BackOffice_UserGuide

RS A® Adaptive Authentication (On-Premise) 7.1 Back Office User’s Guide

Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm

Trademarks RSA, the RSA Logo, eFraudNetwork and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa .

License Agreement This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC.

Note on Encryption Technologies This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright © 2013–2014 EMC Corporation. All Rights Reserved. Published in the USA. July 2013 Revised: March 2014

RSA Adaptive Authentication (On-Premise) 7.1 Back Office User’s Guide

Contents Preface...................................................................................................................................9 About This Guide................................................................................................................ 9 RSA Adaptive Authentication (On-Premise) Documentation............................................ 9 Support and Service .......................................................................................................... 10 Before You Call Customer Support ........................................................................... 10

Chapter 1: RSA Adaptive Authentication Back Office Applications .....................................................................................................................11 Back Office Applications Overview ..................................................................................11 Back Office Application Suite ................................................................................... 12 Standalone Back Office Applications........................................................................ 13 Log On to a Back Office Application ............................................................................... 14 Log Off from a Back Office Application .......................................................................... 15 Password Change .............................................................................................................. 15 Change your Password...................................................................................................... 16 Reset a Forgotten Password .............................................................................................. 16 Localization and Internationalization of the Back Office Applications ........................... 17

Chapter 2: Managing Access to the Back Office Applications ........ 19 Access Management Application Overview ..................................................................... 19 User Management ............................................................................................................. 19 Access the Application Users Page ........................................................................... 21 Application Users Page.............................................................................................. 21 View User Details ...................................................................................................... 21 Add a User ................................................................................................................. 22 Edit User Details ........................................................................................................ 23 Unlock a User ............................................................................................................ 23 Remove a User........................................................................................................... 24 Role Management ............................................................................................................. 24 Access the Application Roles Page ........................................................................... 25 Role Details................................................................................................................ 25 View Role Details ...................................................................................................... 26 Add a Role ................................................................................................................. 26 Edit a Custom Role .................................................................................................... 27 Remove a Role........................................................................................................... 27 Access Management Roles ........................................................................................ 28 Case Management Role Permissions ......................................................................... 31 Policy Management Role Permissions ...................................................................... 32 Organization Management ................................................................................................ 33 Access the Application Organizations Page .............................................................. 34 View Organization Details......................................................................................... 34 Add an Organization .................................................................................................. 34 Edit Organization Details........................................................................................... 35

Contents

3


View Available Organizations ................................................................................... 35 Group Management........................................................................................................... 36 Access the Application Groups Page ......................................................................... 36 Application Group Page............................................................................................. 36 View Group Details ................................................................................................... 37 Add a Group............................................................................................................... 37 Edit Group Details ..................................................................................................... 37

Chapter 3: Managing Policies ............................................................................... 39 Introduction to Policy Management.................................................................................. 39 Policies for Organizations.......................................................................................... 39 Reference Policy ........................................................................................................ 40 Additional Configuration Elements ........................................................................... 41 Policy Refresh............................................................................................................ 41 Introduction to Rules......................................................................................................... 41 Event Types ............................................................................................................... 42 Conditions.................................................................................................................. 42 Expressions ................................................................................................................ 44 Facts ........................................................................................................................... 44 Operators.................................................................................................................... 44 Actions ....................................................................................................................... 47 Authentication Methods............................................................................................. 47 Risk Score .................................................................................................................. 48 Case Creation ............................................................................................................. 49 Rule Status ................................................................................................................. 49 Status Change ............................................................................................................ 50 Rule Management ............................................................................................................. 51 Manage Rules Table .................................................................................................. 52 Sorting and Filtering Rules ........................................................................................ 53 Add a Rule ................................................................................................................. 53 Comparing Policy Facts............................................................................................. 55 Edit a Rule ................................................................................................................. 57 Delete a Rule.............................................................................................................. 58 General Rule Parameters ........................................................................................... 58 Request a Status Change for a Rule........................................................................... 60 Cancel a Status Change Request for a Rule ............................................................... 60 Approve a Status Change Request for a Rule............................................................ 61 Reject a Status Change Request for a Rule................................................................ 61 Duplicate Rules to Another Organization.................................................................. 62 Policy Export and Import.................................................................................................. 63 Export Policy Data..................................................................................................... 63 Import Policy Data..................................................................................................... 64 List Management............................................................................................................... 65 Manage Lists Table.................................................................................................... 66 Add a List................................................................................................................... 67

4

Contents


Add a Single Value to a List...................................................................................... 67 Add a Range of IP Values to a List ........................................................................... 68 Import a Set of Values to a List ................................................................................. 69 Edit a List................................................................................................................... 70 Delete a List ............................................................................................................... 70 Hash the Values of a User ID List ............................................................................. 71 General List Parameters ............................................................................................. 71 Custom Facts Management............................................................................................... 72 Manage Custom Facts Table...................................................................................... 72 Add a New Custom Fact ............................................................................................ 73 Edit a Custom Fact..................................................................................................... 73 Delete a Custom Fact ................................................................................................. 74 Custom Fact Parameters ............................................................................................ 74 Custom Event Type Management..................................................................................... 75 Manage Custom Event Types Table .......................................................................... 76 Add a Custom Event Type ......................................................................................... 76 Edit a Custom Event Type ......................................................................................... 76 Custom Event Type Parameters................................................................................. 77 Policy Report..................................................................................................................... 78 Sample Policy Report ................................................................................................ 79 Generate a Policy Report ........................................................................................... 80

Chapter 4: Managing Cases ................................................................................... 83 Case Management Application Overview ........................................................................ 83 Case Management Functionality....................................................................................... 84 Flagged Activities ...................................................................................................... 84 Pending Activities and Cases..................................................................................... 85 Closed and Expired Cases.......................................................................................... 85 Actions Resulting from Triggered Rules ................................................................... 86 Terminating Open Authentication Sessions .............................................................. 86 Challenge Scenarios................................................................................................... 86 Case Assignment............................................................................................................... 88 Assign Manually Created Cases from the Lookup User Page ................................... 88 Assign Manually Created Cases from the Research Activities Page......................... 89 Case Grouping................................................................................................................... 89 Default Group ............................................................................................................ 89 Operator Group .......................................................................................................... 89 Lifecycle Milestones of Cases .......................................................................................... 90 Case Workflows ................................................................................................................ 90 Case Creation Workflow ........................................................................................... 90 Case Handling Workflow .......................................................................................... 90 Case Management Menu................................................................................................... 91 Recent Account Activity Fields ................................................................................. 94 Detailed Activity Information Fields ......................................................................... 95 Case Status ........................................................................................................................ 99

Contents

5


Case Mode....................................................................................................................... 100 Process Queue Management ........................................................................................... 101 Case Priority ............................................................................................................ 101 Access the Process Queue Page ............................................................................... 102 Stop Automatic Refresh of the Process Queue ........................................................ 102 Restart Automatic Refresh of the Process Queue .................................................... 102 Case Listing in the Process Queue ........................................................................... 102 Case Locking and Unlocking................................................................................... 102 View the Queue............................................................................................................... 103 Access the View the Queue Page ............................................................................ 103 Filter the Queue Using the Filter Tab ...................................................................... 103 Filter the Queue Using the Advanced Tab............................................................... 104 Advanced Tab Fields ............................................................................................... 105 Look Up an End User...................................................................................................... 106 Case Update .................................................................................................................... 108 Update a Case Using Lookup User .......................................................................... 108 Update a Case in the Process Queue........................................................................ 108 Update Case Example .............................................................................................. 109 Manually Set a Resolution for an Activity...................................................................... 109 Case Resolution ........................................................................................................110 Operator Group Management ..........................................................................................111 Access the Manage Operator Group Page ................................................................111 Operator Group Definition........................................................................................111 Filters for Defining Operator Groups .......................................................................112 Add an Operator Group ............................................................................................112 Edit Operator Group Criteria ....................................................................................112 Delete an Operator Group .........................................................................................113 Operator and Operator Group Filters........................................................................113 Set a Default Operator Group ...................................................................................114 Operator Groups for a New Organization.................................................................114 Operator Management......................................................................................................115 Access the Manage Operators Page ..........................................................................115 Add an Operator to an Operator Group ....................................................................115 Change the Operator Group of an Operator..............................................................115 Research Activities ..........................................................................................................116 Access the Research Activities Page ........................................................................116 Research Activities Filters ........................................................................................116 Search for Cases Using Research Activities Filters..................................................117 Display a Case ..........................................................................................................118 Edit a Case ................................................................................................................119 Update a Case Buttons ..............................................................................................119 Snooze Mode....................................................................................................................119 Apply Snooze Mode to a Case ..................................................................................119 Top Risk Score Contributors........................................................................................... 120

6

Contents


Custom Facts................................................................................................................... 120

Chapter 5: Managing End-User Accounts................................................... 121 Customer Service Application Overview ....................................................................... 121 Find an End User............................................................................................................. 122 End User’s Account History ........................................................................................... 123 End User Account History Information ................................................................... 123 Activities within the Account History Information ................................................. 124 Account Locking............................................................................................................. 125 Lock an End User’s Account ................................................................................... 125 Unlock an End User’s Account ............................................................................... 125 Terminate an End User’s Authentication Sessions ......................................................... 126 Reset an End User’s Account.......................................................................................... 126 Account Unenrollment .................................................................................................... 127 Unenroll an End User .............................................................................................. 127 Watch an End User’s Progress ........................................................................................ 127

Chapter 6: Viewing and Analyzing Reports ............................................... 129 Report Viewer Application Overview ............................................................................ 129 Reports Directory Structure for the Report Viewer................................................. 130 View and Download Reports .......................................................................................... 130 Report Characteristics ..................................................................................................... 132 Report Types ................................................................................................................... 132 Report Format ................................................................................................................. 133 Example of Elements Common to All Reports ....................................................... 133 CSV Files ................................................................................................................. 134 Standard Header and Footer .................................................................................... 135 Report Naming Convention ..................................................................................... 137 Report Content ................................................................................................................ 138 Billing Report .......................................................................................................... 139 Authentication Plug-In Billing Report..................................................................... 139 Blocked Users Report .............................................................................................. 140 Case Management and Case Management Trends Reports..................................... 141 eFraudNetwork Report ............................................................................................ 143 Forensic Summary Report ....................................................................................... 144 Policy Summary and Policy Summary Trends Reports........................................... 146 Risk Factor Report and Risk Factor Trends Reports ............................................... 147 System Usage and System Trends Reports.............................................................. 149

Appendix A: List of Facts ...................................................................................... 151 Appendix B: Rules in the Reference Policy ............................................... 167 Appendix C: List of Event Types ...................................................................... 175

Contents

7


Preface About This Guide This guide describes how to use the Back Office applications in RSA® Adaptive Authentication (On-Premise) 7.1. It is intended for administrators, Fraud Analysts, Customer Service Representatives, Case Management Operators, Policy Managers, and other trusted personnel. Do not make this guide available to the general user population.

RSA Adaptive Authentication (On-Premise) Documentation For more information about RSA Adaptive Authentication (On-Premise), see the following documentation:

Authentication Plug-In Developer’s Guide. Describes the Authentication Plug-In development process that enables external authentication providers to integrate their products with RSA Adaptive Authentication (On-Premise). Back Office User’s Guide. Provides an overview of the following Back Office applications: Policy Management, Case Management, Access Management, Customer Service Administration, and the Report Viewer. Bait Credentials Setup and Implementation Guide. Describes how to set up and implement RSA bait credentials, which help provide you with accelerated fraud detection and prevention capabilities. Best Practices for Challenge Questions. Describes the best practices related to challenge questions that RSA has evolved through experience at multiple deployments.

Installation and Upgrade Guide. Describes detailed procedures on how to install, upgrade, and configure RSA Adaptive Authentication (On-Premise). Integration Guide. Describes how to integrate and deploy RSA Adaptive Authentication (On-Premise). Operations Guide. Provides information on how to administer and operate RSA Adaptive Authentication (On-Premise) after upgrade. This guide also describes how to configure Adaptive Authentication (On-Premise) within the Configuration Framework. Performance Guide. Provides information about performance testing and performance test results for the current release version of RSA Adaptive Authentication (On-Premise). Product Overview Guide. Provides a high-level overview of RSA Adaptive Authentication (On-Premise), including system architecture.

P

reface

9


Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues. It also includes the supported platforms and work environments for platform certifications. The latest version of the Release Notes is available on RSA SecurCare® Online at https://knowledge.rsasecurity.com. Security Best Practices Guide. Provides recommendations for configuring your network and RSA Adaptive Authentication (On-Premise) securely. Web Services API Reference Guide. Describes RSA Adaptive Authentication (On-Premise) services and parameters. guide also describes howweb to build yourAPI ownmethods web services clients and This applications using web services API to integrate and utilize the capabilities of Adaptive Authentication (On-Premise).

What’s New. Highlights new features and enhancements in RSA Adaptive Authentication (On-Premise) 7.1. Workflows and Processes Guide. Describes the workflows and processes that allow end users to interact with your system and that allow your system to interact with RSA Adaptive Authentication (On-Premise).

Support and Service RSA SecurCare Online

https://knowledge.rsasecurity.com

Customer Support Information

www.emc.com/support/rsa/index.htm

RSA Solution Gallery

https://gallery.emc.com/community/marketplace/rsa? view=overview

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news, and software downloads. The RSA Solution Gallery provides information about third-party hardware and software products that have been certified to work with RSA products. The gallery includes Secured by RSA Implementation Guides with step-by-step instructions and other information about interoperation of RSA products with these third-party products.

Before You Call Customer Support Make sure that you have direct access to the computer running the Adaptive Authentication (On-Premise) software. Please have the following information available when you call:

10



Your RSA Customer/License ID.



Adaptive Authentication (On-Premise) software version number.



The make and model of the machine on which the problem occurs.



The name and version of the operating system under which the problem occurs.

Preface


1

RSA Adaptive Authentication Back Office Applications •

Back Office Applications Overview

•

Log On to a Back Office Application

•

Log Off from a Back Office Application

•

Password Change

•

Change your Password

•

Reset a Forgotten Password

•

Localization and Internationalization of the Back Office Applications

This chapter provides an overview of the RSA Adaptive Authentication (On-Premise) Back Office applications and describes how to log on to the Back Office applications.

Back Office Applications Overview The Back Office Applications are a set of GUI-based applications that enable users in your organization to interact with the Adaptive Authentication system. The applications in the Back Office Application Suite are connected to both the Core Database and the Back Office Database. In addition, the Case Management application is connected to the Case Management Database.

1:RSAAdaptiveAuthenticationBackOfficeApplications

11


Back Office Application Suite The following table describes the applications in the Back Office Application Suite. BackOfficeApplication Administration Console

Description

User

The Administration Console Administrator enables you to manage system configuration parameters according to your Adaptive Authentication implementation, business requirements, and system setup.

Database • Core Database • Back Office Database

Note: Although the

application is located in the Back Office Application Suite, for information about the Administration Console see the Operations Guide. Customer Service

The Customer Service Customer Service application helps the Representative Customer Service Representative search for and modify end-user account

• Core Database • Back Office Database

information theAdaptive end user interacts withasthe Authentication system. In this way, a representative can assist end users with online account troubleshooting. The Customer Service application provides logs of end-user activity within the Adaptive Authentication system for monitoring by the representative. A Customer Service Representative can delete end users and lock, unlock and reset accounts.

12



BackOfficeApplication Policy Management

Description The Policy Management application is used to create and manage rules, lists, custom facts, and custom event types. Together, these elements form an organizational policy, which is executed by the Policy Engine.

User Rule Manager


Standalone Back Office Applications The following table describes the Back Office applications that exist as standalone applications. BackOfficeApplication Access Management

Description

User

The Access Management System Administrator application allows you to manage access to the Back Office applications. You can use it to create and manage users, roles, organizations, and groups for the Back Office applications.


Note: You can also use the

External Identity Provider framework to manage users in an External Identity Store. For more information, see the Operations Guide. Case Management

WS Credentials

The Case Management application is used to review any events that have been flagged as risky by the Adaptive Authentication system and require review by a Fraud Analyst.

Fraud Analyst, IT Administrator, Fraud Analyst Manager

The WS Credentials application is used to create and manage users who can access Web Services and SOAP requests.

Administrator


• Core Database • Back Office Database • Case Management Database

• Core Database • Database Back Office

13


BackOfficeApplication Report Viewer

Description

User

With the Report Viewer application, you can view daily, weekly, and monthly reports created by the RSA Data Center. Reports from the RSA Data center are synchronized with the Report Viewer application for accurate reading of the files.

Security Analyst

Database Back Office Database

Log On to a Back Office Application To log on to a Back Office app lication:

1. Do one of the following: •

To log on to the Policy Management, Administration Console, or Customer Service applications, go to http:// /backoffice. Note: Fore more information about the Administration Console, see the

Operations Guide. •

To log on to the Access Management application, go to

•

http:///accessmanagement. To log on to the Case Management application, go to http:///casemanagement.

•

To log on to the WS Credential application, go to http:///wscredentialmanager.

•

To log on to the Report Viewer application, go to http:///reportviewer.

2. On the Logon page, enter your user name and password, and click Login.

14



3. From the Organization drop-down menu, select the organization that you want to view. The organizations are displayed hierarchically, with child organizations listed below parent organizations.

Log Off from a Back Office Application To log off from a Back Office application:

Click the Logout link in the top frame of any Back Office application page. Note: By default, Back Office applications log off users who are inactive for 30

minutes. You can configure this time period in the Administration Console. For more information, see the topic about configuring Back Office applications parameters in the chapter “Administration Console” in the Operations Guide.

Password Change When the system administrator defines a user password, the password is automatically assigned an expiration date. This date is configurable in the Administration Console. The default value is 90 days. For more information, see the Operations Guide. If you attempt to log on to a Back Office application using an expired password, a window opens in which you can define a new password. The new password is required for the next logon attempt. An administrator may change your password for any one of several reasons, for example: • The administrator suspects that your password was compromised. •

Your password is routinely changed for preemptive security reasons.


15


Change your Password You must change your password if the password has expired or if the system administrator resets your password. You are required to enter your current password before the system will allow you to change your password. If you forget your current password, you are not allowed to redefine the password or select a new password. For more information, see Reset a Forgotten Password on p age 16. The organization can configure the password length and valid characters. The new password must meet the requirement defined on the Change Password page. The requirement often involves choosing a password with a minimum of eight characters, including at least one number, one letter, and one special character from the following character set: ( ) * & ^ % $ # @ !. The password must not resemble the logon name too closely. The specific requirements can be configured locally. To change your password:

1. Log On to a Back Office Application. 2. Enter your logon name and original password in the appropriate fields. 3. Enter your new password. 4. In the Re-type New Password field, enter your new password to confirm the password. 5. Click Next to save your changes and return to the logon page.

Reset a Forgotten Password If you forget your password, your system administrator can provide you with a temporary password. You must reset your password again immediately upon your next logon. To reset your forgotten password:

1. Log on to the Back Office Application Suite using the temporary password. You are automatically directed to the Set New Password page. 2. In the New Password field, enter your new password. 3. In the Re-type New Password field, enter your new password to confirm the password. 4. Click Confirm to save your changes and continue. Note: You cannot access the Case Management application until you set a new

password.

16



Localization and Internationalization of the Back Office Applications The Adaptive Authentication system is designed so that the user interface, input, display, and other features of the Back Office applications can be adapted to various languages and regions. You can use any number of languages when interacting with the Back Office applications. You can add location-specific text to meet the needs of your user demographic. Note: The system supports localization of the Back Office applications to one

language. You cannot use different languages for different users, organizations, or applications. For more information, see the Operations Guide.


17


2

Managing Access to the Back Office Applications •

Access Management Application Overview

•

User Management

•

Role Management

•

Organization Management

•

Group Management

This chapter provides an overview of how to manage access to the Back Office applications using the Access Management application. It explains how to use the Access Management application to manage users, roles, organizations, and groups in the RSA Adaptive Authentication (On-Premise) system.

Access Management Application Overview The Access Management application allows you to manage access to the Back Office applications. The Access Management application allows you to create users, organizations, and groups for use within the Adaptive Authentication system. You can also use it to manage user roles and permissions, and associate users with roles and organizations. Note: You can also use the External Identity Provider framework to manage users in

an External Identity Store. For more information, see the Operations Guide.

User Management You can manage users and their ability to access the Back Office applications by adding users, viewing user details, editing user details, unlocking users, and removing users from the system. You use the Application Users page to perform tasks related to user management. Users created in Access Management are not end-user customers, but rather belong to an organization using the Adaptive Authentication system. The following users are created by the system by default: •

admin Note: Do not use the admin user provided by the system as a regular user. RSA

recommends that you use the admin user to create additional admin users that you can assign to people within your organization. You must maintain the system admin user as a superuser.

2:ManagingAccesstotheBackOfficeApplications

19


•

editor

•

fraudanalyst

•

reviewer

You cannot remove these users from the system or edit user details, as indicated on the UI. A newly created user can be associated with any of the following: Role. The level of authorization for a user. A role can be associated with one or

more module. Each role can be associated with different permissions. For more information, including a definition of predefined roles in the system, see Role Management on p age 24. Important: A user with an assigned role can only access a Back Office application

if the role is also associated with the corresponding module. Predefined roles are automatically associated with corresponding modules. The modules available correspond to the Back Office applications. For a list of modules associated with each role, see Access Management Roles on p age 28. Organization. An organization, along with a user name, is the unique identifier of an end user.

For more information, see Organization Management on p age 33. For more details about the configuration structure for organizations, see the Operations Guide. If a new Back Office application user is created or an existing Back Office application user’s updated, the permissions assignment to For that user are thepermissions same as the are permissions of the user who available creates orfor updates the user. example, if a user has Read/Create/Update/Delete permissions, the new or updated user can have only those permissions or a subset of them. A new user can never have a higher level of permissions than that of the person who created or updated that user. Important: Users cannot change their own permissions using the Access Management

application.

