Multi-Factor Authentication (MFA) is one of the most powerful ways to strengthen an organization’s security infrastructure and we are constantly on the look out for new tools and techniques to help make MFA more accessible to businesses like yours.
A useful MFA tool we recently explored is from the company Neustar. They have produced a free MFA risk assessment tool that uses guidance from open standard publications to help businesses determine their overall MFA risk. We’ve downloaded this tool and will share insights about our experiences, but first, let’s take a look at why MFA has recently become such a hot topic.
MFA – (Now) A Legal Requirement to Do Business
As national cybersecurity regulations evolve to protect our digital resources, New York State has taken lead by publishing a set of laws to mandate the use of stronger MFA controls. To protect the U.S. financial system, NY now requires financial firms to implement a set of security controls or they will be subject to penalties. These requirements have been set forth in law 23 NYCRR 500.09, which state the following:
· Each covered entity shall conduct a periodic risk assessment of the covered entity’s information systems sufficient to inform the design of the cybersecurity program as required by this part.
· A risk assessment is designed for companies to evaluate their level of cybersecurity risk and possible threats. It’s important for the company to keep the nonpublic information and their information systems secure.
· Using the risk assessment as a baseline, they can acknowledge possible risks and the ways these risks can be mitigated.
· After completing the risk assessment, companies are then required to implement new levels of securing, depending on the results of their assessment.
Recognizing the urgency of cybersecurity needs, NY has aggressive timelines for implementation.
*Companies must perform the assessments and implement the required security controls by March 1, 2018.
The Neustar MFA Tool Accelerates the Risk Assessment Process
Originally designed to address New York cybersecurity rules and banking specific transactions, the Neustar MFA risk assessment tool is extremely beneficial to all business sectors because it has been developed using open standard MFA guidelines and principles from the most respected, independent security research organizations, including: National Institutes of Standards and Technology, Federal Financial Institutions Examination Council, and the New York State Department of Financial Services.
How Does the Tool Work?
The Neustar MFA risk assessment tool uses a Q&A flowchart to assess the way your business operates and using the answers provided, it will recommend what authentication level— single factor, two factor or multi-factor (based on NIST guidelines)—should be implemented based on your individual company’s risk level; the higher the risk level, the greater your authentication to be compliant with the law.
The next element of the tool is the Risk Rating Key. The Risk Rating Key uses a graph to show the residual risk after putting mitigating controls on the inherent risks. The color-coded guide will indicate whether your migrating controls are strong, adequate or in need of improvement and then these color-codes are used on the following pages to describe your enrollment, transaction, process, and overall rating.
Within the Enrollment, Transaction, Process, and Overall Rating sections, you will be asked to add:
- Your current authentication practices
- The business area your current authentication practices occur in
- Channels where your current authentication practices happen
Then, you will list your potential risks, threats, and vulnerabilities. Next, using a “high, medium, low” scale, you’ll rate:
- Probability of occurrence
- Impact severity
- Your inherent risk rating
You will then need to document possible mitigating admin/policy controls, mitigating technical controls, and compensating controls you are using.
Using the Risk Rating Key on the previous page, you rate the control effectiveness (needs improvement, adequate, strong).
To determine your Inherent Risk Rating for Enrollment, calculate your risk from one to five. (Note: The risk rating key will help you determine what number you should put down.)
The Migrating Controls Risk Rating for Enrollment is found by assessing the value of the mitigating admin/policy controls (-2, -1, or 0).
To calculate your Residual Risk Rating for Enrollment, you will subtract the Mitigating Controls Risk Rating from the Inherent Risk Rating. The lower the number is, the lower your residual risk. The bottom portion will tell you your average risk for all three categories.
The same calculation process is then repeated for the remaining Transaction and Process categories.The final page at the end of the assessment summarizes your total risk in all areas. You can refer to the Risk Rating Key if you need help determining what the numbers mean.
Now That I Know My Risk, What Do I Do?
Upon assessing your MFA risk, visit the NIST Digital Identity Guidelines for Authentication and Lifecycle Management to learn more about your authentication technology options. The NIST document does a remarkable job of explaining the various available MFA authentication technologies and their assurance level.
If you are at the phase where you need to implement an MFA system fast and want to explore more options, download our free guide, “MFA the PIV Way.” This guide explores how to use the NIST standards to implement the strongest MFA infrastructure in a way that is scalable and compatible.
We hope you found this information useful. If you want to comment or have any suggestions, please send an email to email@example.com.
This information is for informational purposes only. CYBER ARMED SECURITY, LLC MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. All other trademarks, service marks, and product or service names are trademarks or registered trademarks of their respective owners.