Security Awareness Training will need to be taken every 365 days.

This Security Awareness Orientation addresses the following topics.

In addition, The CDR’s General Rules of Behavior provide instruction for using computer systems and safeguarding information. They address the following topics.

The topics listed below are covered in the sections to follow.

Why is security important in the CDR?

…system that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application

What is “Sensitive” Information?

According to FDIC Circular 1360.8, the characteristics of data sensitivity are: confidentiality, integrity, and availability.

What CDR Data is Considered Sensitive?

The majority of Call data is public information, except for the Fiduciary and Related Services Income data in items 12-23 of Schedule RC-T (Fiduciary and Related Services) of FFIEC forms 031 and 041, all of Memorandum Item 4 (Fiduciary settlements, surcharges, and other losses) of the same Schedule , all entity contact information, edit explanations by institutions, and analyst’ comments. The confidentiality of Call data elements is determined by the FFIEC Task Force on Reports. The confidential determination of data elements is modified from time to time, i.e., a data element deemed confidential in one quarter may be classified to be non-confidential in a subsequent quarter and vice-versa.

Application Security Architecture

The application security architecture of the CDR is based on authentication, authorization, and role based access control (RBAC).


The CDR calls for the following types of authentication.

Authentication methods include the following.


The application security architecture is based on role based security. Consequently, a user is authorized to use a particular application resource if and only if the user has been authenticated and the user’s role is contained in the set of roles assigned to the resources. Roles may be assigned to a user only by the CDR Security Administrator or by the Delegated Site Administrator of an organization.

The CDR Security administrators have the ability to manage users across all the organizations that exist within the CDR. The CDR allows users that belong to the FFIEC agencies, Financial Institutions (banks) or Call Report Preparation Software Vendors the ability to register themselves with the CDR. Delegated Site Administrators (or DSA’s) are created for each organization within the CDR to manage the users that belong to their respective organizations. Registration requests for accounts within the CDR must be approved either by the Delegated Site Administrator for the organization that a user is registering for, or by the Security Administrators.

A Security Administrator or a Delegated Site Administrator assigns roles to a user based upon the access privileges that the user would need to perform their job function. Certain users within the CDR may perform more than one role. The CDR allows Site Administrators and Delegated Site Administrators the ability to assign roles based by a Role Group.

For example

The “Financial Institution” role group contains the following roles: Call Report Submitter, Data Series Viewer …etc. A CDR Security Administrator or a Delegated Site Administrator may assign one or more of these roles to a user within a Financial Institution. If a user were to be assigned the “Call Report Submitter” role; the user will gain the following entitlements (or rights ) : Access Call Report Submission Utility, Access Financial Data Processing, View Call Report Received Notification,, View Call Report Rejected Notification …etc.

CDR users will be automatically logged out of the application after 30 minutes of inactivity.

Gaining Access to the CDR

Use the “Self Registration Utility” to request accounts within the CDR. To access the registration utility, click on the “Request Account” button on the CDR login page.

Delegated Site Administrators

All organizations within the CDR are required to have at least one Delegated Site Administrator. The DSA account request is the FIRST account request from any organization. The CDR Security Administrators receive account requests when there are not existing DSAs within an organization. The CDR Security Administrators verify the identity of the DSA account requestor and then create the account with appropriate roles.

Non- DSAs

Non-DSA accounts may be requested using the “Request Account” page as well. Requests for accounts are sent to the DSA of the organization that the user’s part of . The DSA creates the account and assigns appropriate roles.

CDR Password Rules

Memory tip

Use first letters of a saying with special characters and digits inserted between the 2 nd through 6 th character .(e.g. The dog ran too fast too catch = tdr2f!2c)