Default User Passwords Each predefined user is populated with a password that is the same as the user name, for example, user=operator, password=operator. The system automatically prompts the user to change the password at the initial logon. Important: If a user does not log on immediately after installation, RSA recommends

that the administrator change the default password to prevent security breaches.

20



Access the Application Users Page You use the Application Users page to perform tasks related to user management. The main page of the Access Management application, the Application Users page, is displayed by default when you log on to the application. To access the Application Users page:

From the Access Management menu, select User List.

Application Users Page

The Application Users page provides information about users in the Access Management system, as described in the following table. C o lu m n N a m e

D e s c r i p ti o n

User Name

User’s logon name. Sortable column.

First Name

User’s first name. Sortable column.

Last Name

User’s last name. Sortable column.

Organizations

Lists all of the organizations to which the user has access.

Modules

Lists the RSA Back Office applications that the user has permission to use.

Roles

Lists the user’s current roles.

Locked

Indicates if the user account is locked. If a user attempts to log on to any Back Office application with an incorrect password too many times, the user is locked out. For more information about password configuration, see the topic that discusses configuring Back Office applications parameters in the Operations Guide.

Action

Contains links to the View, Edit, and Remove pages, depending on the user’s permissions: • View. View all user details (read-only). • Edit. Edit all user details. • Remove. Remove user names from the system. Note: Predefined user names cannot be removed.

View User Details All roles can view user details for all users in the system. To view user details:

On the Application Users page, in the Action column for the user, click View. The View User Details section displays the user details in read-only format.


21


Add a User You add a user in the Access Management application to create a user who can access the Back Office applications. Note: On the initial logon to the system, a new user is required to change the default

password. To add a user:

1. On the Application Users page, click Add New User. The User Details page is displayed. 2. In the Add User Details section, enter the user details. The following table describes the actions required for each of the fields in the Add User Details section. F i e l d Na m e

Ac t i o n

User Name

Enter a unique name for the user. This is a required field. Note: A user name must be unique. You cannot enter a user name

that is identical to an existing user name. Password

Enter a password for the user. This is a required field. Note: The password must be at least 8 characters long and contain

at least digits, one character each of theasfollowing uppercase letters, special from characters such - _ . ! @groups: # %^ * $). Confirm Password

Enter the user password. This is a required field.

First Name

Enter the user’s first name.

Last Name

Enter the user’s family name (surname).

Email

Enter the user’s email address.

Phone

Enter the user’s phone number.

Locked At

Indicates lock out details, including the lock-out time, for a user who repeatedly enters an incorrect password and exceeds the allowed number of authentication attempts.

3. In the Organizations section, from the Available list, select the organizations to which you want the user to have access, and click the right-arrow to include them in the Selected list. For more information about Organizations, see Organization Management on page 33.

22



4. In the Roles section, from the Available list, select the roles that you want to assign to the user, and click the right-arrow to include them in the Selected list. 5. Click Save.

Edit User Details You can edit user details to change any relevant information about an Adaptive Authentication system user. The Edit User Details section enables authorized users to edit other user’s details including first name, last name, email address, phone number, organizations, and roles. A user’s permissions relate to all users below that user’s organization in the hierarchy. For example, if a user has permission to update users in the parent organization, the same user also has permission to update users in the suborganizations within the parent organization hierarchy. To edit user details:

1. On the Application Users page, in the Action column to the right of the user name, click Edit. The User Details page is displayed. 2. On the User Details page, in the Edit User Details section, edit the user details by modifying the user’s password, first name, last name, email address, and phone number in the relative fields, if necessary. Note: Completion of fields preceded by an asterisk (User Name, Password, and

Confirm Password fields) is mandatory. The fields are populated with existi ng entries, which you can edit.

If a Back Office user’s password is changed, a change of password is requested upon the user’s next logon to a Back Office application. 3. From the Available lists, select the organizations and roles that you want to associate with that user, and click the right arrow to move the selections to the Selected lists. 4. Click Save.

Unlock a User If a user attempts to log on, but access is locked, an administrator must reset the user password. Resetting the password unlocks the user immediately. If the administrator user does not change the password, the lock-out is released after a set period of time, and the user can try to log on again. Note: The default time frame is 30 minutes, but you can configure this time in the

Administration Console. For more information, see the section about configuring Back Office applications parameters in the Operation Guide.


23


To reset a password and unlock a user:

1. On the User Management page, in the Edit User Details section, in the Password field, enter a new password. 2. In the Confirm Password field, enter the new password to confirm the password. 3. Click Save.

Remove a User If a user can removedlink from the displayed system, theforRemove linkusers. is displayed in the user interface. ThebeRemove is not predefined To remove a user:

1. On the Application Users page, in the row for the user that you want to remove, click Remove in the Action column. 2. When prompted to confirm the removal, click OK.

Role Management Each user is assigned a role, and each role is associated with different permissions. You can manage the various Back Office user roles by adding roles, editing roles, and removing roles from the system. You use the Application Roles page to manage roles. For more information on system roles, see Access Management Roles on p age 28. For a user to access a Back Office application, you must assign the user one or more roles. Each role is associated with one or more modules. In the Access Management system, a module represents one of the Back Office applications. Important: The Access Management application supports the creation of custom

roles. However, RSA recommends applying only predefined roles to Access Management users. These roles reflect common user needs and include the appropriate permissions for each Back Office user. A user with an assigned role can only access a Back Office application if the role is also associated with the corresponding module. By default, roles are associated with their corresponding modules. In general, a user only sees interface elements that relate to the specific permissions assigned to the user. For example, if a user has PolicyManager permissions but does not have ListManager permissions, the user sees the Manage Lists screen but does not see the buttons used for creating and deleting lists or the blue hyperlinks used to edit lists. Similarly, a user without permissions related to the Policy Management module does not see the Policy Management tab in the Back Office Application Suite. Note: The spelling of the role names in the user interface do not include spaces. For

example, the fraud analyst role is written as “fraudanalyst,” and the operator manager role is written as “operatormanager.”

24



Access the Application Roles Page You use the Application Roles page to manage user roles. To access the Application Roles page:

From the Access Management menu, select Roles. The Application Roles page is displayed.

Role Details The Roles table displays all of the roles in the system and the related details. The following table describes the columns displayed in the Roles table. C o lu m n N a m e


Role Name

Name of a role in the system (both predefined and user-created roles). Sortable column.

Description

Description of the role, such as what a user with the role is allowed to do within the system.

Mode

Permissions associated with that role. Modes include create, read, update, and delete. The checkbox for a mode is selected if the mode is allowed for the role. Sortable column. Important: The modes available are only relevant for roles used within

the Access Management application. Modules

Lists the Back Office applications that the role has permission to use.


25


Co l u m n N a m e

Description

Action

• Custom roles contain View, Edit, and Remove links in this column. • Predefined roles contain the View link in this column. Note: Predefined roles cannot be removed.

View Role Details All roles can view details for all roles in the system. Role details are read-only. For more information, see Role Details on p age 25. To view role details:

On the Application Roles page, in the row of the role that you want to view, click View. The View Role Details page includes the role name, a role description, mode permissions, and accessible modules.

Add a Role You can create a role to associate a group of users with a given set of permissions. When you add a role in the Access Management application, you are creating a role within the Back Office applications. To add a role:

1. On the Applications Roles page, click Add New Role. The Role Details page is displayed. 2. In the Role Name field, enter a unique name for the new role. 3. (Optional) In the Description field, enter a description of the role. 4. In the Mode section, select one or more checkboxes to define the permissions for the role. The possible permissions are Create, Read, Update and Delete. Note: The Create, Read, Update, and Delete parameters in this section only affect

role permissions for the Access Management application. 5. In the Modules section, from the Available list, select one or more modules. 6. Click the right-arrow to move the modules into the Selected list. 7. Click Save.

26



Edit a Custom Role You can edit custom roles by changing the modes and modules associated with a particular role. You cannot edit predefined roles. To edit an existing role:

1. On the Application Roles page, from the Roles list, select the role that you want to edit. The Roles Details page is displayed. 2. In the Action column, click Edit. 3. Modify entries in the fields as necessary. 4. (Optional) To change your entries back to the original values, click Reset. The Edit Role Details page returns to the latest settings before you clicked Edit. 5. Click Save.

Remove a Role You can remove a role from the system if you do not need the role anymore. After you remove a role, the role no longer appears in the Roles list. You cannot remove predefined roles from the system. Important: Removing a role from the system may limit the ability of current users to

access certain Back Office applications. If a current user is assigned a role, and then that role is deleted, the user will no longer have the permissions associated with the deleted role. To remove a role:

1. On the Application Roles page, from the Roles list, select the role that you want to remove. 2. In the Action column, click Remove. 3. In the confirmation message, click OK.


27


Access Management Roles The following table describes the predefined roles that are available in the Access Management system. Important: A user with an assigned role can access a Back Office application only if

the role is also associated with the corresponding module. By default, roles are associated with the corresponding modules. RoleName admin

Description

AssociatedModule

An administrative role with access to all applications. A user with this role can perform most actions but does not necessarily have Update or Delete permissions in all applications. For example, in the Policy Management application, a user with the admin role can view rules and lists, but cannot create or edit rules and lists.

• accessmanagement • administration • casemanagement • csr • PolicyManagement • reports

csr (Customer Support Representative)

Note: If you used the AdminTool application in an earlier

• scheduler

version of Adaptive Authentication, you should now use the Policy Management menu to access functions available on the Lists Administration tab.

• wscredentialmanager

A user with this role can view and update activities in the Customer Service application, and can view the Lookup User page in the Case Management application. A user with the csr role can handle user calls, view recent activities of a user to troubleshoot the user problem, and search all users, not just those with cases.

• csr • casemanagement

For more information on the specific permissions associated with this rule, see Case Management Role Permissions on page 31. CMAPIExtract

A user with this role can retrieve and view Case Management data concerning events (activities) and cases.

casemanagementAPI

Note: If either this role, CMAPIUpdate, or both are the only

roles that exist for a user, the user’s password will not have an expiration date. Additionally, a user with this role does not need to change the password during the first logon.

28



RoleName CMAPIUpdate

Description A user with this role can retrieve, view, and update Case Management data concerning events (activities) and cases. With this particular role, a user can lock data retrieved for update purposes.

AssociatedModule casemanagementAPI

Note: If either this role, CMAPIExtract, or both are the only

roles that exist for a user, the user’s password will not have an expiration date. Additionally, a user with this role does not need to change the password during the first logon. fraudanalyst

A user with this role can research and analyze fraud patterns to define antifraud strategies, and verify whether cases include fraudulent activity.

casemanagement

For more information on the specific permissions associated with this rule, see Case Management Role Permissions on page 31. ListManager

A user with this role can view, edit, and delete lists. A List Manager user can view rules, custom facts, and custom event types but cannot create, edit, or delete these objects.

PolicyManagement

Note: A user with this role can only edit lists if the user has

access to the default organization. For more information on the specific permissions associated with this rule, see Policy Management Role Permissions on page 32. operator

A user with this role can review, work with, and manipulate cases in the Case Management application. A user with the operator role can search for a relevant case, update a case, and move to the next case. A user with this role might have specific expertise, such as with account takeover fraud.

casemanagement

Note: Before an operator is assigned cases or begins to update

cases, the operator must be assigned to an operator group. For more information, see Add an Operator to an Operator Group on page 115. For more information on the specific permissions associated with this rule, see Case Management Role Permissions on page 31.


29


RoleName operatormanager

Description

AssociatedModule

A user with this role can supervise activity in the Case Management application, and perform the following actions:

casemanagement

• Manage operators • Supervise case reviews performed by operators • Audit an operator’s work queue to increase productivity • Override operator decisions in cases • Define custom sorting and case filtering • Divide operators logically rather than randomly Note: By default, the Case Management application evenly and

randomly divides the work load of cases between operators. For more information on the specific permissions associated with this rule, see Case Management Role Permissions on page 31. PolicyManager

A user with this role can create, edit, and delete rules, custom facts, and custom event types. A user with the PolicyManager role can approve a status change made to a rule by another user. A user with the PolicyManager role can also view lists but cannot create, edit, or delete lists.

PolicyManagement

Note: Only a user with the PolicyManager role who has access

to the default organization can create, edit, or delete custom facts or custom event types. For more information on the specific permissions associated with this rule, see Policy Management Role Permissions on page 32 PolicyViewer

A user with this role can view rules, custom facts, custom event types, and lists.

PolicyManagement

For more information on the specific permissions associated with this rule, see Policy Management Role Permissions on page 32

30



RoleName RuleManager

Description

AssociatedModule

A user with this role can create, edit, and delete rules, custom facts, and custom event types but cannot approve pending rules.

PolicyManagement

Note: Only a user with the RuleManager role who has access to

the default organization can create, edit, or delete custom facts or custom event types. This user can view lists but cannot create, edit, or delete them. This user can submit a request to change the status of a rule, but a PolicyManager or SeniorPolicyManager user must approve the request before the status change occurs. For more information on the specific permissions associated with this rule, see Policy Management Role Permissions on page 32. SeniorPolicy Manager

A user with this role can create, edit, and delete rules, custom facts, and custom event types, as well as approve all pending rules. A user with this role can approve a status change made to a rule by another user, and can also perform self-approval on status changes made to a rule. This user can view lists but cannot create, edit, or delete lists.

PolicyManagement

Note: Only a user with the SeniorPolicyManager role who has

access to the default organization can create, edit, or delete custom facts or custom event types. For more information on the specific permissions associated with this rule, see Policy Management Role Permissions on page 32

Case Management Role Permissions The following table shows the permissions available for each role associated with the Case Management application. Case Management permissions are separated according to the various pages available in the application. Permission

Admin

Process Queue

XXXX

Lookup User View the Queue

X

Operator Manager

X X


Fraud Analyst

X X

O p e r a to r

X

C SR

X

X

31


Permission

Admin

Operator Manager

Manage Operator Group

X

X

Manage Operator

X

X

Research Activities

XXXX

Fraud Analyst

O p e r a to r

C SR

Policy Management Role Permissions The following table shows the permissions available for each role associated with the Policy Management application. Policy Management permissions are separated according to the various actions available in the application. Important: Some permissions are available only to users that are granted access to the

default organization.

Permission

View Rule

Policy Policy Manager / Policy Rule Manager / Senior Policy Viewer Rule Manager Senior Policy Viewer (Default Manager (Default Org) Org) Policy Manager Manager (Default Org)

X

X

X

Edit Rule / Request Status Change

X X

X X

Approve Status Change (for Others) View Custom X Fact

X

X

Edit Custom Fact View Custom X Event Type Edit Custom Event Type

32

X

X

X

X

X

X

X

X

X

X

X

X

X

X

List List Manager Manager (Default Org)

X

X

X

X

X

X

X

X

X



Permission

View List

Policy Policy Rule Manager / Policy Viewer Rule Manager Senior Viewer (Default Manager (Default Policy Org) Org) Manager

X

X

View List Content List

X

X

X

X

Policy Manager / Senior Policy Manager (Default Org)

X

X

X

X

X

Edit

X

X

Import / Export Create Policy Report

List List Manager Manager (Default Org)

X

X

X

X

Duplicate Rule

X

X

X

X

X

X

X

The following conditions also apply to the Policy Management role permissions: •

A user with the SeniorPolicyManager role can also perform self-approval on status changes made to a rule.

•

Only a user with access to the default organization can view the Last Modified By and Created By fields in the Manage Lists, Manage Custom Facts, and Manage Custom Event Types pages.

•

Any role that is associated with the PolicyManagement module receives the same permissions as the PolicyViewer role. A user with this role can view rules, custom facts, custom event types, and lists and can also create policy reports.

Organization Management Each organization consists of a collection of users. An organization can also have multiple groups. You can manage organizations by adding organizations, viewing organizational details, and editing organizational details. You use the Application Organizations page to display and manage all of the organizations that exist in the system. The hierarchy of organizations in the Access Management application and in the Adaptive Authentication system is defined as follows: • An organization identifies any user who belongs to the organization. •

A user of the Back Office applications is identified by a unique user name. This uniqueness allows a user to belong to more than one organization.


33


•

An end user is identified by a user name and organization. Two end users with the same user name can belong to different organizations.

•

Organizations can include suborganizations. The organization is the parent and each sub-organization is a child in the system hierarchy. Note: RSA supports up to four levels in the hierarchy of organizations. This

means that you can create up to three levels of suborganizations under the default organization. Adding additional levels of suborganizations has a negative impact on system performance and is not recommended. The limitation of the number of organization levels in the hierarchy does not relate to the total number of organizations allowed in the system. •

An organization cannot be deleted from the system. All organizations are stored in the database.

•

An organization can only be viewed by a user who has access to that organization or its parent organizations. A user with access to the default organization, can view all organizations.

Access the Application Organizations Page You use the Application Organizations page to display and manage all of the organizations that exist in the system. To access the Application Organizations page:

From the Access Management menu, select Organizations.

View Organization Details To view organization details:

On the Application Organizations page, in the Action column, click View in the row of the organization that you want to view. The link is only displayed if you have View permission. Details are displayed in the View Organization Details page.

Add an Organization When you add an organization in the Access Management application, you create a organization within the Adaptive Authentication system. After an organization is created in the system, you cannot remove the organization. You cannot edit the name of an organization. After you create an organization in the system, you cannot change the name. Only the organization description and parent can be changed. To add an organization:

1. On the Application Organizations page, click Add New Organization. The Organization Details page is displayed.

34



2. On the Organization Details page, do the following: a.

In the Organization Name field, enter a unique name for the organization. This is a mandatory field. Note: You cannot use the following characters:

[^<>&]*.

The maximum length of organization names is 50 characters. b. In the Organization Description field, enter a description for the organization. c.

From the Organization Parent list, select a parent organization for the new organization. In the list, default is the root organization in the system and is the parent of all organizations.

3. Click Save. Note: If you attempt to create a loop in the hierarchy, for example, an organization

is both a child and parent of the same organization, an error message appears and the organization is not saved.

Edit Organization Details You can edit a rule to change any of the details. You cannot edit the name of an organization. After you create an organization in the system, you cannot change the name. To edit organization details:

1. On the Application Organizations page, in the row of the organization that you want to edit, click Edit. The Edit link is only displayed if you have Edit permission. 2. On the Edit Organization Details page, edit the organization description or change the parent of the organization. Important: If you change the parent of the organization, it may take up to five

minutes for the change to be reflected in the system. 3. Click Save.

View Available Organizations You can view organizations in the Edit User Details page. Newly added organizations are available for viewing immediately. To view the available organizations:

Click Edit User > Organizations > Available.


35


Group Management A group is a subunit of an organization. Groups provide a way of further organizing end users within organizations. You can create a hierarchy of groups, but all groups in a hierarchy must belong to the same organization. Groups in the Access Management application relate to the Adaptive Authentication system as follows: • •

There is no default group. An end user can belong to any group within an organization.

•

An end user can be moved from one group to another within an organization.

•

An end user in a specific organization cannot belong to more than one group.

Any user with roles that allow read, write, or create in the Access Management application is permitted to correspondingly view, edit, or add groups.

Access the Application Groups Page You access the Application Groups page to add a group, view group details, and edit group details. For more information, see Application Group Page on p age 36. To access the Application Groups page:

From the Access Management menu, select Groups.

Application Group Page You can use the Applications Groups Page to add a group, view group details, and edit group details. The Application Groups page provides information about groups in the Access Management system, as described in the following table.

36

C o lu m n N a m e

Description

Group Name

Group name. Sortable column.

Organization Name

Name of the organization to which the group belongs. Sortable column.

Group Description

Description of the group. This description is editable, depending on the rights of the user. Sortable column.

Group Parent

The parent of the group in the group hierarchy. Sortable column.

Action

Lists the actions that the user is permitted to perform. A link for each available action is provided.



View Group Details All roles can view group details for all groups in the system. To view group details:

On the Groups Application page, in the table, click View. The Group Details page is displayed. Information in View Group Details section is not editable.

Add a Group You can add a group to organize end users within an organization. The Group Name and the Organization Name together serve as a unique key. Before You Begin

•

You must have Create permissions to add a group.

•

You can only add a group to a group that you create.

To add a group:

1. At the bottom of the Ap plication Groups page, click Add New Group. 2. On the Group Details page, in the Add Group Details section, do the following: a.

In the Group Name field, enter a name for the group. Note: You cannot use the following characters:

[^<>&]*. The maximum length of group names is 50 characters.

b. From the Organization Name list, select an organization. c.

In the Group Description field, enter a description for the group. Make the description unique so that the group can be easily identified.

d. (Optional) From the Group Parent list, select a group parent with which to associate the new group in the group hierarchy. e.

Click Save.

Edit Group Details You can edit only the group description and the group parent. You can create a hierarchy of groups, but all groups in a hierarchy must belong to the same organization. Note: If you create a loop in the hierarchy, for example, if a group is both a parent and a child of the same group, an error message appears.


37


To edit group details:

1. On the Application Groups page, in the row of the group that you want to edit, click Edit. The Edit link is only displayed if you have Edit permission. 2. On the Group Details page, edit the group description and change the group parent as necessary. You cannot edit the name of a group. Important: If you change the parent of the group, it may take up to five minutes

for the change to be reflected in the system. 3. Click Save.

38



3

Managing Policies •

Introduction to Policy Management

•

Introduction to Rules

•

Rule Management

•

Policy Export and Import

•

List Management

•

Custom Facts Management

•

Custom Event Type Management

•

Policy Report

The Policy Management application helps organizations create a risk-management policy in line with the unique security needs of the organizations. Well-defined policies help prevent harmful, fraudulent activity and keep the number of false positives to a minimum. Each policy contains a set of rules that define actions that take place in specific circumstances. For more information, see Introduction to Rules on page 41. The Policy Management application acts as an additional security layer on top of the Risk Engine, which provides the core functionality of determining the risk level of a given event. The Policy Management application uses the Risk Engine, along with other data, and allows you to define a policy based on this data. The rules that you create in your organizational policy are loaded into the Policy Engine of the Policy Management application, which then executes the policy.

