Security Awareness Training (SAT) Text
Review the text of the SAT below.
Security Awareness Training MUST be taken every 365 days.
This Security Awareness Training addresses the following topics:
- Why security is important in the CDR.
- What we are protecting.
- CDR's security architecture.
- Gaining access to CDR.
- The responsibilities of Delegated Site Administrators (DSA).
Why is security important in the CDR?
- The CDR system has received the Authority to Operate (ATO) and is required to operate using NIST SP 800-53 Moderate level controls. The moderate impact level indicates that the loss of confidentiality, integrity, or availability of data could result in serious adverse effects on an agency's operations, assets, or individuals.
- The CDR exchanges information with other applications.
- The confidentiality of some CDR data is restricted.
What We Are Protecting
- Sensitive Information (SI) is data that must be guarded from unauthorized access and unwarranted disclosure in order to maintain its Confidentiality, Integrity, and Availability. The loss or misuse of Sensitive Information could adversely impact the FFIEC's ability to carry out its mission.
- Personally Identifiable Information (PII) is a subset of SI that requires additional safeguarding. PII is information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.
Cybersecurity refers to the protection of networks, systems, devices, and data from unauthorized access and use. There are three elements to protecting information systems:
- Confidentiality: Protecting information from unauthorized disclosure to people or processes
- Integrity: Assuring the reliability and accuracy of data and information technology (IT) resources
- Availability: Defending information systems and resources from malicious and unauthorized users to ensure accessibility by authorized users
Cybersecurity and Privacy protection are interconnected. You are responsible for securing SI and PII when it is in transit AND when stored on a hard drive, laptop, flash drive, or archived.
What CDR Data is Considered Sensitive?
The majority of Call data is public information, except for those items listed in the General Instructions section of the Call Report instructions, all entity contact information, edit explanations by institutions, and analyst comments. The confidentiality of Call data elements is determined by the FFIEC Task Force on Reports. The confidential determination of data elements is modified from time to time, i.e., a data element deemed confidential in one quarter may be classified as non-confidential in a subsequent quarter and vice-versa.
Application Security Architecture
The application security architecture of the CDR is based on authentication, authorization, and role based access control (RBAC).
Authentication
The CDR supports the following types of authentication:
- Authentication via web browser (used by users who directly access the CDR using the internet)
- Authentication via web services (used by users who access the CDR via software vendor’s applications)
Authentication methods include the following:
- User Name and multifactor authentication (MFA)
- Certificates
Authorization
The application security architecture is based on role-based security. Consequently, a user is authorized to use a particular application resource if and only if the user has been authenticated and the resource role is contained in the set of roles assigned to the user. Roles may be assigned to a user only by the CDR Security Administrator or by the Delegated Site Administrator (DSA) of the user's organization.
CDR Security Administrators manage users across all the organizations that exist within the CDR. The CDR allows users that belong to the FFIEC agencies, Financial Institutions (banks) or Report Data Preparation Software Vendors the ability to register themselves with the CDR. DSAs are created for each organization within the CDR to manage the users that belong to their respective organizations. Registration requests for accounts within the CDR must be approved either by the DSA of the organization that a user is registering for, or by the CDR Security Administrators.
A CDR Security Administrator or a DSA assigns roles to a user based upon the access privileges that the user would need to perform their job function. Certain users within the CDR may perform more than one role. CDR Security Administrators and DSAs may assign roles by a Role Group.
CDR users will be automatically logged out of the application after 30 minutes of inactivity.
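The two rules stated above, authorization if and only if the user is authenticated and the resource role is in the user's assigned roles (with roles assignable only by a CDR Security Administrator or the DSA of the user's own organization, optionally by Role Group), and automatic logout after 30 minutes of inactivity, are small enough to write down as code. The block below is an added illustration, not CDR code; the role names, role groups, resource identifiers, usernames and organizations in it are constructed assumptions, and the check is applied in the order a practitioner would want: session validity first, then the role lookup.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Session rule from the SAT text: automatic logout after 30 minutes of inactivity.
INACTIVITY_TIMEOUT = timedelta(minutes=30)

# Administrative roles named in the text; the string values are assumptions.
SECURITY_ADMIN = "cdr-security-admin"
DSA = "dsa"

# Hypothetical Role Groups mapping to resource roles (assumed names, not CDR's catalogue).
ROLE_GROUPS = {
    "report-preparer": {"report:view", "report:submit", "edit-explanation:write"},
    "report-viewer": {"report:view"},
}


@dataclass
class User:
    username: str
    organization: str
    roles: set = field(default_factory=set)


@dataclass
class Session:
    user: User
    authenticated: bool
    last_activity: datetime


def assign_role_group(actor: User, target: User, group: str) -> None:
    """Grant a Role Group to `target`.

    A CDR Security Administrator may assign roles in any organization; a DSA
    may assign roles only to users of the DSA's own organization. Anyone else
    is refused, so an ordinary user cannot escalate by granting roles to peers.
    """
    if SECURITY_ADMIN in actor.roles:
        pass
    elif DSA in actor.roles and actor.organization == target.organization:
        pass
    else:
        raise PermissionError(f"{actor.username} may not assign roles to {target.username}")
    target.roles |= ROLE_GROUPS[group]


def is_authorized(session: Session, resource_role: str, now: datetime) -> bool:
    """Authorized iff the session is authenticated AND resource_role is assigned.

    A session idle for INACTIVITY_TIMEOUT or longer is logged out before the
    role check runs, and any request on a live session counts as activity.
    """
    if not session.authenticated:
        return False
    if now - session.last_activity >= INACTIVITY_TIMEOUT:
        session.authenticated = False  # automatic logout; user must sign in again
        return False
    session.last_activity = now
    return resource_role in session.user.roles


def run_scenario() -> dict:
    """Exercise the rules with constructed users and return the outcomes."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    admin = User("sec-admin", "FFIEC", {SECURITY_ADMIN})
    dsa_a = User("dsa.alice", "Bank A", {DSA})
    dsa_b = User("dsa.bob", "Bank B", {DSA})
    carol = User("carol", "Bank A")
    dave = User("dave", "Bank B")
    out = {}

    # A DSA of a different organization is refused.
    try:
        assign_role_group(dsa_b, carol, "report-preparer")
        out["foreign_dsa"] = "granted"
    except PermissionError:
        out["foreign_dsa"] = "refused"

    # The Security Administrator may act across organizations.
    assign_role_group(admin, dave, "report-viewer")
    out["admin_cross_org"] = "granted" if "report:view" in dave.roles else "refused"

    # Carol's own DSA grants the preparer group; then the session is checked.
    assign_role_group(dsa_a, carol, "report-preparer")
    s = Session(carol, True, t0)
    out["submit"] = is_authorized(s, "report:submit", t0 + timedelta(minutes=5))
    out["admin_role"] = is_authorized(s, "user:create", t0 + timedelta(minutes=6))
    # 30 minutes after the last request the session is logged out automatically.
    out["after_timeout"] = is_authorized(s, "report:view", t0 + timedelta(minutes=36))
    out["still_logged_out"] = is_authorized(s, "report:view", t0 + timedelta(minutes=37))
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The denied request at minute 6 still counts as activity, so the idle clock restarts from there and the session expires at minute 36, not minute 35; once expired it stays logged out until the user authenticates again.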
Gaining Access to the CDR
Individuals MUST request a CDR account in their own name. CDR accounts MUST NOT be shared by multiple users. Users may request a CDR account by clicking the “Request An Account” link on the CDR Application Login page.
CDR User Accounts and Multifactor Authentication (MFA)
- After account creation, CDR users receive an invitation email from invites@microsoft.com to complete the registration process.
- The invitation link in the email prompts the user to authenticate using their credentials for their organization's identity provider (IDP) (i.e., email, password and MFA challenge) and then accept conditions for accessing the CDR system.
- After accepting, CDR users may log into CDR from the CDR Application Login page by entering their CDR username and then authenticating using their credentials for their organization's IDP.
Delegated Site Administrators (DSA)
A DSA manages user accounts for their organization.
The organization's DSA must be the FIRST account requested for the organization. The CDR Security Administrators verify the identity of the DSA account requestor and then create the account with appropriate roles. Subsequent user accounts for the organization are created and assigned roles by the organization's DSA. Each organization should set up and maintain two DSAs to ensure adequate user support.
DSAs are responsible for managing all user accounts for their organization. The CDR responsibilities and duties that all DSAs must accept on behalf of their organization include:
- Serve as an institution's delegated authority and liaison for access to the system by people (users) affiliated with the institution;
- Ensure that only people who are known to (identity-proofed by) the institution, deemed suitable (vetted) for access by the institution, and authorized by the institution have access to the system by:
  - Coordinating with other DSAs from the institution on all access management functions for users from the institution;
  - Identifying users from the institution who require access to the system to perform authorized actions on behalf of the institution;
  - Reviewing, validating, and adjudicating (approve/disapprove) requests to access the system by users in the institution;
  - Managing ongoing access to the system by users in the institution, including but not limited to:
    - managing which roles are assigned to users at the institution;
    - certifying at least annually that users from the institution still require access to the system;
    - promptly revoking access for institution users when it is no longer required, e.g., the individual is no longer employed by the institution;
    - authorizing and maintaining the email domains the system uses to communicate with users affiliated with the institution;
- Promote good cybersecurity practices, including, but not limited to:
  - promptly reporting any incident of actual or suspected unauthorized access or malicious activity to 1-888-CDR-3111 or cdr.help@cdr.ffiec.gov;
  - taking all measures necessary to prevent unauthorized access to the system, e.g., prohibiting the sharing of accounts or login credentials, and ensuring that sessions are not left open on unattended systems;
  - promptly terminating any unauthorized access;
- Ensure that authorized users from the institution perform all required actions correctly and on time; and
- Advise institution users how to access the system and perform authorized actions.
Non-DSAs
Non-DSA accounts may also be requested using the “Request An Account” link on the CDR Application Login page.
Requested accounts are sent to the DSA of the organization selected in the request.
The DSA verifies the identity of the requestor and then creates the account and assigns appropriate roles.
Conclusion
- CDR security is the responsibility of all users.
- Violating CDR security measures may cause harm to FFIEC and its clients and can lead to severe disciplinary actions, including civil and criminal charges for users.