Baseline Nonbank Cybersecurity Exam Program

Question 16

Are access controls sufficient for employees? Consider the following:

• Length, complexity, expiration, and reuse requirements
• Default/factory settings are changed
• Screen lock after inactivity periods
• Lockouts after incorrect login tries
• Help desk procedures to deal with failed login attempts
• Multi-factor authentication
• No shared accounts
• Administrative privileges only assigned when needed


Question 17

Are appropriate access controls in place for consumer accounts and/or portals? Are the controls different from the access controls for employees?