Introduction to Policy Management A policy is made up of a set of rules. You can create a policy by adding rules in the Policy Management application. Each rule is applied for at least one event type and contains one or more conditions and an action. A rule defines the actions triggered by various event types, given specific sets of conditions. The specific rules that you create depend on the security needs of your organization. For more information, see Introduction to Rules on p age 41.

Policies for Organizations Each policy reflects a set of rules relevant for a specific organization. In a multi-organization environment, each organization haspolicy a policy. When you an organization on which you want to work, the relevant is displayed in select the Policy Management application. For more information about selecting an organization, see Log On to a Back Office Application on p age 14.

Managing 3: Policies

39


You can create an organization in the Access Management application. For more information, see Organization Management on p age 33. When you create an organization, a blank policy is automatically created to correspond with the organization. You can base the policy of a newly created organization on that of an existing one by duplicating rules from another organization. For more information, see Duplicate Rules to Another Organization on p age 62.

Reference Policy The Adaptive Authentication system includes a default reference policy that you can import into the Policy Management application. You can use the reference policy as a starting point for constructing the policy for your organization. The reference policy includes a predefined set of rules that are based upon both sign-on and transaction event types. The rules in the reference policy cover a broad range of end-user event types and protect against common fraud risks. For more information about the rules that make up the reference policy, see Appendix B, Rules in the Reference Policy. The rules in the reference policy are both risk-based and device-based. Risk-based rules rely on data taken from the Risk Engine, while device-based rules rely on device matching and data taken from end-user devices. Risk-based rules can be activated only after the necessary Risk Engine learning period. Before the learning period is over, the risk score is not consistent and may not reflect end-user behavior for the specific customer population. For more information, see Risk Score on p age 48. The rules in the reference policy have a status of Work in Progress. To activate the rules, you must change the status of the rules to either Test or Production. For more information, see Status Change on p age 50. Rules in the reference policy with an action of Challenge are assigned the following Authentication Methods, in order: •

OOB PHONE

•

OOB SMS

•

KBA

•

QUESTION

Note: You must configure Authentication Methods before the methods are applied to

end users. For more information, see the Operations Guide. The reference policy .zip file is available in the main_directory\utils_7.1.0.0.0 folder. The .zip file contains the file Reference_Policy.xml. A checksum file, Reference_Policy.xml.md5, is also created to check for any possible corruption in the plain file. For more information on how to import policy data, see Import Policy Data on page 64. Note: Depending on your organizational policy needs, RSA recommends that you

consider importing the reference policy after product installation. The rules in the reference policy help protect against many common fraud risks. After you import the reference policy, you can add rules and edit or delete rules as you see fit.

40



Additional Configuration Elements The Policy Management application enables the configuration of the following elements that you can use to construct rules: Custom Facts. You can add facts that are not included in the default fact list. For more information, see Custom Facts Management on p age 72. Custom Event Types.You can define event types that are not included in the standard delivery. For more information, see Custom Event Type Management. Lists. You can lists that are noton included in the standard delivery. For more information, seeadd List Management p age 65.

Policy Refresh The policy refresh process seamlessly implements changes made to a policy in the production environment, without the need to restart the application servers. The Adaptive Authentication system polls the Policy Management Database to check for policy revisions every sixty seconds. Types of policy revisions that trigger the policy refresh process include the creation of any rules or lists, changes made to any rules (edit, delete, or status change) or lists (edit, delete, or update values), duplication of a policy, and import of a policy. For more information on rule status changes, see Status Change on p age 50. A policy is loaded to the Policy Engine if both of the following conditions are met: •

Revisions have been made to the policy after the current version was loaded to the Policy Engine.

•

The status of the revised rule is, or was, Production or Test.

For more information on the policy refresh process, see the Operations Guide. Note: A policy refresh impacts the data that is available in a Policy Report. For more

information, see Generate a Policy Report on p age 80.

Introduction to Rules A rule contains an event type, a condition or set of conditions, and an action. The action is triggered by an event when the condition or conditions are met. For example, a Deny action can be triggered for the Sign In event type, if the Risk Score is above 900. A rule also contains other details, such as the name of the rule and the status of the rule. For more information about these rule details, see General Rule Parameters on page 58. You can assign a priority to each rule, and the rules are checked in the order of their priority. The lower the number, the higher the priority. For example, a rule with a priority of 3 is checked before a rule with a priority of 5. After one rule is found to be true, the action is triggered, and the system stops checking the rules with lower priority.


41


It is possible that no production rules will be activated when an end user performs a certain event. This may occur if an organization does not have any rules in its policy or if none of the existing rules are triggered. In such a case, a default, fallback rule is activated. When the fallback rule is activated, the Allow action is triggered. For more information, see Actions on p age 47.

Event Types An event type is an end-user activity that is protected by the Adaptive Authentication system. An event type triggers a rule when the conditions associated with the rule are met. For example, if the event type is Payment, the selected rule will apply when the end user makes a deposit online. The Adaptive Authentication system is shipped with a predefined list of event types. For more information, see Appendix C, List of Event Types. In addition to event types in this predefined list, you can create custom event types. For more information, see Custom Event Type Management on p age 75. Note: A single rule can be applied to multiple event types. In this situation, if any of

the events occur and all the conditions are met, the rule is triggered.

Conditions Conditions are built from the following logical elements: •

Expressions

•

Facts

• Operators A condition is a set of logically defined expressions that must be fulfilled for the action of a rule to be triggered. Each rule can contain multiple conditions, which are connected to each other by the AND operator. If all conditions are true, the rule is triggered and the defined action is performed. For more information, see Expressions on page 44.

Each condition consists of at least one expression. Multiple expressions within a condition can be logically connected to each other by the OR or AND operators. For more information, see Operators on p age 44.

42



The following figure shows the logical workflow of a condition after an event is performed.

Condition Logic Workflow t n e v E

Event performed as defined in rule

Yes

Yes

Is expression within condition true?

No

Does another expression exist within this condition?

Does another expression exist within this condition? Yes

Check Operator connecting expressions

n io it d n o C

Check Operator connecting expressions

No

AND operator

OR operator (default)

AND operator

No

Condition is not met

OR operator (default)

Condition is not met

Does another condition exist within this rule? No

n io t c A

Action is triggered

Action is not triggered

The following example shows the various components that can make up a condition. The sample expression represents the number of days that have passed since the account was opened:


•

Expression: IF days since end user changed the address is Equal to 5

•

Category: Account Details

•

Fact: # of Days Since Last Address Change (Integer)

43


•

Operators: Equal to

•

Value: 5

Expressions An expression is the basic building block of a condition and can be thought of as the first half of an If-Then conditional statement. The action is the second half. If the expressions within a condition are true, then the action is performed. Expressions can be made up of logically connected facts, operators, and values. Several expressions can be combined with the operators OR or AND.

Facts A fact is a core data element that the Policy Engine processes to determine if the rule is triggered. A fact might contain information about the device, the end user, or the end-user activities. Examples: •

Change from previous risk score.

•

Whether or not Java is disabled.

•

The city's IP city code.

The Adaptive Authentication system is shipped with a default fact list. For more information, see Appendix A, List of Facts. In addition to default facts, you can create custom facts. For more information, see Custom Facts Management on p age 72.

Categories Facts are grouped into categories for accessibility purposes. For example, the Risk Score category groups facts that relate to the risk score of the current event, such as Transaction Risk Scoreand Change From Previous Risk Score.

Values A value is a quantifiable attribute of a fact that defines the situation during which a rule is triggered. Values are divided into the following categories: Technical. For example, the contents of a predefined list. Numeric. For example, the Risk Score. Boolean. For example, whether the device IP is different from the event IP (A true or false value).

Operators An operator is a logical or mathematical function that connects multiple data elements. Operators can be used to define fact values, to connect multiple expressions, and to connect multiple conditions.

44



Fact Operators The following operators can be used when defining fact values. O p e r a to r

RelevantFactType

Equals

• Boolean • Country • Double • ENUM • Float • Integer • IP Address • Long • Risk Score • String

Not equal

• Country • Double • ENUM • Float • Integer • IP Address • Long • Risk Score • String

Empty

• Country • ENUM • String

Greater than

• Double • Float • Integer • Long • Risk Score

Greater or Equals

• Double • Long • Risk Score

Less than

• Double • Float • Integer • Long • Risk Score


45


O p e r a to r

RelevantFactType

Less or Equals

• Double • Long • Risk Score

ContainsinString

String

Not Contains in String

String

Between

• Double

Note: Between specifies a

• Float

• Integer range of values that includes the range boundaries. A value • IP Address • Long between x and y is greater than or equal to x and less • Risk Score than or equal to y.

Not Between Note: Not Between specifies

• Double • Float

• Integer values outside an inclusive range. A value not between x • IP Address and y is less than x or greater • Long than y. • Risk Score

Within

• String • User ID

Not within

• String • User ID

Note: The relevant operators will differ from fact to fact. The Within and Not Within

operators are relevant only for the List category.

Expression Operators The following operators are available for use between expressions.

46

Operator

Description

AND

Connects all expressions within a condition so that the rule is triggered only if all expressions are true.

OR

Connectsallexpressions within aconditionso thatthe rule is triggered if any of the expressions within a condition is true.



Condition Operator The following operator is available for use between conditions.

Actions

Operator

Description

AND

Connects all conditions within a rule so that the rule is triggered only if all conditions are true.

An action is a predefined outcome that occurs when the condition is fulfilled and the rule is triggered. Actions are performed only if the rule status is Production. For more information, see Rule Status on p age 49. Only one action can be defined for each rule. The exception to this is the Review action, which can be set to generate a case together with another action. The following table describes the different action types. To configure these parameters, see General Rule Parameters on p age 58. Ac t i o n

Description

CaseCreated

Allow

Allow the end user to access the system or to continue with the transaction.

Manually

Challenge

Request that the end user authenticate by selecting one of the authentication methods.

Manually (When authentication fails, succeeds, or in both

For more information, see Authentication Methods on page 47.

situations)

The Rule Manager can select whether a case is created in Case Management if authentication succeeds or fails. Deny

Deny the end user access to the system or deny the transaction.

Manually

Review

Flag the transaction for review by creating a case in the Case Management application.

Automatically

Authentication Methods You can use authentication methods to challenge end users to perform an action that verifies their identity before they are allowed to continue. These methods are used in high-risk situations to prevent fraudulent activity. The particular challenge method used depends upon which rule is triggered. The end user must successfully pass the challenge to continue with the current activity. The following authentication methods are available in the Adaptive Authentication system: Knowledge-Based Authentication (KBA). The end user is asked a series of personalized questions based on available data sources.


47


Email (OOBEMAIL). The end user receives an automated email with instructions to enter a confirmation code. Phone (OOBPHONE). The end user receives an automated phone call with instructions to enter a confirmation code. SMS (OOBSMS). The end user receives an automated text message with instructions to enter a confirmation code. One-time password (OTP). The end user is asked to enter a password that is only valid for a single session. Secret Questions (QUESTION).The end user is asked to provide answers to a number of security questions previously defined by the genuine user. Note: You can configure existing authentication methods using the c-config-mcf.xml

file. For more information, see the Operations Guide. You can install additional authentication methods for use in the Adaptive Authentication system. For more information, see the Authentication Plug-in Developer’s Guide. After you install additional authentication methods, you can add these methods to the list of methods available in the Policy Management application. You can do this using the Authentication Methods parameter located in the Authentication Methods component of the Administration Console. You can also use this parameter to remove existing, built-in authentication methods from the list that appears in the Policy Management application. For more information, see the chapter “Configure Authentication Methods” in the Operations Guide. Important: If you delete a method in the Administration Console that is currently

being used in rules, any rules with this action will still be triggered, but you will not be able to assign the deleted method to new rules. To completely delete an authentication method, you must remove the method from the configuration files. When you select the Challenge action, you can define which method is used to challenge the end user. You can select and prioritize multiple methods from the available list. The system selects the first available method relevant for the end user. The end user can only be challenged using authentication methods for which the end user is registered. For example, if SMS, email, and Phone are selected as Authentication Methods with SMS having highest priority, email second priority, and Phone lowest priority, an end user who is not registered for SMS is challenged with the email method.

Risk Score Risk Score is one of the fact categories that you can use to create a rule in the Policy Management application. The RSA Risk Engine evaluates each online activity, tracking over one hundred indicators to detect fraudulent activity. The Risk Engine produces a unique risk score, between 0 and 1,000, for each online activity. The higher the risk score, the greater the likelihood that an activity is fraudulent.

48



You can use the risk score to understand the risk level of an activity in relation to all end user activities. For example, if you choose to challenge any activity with a risk score greater than 900, you can expect 0.25 percent of all activities to be reviewed. This information also helps you estimate the number of cases that operators need to process. Risk-based rules should only be promoted to Production status after the necessary Risk Engine learning period. Until this period has finished, the risk score is not stable and may not be entirely accurate. During the learning period, you can run risk-based rules with a status of Test in order to examine the potential results of your policy. Note: If you upgrade from a previous version of Adaptive Authentication, you can

continue to use risk-based rules without waiting for the Risk Engine learning period to finish. For more information, see the section about Risk Engine Parameters in the Operation Guide.

Case Creation You can flag a transaction for review by creating a case. When a transaction is flagged, a case is created in the Case Management application when the rule is triggered. The Create Case feature performs the same action as the Review action but can be applied in addition to the actions that you apply to a rule. Creating a case is optional and does not need to be applied. If you select the Challenge action, you can choose to create a case when the end user passes authentication, fails authentication, or in both situations. For more information, see Chapter 4, Managing Cases.

Rule Status You can assign one of the following statuses when creating a rule: Work in Progress. The rule does not run on production data. Test. The rule runs on production data, but no action takes place (except for the option to create a case). Statistics are collected to analyze the effectiveness of test rules. When a rule is triggered, the activity is recorded in the database. Production. The rule runs on production data and actions take place.

In addition, the following status can also apply to rules: Suspended. The rule was recently running on production data (had a status of Test or Production) but was suspended for some reason.

To properly manage a policy, you can test rules before you put the rules into production. This testing allows you to view the potential results of a newly created rule without directly affecting the end-user activity. After a rule has been sufficiently tested and appears stable, you can move the rule to production, where the rule is fully implemented.


49


While a rule has a status of Test, it is still triggered if it has a higher priority than a rule with a status of Production. In such a situation, the action of the rule in production is triggered in addition to any case created by the rule.

Status Change Before the rule status can be changed, some rules require the approval of a user with PolicyManager or SeniorPolicyManager permissions. For more information on rule statuses, see Rule Status. The following figure shows the possible status changes that can be made for rules.

The following table lists all status changes that require the approval of a user with PolicyManager or SeniorPolicyManager permissions. Current Status (Change From)

50

Pending Status (Change To)

WorkinProgress

Test

WorkinProgress

Production

Test

Production

Test

Suspended

Production

Suspended

Production

Test



Current Status (Change From)

Pending Status (Change To)

Suspended

Production

Suspended

Test

If you want to change the status of a rule, you must first submit a status change request. If the status change requires approval, the pending status of the rule reflects the status that you requested. A user with sufficient permissions must approve the status change request for the current status to change. If the rule does not require approval, the current status is changed immediately. Each rule has an indication of the current and pending state of the rule, as follows: Current Status. The status that the rule has right now. Pending Status. The status that will be applied to the rule if a status change request is approved by a user with sufficient permissions.

You cannot edit or delete a rule with a status of either or Production, or any rule that has a pending status. To edit or delete such a rule, you must first change the status to either Suspended or Work in Progress.

Rule Management You can use the New Rule wizard to create rules. After you create and save a rule, the rule appears in the Manage Rules table. You can manage rules using the Manage Rules table.


51


Manage Rules Table From the Manage Rules table, you can view details of all rules in one location. The rules presented in the table belong to a policy that is defined by the user. For more information about policies, see Chapter 3, Managing Policies.

You can use the toolbar at the top of the table to perform relevant policy actions, such as adding a new rule or exporting a policy. After you create and save a rule, it appears in the Manage Rules table. After you delete a rule, the rule no longer appears in the Manage Rules table. You can also use the table to easily select and manage existing rules. After you select a rule, you can edit or delete the rule. When you select a rule from the Manage Rules tables, a detailed summary of the rule appears in the section under the Manage Rules table. Note: Only the last comment is displayed. If there are multiple comments, you can

click the hyperlink to view all comments. Note: You can use your mouse to hover overX items found on the toolbar to see a

breakdown of the number of rules according to the current status.

52



Sorting and Filtering Rules When you log on, the rules in the table are automatically sorted by the Date Modified column, but you can sort the rules by other columns as well. You can sort rules alphabetically in either direction. Note: You cannot sort rules by the Event Type column.

You can filter rules by Event Type, Current Status, Pending Status, and Action, using a checkbox to select the field or fields that you would like to view. For example, you can use the filter in the Action column to view only those rules that have Deny as the action. You can rearrange the columns on the Manage Rules table by dragging and dropping a column to another location.

Add a Rule You can add a rule to define what action the Adaptive Authentication system takes during online transactions. You can use the New Rule wizard to define and create these rules. Each rule dictates an action to be taken for a particular end-user behavior. Before You Begin

•

Select the relevant organization or group.

•

You must have Rule Manager, PolicyManager, or SeniorPolicyManager role permissions. For more information, see Role Management on page 24.

To add a rule:

1. Click the Manage Rules link in the Policy Management application. 2. Click New > New Rule. 3. Complete the fields on the General page. For a description of each field, see General Rule Parameters on p age 58. 4. Click Next. 5. On the Conditions page, do the following: a.

From the Category drop-down list, select a category. Note: The data in the Fact and Operator drop-down lists changes according

to the category selected. The order of the two lists varies according to the category selected. The Operator list might appear before the Fact list. b. From the Fact drop-down list, select a fact. For more information, see Appendix A, List of Facts. c.

From the Operator drop-down list, select an operator.

d. In each Value field, enter a value.


53


e.

(Optional) To add a new expression, click Add New Expression, and repeat steps a through d. To define how multiple expressions are connected to each other, from the Join Multiple Expressions bydrop-down list, select AND or OR. The selected operator will apply to all expressions within the condition.

f.

(Optional) To remove an expression, click Remove expression. Each condition must contain at least one expression. You can only remove an expression if there are at least two expressions.

g. (Optional) To duplicate an expression, click Duplicate. When you duplicate an expression, all the fields are copied except the value field or fields. h. (Optional) To add a new condition, click Add New Condition, and repeat steps a through e.

6. Click Next. 7. On the Actions page, do the following: a.

From the Action drop-down list, select an action. For a description of the available actions, see Actions on p age 47. Note: If you select Challenge, an Authentication Method section appears.

From the Available Methods list, highlight the method to use to challenge end users, and click the right arrow to move it to the Selected Method(s) list. You can add as many methods as you like. To prioritize the methods within the Selected Method(s) list, use the up and down arrows.

54



b. To create a case, select Create a Case. Note: If you select Challenge, two checkboxes appear, which allow you to

create a case when authentication fails or when it succeeds. Select the appropriate checkbox. 8. Click Next. 9. Review the rule details on the Summary page. To edit any part of the rule, click Edit at the top right of the section that you want to change. 10. Click Finish.

Comparing Policy Facts The Policy Management application allows you to compare between any two facts, regardless of the fact type (custom, built-in or calculated), as long as the two facts are of the same data type.

Fact Comparison Operators The following table lists the operators which you can use to compare facts. O p e r a to r EqualtoFact

CompatiblewithDataType Alldatatypes

FactTypes • Boolean • ENUM • String • Numeric • IP Address • User ID • Country

Not Equal to Fact

All data types

• Boolean • ENUM • String • Numeric • IP Address • User ID • Country

GreaterthanFact

Numericdatatypes

Numeric

GreaterthanorEqualtoFact

Numericdatatypes

Numeric

LessthanFact Less than or Equal to Fact

Numericdatatypes Numeric data types

Numeric Numeric

ContainsStringFact


Stringdatatypes

String

55


O p e r a to r

CompatiblewithDataType

Not Contains String Fact

String data types

FactTypes String

The following operators are not supported by the Comparison of Policy Facts enhancement: •

Between

•

Not Between

•

Within

•

Not Within

•

Is Empty

Compare Facts You can use the Rule wizard to compare facts within rules that you create. Before You Begin

•

Select the relevant organization or group.

•

You must have RuleManager, PolicyManager, or SeniorPolicyManager role permissions. For more information, see Role Management on page 24.

•

Perform the Add a Rule procedure, as described in Add a Rule on p age 53, until the step to define the rule expression on the Conditions page.

To compare facts:

1. Select a source category from the Category drop-down list. 2. Select the source fact from the Fact drop-down list. 3. Select a fact comparison operator from the Operator drop-down list. Note: This selection determines if the purpose of the rule is to compare facts. The

Rule wizard utility adjusts the user-interface accordingly. 4. Choose a target category, considering the following: •

The default selection for the target category is the same as the source category.

•

The target Category drop-down list includes all categories.

5. Choose a target fact, considering the following: •

The default selection for the Target fact is empty.

•

The target Fact drop-down list includes only the facts with the same data type

as the source fact. 6. The Rule wizard utility makes adjustments to the user-interface, if the following changes are made: •

56

If a target category other than the source category is selected, the target fact field is reset.



•

If the fact comparison operator is changed to a non-fact comparison operator, the target category and fact are reset to a non-fact comparison expression target format.

