A financial institution's information security program should include an effective risk assessment methodology that includes an evaluation of risks relating to performing high-risk activities such as funds transfer and other payment-related activities. Management should use risk assessments based on a periodic review of high-risk activities to develop effective standards for adequate separation of duties, physical security, and logical access controls based on the concept of "least possible privilege." Refer to the IT Handbook's Information Security Booklet for more detail.
Management should establish logical access controls on the funds transfer application that assign appropriate access levels to staff members working in the wire room or funds transfer operation. Inappropriate access levels provide the opportunity to create and transmit unauthorized funds transfer messages. The risk is greater without adequate separation of duties. Management should ensure no employees have access to more than one assigned user code unless the code is under dual control. Management should configure message verification rights to ensure adequate separation of duties between employees initiating and employees verifying and sending funds transfer messages.
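As an added illustration (not text or code from the booklet), the following Python check evaluates a funds transfer access roster against the conditions just described: no single user code may both initiate and verify, no employee holds more than one user code unless the extra codes are under dual control, and the verifier of a message must be a different person from its initiator. The employee names, user codes and right names are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class UserCode:
    code: str
    rights: frozenset            # subset of {"initiate", "verify"}
    dual_control: bool = False   # True: code usable only under dual control

@dataclass
class Employee:
    name: str
    codes: list = field(default_factory=list)

BOTH = frozenset({"initiate", "verify"})

def audit_access(employees):
    """Return findings for a roster that breaks the controls; empty list = pass."""
    findings = []
    for emp in employees:
        for uc in emp.codes:
            # A single code must never both initiate and verify.
            if BOTH <= uc.rights:
                findings.append(f"{emp.name}/{uc.code}: initiate and verify on one code")
        # Codes the employee can drive alone, i.e. not under dual control.
        solo = [uc for uc in emp.codes if not uc.dual_control]
        if len(solo) > 1:
            findings.append(f"{emp.name}: more than one user code without dual control")
        # Initiate on one solo code plus verify on another puts both duties in one person.
        if BOTH <= frozenset().union(*(uc.rights for uc in solo)):
            findings.append(f"{emp.name}: can both initiate and verify")
    return findings

def may_verify(initiator_code, verifier_code, employees):
    """Release-time check: the verifying code holds verify rights and belongs to a
    different person than the code that initiated the message."""
    owner = {uc.code: emp.name for emp in employees for uc in emp.codes}
    rights = {uc.code: uc.rights for emp in employees for uc in emp.codes}
    if "verify" not in rights.get(verifier_code, frozenset()):
        return False
    return initiator_code in owner and owner[initiator_code] != owner[verifier_code]

# Constructed sample roster: Alice initiates, Bob verifies, Carol holds a second
# code (not under dual control) that would let her verify her own messages.
ROSTER = [
    Employee("alice", [UserCode("A01", frozenset({"initiate"}))]),
    Employee("bob", [UserCode("B01", frozenset({"verify"}))]),
    Employee("carol", [UserCode("C01", frozenset({"initiate"})),
                       UserCode("C02", frozenset({"verify"}))]),
]
```

Running `audit_access(ROSTER)` flags Carol twice, while `may_verify("C01", "C02", ROSTER)` refuses the release even though C02 carries verify rights, because both codes belong to one person.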
Business Continuity Planning (BCP)