- Identity and Access Governance
- Role Management
- Data Loss Prevention
Swiss private banks have to comply with the FINMA 2008/21 regulation, and specifically with its Appendix 3 regarding Client Identifying Data (CID).
The client had to implement an access control framework to monitor the visibility of this data and to apply it to each of its IT systems: core banking system, CRM, shared drives and ECM.
Because the private bank operates internationally, one of the challenges was to apply different data visibility rules depending on whether the client's CID was Swiss or foreign, and on whether it was accessed from Switzerland or abroad.
Following the regulator's directives, the mission implemented the "need to know" principle in order to restrict access to client data to the persons who require it for their daily tasks. To do so we:
- Conducted workshops to refine the RBAC framework based on mined roles.
- Implemented a hybrid top-down and bottom-up approach to role mining.
- Performed a segregation of duties (SoD) analysis to improve information risk management and data loss prevention.
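The segregation of duties (SoD) analysis mentioned above can be expressed as a check over the RBAC model itself: a set of "toxic" permission pairs that no single person may hold, evaluated against the roles a user accumulates. The following is an added example written for this page, not the bank's own tooling; the roles, permissions, user assignments and toxic pairs are constructed for illustration.

```python
"""Segregation-of-duties (SoD) analysis over an RBAC model.

Added example for this page; the roles, permissions, user assignments and
toxic pairs below are constructed and illustrative, not the bank's model.
"""
from itertools import combinations

# Constructed role -> permission mapping (assumed names).
ROLE_PERMS = {
    "payment_initiator": {"payment.create", "client.read"},
    "payment_approver": {"payment.approve", "client.read"},
    "relationship_manager": {"client.read", "client.update"},
    "auditor": {"client.read", "payment.read"},
}

# Constructed user -> roles assignment.
USER_ROLES = {
    "alice": {"payment_initiator"},
    "bob": {"payment_initiator", "payment_approver"},   # toxic combination
    "carol": {"relationship_manager", "auditor"},
}

# Constructed toxic pairs: one person must never hold both permissions.
TOXIC_PAIRS = {
    frozenset({"payment.create", "payment.approve"}),
    frozenset({"client.update", "payment.approve"}),
}


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, set()):
        perms |= role_perms.get(role, set())
    return perms


def role_conflicts(role_perms=ROLE_PERMS, toxic_pairs=TOXIC_PAIRS):
    """Roles whose own permission set already contains a toxic pair.

    Such a role must be split before anyone is assigned to it; this is the
    first check to run on mined roles."""
    return sorted(
        role for role, perms in role_perms.items()
        if any(pair <= perms for pair in toxic_pairs)
    )


def user_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMS,
                    toxic_pairs=TOXIC_PAIRS):
    """Users whose combined roles grant both halves of a toxic pair.

    Returns {user: [(perm_a, perm_b), ...]} with each pair sorted."""
    findings = {}
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_perms)
        hits = [tuple(sorted(pair)) for pair in toxic_pairs if pair <= perms]
        if hits:
            findings[user] = sorted(hits)
    return findings


def conflicting_role_pairs(role_perms=ROLE_PERMS, toxic_pairs=TOXIC_PAIRS):
    """Role pairs that must never be co-assigned.

    A pair is flagged when the union of the two roles contains a toxic pair
    that neither role contains on its own (roles that are toxic alone are
    reported by role_conflicts instead). The result feeds the role-mining
    step so that mined roles do not recreate the conflict."""
    out = set()
    for r1, r2 in combinations(sorted(role_perms), 2):
        p1, p2 = role_perms[r1], role_perms[r2]
        combined = p1 | p2
        for pair in toxic_pairs:
            if pair <= combined and not pair <= p1 and not pair <= p2:
                out.add((r1, r2))
    return sorted(out)


if __name__ == "__main__":
    print("roles with internal conflicts:", role_conflicts())
    print("users in violation:", user_violations())
    print("role pairs that must not be co-assigned:", conflicting_role_pairs())
```

In the constructed data, no role is toxic by itself, but the user "bob" accumulates both sides of the payment pair through two otherwise acceptable roles, which is exactly the case a per-role review misses and a user-level SoD analysis catches.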
The customer's operational security relies on an access framework based on rule-based RBAC. The mission migrated some of its applications into this framework in order to control Client Identifying Data specifically and to restrict its access to Switzerland only.
With respect to the FINMA regulator, this mission allowed the bank to validate its compliance with the requirement expressed in FINMA 2008/21 Appendix 3.
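The two-layer model described on this page, plain RBAC deciding who may read client records at all and a rule layer deciding whether the CID fields are shown in clear depending on the CID's origin (Swiss or foreign) and the access location (Switzerland or abroad), can be sketched as follows. This is an added example, not the bank's framework; the role names, the CID field list and above all the rule table are constructed for illustration, since the actual visibility rules are a compliance decision taken by the bank, not something this page specifies.

```python
"""Rule-based RBAC for Client Identifying Data (CID).

Added example for this page, not the bank's framework. Layer 1 is ordinary
RBAC (role -> permission). Layer 2 is a rule table that decides, per
request, whether CID fields are returned in clear or masked, based on the
record's CID origin and the access location. Everything below is
constructed and illustrative.
"""
from dataclasses import dataclass

CID_FIELDS = {"name", "address", "passport_no"}   # constructed CID attributes
MASK = "***"

# Constructed role -> permission mapping.
ROLE_PERMS = {
    "relationship_manager": {"client.read"},
    "back_office": {"client.read"},
    "it_support": set(),          # infrastructure staff: no business data at all
}

# Constructed rule table: (cid_origin, location, role, cid_in_clear).
# "*" matches anything, first match wins, no match means the CID is masked.
# The rules themselves are assumed for the demo, not the regulator's wording.
CID_RULES = [
    ("*",       "CH",     "*",                    True),   # in clear from Switzerland
    ("CH",      "ABROAD", "*",                    False),  # Swiss CID never leaves CH
    ("FOREIGN", "ABROAD", "relationship_manager", True),   # foreign CID abroad: RM only
    ("FOREIGN", "ABROAD", "*",                    False),
]


@dataclass(frozen=True)
class AccessContext:
    user: str
    roles: frozenset
    location: str        # "CH" or "ABROAD", derived from the network zone / session


@dataclass(frozen=True)
class ClientRecord:
    client_id: str
    cid_origin: str      # "CH" or "FOREIGN"
    data: dict


def has_permission(ctx, permission, role_perms=ROLE_PERMS):
    """Layer 1: classic RBAC check over the user's roles."""
    return any(permission in role_perms.get(r, set()) for r in ctx.roles)


def cid_in_clear(ctx, cid_origin, rules=CID_RULES):
    """Layer 2: first matching rule decides; default is masked."""
    for origin, location, role, allow in rules:
        if origin not in ("*", cid_origin):
            continue
        if location not in ("*", ctx.location):
            continue
        if role != "*" and role not in ctx.roles:
            continue
        return allow
    return False


def authorize_view(ctx, record):
    """Return (decision, view).

    decision is "DENY" (no read permission at all, view is None),
    "CID_CLEAR" (full record) or "CID_MASKED" (CID fields replaced by MASK)."""
    if not has_permission(ctx, "client.read"):
        return "DENY", None
    if cid_in_clear(ctx, record.cid_origin):
        return "CID_CLEAR", dict(record.data)
    view = {k: (MASK if k in CID_FIELDS else v) for k, v in record.data.items()}
    return "CID_MASKED", view


def audit_line(ctx, record, decision):
    """One line for the access log; this is what visibility monitoring reads."""
    return (f"user={ctx.user} roles={','.join(sorted(ctx.roles))} "
            f"location={ctx.location} client={record.client_id} "
            f"cid_origin={record.cid_origin} decision={decision}")


if __name__ == "__main__":
    rec = ClientRecord("C001", "CH", {"name": "Constructed Name", "balance": 100})
    ctx = AccessContext("bob", frozenset({"back_office"}), "ABROAD")
    decision, view = authorize_view(ctx, rec)
    print(audit_line(ctx, rec, decision), view)
```

The point of the split is that the same role grants the same permission in every system, while the CID rule layer is evaluated per request with the access location as an input, which is what makes a "Switzerland only" restriction enforceable across the core banking system, the CRM and the document stores without redefining roles per location.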