Edit a Rule You can edit a rule to change any of the details. All rule fields are available for editing. To edit a rule with a status of or Production, you must first change the status to Work in Progress or Suspended. For more information, see Status Change on p age 50. To edit a rule:

1. Click the Manage Rules link in the Policy Management application. 2. In the Manage Rules table, click the Rule Name of the rule that you want to edit. The Summary page is displayed.

3. Click Edit at the top right of the section that you want to change. 4. Change the section as necessary. Use the Next and Back buttons to navigate between sections, or click the section links at the top of the screen (General, Conditions, Actions, and Summary). 5. Click Save & Exit to save your changes and return to the Manage Rules table.


57


Delete a Rule You can delete a rule to remove the rule from the system and prevent the rule from functioning. When you delete a rule, the rule is no longer available in the Manage Rules table. To delete a rule:

1. Click the Manage Rules link in the Policy Management application. 2. Select the checkbox of the rule or rules you want to delete. 3. Click Delete.

General Rule Parameters The following table describes the general rule parameters, available on the General page of the New Rule wizard. Parameter

Description

Required

Rule Name

Unique name that you assign to the rule. The rule name is unique per policy. An informative name, for example, Challenge Forbidden IP Address, can help to quickly locate the rule and understand the purpose of the rule.

Yes

The maximum length of rule names is 80 characters. You can use special characters in the rule name. Description

An explanatory note describing the purpose or function of the rule.

No

The maximum length of the description is 500 characters. Status

The current status for this rule. The following options are available:

Yes

• Work In Progress . The rule can be edited but is not running on production data. • Test. The rule is running on production data, and cases can be created, but no action takes place. • Production. The rule is running on production data, and all actions take place.

Any rule assigned a status of Test or Production is initially saved with a status of Work In Progress. After a user with PolicyManager or SeniorPolicyManager permissions approve the status change, the rule will reflect the srcinally assigned status.

58



Parameter

Description

Required

Comment

A free-text field that can be used to explain changes or additions made to the rule.You can add several comments to a rule, which are displayed one after another.

No

The maximum length of a comment is 500 characters. You can view all comments associated with a rule by clicking the View Previous Comments link in the Summary section on the Manage Rules newtime window list of comments withscreen. the dateAand each displays commenta was added and the name of the person who added each comment. The table is sorted according to the most recently added comments. You can edit only the current comment. Previous comments are displayed as read-only. Event Type

The type of end-user activity that triggers a rule when all rule conditions are met.

Yes

In addition to predefined event types, custom event types appear in this list, marked with an icon. You can select one event type or several event types. Order

The priority assigned to a rule, indicating the order in which the rule is triggered. A lower number represents a higher priority and a higher number represents a lower priority. When a production rule is triggered, all rules with a lower priority will not be triggered.

Yes

The default value for this field is one position lower than the lowest-ordered existing rule. For example, if the lowest-ordered existing rule is 8, the default value is 9. To add a rule as last in line, leave the default value that is displayed in the field. If you choose a value currently assigned to an existing rule, the existing rule and all lower-ordered rules are moved one priority level lower. For example, if you assign a priority of 5 to a rule, the existing rule with a priority of 5 is assigned a lower priority of 6, and similarly with all other rules. The Available Range values represent the possible values that you can assign to the rule. The highest value in the range of values is automatically assigned as the order of the rule. The Policy Engine receives and evaluates only rules with a status of or Production. A rule with a status of Work in Progress is not sent to the Policy Engine. In such a case, the Policy Engine checks the relative order of the remaining rules. For example, if there are three rules in the system, and the rule with an order of 2 has rules a status of orders Work in the will Policy Engine receives the with ofProgress, 1 and 3 and assign the latter ruleonly a lower priority.


59


Request a Status Change for a Rule You can request a status change for a rule to redefine the purpose of a rule within your organizational policy. For example, you can change the status of a rule from Production to Suspended if you see that the rule is not furthering the security goals of your organization. Depending on the status change request that you make, the new status that you choose may initially appear as a pending status. If so, a user with sufficient permissions must approve the status change request for the status to change from pending status to current status. For more information, see Status Change on p age 50. To change the status of a rule:

1. Click the Manage Rules link in the Policy Management application. 2. From the Manage Rules table, select the rule for which you want to change the status. 3. From the Status drop-down list, select Request Status Change. 4. In the Request Status Change dialog box, select a new status from the New Status drop-down list. 5. (Optional) In the Comment field, enter a description related to the current status change. This comment will appear when a user with PolicyManager or SeniorPolicyManager permissions reviews the status change. The description should help the reviewer understand why the status was changed. 6. Click Set Status.

Cancel a Status Change Request for a Rule You can cancel a status change request to retract a previously sent request to change the status of a rule. When you cancel a status change request, the pending status is removed and the status of the rule remains the current status. You can cancel a status change request only if you are the user who made the request. You can only cancel a status change request of a rule with a pending status. To cancel a status change request for a rule:

1. Click the Manage Rules link in the Policy Management application. 2. From the Manage Rules table, select the rule for which you want to cancel the status change request. 3. From the Status drop-down list, select Cancel Request. 4. Click Yes. Note: You can cancel only one status change request at a time.

60



Approve a Status Change Request for a Rule You can approve a status change request for a rule to confirm a status change. You can only approve the status of a rule with a pending status. A pending status indicates that the status of the rule has been changed and requires approval before the new status takes effect. You can approve the status of only one rule at a time. Before You Begin

You must have PolicyManager or SeniorPolicyManager role permissions to approve the status of a rule. For more information, see Role Management on p age 24. Note: A user with PolicyManager permissions can approve the status of a rule only if

the request was made by another user. A SeniorPolicyManager can approve all status change requests. To approve the status of a rule:

1. Click the Manage Rules link in the Policy Management application. 2. From the Manage Rules table, select the rule for which you want to approve the status. 3. From the Status drop-down list, select Approve Status. 4. In the Approve Status dialog box, review the rule status details. If you approve the status change, the status listed in the Pending Status field will become the Current Status. The Pending Status field will then be empty. 5. (Optional) In the Comments field, enter a description related to the status approval. 6. Click Approve.

Reject a Status Change Request for a Rule You can reject the status of a rule to deny a status change and keep the rule status as is. You can only reject the status of a rule with a pending status. A pending status indicates that the rule’s status has been changed and requires review before the new status can take effect. You can reject the status of only one rule at a time. Before You Begin

You must have PolicyManager or SeniorPolicyManager role permissions to reject the status of a rule. For more information, see Role Management on p age 24. Note: A user with PolicyManager permissions can reject the status of a rule only if the

request was made by another user. A SeniorPolicyManager can reject all status change requests.


61


To reject the status of a rule:

1. Click the Manage Rules link in the Policy Management application. 2. From the Manage Rules table, select the rule for which you want to reject the status. 3. From the Status drop-down list, select Reject Status. 4. In the Reject Status dialog box, review the rule status details. If you reject the status change, the status listed in the Pending Status field will be removed, and the Current Status will remain as it is. 5. (Optional) In the Comments field, enter a description related to the status rejection. 6. Click Reject.

Duplicate Rules to Another Organization You can duplicate all rules to copy all rule data from one organization to another organization or from one organization to multiple organizations. You can then make changes or adjustments to the new policy as necessary. When you duplicate all rules to an organization, you replace all existing rules for that organization. This includes all rules with a status of Work in Progress and Suspended, in addition to those with a status of and Production. The rules are copied as is, with the same rule details, conditions, and actions. You must be logged on to an organization to duplicate the rules to another organization. When you duplicate rules, the last modified date is changed for the rules in the target organization. Important: Do not make any changes to the policy while you perform the duplicate

action.

Before You Begin

Ensure that you have PolicyManager or SeniorPolicyManager role permissions. You must also have these permissions for the organization to which you want to duplicate the rules. For more information, see Role Management on p age 24. To duplicate all rules to another organization:

1. Click the Manage Rules link in the Policy Management application. 2. Click New > Duplicate All Rules. 3. Select one or more target organizations. 4. Click Duplicate. Note: After the completion of the duplicate process, a policy refresh occurs. The

duplicated rules are immediately activated in the target organization, and the rule status of all rules remains the same. Policy data that existed before the duplicate action is removed from the database and will not appear on a Policy Report. For more information, see Policy Refresh on p age 41.

62



Policy Export and Import You can export all policy management data to duplicate all organizational policies in order to create parallel environments for both testing and production purposes. Additionally, you can export policy data to save a backup of your policy. When you export or import policy data, you transfer data from all organizational policies. This data includes rules, lists and their values, custom facts and custom event types. The system saves the exported file on the server as an XML file. An MD5 checksum file is also created during the export process to check for any possible corruption in the XML file. This ensures the integrity of the exported file during the import operation.Only users with permission to access the default organization can perform the export and import policy actions. When you export the policy data, the file is saved on the server and not locally. This is done for security reasons, in order to reduce the risk of unauthorized access to the file. You can configure the file location in the Administration Console. For more information, see the Operations Guide. To duplicate all policies from the source environment to the target environment, you must perform the following actions. 1. Export policy data from the source environment. 2. Copy the exported files to the target environment. 3. Import policy data on the target environment.

Export Policy Data You can export all policy data to duplicate all organizational policies in order to create parallel environments for both testing and production purposes. Additionally, you can export policy data to save a backup of your policy. When you export all policy data, you export data from all organizational policies. Exported data includes rules, lists and their values, custom facts, and custom event types. Before You Begin

You must have permission to access the default organization in order to perform the import policy action.


63


To export a policy:

1. Click the Manage Rules link in the Policy Management application. 2. Click Export Policy. The Export Policy dialog box displays the location of the export directory. The name of the exported file is aaboPolicyExportFile_.xml, where is the date and time that you performed the export. A checksum file is also created during the export process, named aaboPolicyExportFile_.xml.md5, to ensure the integrity of the exported file during the import operation. Note: The values contained in any hashed lists remain hashed. Otherwise, the

exported file is a readable XML file. 3. Click Export.

Import Policy Data You can import all policy data to duplicate all organizational policies and create parallel environments for both testing and production purposes. After you export your policy data to the server as an XML file and copy the exported files to the target environment, you can import the policy data on the target environment. When you import all policy data, you import data from all organizational policies. Imported data includes rules, lists and their values, custom facts, and custom event types. Important: To access the imported data, the new environment must contain the same

organizations that existed in the srcinal environment. If an organization does not exist, you cannot access the policy data of that organization. When you import all policy data, a policy refresh occurs. Policy data that existed in the new environment before the import is removed from the database and will not appear on a Policy Report. For more information, see Policy Refresh on p age 41. Before You Begin

•

Export your existing policy. This exported policy serves as a backup in the case of any mistake or emergency. This is important, since the import action cannot be undone.

•

You must have permission to access the default organization in order to perform the import policy action.

To import a policy:

1. Click the Manage Rules link in the Policy Management application. 2. Click New > Import Policy. 3. In the Import Policy dialog box, enter the filename that you want to import.

64



Important: When you import all policy data, you replace the existing policy data

for all organizations. The exported filename is aaboPolicyExportFile_.xml, where is the date and time that you performed the export. You should verify that the encoding and characters of the MD5 checksum file created during the export operation do not change when copying the file between different platforms. 4. Click Import.

List Management A list is a fact category that groups together facts of a specific type. You can use lists to define which countries, IP addresses, end users, and strings are considered malicious, safe, or suspicious. After you create lists, you can use the lists to build conditions in the New Rule wizard. You can either use the predefined lists or create custom lists. When you create a new lists in the system, the list will be available to all organizations, and not only for the organization that it was created for. If you add or delete a list, or change values in a list, it will affect all organizations that have rules which use that list. All facts in a list must have the same type of value, known as a List Type. For example, all facts in the IP on VIP List must have a List Type of IP Address. This means that all fact values in this list must be in the form of a valid IP address. The following List Types are available: •

Country

•

IP Address

•

String

•

User ID

After you create and save a list, the list appears in the Manage Lists table. You can manage lists using the Manage Lists table. For more information, see Manage Lists Table on p age 66.


65


Manage Lists Table From the Manage Lists table, you can view the details of all lists in one location. After you create and save a list, the list appears in the Manage Lists table. After you delete a list, the list will no longer appear in the Manage Lists table.

You can use the menu items at the top of the table to perform relevant policy actions, such as adding a list. You can also use the table to edit lists. You can perform the following actions from the Manage Lists table: •

Add a List

•

Edit a List

•

Delete a List

Sorting and Filtering Lists When you log on, the lists in the table are automatically sorted by the Date Modified column, but you can sort them by the List Name, List Type, and Status columns as well. You can sort lists alphabetically in either direction. You can filter lists by List Type or Status, using a checkbox to select the field that you want to view. For example, you can use the filter in the List Type column to view only those lists that have Country as the list type. You can rearrange the columns on the Manage Lists table by dragging and dropping a column to another location.

List Summary When you select a list from the Manage Lists table, a detailed summary of the list appears in the section below the Manage Lists table. The summary section contains the list name, the creator of the list, and the date modified, along with the information described in the following table.

66



Note: The information you see in the summary section depends on your role

permissions. For more information, see Role Management on p age 24. El e m e n t

Description

ListDetails

LastModifiedBy

List Content

A table that lists all the values in the list. • Value • Organization (User ID only) • Last Modified By • Date Modified

Related Rules

A table that lists all the active rules that use the list in one of the conditions.

Add a List You add a list to categorize a group of fact values together. You can then create rules based on these lists. To add a new list:

1. Click the Manage Lists page in the Policy Management application. 2. From the Manage Lists table menu, click New. 3. Complete the fields on the New List page. For a description of each field, see General List Parameters on p age 71. 4. Do one of the following: •

Add a Single Value to a List.

•

Add a Range of IP Values to a List.

•

Import a Set of Values to a List.

5. Click Save.

Add a Single Value to a List You can add a single value to an existing list to define the fact values that are categorized together in the list. The type of values that you can add depends on the list type that you select when you create the list. Before You Begin

Do one of the following:


•

Access the New List page. See Add a List on p age 67.

•

Access the Edit List page. See Edit a List on p age 70.

67


To add a single value to a list:

1. In the List Content section, from the Add Value drop-down list, select Add Value Manually. 2. In the Add Value Manually dialog box, enter the value, and click Add. If the List Type is User ID, you must also enter the organization name associated with the end user. If the List ID Masking parameter in the Administration Console is selected, you must first apply SHA1 hashing (to the end user name only) before you enter the value. For more information, see Hash the Values of a User ID List on page 71. 3. Repeat these steps for any additional values. Note: When entering values in a list of countries, use the two-letter code specified by

the ISO 3166 standard. These values are case-sensitive, and need to be capitalized.

Add a Range of IP Values to a List You can add a range of IP values to an existing list to define the fact values that are categorized together in the list. You can only add a range of values if you selected IP Address as the List Type. Before You Begin

Do one of the following: •


•


To add a range of IP values to a list:

1. In the List Content section, from the Add Value drop-down list, select Add Range of Values Manually. 2. In the Add Range of Values Manually dialog box, enter the IP address range, and click Add. You can use either IPv4 or IPv6 values, but both the From and To values must be the same version. 3. Repeat these steps for any additional value ranges. 4. (Optional) To delete values, select the checkboxes of the values that you want to delete, and click Delete. 5. Click Save.

68



Import a Set of Values to a List You can import a set of values to an existing list from a CSV file to add multiple values to a list. The type of values that you can add depends on the List Type that you select when you create the list. Be aware of the following factors when you import a set of values: •

Each value must be separated by a new line. All data in the same line is imported as a single value.

•

For most lists, you must enter all data in the first column. All other columns are ignored. If the List Type is User ID, you must also enter the organization name associated with the end user. Use the first column for the end user name, and the second column for the organization. If the List ID Masking parameter in the Administration Console is selected, you must first apply SHA1 hashing (to the end user name only) before you enter the value. For more information, see Hash the Values of a User ID Liston p age 71.

•

Any file containing non-Latin or non-numeric characters must use UTF-8 encoding.

•

The import action might take longer than expected if the number of values in the file is too high. The values must match the List Type selected. For example, if the List Type is IP Address, 171.16.0.0 is a valid value.

•

IP address files can contain single IPv4 or IPv6 values, IPv4 ranges, and IPv6 ranges. When importing IP address ranges, use a dash to separate values, for example, 10.0.0.0 - 10.255.255.255.

•

When entering values in a list of countries, use the two-letter code specified by the ISO 3166 standard. These values are case-sensitive, and need to be capitalized.

Before You Begin

Do one of the following: •


•


To import a set of values to a list:

1. In the List Content section, from the Add Value drop-down list, select Import Values to List. 2. Click Browse to select the CSV file containing the values to import. Important: You can choose to either add the imported values to the existing list

values or replace all existing content with the imported values. 3. Click Import. 4. (Optional) To delete values, select the checkboxes of the values that you want to delete, and click Delete. 5. Click Save.


69


Edit a List You can edit a list to change list details and revise or add new content. All list fields are enabled for editing except for the List Type field. While you are editing a list, the list is locked for editing, and no other user can edit the list. To edit a list:

1. Click the Manage Lists page in the Policy Management application. 2. From the Manage Lists table, in the List Name column, click the list that you want to edit. 3. In the List Details section, edit the details as necessary. For a description of each field, see General List Parameters on p age 71. 4. In the List Content section, do one of the following: •

Edit a single value or range of IP values: a.

In the Value column, click the value or range of values that you want to edit.

b. In the Edit Value dialog box, enter the new value or values, and click Update. If you are editing a range of IP values, you can use either IPv4 or IPv6 values. However, both the From and To values must be the same IP version. c.

Repeat these steps for any additional values.

•

(Optional) Add a Single Value to a List.

•

(Optional) Add a Range of IP Values to a List.

•

(Optional) Import a Set of Values to a List.

•

(Optional) To delete values, select the checkboxes of the values that you want to delete, and click Delete.

5. Click Save.

Delete a List You can delete a list to completely remove the list from the Manage Lists table. A deleted list is not available when you are using the New Rule wizard or editing a rule. You cannot restore a list that is deleted from the system. You cannot delete a list that is currently being used in a rule. You cannot delete multiple lists if any of the lists marked for deletion are currently being used in a rule. You must either remove those lists from any rules or delete the other lists separately. To delete a list:

1. Click the Manage Lists page in the Policy Management application. 2. Select the checkboxes of the lists that you want to delete. 3. Click Delete. 4. When prompted to confirm the deletion, click Yes.

70



Hash the Values of a User ID List You can hash the values of a list with a List Type of User ID to hide the identities of the end user names in the Policy Management Database. To hash the values of a User ID list:

1. Configure the List ID Masking parameter in the Administration Console. Important: You must select the checkbox for the user names to be recognized as

hashed. However, selecting the checkbox does not automatically hash the values. If you select the checkbox, you must manually enter hashed values to the list. If you clear the checkbox, you need to manually enter plain values to the list. You must manually reenter the appropriate values each time you select or clear the checkbox. For more information, see the Operations Guide. 2. Manually hash the user name values that you want to add to the User ID list using SHA1 hexadecimal encoding. 3. For each User ID, add the hashed user name and organization name (not hashed) to the User ID list. Note: The hashed user names are not case sensitive. The organization names are

case sensitive. For more information about adding values to lists, see Add a Single Value to a List on page 67 and Import a Set of Values to a List on p age 69.

General List Parameters The following table describes the general list parameters, available on the Add New List and Edit List pages. LisA t ttribute List Name

Description Unique name assigned to the list.

R e q u ir e d Yes

The maximum length of a list name is 50 characters. You can use special characters. List Type

The List Type designates the type of values contained in the list.

Yes

Note: You must select a List Type before you begin to

add values to the list. The following predefined List Types are available: • IP Address (or range of IP Addresses) • User ID • Country • String


71


LisA t ttribute Status

Description

R e q u ir e d

The current status for this list. The following options are available:

Yes

• Enabled (default). The list is available for use when creating new rules, appears in the Manage Lists table, and appears in existing rules. • Disabled. The list is not available for use when creating new rules, but still appears in the Manage Lists table, and still appears in existing rules. Description

An explanatory note describing the purpose or function No of the list. The maximum length of the description is 500 characters.

Custom Facts Management The Adaptive Authentication system is shipped with a predefined fact list. A fact is a core data element that the Policy Engine processes to determine if the rule is triggered. For more information, see Facts on p age 44. In addition to facts in this predefined list, you can create custom facts. After you create and save a custom fact, you can build rules with the fact in the Conditions stage of the New Rule wizard. You can add up to 20 different custom facts to the system. You can see manage custom factsFacts usingTable the Manage Facts table. For more information, Manage Custom on p ageCustom 72.

Manage Custom Facts Table From the Manage Custom Facts table, you can view details of all custom facts in one location. After you create and save a new custom fact, the fact appears in the Manage Custom Facts table. You can use the menu items at the top of the table to add or delete custom facts. You can also use the fact name links in the table to edit existing facts.

Custom Fact Summary When you select a custom fact from the Manage Custom Facts table, a detailed summary of the custom fact appears in the section below the table. The summary section contains information regarding the following elements.

72



Note: The information you see in the summary section depends on your role


Description

Custom Fact Details

Additional list details. • Last Modified By • Description

Related Rules

A table that lists all the active rules for the organization that use the custom fact in one of the conditions.

Add a New Custom Fact You can add a new custom fact to define a data element that can be used to create a rule. Note: You can add up to 20 different custom facts per SOAP API request. By default,

the application is configured for up to 1000 total custom facts for the Back Office application. Contact RSA to configure the maximum number of custom facts for the Back Office application. To add a new custom fact:

1. Click the Manage Custom Facts page in the Policy Management application. 2. From the Manage Custom Facts table menu, click New. 3. Complete the fields on the New Fact page. For a description of each field, see Custom Fact Parameters on p age 74. Important: The maximum length of a value for a custom fact, using the UTF-8

character set, is 90 bytes. 4. Click Save.

