NCCoE Seeks Comment on Financial Services Use Cases

The NCCoE is inviting comments from industry on two proposed use cases detailing cybersecurity challenges faced by the financial services sector. Resolving these challenges will provide a set of tools to improve the security of financial networks and systems by providing comprehensive IT asset management and unified access control mechanisms. Using commercially available technology, and working in collaboration with the technology community, the NCCoE plans to create reference designs that demonstrate a standards-based, modular, usable, and repeatable way of addressing these challenges. 

The NCCoE works with industry, academic and government experts to create example solutions to cybersecurity challenges that are broadly applicable across a sector and help businesses more easily align with relevant standards and best practices. The work is organized around use cases that describe sector-specific challenges. “We want to refine the use cases to ensure that the resulting reference designs are as useful as possible, so we are seeking comments from the public,” said Nate Lesser, deputy director of the NCCoE. “Then the NCCoE will address these sector-wide cybersecurity challenges through collaboration with members of the financial services sector and technology partners.”

The first proposed use case is focused on financial services companies’ need to know what IT assets they have and what they are doing. This requires a method to combine existing data systems for physical assets and security and IT security and support into a comprehensive IT asset management system. A unified asset management system would centralize views of activity happening across a company and permit for company-wide security alerts and remediation, and save money by revealing underutilized machines—which might also be security vulnerabilities.

A resolution to the second use case would allow security analysts to join fragmented and disparate access control systems into one comprehensive identity and access management system. Such a system can centrally issue, validate, and modify or revoke access rights for an entire enterprise, thereby reducing opportunities for an attack and the damage from an insider threat by limiting the amount of data to which any one person has access. Copies of the two proposed use cases can be downloaded here. Comments on the proposed use cases should be submitted to by Dec. 18, 2013. The solicitation to participate in the development of reference designs will be announced in the Federal Register.