Audit Trail In New PSD2 Requirements: EBA Guidelines on ICT and Security Risk Management

The financial sector is heavily regulated in all aspects imaginable. We have previously covered PSD2 and the corresponding EBA guidelines with regard to having a secure audit trail and related security functionalities.

Now there are new EBA guidelines on ICT and security risk management that banks must be compliant with very soon. Below is a quick overview of the audit trail aspects of the new guidelines.

EBA Guidelines on ICT and Security Risk Management and How SentinelTrails Covers Them

GuidelinesHow SentinelTrails helps
3.4.2 31.d. Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorized modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets, in accordance with Section 3.3.3, without prejudice to the retention requirements set out in EU and national law. A financial institution should use this information to facilitate the identification and investigation of anomalous activities that have been detected in the provision of services.SentinelTrails allows the centralization of audit logs, including activities by privileged users. Logs are collected and shipped to a central, protected service with cryptographic integrity and non-repudiation guarantees. Once collected, anomaly detection can be performed using statistics and machine learning.
3.4.4. 36.e. [..] ensuring that mechanisms are in place to verify the integrity of software, firmware, and data.SentinelTrails can help guarantee and prove the integrity of any piece of data – once the data is created or updated, an audit log is stored with SentinelTrails and can then be regularly checked against the stored hashes. Due to the cryptographic guarantees of the audit log, if tampering occurs with the original data or software, the same tampering cannot be carried out in the audit log. SentinelTrails have dedicated API endpoints for tracking the history of modifications of data entities. Software and firmware are particular instances of data – their checksums can be sent and checked regularly against what’s stored in the audit trail.
3.4.5. 38. Financial institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions’ information security and to respond to these events appropriately. As part of this continuous monitoring, financial institutions should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection processes should cover: a) relevant internal and external factors, including business and ICT administrative functions; b) transactions to detect misuse of access by third parties or other entities and internal misuse of access; c) potential internal and external threatsOnce the audit trail is collected, SentinelTrails performs machine-learning based anomaly detection and allows internal users to define rules for detecting anomalous behavior. Because the audit logs that we collected are well structured and contain all the needed information, they can be analyzed efficiently in order to provide proper and timely alerts.
3.5. 53. Financial institutions should implement logging and monitoring procedures for critical ICT operations to allow the detection, analysis, and correction of errors.Critical operations can be easily monitored for anomalies with SentinelTrails as explained above. Additionally, we have dedicated features for critical operations that can allow each step in a critical operation to be immediately securely timestamped by a trust service provider (or stored in anonymized form on a public blockchain) to prevent any risk of tampering.

As any CISO knows, information security is much more than going through a checklist. Our product was built with exactly that philosophy – that checklists are never sufficient for real security. Checklists, however, like these new guidelines, exist, and organizations need to cover them. That’s why we are trying to make it easier for our clients to confidently tick the box and continue focusing on their primary duties.