Edit a Custom Fact You can edit a custom fact to change the details of the fact. The Fact Name and Fact Type fields are not available for editing. To edit a custom fact:

1. Click the Manage Custom Facts page in the Policy Management application. 2. From the Manage Custom Facts table, in the Custom Fact Name column, click on the fact that you want to edit. 3. On the Edit Fact page, edit the details as necessary. For a description of each field, see Custom Fact Parameters on p age 74. 4. Click Save.


73


Delete a Custom Fact You can delete a custom fact to completely remove the fact from the Manage Custom Facts table. A deleted custom fact is not available when you are using the New Rule wizard or editing a rule. You cannot restore a custom fact that is deleted from the system. You cannot delete a custom fact that is currently being used in a rule. You cannot delete multiple custom facts if any of the custom facts marked for deletion are currently being used in a rule. You must either remove those custom facts from any rules or delete the other custom facts separately. To delete a custom fact:

1. Click the Manage Custom Facts page in the Policy Management application. 2. Select the checkbox of the fact you want to delete. 3. Click Delete. 4. When prompted to confirm the deletion, click Yes.

Custom Fact Parameters The following table describes the custom fact parameters, available on the Add Custom Fact page. Custom Fact Attribute

Description

Re q u i r e d

Category

The category name is Custom Facts.

N/A

This is a predefined field which is not editable. Fact Name

Unique name assigned to the Fact.

Yes

The maximum length of a fact name is 50 characters. You can use special characters. Fact Type

The fact type designates the type of value contained in the fact.

Yes

The following predefined fact types are available: • Boolean • Double • Float • Integer • IP Address • String

74



Custom Fact Attribute Status

Description

Re q u i r e d

The current status for this fact. The following options are available:

Yes

• Enabled (default). The fact is available for use when creating new rules, appears in the Manage Custom Facts table, and appears in existing rules. • Disabled. The fact is not available for use when creating new rules, but still appears in the Manage Custom Facts table, and still appears in existing rules. Description

An explanatory note describing the purpose or function No of the fact. The maximum length of a description is 500 characters.

Custom Event Type Management An event type is an end-user activity that triggers a rule when the conditions associated with the rule are met. A predefined list of event types is available within the Policy Management application. For more information, see Event Types on p age 42. You can create custom event types and then create new rules based on these event types. Important: To trigger rules that are based on custom event types, you must add the

appropriate custom event type to the online banking API and send the event type via the SOAP API to the Adaptive Authentication system. For more information, see the section that discusses Web Services API Data Elements in the Web Services API Reference Guide. You can create two kinds of custom event types: •

A new event type that does not exist in the list of predefined event types shipped with the Adaptive Authentication system.

•

A sub-event type that is linked to a predefined event type. For example, you can create a custom event type, International, and link it to the predefined event type, Payment. The new custom event type is named Payment - International.

You can manage custom event types using the Manage Custom Event Types table. For more information, see Manage Custom Event Types Tableon p age 76. After you create custom event types, the event types are available in the Event Type field in the General page of the New Rule wizard. Custom event types are marked with an icon to distinguish them from predefined event types.


75


Manage Custom Event Types Table From the Manage Custom Event Types table, you can view details of all custom event types in one location. After you create and save a new custom event type, the custom event type appears in the Manage Custom Event Types table. Use the menu items at the top of the table to add or delete custom event types. Click on the event type name links in the table to edit event types.

Custom Event Type Summary When you select a custom event type from the Manage Custom Event Types table, a detailed summary of the custom event type appears in the section below the table. The summary section contains information regarding the following elements. Note: The information you see in the summary section depends on your role


Description

Custom Event Type Details

Additional list details. • Last Modified By • Description

Related Rules

A table that lists each active rule that uses the custom event type in one of the conditions of the rule.

Add a Custom Event Type You can add a custom event type to define a customer activity that triggers a rule when the conditions associated with the rule are met. To add a new custom event type:

1. From the Policy Management drop-down list, select Manage Custom Event Types. 2. From the Manage Custom Event Types table menu, click New. 3. Complete the fields on the New Custom Event Type page. For a description of each field, see Custom Event Type Parameters on p age 77. 4. Click Save.

Edit a Custom Event Type You can edit a custom event type to change the details. While you are editing a custom event type, the event type is locked for editing and no other user can edit the event type. Note: The Custom Event Type Nameand Predefined Event Typefields are not

available for editing.

76



To edit a custom event type:

1. From the Policy Management drop-down list, select Manage Custom Event Types. 2. From the Manage Custom Event Types table, in the Custom Event Type Name column, click on the event type that you want to edit. 3. On the Edit Custom Event Type page, edit the details as necessary. For a description of each field, see Custom Event Type Parameters on p age 77. Note: You can only edit theStatus and Description fields.

4. Click Save.

Custom Event Type Parameters The following table describes the custom event type parameters, available on the Add Custom Event Type page and the Edit Custom Event Type page. Custom Event Type Attri bute

Description

Custom Event Type Name

Unique name assigned to the event type. This name Yes cannot be the same as any other event type in the system.

Required

The maximum length of an event type name is 50 characters. Note: Special characters are not permitted in the event

type name. Predefined Event Type

A list of all event types that are predefined in the system.

Status

The current status for this event type. The following options are available:

No

You can select an event type from the list to link a newly created custom event type to a predefined event type. For example, you can create a custom event type, International, and link it to the predefined event type, Payment. The new custom event type is named Payment - International. Yes

• Enabled (default). The event type is available for use when creating new rules, is included in the Manage Custom Event Types table, and is included in existing rules. • Disabled. The event type is not available for use when

creating new rules, but is included in the Manage Custom Event Types table, and is included in existing rules.


77


Custom Event Type Attri bute Description

Description

Required

An explanatory note describing the purpose or function of the event type.

No

The maximum length of the description is 500 characters.

Policy Report The policy of an organization contains rules that can trigger a wide variety of actions. To get a broad picture of the results of your organizational policy, you can generate a Policy Report. For example, by analyzing the Policy Report, you can make more informed decisions about whether or not to promote a test rule to production, whether to remove a rule from production entirely, or whether to add or remove event types from a rule. A Policy Report displays all rules that are running in a production environment (rules with a status of or production) for a given organization. For each rule, the Policy Report displays the following information: Rule Order. The priority assigned to a rule, indicating the order in which the rule is triggered. A lower number represents a higher priority and a higher number represents a lower priority. After a production rule is triggered, all production rules with a lower priority will not be triggered. All rules with a higher priority than the triggered production rule are also triggered. Note: Rules that are not running in a production environment are not displayed.

As a result, there may be gaps in the rule order. Rule Name. The unique name that you assigned to the rule. Associated Event Type(s).The type of end-user activity that triggers the rule when all rule conditions are met. Multiple event types can be assigned to a single rule. In the report, each row represents a different event type. Any rule may, therefore, be represented by multiple rows in the report. Status. The current status for this rule. Only rules with a status of Test or Production are evaluated by the Policy Engine and appear in the Policy Report. Rule Action. The predefined outcome that occurs when the condition is fulfilled and the rule is triggered. Number of times rule triggered. The number of times that the rule is triggered, irrespective of whether the rule status is or Production.

78



Allow, Challenge, Deny,and Review. These four columns list the number of times each respective action is applied to end users when this rule is triggered. When a rule is triggered, no action is applied to the end user, but one or more rules can be triggered at the same time that a production rule is triggered. When this production rule is triggered, an action is applied to the end user. These parameters, therefore, indicate the number of times a production rule results in an action for any given rule, whether the production rule itself or a rule that is triggered along with the production rule. You can use this number to evaluate the potential result of a rule if the status was changed to Production.

For more information on these parameters, see General Rule Parameters on p age 58. Note: If no production rules are triggered during a transaction, a fallback rule is

triggered. When triggered, the fallback rule appears in the Policy Report. For more information on the fallback rule, see Introduction to Policy Management on p age 39. You can use the data provided in the Policy Report to analyze and adjust the state of your policy. For example, you may see that your policy triggers too many instances of step-up authentication (challenge action). In other words, your policy may be consistently applying the challenge action to a large number of end users who pose no threat to the system. This can potentially cause unnecessary inconvenience for the end user and can create a preventable financial burden for your company. Using the Policy Report as a diagnostic tool, you can fine-tune your policy to improve the end-user experience. For example, you may have a rule that challenges any end user with a risk score of more than 800. After viewing the Policy Report, you may decide to raise the threshold of that rule to 850. Additionally, you may find that your policy results in the creation of too many cases in the Case Management application. Your organization may be unable or unwilling to handle the quantity of cases created by your current policy. Using the Policy Report, you can analyze the foreseeable case load and adjust your policy accordingly.

Sample Policy Report The table below shows a sample Policy Report based on the following scenario. Your policy contains the following three rules: Rule A. A test rule that is triggered if the end user performs the Add_Payee activity and receives a Risk Score of more than 800. If this condition is met, the action is Allow. Rule B. A test rule that is triggered if the end user performs the Add_Payee activity and receives a Risk Score of more than 850. If this condition is met, the action is Allow. Rule C. A production rule that is triggered if the end user performs the Add_Payee activity and receives a Risk Score of less than 900. The action is

Challenge.


79


If the end user performed the Add_Payee transaction one time and received a risk score of 899, the Policy Report would look as follows.

Rule Rule Order Name

Event Type

Status

Number of times A llo w rule triggered

Rule Action

Challenge Deny Review

1

Rule A

Add_PayeeT est

Allow

1

1

2

Rule B

Add_PayeeT est

Allow

1

1

3

RuleC

Add_Payee Production

Challenge 1

1

This Policy Report shows that each of the three rules was triggered once since the last policy refresh. The Challenge column indicates that, for each triggered rule, the Challenge action was applied once. You can use this information to analyze how the rules would perform if promoted to production. In this case, both Rule A (test) and Rule B (test) were triggered at the same time that the Challenge action was applied by Rule C (production). If either rule had been a production rule, the rule would have resulted in the associated rule action.

Generate a Policy Report You can generate a Policy Report to analyze the effects of your policy on end users. A Policy Report relates to the policy of a single organization. The Policy Report is generated to a CSV file. The Policy Report displays all policy information from the last policy refresh until 11:59 p.m. of the previous day. If you generate a report immediately after a policy refresh, the report does not accurately reflect the state of your policy. A policy refresh occurs when you create or edit a rule or when you import or export a policy. For more information, see Policy Refresh on p age 41. Note: You may want to generate and save your report before a policy refresh. You can

then compare this data with newer data. Before You Begin

To populate the report with rule details from the database, the Policy Report scheduled task must be enabled. This is performed using the Scheduled Tasks function in the Administration Console. The Policy Report scheduled task is enabled by default but can be manually disabled. If this task is disabled, the Policy Report will not contain rule data. The Policy Report scheduled task must be executed exactly one time each day. For more information, see the chapter on configuring scheduled tasks in the Operations Guide. To generate a Policy Report:

1. Click the Manage Rules link in the Policy Management application. 2. Select the organization for which you want to create the Policy Report. The Policy Report is specific to this individual organization.

80



3. Click Policy Report. 4. Click Download Report.


81


4

Managing Cases •

Case Management Application Overview

•

Case Management Functionality

•

Case Assignment

•

Case Grouping

•

Lifecycle Milestones of Cases

•

Case Workflows

•

Case Management Menu

•

Case Status

•

Case Mode

•

Process Queue Management

•

View the Queue

•

Look Up an End User

•

Case Update

•

Manually Set a Resolution for an Activity

•

Operator Group Management

•

Operator Management

•

Research Activities

•

Snooze Mode

•

Top Risk Score Contributors

•

Custom Facts

This chapter describes how to use the Case Management application.

Case Management Application Overview The Case Management application enables organizations to track and investigate end-user activity. Activities are end-user actions that are logged in the system. The application provides an environment for the research and analysis of activities, trends, and patterns and for case management, in order to identify suspected or confirmed fraud. The application provides feedback to the RSA ® Risk Engine. With the Case Management application, an organization can take action to help prevent fraud and make informed decisions regarding the fraudulent activities.

Managing 4: Cases

83


The Case Management application reflects a multi-organizational structure. A user can select which organization’s data to view in the application. For more information, see Organization Management on p age 33.

Case Management Functionality A case includes all of the activities of a specific end user within the time frame of the case. End user information, case information, and case history are available in a case. Cases are created automatically by the system or manually by the operator, depending on the following: •

If the rule that is triggered is configured to create a case, a case is created automatically.

•

If an operator manually flags a suspicious activity for an end user with no flagged activity, a case is created.

•

A new case is not created if an end user already has a case.

•

On the Research Activities page, you can choose several suspicious activities associated with different end users and create cases for the end users. For each selected activity, if the end user does not have an active case, a case is created. If the end user has an active case, the event is flagged.

The Event Puller component of the Scheduler web application creates cases in the RSA Adaptive Authentication (On-Premise) system based on the policy of an organization. The Event Puller periodically checks the Event Notification table and retrieves the relevant entries from the Event Log table. If the end user already has an open case, the event is added to the case. Otherwise, a case is opened for the end user. If the Scheduler becomes unavailable, cases are not created automatically and do not appear in the Case Management application. For more information, see the Operations Guide.

Flagged Activities Flagging of activities is done based on the following: •

An activity flag is triggered automatically by the system in the following situations: –

An end user is asked for additional authentication and fails to pass the challenge.

–

A triggered policy rule results in a system flag if the Create Case option is selected in the Policy Management application. For information about policy rules, see Chapter 3, Managing Policies.

–

System flags are read-only. The following system flags are used. SystemFlag

Icon

Flagged by production rule

84

Managing 4: Cases


SystemFlag

Icon

Flagged by test rule Flagged by both production and test rules

Not flagged

Note: There is no feedback sent to the Risk Engine for cases that are only

flagged by test rules and do not have any event resolution. •

If the system flags an activity for an end user who already has an open case, the newly flagged activity is added to the existing case for that end user.

•

Each end user with one or more flagged activities has only one case.

•

An operator can manually set a resolution for an activity in the Recent Activities section of Research Activities or in Case Management > Lookup User. This resolution overrides any flagging performed automatically by the system for case resolution and Risk Engine purposes only. For more information, see Manually Set a Resolution for an Activity on page 109.

Pending Activities and Cases If an upon activity requiresauthentication additional authentication and the user didapplication, not choose to case successful in the Policy Management thecreate a activity does not create a case until the results of the authentication are received. If the session time-out has passed without successful authentication, the activity is no longer pending and the activity either triggers the creation of a new case, is added to an existing case, or is added as a new activity. If the authentication is successful, the case creation request is deleted.

Closed and Expired Cases Note the following about closed and expired cases: •

A flagged activity cannot be added to an expired case.

•

A flagged activity will reopen a closed case but not an expired case. An operator can reopen a closed case and change the status.

Note: A case expires after the logical end time of the case has passed. This parameter

is defined by the date of the event that created the case + Y days forward. The default is 10 days. You can configure this, using the Case Management Logical End Time Offset parameter in the Back Office Applications section in the Administration Console.

Managing 4: Cases

85


Actions Resulting from Triggered Rules When a rule is triggered, a case enters the Case Management system if the case creation checkbox in the Actions stage of the Add New Rule wizard is selected. For some actions, such as Challenge, the case enters Case Management after a configurable time period. This time period is configurable by changing the Queue Visibility Time Offset parameter in the Case Management section of the Administration Console. For more information on how to configure this parameter, see the Operations Guide. When a user creates a rule using the Add New Rule wizard in the Policy Management application, the option to create or not to create a case is available in the Policy Management application. If the user selects the Challenge action, an option to create a case based on authentication success or failure is also available.

Terminating Open Authentication Sessions To facilitate optimal online performance, you can manage abandoned open authentication sessions, by terminating all open authentication sessions for a specific user, as needed. The notification type Session Reset is provided in the Case Management application. If the authentication method component parameter Open Case for Events on Session Termination in the Administration Console is set to True, a case is opened by the Event Puller for the following scenarios: •

The Adaptive Authentication Administration ResetOpenSessions API method is called. For more information, see the Web Services API Reference Guide.

•

A customer service representative initiates the termination of all open authentication sessions for a user. For more information, see Chapter 5, Managing End-User Accounts.

For more information about Administration Console parameters, see the Operations Guide.

Challenge Scenarios This topic describes various scenarios related to the Action type of Challenge and explains how and when a case enters Case Management for each scenario. In these scenarios, the Policy Management user selects the Create Case (when authentication fails) checkbox, and the end user then performs an activity that triggers a rule with an action of Challenge. The end user is allowed a certain amount of time to successfully complete authentication, during which the case has a status of Pending and is only visible on the Research Activities page. This time period is configurable by changing the Queue Visibility Time Offset parameter in the Case Management section of the Back Office Applications component of the Administration Console. For more information, see the Operations Guide.

86

Managing 4: Cases


End User Skips Authentication If the end user skips authentication, by closing the browser or performing no activity, the case enters Case Management at the end of the allowed time period.

End User Fails Authentication Irrespective of the exact time of the authentication failure, the case enters Case Management at the end of the allowed time period.

End User Fails and Then Completes Authentication within Allowed Time If the end user fails authentication within the allowed time period but then retries and completes authentication successfully within the same allowed time period, no case is created at the end of this time period. The workflow, assuming a default time period of 30 minutes, is as follows: 1. Authentication (challenge) leads to a 30-minute window. 2. End user fails authentication. 3. End user reauthenticates and succeeds within the 30-minute time frame. 4. No case is created for the end user activities. The following figure describes this scenario.

Note: In cases where both a production rule and a test rule are triggered for the same

transaction, the production rule has a higher priority. For example, if a Challenge production rule is fired together with a Decline test rule for a transaction and the end user passes authentication, no case is created in the Case Management application.

End User Fails and Then Completes Authentication After Allowed Time If the end user does not complete authentication successfully, opens a new browser or tries to perform the same activity, and passes authentication, a case still enters the Case Management application. Thethe case the activitypassed for which the end user failed authentication, even though endincludes user successfully authentication later for that same activity. A row listing the activity and the successful authentication result is displayed on the Case Details page, enabling the operator to see that the end user passed authentication for an activity after initial failure.

Managing 4: Cases

87


Case Assignment A case is assigned to an operator in an organization. If each organization has an operator, all cases are eventually assigned. Cases are assigned based on the following criteria: •

The system first attempts to assign a case to an operator according to a group filter. The default group filter is used if: – –

The case does not match any of the group filters. The case matches one of the group filters but there are no operators associated with that group.

•

A case that matches a non-default group filter is assigned to any operator associated with that group filter if the operator has access to the user organization for the group.

•

A case that does not match any of the non-default filters is assigned to an operator from the default group if the operator has access to the user organization.

•

An unassigned case is assigned to an operator from the organization of the case. If there is no operator for the organization, the case is assigned to an operator from the default organization.

•

A case that is manually created from events can be automatically assigned from either the Lookup User page or from the Research Activities page.

Assign Manually Created Cases from the Lookup User Page You canthe create case can manually then assign it to Case to or review case.a You assign and these cases either to athe userManagement who createduser the case to the next available Case Management user. To assign a manually created case from the Lookup User page:

1. From the Case Management menu, select Lookup User. 2. Do one of the following: •

To assign the case to the Case Management user who created the case, at the bottom of the page, click Me. Note: RSA recommends that you use this option if you want a case to be

handled promptly. •

To create a case and add the case to the queue for assignment to an available Case Management user, click Queue.

The new case is automatically added to the queue.

88

Managing 4: Cases


Assign Manually Created Cases from the Research Activities Page You can create a case manually and then assign it to a Case Management user to review the case. You can assign these cases either to the user who created the case or to the next available Case Management user. To assign a manually created case from the Research Activities page:

1. From the Case Management menu, select Research Activities. 2. Do one of the following: •

To assign the case to the Case Management user who created the case, at the bottom of the page, click Me.

•

To create a case and add the case to the queue for assignment to an available Case Management user, click Queue. The queue refreshes automatically and includes the newly opened case.

Case Grouping Each case is assigned to a group for case management purposes.

Default Group A case is assigned to the default group (DEFAULT_GROUP) if there are no other groups or if the case does not match the parameters specified for the existing group. The default group includes cases that do not fit into any other operator-created groups. The initial default system generated, but youto can a new If group default group. Yougroup must is assign at least one operator thedesignate default group. you as arethe working in a multi-organization environment, RSA recommends that at least one operator from each sub-organization is associated with the default group.

Operator Group Cases can be grouped according to case properties. You can filter the queue for cases with specific parameters. For more information, see Operator Group Management on page 111. RSA recommends that you create several operator groups with filters.

Managing 4: Cases

89


Lifecycle Milestones of Cases Cases within the Case Management application can reach different states or milestones. The following table describes the lifecycle milestones for cases in the Adaptive Authentication system. Case Milestone Open

Expired

Closed

Case Milestone Definition

Case Milestone Properties

Possible Case Milestone Combinations

Casehasno resolution.

Can add new events to the case (for active cases only).

• Open and A ctive. A case that has no resolution and has not expired.

Cannot add new events to the case. Need to create a new case, and add the events to the new case.

• Open and Expired. A case with no resolution that has expired.

Logicalendtimefora case has passed.

Casehasaresolution, either fraud or genuine.

• Open and Expired. A case with no resolution that has expired.

• Closed and Expired. A closed case that has expired.

Can reopen a case to • Closed and Active. A closed case that has not expired. add events to it (for active cases only). • Closed and Expired. A closed case that has expired.

Case Workflows There are system workflows in place that are related to case creation and to case handling.

Case Creation Workflow When new activities are flagged, the case creation workflow determines if a new case should be created or if the flagged activity can be added to an existing case. The process determines whether there is an existing case for the end user and, if there is, the status of that case (open, closed, or expired). If there is no active case (open or closed), a new case is created through this workflow.

