The client is a private bank operating as a wealth management firm. The company offers banking, financing, and investment management services to individuals and institutional investors worldwide.
Swiss private banks must comply with the FINMA 2008/21 regulation, and specifically with its Appendix 3 regarding Client Identifying Data (CID).
The client had to implement an access control framework in order to monitor its data visibility and apply it to each of its IT systems: core banking system, CRM, shared drives and ECM. As the private bank operates internationally, a specific challenge was to apply different data visibilities depending on whether the client CID is Swiss or foreign, and on whether it is accessed from Switzerland or from abroad.
Following the regulator's directives, the mission implemented the "need to know" principle in order to restrict access to client data to only those persons who require it for their daily tasks.
- Conducted workshops to improve the RBAC framework based on mined roles.
- Hybrid top-down and bottom-up approach to role mining.
- Segregation of duties (SoD) analysis to improve information risk management and data loss prevention.
To address the international challenge, we used a multi-dimensional RBAC framework that defines business roles through user attributes, application permissions and a specific context such as the location of access.
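The following is an added example, not code from the project described on this page, showing how the three dimensions above (business roles derived from user attributes, application permissions per role, and the access context of location versus CID residency) combine into a single need-to-know decision, together with the segregation-of-duties check mentioned in the bullet list. The role mapping, permission sets, the country-code visibility policy and the SoD conflict pair are all constructed for illustration; the bank's actual rules are not on the page.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# --- Dimension 1: business roles derived from user attributes ---------------
# Constructed mapping (department, function) -> business roles. In a real
# project this comes out of the workshops and role-mining results.
ROLE_MAPPING = {
    ("Private Banking", "Relationship Manager"): {"relationship_manager"},
    ("Operations", "Payments Officer"): {"payments_officer"},
    ("Finance", "Controller"): {"controller"},
}

# --- Dimension 2: application permissions attached to each business role ----
# Constructed (application, action) pairs per role.
ROLE_PERMISSIONS = {
    "relationship_manager": {("core_banking", "view_cid"), ("crm", "view_cid")},
    "payments_officer": {("core_banking", "execute_payment")},
    "controller": {("core_banking", "approve_payment")},
}

# --- Dimension 3: context (access location vs. CID residency) ---------------
# Constructed, illustrative policy: from which locations (ISO country codes)
# CID of Swiss or foreign clients may be viewed. Not the bank's real policy.
CID_VIEW_POLICY = {
    "swiss": {"CH"},
    "foreign": {"CH", "SG"},
}

# Actions that expose client-identifying data and therefore need the context check
CID_ACTIONS = {"view_cid"}

# Role pairs that must never be held by the same person (constructed SoD rule)
SOD_CONFLICTS = [frozenset({"payments_officer", "controller"})]


@dataclass(frozen=True)
class User:
    uid: str
    department: str
    function: str
    extra_roles: frozenset = frozenset()    # roles granted outside the attribute mapping


@dataclass(frozen=True)
class Request:
    user: User
    application: str
    action: str
    location: str                           # country the access originates from
    client_residency: Optional[str] = None  # "swiss" / "foreign" / None if no CID touched


def derive_roles(user: User) -> Set[str]:
    """Top-down part: business roles follow from the user's HR attributes,
    plus any explicitly granted roles (the bottom-up, mined part)."""
    attribute_roles = ROLE_MAPPING.get((user.department, user.function), set())
    return set(attribute_roles) | set(user.extra_roles)


def is_permitted(req: Request) -> Tuple[bool, str]:
    """Need-to-know decision: some role must grant the (application, action)
    pair, and if CID is involved the access location must be allowed for the
    client's residency. Returns (decision, reason) so denials are auditable."""
    roles = derive_roles(req.user)
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    if (req.application, req.action) not in granted:
        return False, f"no business role of {req.user.uid} grants {req.action} on {req.application}"
    if req.action in CID_ACTIONS:
        if req.client_residency is None:
            return False, "CID action requested without client residency context"
        if req.location not in CID_VIEW_POLICY.get(req.client_residency, set()):
            return False, f"{req.client_residency} CID may not be viewed from {req.location}"
    return True, "permitted"


def sod_violations(user: User) -> Set[frozenset]:
    """Segregation-of-duties check over the user's effective roles:
    returns every conflicting role pair the user holds in full."""
    roles = derive_roles(user)
    return {pair for pair in SOD_CONFLICTS if pair <= roles}


if __name__ == "__main__":
    rm = User("u001", "Private Banking", "Relationship Manager")
    print(is_permitted(Request(rm, "core_banking", "view_cid", "CH", "swiss")))
    print(is_permitted(Request(rm, "core_banking", "view_cid", "SG", "swiss")))
    both = User("u003", "Operations", "Payments Officer", frozenset({"controller"}))
    print(sod_violations(both))
```

The decision function returns a reason with every denial; in practice that string is what gets logged so that the access-review and DLP tooling can distinguish a missing role from a location-based CID restriction. The SoD check runs over the effective roles (attribute-derived plus explicitly granted), which is where toxic combinations usually appear after a reorganisation.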
The project was conducted over 122 man-days; the delivery time was extended to 6 months.
The project team consisted of a project manager.
- IBM OnDemand
- Varonis DatAdvantage
- Symantec Data Loss Prevention
We were involved in a Time & Materials project.