Download the Latest Draft Cybersecurity Practice Guide
We are excited to announce the release of draft National Institute of Standards and Technology Special Publication 1800-18: Privileged Account Management for the Financial Services Sector. The National Cybersecurity Center of Excellence (NCCoE) seeks your feedback. The comment period is open until November 30, 2018. Submit comments online or via email to financial_nccoe@nist.gov.
About the Guide
Privileged accounts provide elevated, often unrestricted access to an organization’s underlying information systems and technology, making them rich targets for both external and internal malicious actors. Often referred to as the “keys to the kingdom,” these accounts have been used in successful attacks to gain access to corporate resources and critical systems (e.g., “crown jewels”), resulting in data breaches.
Complex organizations, including financial services companies, face challenges in managing privileged accounts, which exposes their business to significant risk. If used improperly, these accounts can cause significant operational damage, including data theft, espionage, sabotage, ransom, or the bypassing of important controls.
To address these challenges, the NCCoE developed a draft practice guide that provides practical guidance to financial services companies interested in implementing a Privileged Account Management (PAM) solution.
This draft practice guide demonstrates a PAM solution that uses commercially available products to appropriately secure and enforce organizational policies for the use of privileged accounts. The NCCoE developed a PAM reference design that outlines how monitoring, auditing, and authentication controls can combine to prevent unauthorized access to — and allow rapid detection of unapproved use of — privileged accounts. Our standards-based example solution uses commercially available products and can be used in whole or in part.
The comment period is open until November 30, 2018, and comments may be submitted online or via email to financial_nccoe@nist.gov.