Case Handling Workflow Cases are handled in the following order: 1. A new flagged activity causes a new case to be created. The status of the activity in Case Management is New. Before case investigation starts or during the case investigation process, more flagged activities can be added to the case. 2. An operator assigned to the case begins to investigate the case on the Process Queue page or Lookup User page. In the course of the investigation, the operator can perform any of the following tasks:

90

Managing 4: Cases


–

Choose resolutions for one or more of the events in the case.

–

Reassign the case to another operator or operator group.

–

Resolve the case and change the case status to Closed.

–

Mark the case for follow-up and set the status to Could not Contact User, and try to contact the end user later.

–

Try to contact the end user and set the status to In Progress. When the end user responds, the operator reviews the case on the Lookup User page.

Case Management Menu In the Case Management application, you can access pages of the application using the Case Management menu. The Case Management menu includes the following items. The permissions that you have determine which menu items are available to you.

The following table describes the Case Management menu and submenu items and the type of activities that you can perform in that area of the application. M e n u It e m Process Queue

Su b m e n u It e m

Ac t i v i t i e s • Review cases in the queue, investigate cases, and update cases in the system • Add reported fraudulent events to an existing case

Lookup User

• Find cases and end user data for a specific end user • Create a new case • Add reported fraudulent events to an existing case

View the Queue

• View cases in the queue • Search for specific cases within the queue based on search

parameters

Managing 4: Cases

91


M e n u It e m

Su b m e n u It e m

Manage

OperatorGroups

Ac t i v i t i e s • Create a new group • Choose and update a specific group

Operators

• Add users as operators • Assign operators to a group • View the list of available operators and the associated groups

Research Activities

• Search for activities using filters for case attributes • Create a new case • Add reported fraudulent events to an existing case

92

Managing 4: Cases


The Recent Account Activity section displays all end user activities that exist within the time range of the case. The time range of the case is defined by logical start time and logical end time. These times are defined when the case is created based on the date of the event that created the case. The following figure shows the Recent Account Activity section and the Detailed Activity Information section that appear on the Lookup User, Process Queue, and Research Activities pages.

Managing 4: Cases

93


Recent Account Activity Fields The following table describes the fields in the Recent Account Activity section.

94

F ie l d

Description

View details

Displays detailed account information.

Date/Time

The date or time that the event occurred.

Activity type

The event type.

Client-defined activity type

The client-defined activity type if provided.

Event Description

The event description if provided.

System Flag

An icon indicating what type of rule triggered the creation of a case or the marking of an event as suspicious.

Resolution

An icon indicating the Case Management resolution chosen by the user.

Risk Score

The risk score that this event received from the Risk Engine.

IP Address

The IP address from which this event was sent.

IP Country

The country connected to the IP address from which this event was sent.

Rule ID Policy Action

The name of the rule that was triggered. The action that the event received.

ATM Account

The account number of the card used during the ATM transaction.

Challenge Successful

If the policy action was Challenge, this field displays N if the challenge was not successful or Y if the challenge was successful. If the policy action was not Challenge, the field displays N/A.

Accumulated User-Payee Payments in USD

This field is mapped to the WSDL data element in event details that represent the accumulation of payments in USD made to the payee account.

IP Region

This field is mapped to the GeoIP Region Code of the srcinal IP address.

Managing 4: Cases


Detailed Activity Information Fields The following table describes the fields in the Detailed Activity Information section. Se c t io n

F ie ld

Risk Score Contributors Contributor Name

Contribution

De s c r i p t i o n The top four factors that contributed to the risk score. Impact of the contributor that can raise or lower the risk score.

AccountDetails

LoginID

Theenduser’slogonname.

User Account Number

The end user’s account number.

Account Open Date

The date that the last account was opened. This field is mapped to the WSDL data element user Data/last Account Open Date.

Online Enrollment Date The date that the end user enrolled in the service. Potential fraud predictor: cross channel fraud, new account fraud. This field is mapped to the WSDL data element user Data/online Service Enroll Date. Address Change Date

The date that the end user’s address record was last changed or created.

Password Change Date

The date the end user’s password record was last changed or created. Potential fraud predictor: cross channel fraud, account takeover fraud.

Account Number

The end user’s account number in standard format. Note: This field is only displayed if the

Channel Indicator is ATM. Card Age (days)

The age, in days, of the end user’s debit or credit card. Note: This field is only displayed if the

Channel Indicator is ATM.

Managing 4: Cases

95


Se c t io n

F ie ld

De s c r i p t i o n

Card PIN Change Date

The date when the card PIN was last changed. Note: This field is only displayed if the

Channel Indicator is ATM. Activity Details

Client Transaction ID

The client’s transaction ID value.

Original Transaction Amount

The amount of the transaction in cents. (The Currency is specified)

Transaction Schedule

How soon or how often the payee will receive payment. Possible values are: • IMMEDIATE—For immediate execution • SCHEDULED—Scheduled for a future date • RECURRING—A recurring transfer

Transaction Due Date

The scheduled date for a transaction.

Transaction Speed

This sets how soon the transaction needs to take place. Possible values are: • SEVERAL_DAYS • OVER_NIGHT • FEW_HOURS • REAL_TIME

Withdraw Amount

The amount withdrawn in a withdraw transaction or the amount transferred in a money transfer. Note: This field is only displayed if the

Channel Indicator is ATM. Payee Account Number (IBAN)

The account number of the party that will receive a certain amount of money through a payment or transfer. Note: This field is only displayed if the

Channel Indicator is ATM. Payee/Other Account

96

External Account Routing Code

The routing code of the payee or other account.

External Account Number

The payee or other account’s account number.

Managing 4: Cases


Se c t io n

F ie ld


External Account Type

The payee or other account's type. Possible values are: • BROKERAGE—The account is a brokerage account. • CD—The account is a certificate of deposit account (CD). • CHECKING—The checking account. account is a • CHECKING_WITH_OVERDRAFT— The account is a checking account with overdraft protection. • CREDIT_CARD—The account is for a credit card. • DEBIT_CARD—The account is for a debit card. • LINE_OF_CREDIT—The account is for a line of credit. • MORTGAGE—The account is for a mortgage. • RETIREMENT—The account is a retirement account. • SAVINGS—The account is a savings account. • USER_DEFINED—The account has been specifically defined by your company.

External Account Owner Name Location Details

The account name of the payee or other account.

IP City

The city of the IP address from the end user’s device.

IP Owner

The owner of the IP address from where the activity was made.

IP Connection Type

The connection type of the request. Could be cable, DSL, or TDM (Received from MaxMind).

IPISP

TheISPIDfromwhichtherequest came.

ATM ID

The unique identifier of the ATM. Note: This field is only displayed if the


Managing 4: Cases

97


Se c t io n

F ie ld


ATM Owner

This specifies if the owner of the ATM device is an RSA customer who is implementing the Adaptive Authentication ATM Protection Module. The two values for this field are: • FI the financial that owns the- ATM device institution and is implementing the Adaptive Authentication ATM Protection Module. • Other - the financial institution that owns the ATM device and is not implementing the Adaptive Authentication ATM Protection Module Note: This field is only displayed if the

Channel Indicator is ATM. Country

The country where the ATM is located. The value is a country code of up to three letters, depending on the value you send. Note: This field is only displayed if the

Channel Indicator is ATM. State

ThestatewheretheATMislocated. Note: This field is only displayed if the

Channel Indicator is ATM. City

ThecitywheretheATMislocated. Note: This field is only displayed if the

Channel Indicator is ATM. Zip Code

The ZIP code where the ATM is located. Note: This field is only displayed if the


98

Managing 4: Cases


Se c t io n

F ie ld


Location Type

The type of location where the ATM is deployed. Some location types are more or less risky than others. Possible values are: • BRANCH • PETROL_STATION • PUBLIC_TRANSPORT • STREET • CONVENIENCE_STORE • SUPERMARKET • LEISURE_FACILITY • DRIVE_THRU • ENTERTAINMENT VENUE • TRANSPORT TERMINAL • POST OFFICE • RETAIL OUTLET • CASINO • GOVERNMENT OFFICE • OTHER (specified in free text) Note: This field is only displayed if the

Channel Indicator is ATM. Device Details

Channel Indicator

Indication of the device type.

Case Status When a case is closed and assigned a resolution status, the information is updated to the Adaptive Authentication system using a web service call. The RSA Risk Engine is updated with case resolution information about closed cases. The following table describes the status of a case and its life cycle . Status

Description

Open Case New

When: Default, after creating, before processing. Next step: Start processing.

Couldn’t contact user

When: After processing started, tried to reach end user with no success. Next step: Contact again later (end user might call back).

Managing 4: Cases

99


Status

Description

In Progress

When: Case is being investigated but cannot be closed yet. Reasons case cannot be closed could include waiting internally to research, waiting for an answer, or other activity.

Closed

When: A user closes a case after resolving it. The case resolution is automatically chosen, and the event and case

resolution are sent to the Risk Engine. Next step: One of the fo llowing actions occurs: • The operator manually selects an event resolution from the drop-down list. • The case is automatically closed because the case was open for a number of days beyond that allowed for the maximum case duration. If the case is automatically closed, the default event resolution is Suspected Fraudulent. For more information, see Case Resolution on page 110. Note: You configure the maximum case duration in the

Administration Console. For more information, see the Operations Guide. Expired

When: The logical end time of the case has expired. Note: This parameter is defined by the date of the event

that created the case plus a specified number of days forward. The default is 10 days. You can configure this period using the Case Management Logical End Time Offset parameter in the Back Office Applications section in the Administration Console. For more information, see the Operations Guide.

Case Mode The mode identifies the status of the triggered rule from the Policy Management application that created the case in the Case Management application. A case can have a mode of either Test or Production. For more information, see Rule Status on page 49. You should be aware of the following issues regarding case modes:

100

•

There is no feedback sent to the Risk Engine for cases that are only flagged by test rules and do not have any event resolution.

•

A mode can automatically change from Test to Production if the same event that srcinally triggered the case for a particular end user is triggered again by a production rule or if you manually change the event resolution for the case.

Managing 4: Cases


•

If a Test case becomes a Production case, there is no automatic reassignment of the case to a different operator group. You must manually reassign the case to a different operator group.

•

It may be beneficial to use operator groups to assign cases with a mode of either Test or Production to specific operators. For more information, see Operator Group Management on pag e 111.

•

Cases with a mode of Test are prioritized below cases with a mode of Production. As a result, the highest priority Test case is listed below the lowest priority Production case.

Process Queue Management In the Process Queue tab, you can view and update all cases in the system. Cases are automatically filtered and prioritized in the Process Queue. When you log on, the cases that are assigned to you appear in the Process Queue. When a case is in snooze mode, the case does not appear in the queue until the snooze duration has passed. You can configure the snooze period in the Administration Console. When a case is assigned to an operator, the system first attempts to use the group filters. If none of the filters match, the default group is used. If you have no cases assigned to you in the Process Queue, the page refreshes automatically until a case is assigned to you. You can manually refresh the queue to check for new cases.

Case Priority In the View the Queue and Process Queue pages, the list of cases is organized by the time that the case must be reviewed, not by the risk associated with the case. This order is determined by an algorithm that analyzes the proximity of the case to the following two times: Review Deadline. Parameter that is defined for a case when the case is created. This value is taken from the parameter defined in the Administration Console. For more information, see the chapter “Administration Console” in the Operations Guide. Next Contact. Parameter chosen if an operator updates the case status to Could not contact user.

In general, the closer a case is to the times defined in these two parameters, the higher it will appear on the queue menu. Closed cases are not returned to either queue. Note: Cases with a mode of Test are prioritized below cases with a mode of

Production. As a result, the highest priority Test case is listed below the lowest priority Production case.

Managing 4: Cases

101


Access the Process Queue Page You access the Process Queue page to view and update cases in the system. To access the Process Queue page:

From the Case Management menu, select Process Queue. Cases assigned to you are displayed.

Stop Automatic Refresh of the Process Queue In the Refresh Progress section of the page, a progress bar indicates the refresh rate for the display of cases assigned to you. You can stop the refresh of the Process Queue page so that the queue does not refresh automatically. To stop automatic refresh of the Process Queue:

Click Stop automatic refresh.

Restart Automatic Refresh of the Process Queue In the Refresh Progress section of the page, a progress bar indicates the refresh rate for the display of cases assigned to you. You can restart the refresh of the Process Queue so that the queue refreshes automatically. To restart automatic refresh of the Process Queue:

Click Refresh queue now.

Case Listing in the Process Queue The Process Queue processes cases that are not in snooze mode and are unlocked. When you finish with a case and go to the next case in the list, the queue skips any locked or in-progress cases and continues to the next available case. If the queue is empty, the application displays a message indicating that there are no cases currently in the queue, with instructions to refresh the Process Queue for any new cases. To prevent a situation in which a case remains at the top of the list, RSA provides a snooze mechanism. After a case is processed, regardless of whether the case was updated or not, the case is removed from the queue for 30 minutes. For more information, see Display a Case on page 118.

Case Locking and Unlocking The case locking mechanism does the following:

102

•

Prevents a case from being locked for an overly long period of time.

•

If an operator starts to operator update alogs case,off theand case is locked forthat update to other operators. If the same logs back on, operator is not locked out of the case.

Managing 4: Cases


Case Locking During Case Update While a case is being updated, the following occurs: •

The case is locked and cannot be updated by any other operator.

•

The case does not appear in the Process Queue of any other fraud analyst or case operator. The case appears as read-only to anyone who tries to access the case.

•

On the View the Queue page, a lock icon operator is displayed.

and the operator ID of the assigned

Case Unlocking During Case Update In the following situations, a case is unlocked: Case is locked for more than two hours.Cases are locked for a period of two hours by default, after which time the lock expires and the case is released. You can configure this period using the Lock Case Expiration parameter in the Back Office Applications section in the Administration Console. An Operator saves changes made during the Case Update procedure. For more information about updating a case, see Update a Case Using Lookup User on page 108.

View the Queue Cases that can be viewed in the queue are dependent on the applied filter criteria. Columns are available in the View the Queue table, depending on filtering. When you filter, you are filtering by the current status of a case in the system during a specified time period. On the Filter tab, you can filter which cases you see in the queue by case status (Status) and by the last updated time of the case ( Period). For additional filters, you can use the Advanced tab.

Access the View the Queue Page You can view the queue to review and filter cases. To access the View the Queue page:

1. From the Case Management menu, select View the Queue. 2. (Optional) At the top right corner of the View Queue page, from the Show per page list, select the number of cases that you want displayed per page. The options are 5, 10, 15, 25, 50, 75, 100, 250, and 500 cases per page. You can scroll down the page of displayed cases.

Filter the Queue Using the Filter Tab

You can use the Filter tab on the View the Queue page to filter the queue by Status and by Period. The Filter tab only displays cases that have a Mode of Production. To search for cases which have a Mode of Test, you must use the Advanced tab.

Managing 4: Cases

103


To use the Filter tab to filter the queue:

1. From the Case Management menu, select View The Queue. 2. On the Filter tab, from the Status list, select the case status that you want to use to filter your queue. This is a required selection. The list includes: •

All open cases

•

New

•

Could not contact user

•

In progress

•

Closed

3. In the Period section, select a From date (the start date) and a To date (the end date) for the cases that you want to include. This period refers to the case creation date. This is a required selection. 4. Click Filter. All of the cases matching the search criteria are returned as results in the View the Queue table.

Filter the Queue Using the Advanced Tab You can use the Advanced tab on the View the Queue page to perform advanced filtering functions. To use the Advanced tab to filter the queue:

1. From the Case Management menu, select View The Queue. 2. Complete the fields on the Advanced tab. For a description of each field, see Advanced Tab Fields on page 105. Note: The Advanced tab does not include an organization filter. The organization

that you select from the Organization drop-down list during logon is used for the filter. 3. Click Filter. All cases matching the search criteria are returned as results in the View the Queue table.

104

Managing 4: Cases


Advanced Tab Fields The following table describes the fields available in the Advanced tab. To configure these parameters, see Filter the Queue Using the Advanced Tab on page 104. F ie l d

Description

Required

Status

Select from the following list of statuses:

Yes

• All open cases • New • Could not contact user • In progress • Closed

Period

Daterange.

Yes

From and To fields.

Resolution

Select from the following list of resolutions:

No

• Any (Any of the resolutions in the list) • Confirmed fraudulent • Suspected fraudulent • Unknown • Assumed genuine • Confirmed genuine

User ID

Select a User ID associated with the cases that you want to view.

No

Operator

Select an operator from the list of operators in the system.

No

Activity Type

Select from the list of activity types. For more information, see Appendix C, List of Event Types.

No

Note: The Activity Type filter does not support

Custom Event Types. RiskScore

Managing 4: Cases

Inthe From field, enter the minimum risk score for the filter. In the To field, enter the maximum risk score for the filter.

No

Production Rule ID Select a Rule ID associated with the cases you want to view.

No

105


F ie l d

Description

Required

Action

Select from the following list of action types:

No

• Any • ALLOW • CHALLENGE • DENY • REVIEW

IP Address

Enter an IP address associated with cases that you want to view.

No

IP Country

Enter the IP country code associated with cases that you want to view.

No

Mode

Select from the following list of modes:

No

• Any • Test • Production

Account ID

Enter the account ID associated with cases you want to view.

No

Look Up an End User Depending on your permissions, you can use the Lookup User page to perform the following actions: •

Search for end users

•

View and update cases

•

Flag events manually for suspicious activities

•

Create a case if an end user does not already have a case and assign the case to yourself or to the queue.

The Lookup Users page displays either of the following: Case. If the end user has a case. Activities only.End user activities are displayed if there is no case associated with the end user. Before You Begin

Make sure that you are viewing the correct organization level in which the user is associated. This association is specified in the Organization drop-down list, in Logged on as. You can change the Organization level view in this list.

106

Managing 4: Cases


To look up an end user:

1. From the Case Management menu, select Lookup User. The Lookup User page displays the User ID filter and shows the current Case Management user’s organization view. 2. Enter the User ID. 3. Click Search. The View Case page displays the most recent activities or case for this end user, and includes the following fields: • User D etails. User ID, Organization, User Status, User Type, and ATM Account. Note: The User Status field can have one of the following pre-defined values:

DELETE, LOCKOUT, NOTENROLLED, UNLOCKED, UNVERIFIED, or VERIFIED. The User Type field can have one of the following pre-defined values: PERSISTENT, NONPERSISTENT, BAIT, or N/A. •

Case Details. Date, Mode (Test or Production), Status, Must be reviewed before (date), Risk Score, Assigned to (user). Only displayed if a case exists for the end user. Note: The Must be reviewed beforefield represents the time remaining for

this case to be considered as high priority. If the case is not assigned before the time specified in this field, the case is displayed lower in the queue. •

Case H istory. Displays historical case data. Only displayed if a case exists for the end user.

•

Recent Account Activity. Displays recent events i ncluding: date, activity, flagged by the system, Event Resolution, risk score, IP Address, IP Country, Rule ID, Policy Action, ATM Account.

•

Detailed Activity Information. Displays account details, activity details, payee/other account, location details, and device details.

Note: The default number of view details per page view is set to five. If you want to

change the default number of view detail lines on display, configure the Case Activities Per Page parameter in the Back Office Applications component of the Administration Console. For more information, see the Operations Guide. If an end user is found but does not have an associated case, the Case Management application displays all recent activities for that end user. Note: As is true for the overall system behavior, events that are presented and can be

flagged are limited in number and by date range.

Managing 4: Cases

107


Case Update There are two ways to update a case: Using Lookup User. For more information, see Update a Case Using Lookup User on page 108. Using the Process Queue. For more information, see Update a Case in the Process Queue on page 108.

Update a Case Using Lookup User Use Lookup User to locate the case associated with that end user. For more information, see Look Up an End User on page 106. To update a case using Lookup User:

1. On the View Case page, click Update. 2. On the Update Case page, modify the case status, reassign to another group or operator, enter notes about the case update, update the event resolution, and manually flag suspicious activities as needed. Note: If a Test case becomes a Production case, the case is not automatically

reassigned to a different operator group. You must manually reassign the case to a different operator group. For information about manual flagging, see Manually Set a Resolution for an Activity on page 109. 3. Click Save Changes to update the case and save Case Details and Recent Account Activity. Note: If you click Go in the Recent Account Activities section, you save the changes

made in the Event Resolution drop-down list and refresh the entire Update Case page. This resets any unsaved changes that you made in the Update Case page. If you click Cancel, you cancel changes made in the Case Details section only.

Update a Case in the Process Queue You can update a case in the Process Queue by modifying the case details. To update a case in the Process Queue:

1. From the Case Management menu, select Process Queue. 2. Do one of the following: •

108

In the Case Details section, modify the following details: – Status. Select from: New, Could not contact user, In progress, or Closed

Managing 4: Cases


•

–

Re-assign to. A case can be re-assigned to an operator or operator group that is part of the organization associated with the case. The list includes only the options permitted for the user. Select from: Operator Group, Operator, or Do not reassign.

–

Notes. Enter notes about the case.

–

Modify the event resolution.

–

Manually set a resolution for suspicious activities. For information, see Manually Set a Resolution for an Activity on page 109.

Click Skip to not handle this case and move to the next case.

3. Click Update and Move to Next to update the case. In the Case History section, the Update Time column displays the time at which you updated the case.

Update Case Example If you specify the status Could not contact user, the following options are displayed in the Next Contact drop-down menu on the View Case page, in the Updated Case section: •

In 2 hours

•

In the evening

•

Tomorrow morning

•

At any time

•

At a specific time

These options are derived from the casemanagement-config.xml configuration file in the next-contact-times section of the case-attributes element. If you specify any of these values, update the case, and skip the case (put the case in snooze mode). When you return to the case, the Next contact field includes the default setting At a specific time that corresponds to the srcinal date and time that you specified when you updated the case. For more information on the snooze mode, see Snooze Mode on page 119.

