned to the resources. Roles may be assigned to a user only by the CDR Security Administrator or by the Delegated Site Administrator of an organization.

The CDR Security administrators have the ability to manage users across all the organizations that exist within the CDR. The CDR allows users that belong to the FFIEC agencies, Financial Institutions (banks) or Call Report Preparation Software Vendors the ability to register themselves with the CDR. Delegated Site Administrators (or DSA’s) are created for each organization within the CDR to manage the users that belong to their respective organizations. Registration requests for accounts within the CDR must be approved either by the Delegated Site Administrator for the organization that a user is registering for, or by the Security Administrators.

A Security Administrator or a Delegated Site Administrator assigns roles to a user based upon the access privileges that the user would need to perform their job function. Certain users within the CDR may perform more than one role. The CDR allows Site Administrators and Delegated Site Administrators the ability to assign roles based by a Role Group.

For example

The “Financial Institution” role group contains the following roles: Call Report Submitter, Data Series Viewer …etc. A CDR Security Administrator or a Delegated Site Administrator may assign one or more of these roles to a user within a Financial Institution. If a user were to be assigned the “Call Report Submitter” role; the user will gain the following entitlements (or rights ) : Access Call Report Submission Utility, Access Financial Data Processing, View Call Report Received Notification,, View Call Report Rejected Notification …etc.

CDR users will be automatically logged out of the application after 30 minutes of inactivity.

Gaining Access to the CDR

Individuals MUST request a CDR account in their own name. CDR accounts MUST not be shared by multiple users. Use the “Self Registration Utility” to request accounts within the CDR. To access the registration utility, click on the “Request Account” button on the CDR login page.

Delegated Site Administrators

All organizations within the CDR are required to have at least one Delegated Site Administrator. The DSA account request is the FIRST account request from any organization. The CDR Security Administrators receive account requests when there are not existing DSAs within an organization. The CDR Security Administrators verify the identity of the DSA account requestor and then create the account with appropriate roles.

Non- DSAs

Non-DSA accounts may be requested using the “Request Account” page as well. Requests for accounts are sent to the DSA of the organization that the user’s part of . The DSA creates the account and assigns appropriate roles.

CDR Password Rules

• Users create their passwords when registering with the CDR
• Passwords must meet length and complexity requirements.
• Users will be required to change their passwords regularly to meet security requirements.
• Never write passwords down

Memory tip

Use first letters of a saying with special characters and digits inserted between the 2 nd through 6 th character .(e.g. The dog ran too fast too catch = tdr2f!2c)

Conclusion

• CDR security is the responsibility of all users.
• Violating CDR security measures may cause harm to FFIEC and its clients and can lead to severe disciplinary actions, including civil and criminal charges for users.