NIST SPECIAL PUBLICATION 1800 -18 Privileged Account Management for the Financial Services Sector Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How -To Guide s (C) Karen Waltermire Tom Conroy Marisa Harriston Chinedum Irrechukwu Navaneeth Krishnan James Memole -Doodson Benjamin Nkrumah Harry Perper Susan Prince Devin Wynne DRAFT This publication is available free of charge from: https://www.nccoe.nist.gov/projects/use -cases/privileged -account -management NIST SPECIAL PUBLICATION 1800 -18 Privileged Account Management for the Financial Ser vices Sector Includes Executive Summary (A); Approach, Architecture, an d Security Characteristics (B) ; and How -To Guides (C) Karen Waltermire National Cybersecurity Center of Excellence Information Technology Laboratory Tom Conroy Marisa Harriston Chinedum Irrechukwu Navaneeth Krishnan James Memole -Doodson Benjamin Nkrumah Harry Perper Susan Prince Devin Wynne The MITRE Corporation McLean, VA DRAFT September 2018 U.S. Department of Commerce Wilbur Ross , Secretary National Institute of Standards and Technology Walter G. Copan, Undersecretary of Commerce for Standards and Technology and Director NIST SPECIAL PUBLICATION 1800 -18A Privileged Account Management for the Financial Services Sector Volume A : Executive Summary Karen Waltermire National Cybersecurity Center of Excellence Information Technology Laboratory Tom Conroy Marisa Harriston Chinedum Irrechukwu Navaneeth Krishnan James Memole -Doodson Benjamin Nkrumah Harry Perper Susan Prince Devin Wynne The MITRE Corporation McLean, VA September 2018 DRAFT This publication is available free of charge from: https://www.nccoe.nist.gov/projects/use -cases/privileged -account -management DRAFT NIST SP 1800 -18A: Privileged Account Management for the Financial Services Sector 1 Executive Summary 1 ▪ Privileged accounts are used to access and manage an organization’s information assets and 2 systems. Often described as the “keys to the kingdom ,” these accounts are used by trusted 3 users who perform tasks that ordinary users are not authorized to perform. 4 ▪ Controlling these accounts is challenging , as the very natur e of the functions that they perform 5 require s broad access and authority . Additionally, this broad access makes privileged accounts a 6 tempting target for external and internal malicious actor s and increases the impact of accidental 7 mistakes. 8 ▪ Malicious actors can inflict substantial harm , often without notice. Industry reports have 9 identified that privilege misuse is a major component of reported cyber incidents , with 10 estimates up to 80 percent of all data breaches ( Forrester 2016 ). 11 ▪ To address this challenge , the National Cybersecurity Center of Excellence (NCCoE) has 12 developed a reference design that illustrates how financial institutions can implement a 13 privileged account m anagement ( PAM ) system to secure, manage, control, and audit the use of 14 privileged accounts. 15 ▪ This National Institute of Standards and Technology ( NIST ) Cybersecurity Practice Guide 16 describes how financial -services companies can use commercially available technology to 17 implement PAM to reduce the risk associated with privileged accounts . 18 CHALLENGE 19 Financial organizations rely on privileged accounts to enable authorized users to perform their duties 20 with little to no direct oversight or technical control of their actions. Companies have difficulty managing 21 these accounts , which , in turn , opens a si gnificant risk to the business. If used improperly , these 22 accounts can cause subs tantial operational damage , including data theft, espionage , sabotag