Manually Set a Resolution for an Activity A Case Management operator can manually set a resolution for an activity. This is commonly done after the operator contacts an end user to verify whether or not that end user performed a certain activity and the operator assesses other parameters related to the activity. To set a resolution for an activity:

1. From the Case Management menu, select Lookup User. 2. On the Search tab, provide the User ID and Organization. All cases or activities of the end user are displayed. For more information, see Look Up an End User on page 106.

Managing 4: Cases

109


3. In the Recent Account Activity section, choose an event by selecting the appropriate event details row. 4. Click Create Case from Events. 5. If a case exists, select the event resolution from the drop-down list, and click Set Event Resolution.

Case Resolution Case resolution defines the final conclusion regarding the case as reached by an operator. Case resolution can also refer to the case findings as confirmed or reported by the user. When an operator closes a case, the case resolution is automatically selected based on the event resolutions of the case. Only an operator can close a case and only if there is at least one event in the case that is flagged (system flagged or custom marked). The Event Resolution options are listed in the following table along with the icons that represent each option in the user interface. Event Resolution

I con

Confirmed Fraudulent Suspected Fraudulent Unknown Assumed Genuine Confirmed Genuine

An event that is flagged by the system based on rules from the Policy Management applicationisisset a system-flagged event. A system-flagged event is one where the case resolution to Suspected Fraudulent unless the operator manually sets the resolution to Confirmed Genuine or Unknown.

110

Managing 4: Cases


An event for which an operator manually sets the resolution is considered a custom-marked event.This means that a case resolution will be automatically set as Unknown if it includes only Unknown custom-marked events and does not have system or custom-marked events that are Confirmed Genuine or Confirmed Fraud. The resolution of a case is automatically set as Confirmed Fraudulent or Suspected Fraudulent, if there is at least one event in the case that is marked as Confirmed or Suspected Fraudulent. In this case, the operator is notified that all activities in such a case may be considered as Suspected Fraudulent by the Risk Engine.

Operator Group Management You use the Manage Operator Group page to define and edit operator groups. The Manage Operator Group page includes the following functionality: •

Add Operator Group

•

Save Operator Group

•

Delete Operator Group

•

Set default Operator Group

Access the Manage Operator Group Page You can use the Manage Operator Group page to define the following items: Group Detail. Select a group and edit the group description. Group Filter. Filter for various parameters To access the Manage Operator Group page:

From the Case Management menu, select Manage Operator Group.

Operator Group Definition To organize cases and define the cases as groups, you specify filter parameters to be used as criteria to select the cases for inclusion in a group. You cannot create a group without a filter because the organization is selected based on the organization that you selected during logon. Note: The list of available organizations can only be changed in the Access

Management application. For more information, see Chapter 2, Managing Access to the Back Office Applications. Defining operator group filters does the following:

Managing 4: Cases

•

Determines which types of new cases will be assigned to that group.

•

Defines at least one filtering criteria. Each group has one set of criteria with one or more criteria in that set. The set is defined based on its criteria.

•

Uses the same controls as custom filtering.

111


Note: Filtering of a case by activity-level attributes is performed based on the

activity in the case with the highest risk score and within the events that are flagged by the system or marked by the user as fraud.

Filters for Defining Operator Groups You can filter cases to be assigned to operator groups based on the following parameters: Organization. To change organizations, use the Organization drop-down menu. The filter first checks the organization of the case. Each organization must have at least one group and one operator. Additional filter. Select one or more of the following for additional filters that you want to use: • • • • • • • •

User Activity Action Risk Score User ID Production Rule ID IP Address IP Country System Flagging

Note: If you use default filtering of the queue, custom filtering fields also use the

default mode. If current settings are different from the default, they are reflected in the filtering field options.

Add an Operator Group You add an operator group to assign specific types of new cases to a particular group. To add an Operator Group:

1. From the Case Management menu, select Manage > Operator Gro up. 2. Click Add New Operator Group. 3. In the Operator Group Name field, enter a unique name for the operator group. 4. In the Group Description field, enter a description for the group. 5. Select the filters with which you want to filter. 6. Click Save Operator Group. The operator group is displayed on the Manage Group page and the Manage Operator page, in the Choose New Group and Select Group drop-down lists.

Edit Operator Group Criteria You can edit an operator group to change the criteria by which cases are selected for a group.

112

Managing 4: Cases


To edit operator group criteria:

1. From the Case Management menu, select Manage > Operator Gro up. 2. From the Select Operator Group drop-down list, select the name of the group that you want to edit. 3. In the Operator Group Description field, enter a new description for the group. 4. Update the selection of relevant filters. 5. Click Save Operator Group. The group is modified in the Select Operator Group drop-down list.

Delete an Operator Group To delete an operator group:

1. From the Case Management menu, select Manage > Operator Gro up. 2. From the Select Operator Group drop-down list, select the name of the group you want to delete. 3. Click Delete Operator Group. Note: You cannot delete a group that contains an operator. If an operator exists

within a group that you try to delete, an error message is displayed requesting that you remove the operator from the group.

Operator and Operator Group Filters Note the following regarding the Operator and Operator Group filters: •

You can define a group for one organization only.

•

You can select an organization from the drop-down menu of the organization.

•

When a user is logged on, the user can view operators who have access to the current organization, and operator groups within a matching organization.

•

When you add a new operator group, the organization is automatically added as part of the group filter.

•

On the Manage Operators page, in the Operators list, you can view operators who have access to the current organization.

•

On the Manage Operators page, in the Select Operator Group drop-down list, you can view the groups belonging to the organization that is defined within the group filter. The current organization is displayed in the drop-down list.

•

If there are operators in the Operators list that have access to more then one organization, you only see the operator group belonging to the current organization. If the group to which the operator belongs is from another organization, “Group from another organization” is displayed beside the operator name as the entry in the Operator Group column of the Edit Operator table.

Managing 4: Cases

113


Set a Default Operator Group When installing the system, the default operator group is DEFAULT_GROUP. If you are logged on to the default organization, this operator group name is displayed on the Set Default Operator Group tab. If the default operator group is from another organization, the following message is displayed on the Set Default Operator Group page: Current default operator group is from another organization. Note: Only operator groups belonging to the current organization appear in the Select

Operator Group drop-down list.

After editing the operator group, you can set the filter settings as the default operator group. To set the filter settings as the default operator group:

1. From the Case Management menu, select Manage > Operator Gro up. 2. From the Select Operator Group drop-down list, select the name of the group that you want to edit. 3. In the Group Description field, enter a new description for the group. 4. Update the selection of relevant filters. 5. Click Save Operator Group. 6. Click Set Default Operator Group. 7. Click Save Default Operator Group.

Operator Groups for a New Organization If you do not define an operator group for the currently selected organization, a user with admin or operatormanager role permissions cannot add an operator because an operator must belong to an operator group. If the administrator or operator manager tries to add an operator, the following message is displayed on the Manage Operator page: There are no operator groups defined for this organization.

If the administrator or operator manager tries to add an operator group, and there is no operator group for the organization, from the Manage Operator Group page, the Add New Operator Group opens automatically and the following message is displayed: Cannot find groups for the current organization. Add a new operator group.

114

Managing 4: Cases


Operator Management A user with admin or operatormanager permissions can manage the user activities of operator users in the system. Before you can assign an operator a case, you must assign the operator to an operator group. An operator must have the operator role assigned within the operator’s user profile. Role assignment is performed in the Access Management application. For more information, see Chapter 2, Managing Access to the Back Office Applications. The Manage Operators page includes the following functionality: • Add an Operator to an Operator Group •

Change the Operator Group of an Operator

Access the Manage Operators Page You use the Manage Operators page to manage user activities of operators in the system. To access the Manage Operators page:

From the Case Management menu, select Manage > Operator.

Add an Operator to an Operator Group You add an operator to a group in order to associate an operator with a particular set of incoming cases. Before you can assign an operator to a case, you must add the operator to an operator group. Every group must have an operator. To add an operator to a group:

1. From the Case Management menu, select Manage > Operator. 2. On the Manage Operator page, in the Add Operator section, enter the name of the operator that you want to add in the Operator Name field. This is a required field. 3. From the Select Operator Group drop-down list, select the name of a group for the operator. 4. Click Add Operator.

Change the Operator Group of an Operator You can change the operator group to which an operator is assigned. This limits the cases that an operator receives in his or her queue, based on the case parameters set up in the Operator Group description. For more information about adding case selection criteria in an Operator Group, see Add an Operator Group on page 112.

Managing 4: Cases

115


To change the operator group of an operator:

1. From the Case Management menu, select Manage > Operator. 2. On the Manage Operator page, in the Edit Operator table, from the Change Operator Group drop-down menu, select the group with which to associate the operator. 3. In the Edit Operator table, click the Update link in the Actions column for the operator.

Research Activities The Research Activities page allows research of end user activities and cases. You can define fraud policies that allow you to investigate and identify fraud patterns, so an organization can take action such as setting a new policy or rule. Research activities are performed at the activity level, not at the case level. All activities can be researched, not only flagged activities. The Research Activities page is used for fraud policy-making and allows you to investigate and identify fraud patterns, so an institution can take action such as setting a new policy or rule.

Access the Research Activities Page You use the Research Activities page to research end user activities and cases. To access the Research Activities page:

From the Case Management menu, select Research Activities.

Research Activities Filters The following research activity filters are available for use on the Research Activities page. •

116

Status: –

Open Cases (New & Couldn’t contact user)

–

All (With/Without Case)

–

All With Case

–

Not Part of a Case

–

Closed Case

•

Resolution (Required filter)

•

Period: – All dates. –

Last 24 hours.

–

Last 7 days.

Managing 4: Cases


•

–

Last 30 days.

–

Last 90 days.

–

Specific From and To dates selected using the calendar icons to define a date range in the format. From MM/DD/YYYY To MM/DD/YYYY.

Additional filters: Note: Select any relevant filter to enable that activity’s drop-down menu or text

box. The checkboxes are unavailable by default. –

User Activity. A complete list of end user activities.

–

Custom User Activity. A list of end-user activity types that are defined by the customer in the Policy Management application, not provided by RSA. For more information, see Chapter 3, Managing Policies.

–

Policy Action. Allow, Challenge, Deny, Review.

–

Risk Score. From Score and To Score fields for specifying a risk score range

–

Event Resolution. Any, Confirmed Fraud, Suspected Fraud, Confirmed Genuine, Assumed Genuine, Unknown.

–

User ID. Text field.

–

Production Rule ID. Text field.

–

IP Address. Text field.

–

IP Country. Text field.

–

System Flagging. Any, All flagged activities, Flagged by production rule, Flagged by test rule, Flagged only by test rule, Not flagged.

–

Account ID. Text field.

The Case Management application limits the number of results that can be displayed by each filter to 1,000. If the results are greater than 1000, you can add several filters to refine the search. For more information see Search for Cases Using Research Activities Filters on page 117. For information about customizing the user interface configuration, see the Installation and Upgrade Guide.

Search for Cases Using Research Activities Filters You can research case activities using one or more basic case information filters and additional filters on the Research Activities page. When you select a checkbox, the filter field or list becomes active. If a checkbox is cleared, the relevant filter field or list is unavailable. RSA recommends that you use several filters to limit the number of activities returned because no more than 1,000 results can be displayed.

Managing 4: Cases

117


To search for cases using research activities filters:

1. On the Research Activities page, select the filters with which you want to search by selecting filter options. 2. (Optional) In the Additional filters section, define any additional filters: a.

To select the type of additional filter, select the corresponding checkbox. The field or list becomes available.

b. Enter a value in the field or select a value from the list. For example, select the Policy Action checkbox, and, from the drop-down list, select CHALLENGE. 3. Click Run Filter. The total number of activities found is displayed above the Activities list. There is a limit to how many activities records can be displayed in the list. RSA recommends that you use several filters to limit the number of activities returned with a Research Activities search. For more information, see Research Activities Filters on page 116. 4. Click Display Case to view the details of a specific case. Twenty records are displayed on each page. If the activities list has more than one page, Next or Prev links are displayed on top of the activities list table on each page. For more information, see the Operations Guide. 5. Click Display Details to view the details of a specific event. The Detailed Activity Information page displays the following information: •

Risk Score Contributors. Contributor Name, Contribution.

•

Account Details. User Account Number, Account Open Date, Online Enrollment Date, Address Change Date, Password Change Date, Account Number, Card Age (days), and Card PIN Change Date.

•

Activity Details. Client Transaction ID, Transaction Amount, Transaction Schedule, Transaction Due date, Transaction Speed, Withdraw Amount, and Payee Account Number (IBAN).

•

Payee/Other Account. External Account Routing Code, External Account Number, and External Account Owner Name.

•

Location Details. IP City, IP Owner, IP Connection Type, IP ISP, ATM ID, ATM Owner, Country, State, City, Zip Code, and Location Type.

•

Device Details. Channel Indicator, Cookie.

•

Custom F acts. Fact Name, Value.

Display a Case You display a case to read and analyze case details. To display a case:

On the Research Activities page, click Display Case. The View Case page opens. The View Case page is a read-only view of case information. The edit fields and drop-down menus are disabled, and checkboxes are not displayed.

118

Managing 4: Cases


Edit a Case Before You Begin

Make sure that you have the required permissions to update a case. To edit a case:

On the View Case page, click Update to edit the case.

Update a Case Buttons

Depending on which workflow you are using, the buttons that are enabled on the Update Case page vary. The following changes may appear in the buttons in the interface on this page: •

Update and move to next case or Update

•

Skip to next case or Cancel

Snooze Mode Snooze mode allows you to skip a case in the queue and return to the case at a later time. When you skip a case, the case is put into snooze mode for a set period of time. The default time period is 30 minutes. This period can be configured in the Case Management section of the Back Office Applications component within the Administration Console. The Snooze iconsnooze appears next to the case on the View Queue page. Totime see the start time of the period, move your cursor over thethe Snooze icon. The that is displayed is 24-hour time. A case in snooze mode will be moved to next in line for processing after the snooze time has ended, based on the case priority.

Apply Snooze Mode to a Case You can put a case in the queue into snooze mode if you want to return to the case at a later time. To put a case into snooze mode:

Do one of the following:

Managing 4: Cases

•

On the Process Queue page, select the case, and click Skip. The current case is not handled, and the next case appears.

•

On the Process Queue page, select the case, and click Update and Move to Next. Any changes made to the case are updated, and the next case appears. For more information, see Update a Case in the Process Queue on page 108.

119


Top Risk Score Contributors When viewing activity information on the Research Activities page, you can view the top contributors to the risk score in the Detailed Activity Information section. The factors that have the strongest effect on the risk score of the activity are listed under the contributor name in descending order of impact. An up arrow indicates a contributor that raised the risk score, and a down arrow indicates a contributor that lowered the risk score. Note: The list of risk score contributors was updated in version 7.0.

Custom Facts You can define custom facts in the Policy Management application. A fact is a core data element which the Policy Engine processes to determine if the rule is triggered. Once you create and save a custom fact successfully, you can build rules with the fact. You can add up to 20 different custom facts to the system. Defining these facts adds new fact names and the associated values to the Detailed Activity Information section. For more information, see the topic about custom facts in Chapter 3, Managing Policies.

120

Managing 4: Cases


5

Managing End-User Accounts •

Customer Service Application Overview

•

Find an End User

•

End User’s Account History

•

Account Locking

•

Terminate an End User’s Authentication Sessions

•

Reset an End User’s Account

•

Account Unenrollment

•

Watch an End User’s Progress

This chapter describes how to manage end-user accounts using the Customer Service application, a component of the RSA Adaptive Authentication (On-Premise) Back Office Application Suite.

Customer Service Application Overview The Customer Service application enables customer service representatives to help end users who are having trouble with their secure logon settings. Using the Customer Service application, you can: •

Search for an end user

•

View an end user’s account history This includes watching an end user ’s progress in the Adaptive Authentication system (the logged results of end user actions, not real time).

•

Lock an end user’s account

•

Unlock an end user’s account

•

Reset an end user’s account

•

Unenroll an end user

•

Terminate an end user’s authentication sessions

5: Managing End-User Accounts

121


Find an End User You can search for an end user’s account to help resolve problems with logon settings. Before You Begin

You need to know the following information: •

The organization to which the end user belongs

• The end user’s user name The following figure shows the Customer Service application home page.

To find an end user:

1. Use the Organization drop-down menu in the upper right corner of the page to select the end user ’s organization. 2. In the Username field, enter the user name. 3. Click Search. Note: The Customer Service application logs you off after a set period of inactivity.

Keep this in mind while viewing an end user’s information. For more information, see Log Off from a Back Office Application on p age 15.

122



End User’s Account History After the end user is found, the following information about the end user’s account is displayed: •

The end user’s user name

•

The end user’s organization

•

The current status of the end user’s account

•

The account history, sorted by the date that the activity occurred

The following figure shows an end user’s details and account history information.

End User Account History Information The end user’s account status can only be one of the following values: •

VERIFIED

•

UNVERIFIED (either started enrollment but did not finish, or was unlocked and reset by a Customer Service Representative)

•

LOCKOUT

•

UNLOCKED

•

DELETED

Note: Changes to an end user’s account status may occur due to activities performed

in Case Management and may not be reflected in the Customer Service application. For example, if a case is changed to Genuine Confirmed in Case Management, authentication is unlocked. Depending on the current status of the account, different buttons are available above the activity table. The availability of the following buttons is dependent on the account status type for which they are needed: Unenroll. Available in all end user account states except Deleted. Terminate authentication sessions.Available in all end user account states except Deleted.


123


Lock. Available in Verified and Unlocked states only. Unlock. Available in Lockout state only. Unlock and Reset. Available in Unlocked and Lockout states only. Note: The Refresh and Search buttons are always active.

Activities within the Account History Information There are multiple types of activities that can be listed within the end user’s account history information. Normal transactions, such as deposits and withdrawals are not listed. You can see only security-related activities. Activities, which are identified by a letter and a description, include: A. End user modified one or more challenge answers. B. End user’s locale has changed. C. End user's account was created. D. End user's account was deleted. F. End user preference was modified. G. End user modified the group membership. L. End user's account was locked. M. One or more of the end user's settings was modified. N. End user has not completed enrollment successfully (the account is unverified). Q. End user modified one or more challenge questions. R. End user's account was unlocked or reset. T. End user contact was modified. U. End user changed the user name. V. End user completed enrollment successfully (the account was verified).

These letters can be combined to indicate several activities, for example: CV. The end user's account was created and verified. MIQA. The end user modified the questions and answers.

All actions, taken by either you or the end user, create a new entry in the activity table. When you perform an action on the account, such as unlocking the account, the Account History page automatically refreshes and displays the new action in the table. You can click Refresh if you need to refresh faster.

124



Account Locking You can lock end user accounts if any of the following occur: •

An end user fails authentication.

•

An end user calls and wants to lock the account because the account information was stolen or there was unauthorized access to the account.

•

An end user is delinquent in payments and the account needs to be locked.

•

An end user is no longer a member of the organization and the account needs to be deleted. You can lock the account before deleting it.

An end user’s account can also be locked if the end user incorrectly answered the challenge questions too many times. The Adaptive Authentication system automatically locks an account in that case.

Lock an End User’s Account You can lock an end user ’s account so that the end user can no longer access the account online. Your company policies may define other reasons to lock an end user's account. Refer to the policies of your company for a full list of reasons to lock an end user’s account. To lock an end user’s account:

1. Find an End User. The account information is displayed. 2. Click Lock.

Unlock an End User ’s Account You can unlock an end user’s account that is locked. For information on why an end user’s account might be locked, see Account Locking on page 125. Use the following procedure if the end user locks his or her account, but believes that he or she knows the correct answer to the challenge questions. Before You Begin

Verify the end user’s identity before unlocking the end user’s account. To unlock an end user’s account:

1. Find an End User. The account information is displayed on screen. 2. Click Unlock. The end user’s account information is refreshed and the last activity is now listed as Unlocked.


125


Terminate an End User’s Authentication Sessions You can use the Terminate Authentication Sessionsbutton in the User Details window to terminate all open authentication sessions for an end user. When you press this button, the application terminates all open authentication sessions for the end user specified in the User Details window. The application calls the API method ResetOpenSessions to perform this task. For more information about this API method, see the Web Services API Reference Guide . Before You Begin

Verify the end user’s identity before resetting the end user’s account. To terminate authentication sessions for an end user’s account:

1. Find an End User. The account information is displayed. 2. Click Terminate Authentication Sessions.

Reset an End User ’s Account This option allows you to unlock and reset an end user’s account so that, the next time the end user logs on, the end user must choose new challenge questions. This leaves the end user’s account in an unverified state. Use the following procedure if the end user has locked the account and does not know the answers to the challenge questions. Before You Begin

Verify the end user’s identity before resetting the end user’s account. To reset an end user’s account:

1. Find an End User. The account information is displayed. 2. Click Reset. The end user’s account information is refreshed and the last activity is now listed as Reset. 3. Inform the end user that he or she can log on to the account, but must choose new challenge questions and provide the necessary answers.

126



Account Unenrollment When you unenroll an end user, the end user’s account information is made inaccessible but it is not removed from the database. Although the account information is flagged for deletion, the actual information is never removed from the Adaptive Authentication system. If the end user tries to log on to an account that is unenrolled, the end user cannot access the account information. Deleted accounts are removed from the system if the scheduled task DeleteUsers is configured to run after the billing period is over. If the end user is in the DELETED status, you must use the createUser or analyze AutoCreate request to re-create the deleted end user.

Unenroll an End User Use the following procedure if the end user is no longer a member of the organization and the account needs to be deleted or if there are other conditions requiring that the end user be unenrolled. Important: Unenrolling an end user is not reversible by a customer service

representative. To unenroll an end user:

1. Find an End User. The account information is displayed. 2. Click Unenroll. The end user’s account information is deleted.

Watch an End User’s Progress You can watch an end user’s progress in near real time to help an end user with any problems that arise during enrollment or while accessing the security settings. To watch an end user’s progress:

1. Find an End User. The account information is displayed. 2. Click Refresh. The account information updates and any new information displays automatically. You can verify for the end user that questions are updated and recognized by the system.


127


6

Viewing and Analyzing Reports •

Report Viewer Application Overview

•

View and Download Reports

•

Report Characteristics

•

Report Types

•

Report Format

•

Report Content

RSA provides reports, which consist of basic, unfiltered data, to help you evaluate RSA Adaptive Authentication (On-Premise) system performance and end-user behavior. RSA uses the log files sent by your organization to create different report types. The Adaptive Authentication version that you use and the type of information you send to the logs impact the types of information and data that the reports contain. This chapter describes the Report Viewer application.

Report Viewer Application Overview The Report allows select view that summarize user data, such asViewer the number ofyou end to users perand month orreports the number of end userssystem challenged in a week. The Report Viewer accesses the reports, displays the reports, and presents the reports in downloadable formats. The Report Viewer does not generate the reports. The Report Viewer enables you to: •

View a list of reports filtered by organization and month

•

View a list of data ranges for report types based on report naming conventions (daily, weekly, monthly, or all)

•

Filter a list of reports based on the your access

The Report Viewer displays reports and provides the necessary access control for those reports. The reports, in either PDF or comma-separated value (CSV) format, are put into a specified directory. These reports are retrieved from the file system after you have extracted and synchronized the report directory structure. For more information, see the chapter on logs and reports setup in the Operations Guide.

6: Viewing and Analyzing Reports

129


Reports Directory Structure for the Report Viewer For proper operation of the report viewer, a directory structure must be created in the reports directory that you configure for the Report Viewer. The following figure shows a typical directory structure.

For more information, see the chapter on logs and reports setup in the Operations Guide.

View and Download Reports You can view and download a report to see a summary of system user data. The Report Viewer retrieves information about each organization to which a user has access, and it presents an organization summary with report type listings for each organization. Note: If you do not see a particular organization or its reports, contact the

appropriate party within your company for access to view the reports.

130



To view and download a report:

1. On the Reports page, select the organization for which you want to view a report.

2. Select a report type from the following available report types: •

Monthly

• •

Weekly Daily

•

All

3. Select a report name or ALL to view a list of names. 4. Select the From and To dates to define the range of the reports 5. Click Search. The system retrieves and presents the reports that meet your conditions. You can sort the retrieved reports according to the following fields: •

Report Type (default)

•

Report Name

•

Generated

•

Date From

•

Date To

•

Format

6. Choose the format (PDF or CSV) for the selected report. Organization names appear as designated in the database. In some cases, for example, this is a number.


131


Report Characteristics Note: Reports are generated for each organization.

Reports are generated from processed activity logs. Each report covers the end-user sessions for a specific range of time. Typically, the time range is daily, weekly, or monthly, except for system trends, which are weekly and monthly. Note: In a report that covers multiple days, some rules do not fire every day. The

report designates no firing of a rule on a day by a zero (0), which appears periodically throughout the report. Time ranges are not configurable. Set up the reporting schedule and time period by working with RSA Customer Support. If you are viewing the reports with the Report Viewer, make sure to maintain the directory structure provided by RSA Central. For more information, see the chapter on logs and reports setup in the Operations Guide. Important: In general, these logs do not contain sensitive customer data. Data is only

used to examine aggregate behavior and User IDs can be obscured through a hashing algorithm. To hash User IDs, you must configure the ID Masking parameter in the Administration Console. Consequently, individual users cannot be identified by User IDs. For more information about the ID Masking parameter, see the chapter “Administration Console” in the Operations Guide.

Note: If dates in a week straddle two months, reports from that one week period are

grouped inside the directory of the first of the two months. For example, if March 31 is a Wednesday and April 1 is a Thursday, a report that focuses on activities during this time period are grouped inside the March directory.

Report Types The following report types are available: Billing Report. Includes statistics used for billing purposes. A roll-up version of the report contains data from several customers. Customers with multiple organizations or service providers may find the roll-up version useful for billing each organization. Authentication Plug-In Billing Report. Statistics used for billing of the Authentication Plug-In service. There is a roll-up version of this report. Blocked A detailed report that shows the the hashed IDs foreach end users whoUsers were Report. denied access to your online application, rule User that caused end user to be blocked, and the date and time that each end user was blocked. Case Management Report. Statistics on case activity and fraudulent transactions as represented by the Case Log and Events Marking Log from the Case Management application.

132



Case Trends Report. A summary of the Case Management Report over a period of time. This report is generated for weeks and months, instead of days. eFraudNetwork Report. Counts attempts to access the online system by people from IP addresses identified in the RSA eFraudNetwork TM service as high risk and records the result of the attempt. Forensics Summary Report. Statistics on Risk Analysis parameters, such as usage by geographical location. Policy Summary Report. A count of the recommended policy actions and reasons for each recommendation. The report includes the rules that fired a given recommended action. Policy Trends Report.A summary of the Policy Summary Report over a period of time. This report is generated for weeks and months, instead of days. Risk Factor Report. Includes the total count of the risk factors that are fired regarding a transaction, not only the ones that result in recommended actions. Risk Factor Trends Report.A summary of the Risk Factor Report over a period of time. This report is generated for weeks and months, instead of days. System Usage Report. A summary of the business events, such as total logon attempts, challenges, and lockouts. System Trends Report.A subset of the System Usage Report, which provides a breakdown of the events in the System Usage Report by day.

Report Format RSA provides access to reports every day. To access reports, you must send the log files to RSA and then download the reports. Reports are available as PDF or CSV files. Note: The Blocked Users Report is available only in CSV format.

A report consists of a data table that provides the bulk of the report information. The report structure is: •

Header

•

One section for each different transaction type

•

An overall section for all transaction types

•

Footer

Example of Elements Common to All Reports Name of Report ================================== Report Version 6.0 Reporting Period Start Date 7/15/2012 12:00 AM Reporting Period End Date 8/1/2012 12:00 AM Timezone PST


133


Report Creation Date 8/11/2012 Customer Large Bank Organization LargeBank Start Report: ============================== Transaction Type: X (report content with potentially multiple sections) ============================== End of Report

CSV Files CSV format is recognizable by many analysis software packages, so the data from the reports can be easily be exported to such a tool for further analysis. RSA consistently maintains the structure of each report and notifies customers in advance if there are unavoidable changes to the structure.

CSV File Example (Microsoft Excel) You can use the Excel grid line identifiers as reference points when exporting to other programs.

134



The following figure is an example of a CSV in Excel.

Standard Header and Footer Header Description All reports start with a standard header that identifies the report and any pertinent information about the report. The header contains the following: Report Name. Identifies the report. Report Version. Each report has a version number that signifies the Adaptive Authentication version used to generate this report.


135


Reporting Period Date and Time. Each report shows activity for a specific time range. The values show the date and time zone: •

•

•

Daily reports list two dates, which indicate a 24-hour period starting on the first date. For example, December 30 to December 31 is equivalent to a one day period. Weekly reports start with Sunday and end the following Sunday. The report covers a 7-day calendar week that includes Sunday through to and including the following Saturday. For example, June 18 (Sunday) to June 25 (Sunday) covers one calendar week which includes June 18, 19, 20, 21, 22, 23, and 24. Monthly reports list two months. The report covers a period of a full month. The period begins from the beginning of the first month and continues through to the start of the first day of the next month. For example, January 1 to February 1 is listed as the report period for the month of January.

Report Creation Date. The date on which the report was generated. Customer Name. Your name. Organization. If your organization includes multiple layers of organizations, Organization is the specific institution to which the report applies. Otherwise, Organization is the same as the Customer Name.

Header Format The following is the report header format: Report Name Version Start Date

# Month Day, Year

End Date Timezone Creation Date Customer Organization

Month Day, Year XXX Month Day, Year Name Name

Report Header Example The following figure shows an example of a PDF report header.

Footer Description All reports end with an end tag line so that you are assured that you received the entire report.

136



Report Naming Convention The report naming convention is: []____. Note: If the report is an aggregative report for all organizations under the default

organization, the OrganizationName parameter does not appear in the report name. The following table describes the naming convention parameters. Parameter

Description

The range of dates covered by the report. The parameter has two formats: • YYYYMMDD—This format only applies to Daily and Custom Report types. For example, the date April 16 2012 is shown as 20120416 and represents a report generated for data on April 16, 2012. • YYYYMMDD-YYYYMMDD—This format has a start date and an end date. This format applies to Weekly, Monthly, and Custom Report types. The range is assumed to be inclusive of the start date and end date.

The name of the customer.

The name of the organization for which the report was run. The report contains data on the parent organization all its suborganizations. This parameter does not appear in an aggregated report, which contains data for all customer organizations.

The name of the report.

The reporttype: • Daily • Weekly • Monthly

The date and time that the report was run. The parameter is a single unit representing date and time in YYYYMMDDHHMMSS format. A report run at 1:01 p.m. on April 16, 2012 is shown as 20120416130100. If two reports exist with the same name, view the one with the latest DateTimeGenerated stamp for the most up-to-date report.

The report format: • CSV • PDF—An Adobe Acrobat formatted document, which can be viewed using Adobe Reader. To download the free application, go to http://www.adobe.com.


137


The following table lists examples of valid report types and the naming conventions that the reports use. Note: If the report is an aggregative report for all organizations under the default

organization, the OrganizationName parameter does not appear in the report name. ReportType

ReportName

Billing

20120331_BillingReport_DAILY_20120403041822.pdf

Authentication Plug-In Billing

20120301-20060331_AcspBillingReport_MONTHLY_20120403041822.pdf

Blocked Users

20120920_BlockedUsersReport_DAILY_20120927114219.csv

Case Management

20120411_CaseSummary_DAILY_20120422131617.csv

Case Management Trends

20120701-20120707_CaseManagementTrends_WEEKLY_20120815131254.pdf

eFraudNetwork

20120521_EFNSummary_DAILY_20120612141617.csv

Forensic Summary

20120416_ForensicSummary_DAILY_20120418131554.pdf

Policy Summary

20120409-20120415_PolicySummary_WEEKLY_20120416231809.pdf

Policy Trends

20111224-20111230_PolicyTrends_WEEKLY_20120223051419.pdf

Risk Factor

20120409-20120421_RiskFactor_WEEKLY_20120422231809.csv

Risk Factor Trends

20111224-20111230_RiskFactorTrends_WEEKLY_20120223051425.csv

System Usage

20120416_SystemUsageReport_DAILY_20120417131554.pdf

System Trends

20111224-20111230_SystemTrendsReport_WEEKLY_20120117131554.csv

Report Content

138

•

Billing Report

•

Authentication Plug-In Billing Report

•

Blocked Users Report

•

Case Management and Case Management Trends Reports

•

eFraudNetwork Report

• •

Forensic Summary Report Policy Summary and Policy Summary Trends Reports

•

Risk Factor Report and Risk Factor Trends Reports

•

System Usage and System Trends Reports



This topic describes the content of the reports and provides report examples.

Billing Report RSA generates a Billing Report for your institution based on the Billing Logs sent by your company. RSA uses the data from these daily reports to create the billing invoices that are sent to your company. Billing report information can vary due to: •

The number of end users enrolled in the Adaptive Authentication system

•

The number of active end users during a given billing period

RSA consolidates billing information based on different parameters, such as: •

All the data for a given customer

•

All the data centers for a particular institution

Note: If no recent billing data is available, RSA uses the most recent data but notifies

you in the report that the most recent logs for that period were not received. The following figure shows an example of a Billing Report.

Authentication Plug-In Billing Report RSA generates daily Authentication Plug-In Billing reports for your institution based on the Authentication Plug-In Billing Logs sent by your company. From these reports, RSA validates billing information sent by the Authentication Plug-In and creates billing invoices that are sent to your company. Authentication Plug-In Billing Report information includes the following information: •

Total number of successful calls made to the Authentication Plug-In for your company

•

Total number of failed calls made to the Authentication Plug-In for your company


139


•

Total number of calls made to the Authentication Plug-In for your company

Note: Calls that the Authentication Plug-In triggers are billed regardless of the result.

Possible results include successful authentication, failed authentication, unreachable numbers, busy lines, and rejected calls. The following figure shows an example of an Authentication Plug-In Billing Report.

Blocked Users Report The Blocked Users Report is only available in CSV format. The report contains a section for each transaction type that includes the following: Hashed UserID. The hashed User IDs of end users blocked from accessing your online system. Note: The User ID will only be hashed if the ID Masking parameter is selected in

the Administration Console. For more information, see the Operations Guide. Rule. The rule that caused the end user to be blocked Date. The date and time of day that the end user was blocked Note: The Blocked Users Report gives you a complete date and time stamp. Make

sure that your CSV reader, for example, Microsoft Excel, can import this complete date and time stamp without any modification.

140



The following figure shows an example of a Blocked Users Report.

Case Management and Case Management Trends Reports

The Case Management Report uses Case Logs and Event Marking Logs to create the report. The Case Management Report relates to the total number of cases: •

Opened in this period that srcinated from the Risk Engine

•

Opened in this period by fraud analysts

•

Closed in this period that srcinated with the Risk Engine

•

Closed in this period that srcinated with a fraud analyst

•

Closed as fraud in this period that srcinated with the Risk Engine

•

Closed as fraud in this period that srcinated with a fraud analyst

•

Open at the beginning of the report period that srcinated with the Risk Engine

•

Open at the beginning of the report period that srcinated with a fraud analyst

The Case Management Report also displays the following information related to fraudulent transactions: • •

Fraudulent Transactions Suspected Fraudulent Transactions

•

Genuine Transactions

•

Assumed Genuine Transactions


141


•

Unknown

•

Total

Note: The Events Marking Log contains a list of all cases closed on the day the log

was run. For events that were manually flagged, the specific resolution is listed. For all other events, the resolution is listed as Unknown. The following figure shows an example of a Case Management Report.

The Case Management Trends Report is a subset of the Case Management Report and provides a breakdown by day within the reporting period. These reports break down the Case Management activities into statistics that you can use to track the number of cases being created and closed while also tracking the instances of fraud.

142



The following figure shows an example of a Case Management Trends Report.

eFraudNetwork Report The eFraudNetwork (EFN) Report uses the Audit Logs and identifies the IP addresses listed in the eFraudNetwork service that pose a potential risk. Based on this information, this report provides risk analytic information on the following: •

The number of logons that correspond to IP addresses listed in the eFraudNetwork service.

•

The logons not challenged that correspond to those potentially high-risk IP addresses listed in the eFraudNetwork service.

The report consists of a table that shows the range of risk scores relative to the number of times the following elements occurred: Logon. The number of end users logging on to your online system that have a high eFraudNetwork score. Unchallenged. The number of instances in which end users log on without being challenged, despite using IP addresses listed in the eFraudNetwork service. Important: End users from high-risk IP addresses listed in the eFraudNetwork

service who enter your online system unchallenged can cause security concerns for your company. It is important to track the number of unchallenged end users with a high eFraudNetwork score. If the Unchallenged element of the report is empty, this indicates that no end users from high-risk IP addresses accessed your online system during the reporting period listed on the report. Denied. The number of instances in which end users do not gain access to your online system, based on the documented IP addresses listed in the eFraudNetwork service. Challenge Failed. The number of instances in which end users are challenged during logon and fail the challenge. Challenge Succeeded. The number of instances in which end users are challenged during logon and successfully meet the challenge requirements.


143


You can use this report to assess the effectiveness of your company policies and procedures in preventing access by end users with high-risk IPs. The following figure shows an example of an eFraudNetwork Report.

Forensic Summary Report This high-level report provides a summary of the forensic information for a reporting period. The report breaks down the locations from where the main end user population is accessing the online system. The information in the Forensic Summary Report is based on the Forensic Logs. Forensic information is taken from the MaxMind data processed in RSA Central. This information is updated monthly by the customer. For more information on the Forensic Logs, see the Operations Guide. The elements of this report are: •

•

IP geographical location distribution: –

Number of unique totalare number of regions (states, provinces, and counties) from regions—the which end users accessing the system

–

Number of unique countries—the total number of countries from which end users are accessing the system

–

Number of unique cities—the total number of cities from which end users are accessing the system

Top 40 IP addresses, listed in descending order, used to log on to your online system, including: –

Number of times the specific IP address was used to log on to your system

–

Number of end users who logged on from each IP address

–

Date end users logged on to your system with a particular IP address

Note: An Internet Protocol Version 6 (IPv6) address that can be represented as

an IPv4 address is transformed to the IPv4 format. The address is counted only once.

144

•

Top 10 unique ISPs that logged on to your system and the total number of times for each ISP, listed in descending order.

•

Top 10 unique regions (states, provinces, and counties) that accessed your system and the total number of times for each region, listed in descending order.



•

All countries that accessed your system and the total number of times for each country, listed in descending order. Each country is identified by its two-digit Alpha-2 ISO 3166-1 country code. Note: Non-standard country codes do not appear in reports. The following

codes are used for non-standard country codes: “--”: Private and experimental reserved addresses A1: Anonymous proxy A2: Satellite provider O1: Other These statistics are not included in the Summary Statistics Count section. •

Top 10 unique cities that accessed your system and the total number of times for each city, listed in descending order.

Note: The top number counts are based on the assumption that Forensic Logs contain

forensic information for a minimum of 10 cities, 10 regions, 10 ISPs, and 40 IP addresses. A report may contain less than these minimum values if your Forensic Logs did not receive the preset minimum values. The following figure shows an example of a Forensic Summary Report.


145


Policy Summary and Policy Summary Trends Reports The Policy Summary Report provides a summary of logon transactions that resulted in recommended actions. The report also provides the reasons for each recommendation. The Policy Summary Trends Report is a summary of the Policy Summary Report over a period of time and provides a breakdown by day within the reporting period. The information in the Policy Summary Report and the Policy Summary Trends Report is based on the Forensic Logs. Your policies are the main contribution to the Policy Summary and the Policy Summary Trends Reports. you have a simple of policies, policies, resulted you willin see simple report. These reports show If which rule, based onset your anaaction that allowed, challenged, strongly challenged, or denied end users access to your online system. The reports display a table containing the following components: •

Action—the four types of actions that can occur when rules fire depending on which rules brought up these actions: –

Allow—rules that fired and allowed end users to log on successfully

–

Challenge—rules that caused some end users to be challenged

–

Strong Challenge—rules that caused some end users to be strongly challenged, which takes the challenge further when needed

–

Deny—rules that prevent some end users from being allowed to log on

•

Rule—the rule that fired to allow the action to occur

•

Count—number of times that a particular rule fired that resulted in an action

•

occurring Percentage—breakdown of the count (not part of the Policy Summary Trends Report)

•

Grand Total—two totals are provided (not part of the Policy Summary Trends Report): –

Total Count—total number of rules that fired

–

Total Percentage—total percentage for each rule that fired

The following figure shows an example of a Policy Summary Report.

146



The following figure shows an example of a Policy Summary Trends Report.

Risk Factor Report and Risk Factor Trends Reports The Risk Factor Report provides a summary of all of the risk rules that fired against all logon transactions (not just ones that resulted in recommended actions). The Risk Factor Trends Report is a summary of the Risk Factor Report over a period of time and provides a breakdown by day within the reporting period. The information in the Risk Factor Report and the Risk Factor Trends Report is based on the Forensic Logs. Unlike the Policy Summary Report, which focuses only on the first rule that fired and had a resulting action, the Risk Factor and Risk Factor Trends Reports focus on all the rules that fired in the chain of rules that allowed or prevented end users from logging on, along with analyzing the risk values of the rules. The Risk Factor Report provides risk factor information for: •

The total of all transaction types

•

Each individual transaction type

Each section contains the following elements: •

Bar Graph or Table (not part of the Risk Factor Trends Report) Compares the risk scores to all of the transactions or to a particular transaction to show the Forensic Score Distribution. The risk score is a quantifiable number that weighs all the rules that fired and the risk values to a transaction. The graph presents the distribution of risk scores of risk factors in a specific transaction. The manner in which you rank the risk factors when setting up your policies can impact the risk scores. Includes all the transactions that are evaluated by the Forensic Log. All the rules do not necessarily corollate to spikes in the bar graph or high numbers in the table.

•

Summary Table: –

Total Forensics Evaluations—the transactions that occurred.


147


– •

Count—the number of transactions that took place in this reporting period.

Risk Factor Table: –

Risk Factor—a list of all of the rules that fired (not necessarily acted upon).

–

Count—how many times each particular rule fired but was not necessarily acted upon.

–

Percentage—each risk factor count is measured individually to determine the percentage that caused a particular rule to be counted, not necessarily acted upon (not part of the Risk Factor Trends Report).

Important: Percentages refer to the percentage of times a risk factor occurs out of all

potential risk factors for a specific transaction type. Because the percentage relates to one transaction type, the total of percentages for all transaction types is not 100 percent and has no significance. The following figure shows an example of a Risk Factor Report.

148



The following figure shows an example of a Risk Factor Trends Report.

System Usage and System Trends Reports The System Usage Report gives an overall summary for each activity for the reporting period. The report relies on the corresponding business events being logged to the Audit Logs at your site. The System Trends Report is a subset of the System Usage Report, which provides a breakdown of the events in the System Usage Report by day. System Usage reports provide the percentage of daily alternative authentications. This is determined by dividing the number of challenges by the number of end user logons. The report contains these main parts: •

Logon Frequency Graph—counts the number of times end users logged on for the given period of time that the report covers (not in CSV format or the System Trends Report)

•

Generated amounts or percentages for certain business events (not part of the System Trends Report): –

Total User Logons—the number of successful logons Note: For Web Services customers, the appearance of a zero (0) in the Total

User Logons count is normal, because RSA does not receive a successful end user logon reported in the logs. See USER_SIGNIN in the events table for a count of the number of end users logging onto your system. This count is a close approximation to Total User Logons. –

New User Enrollments (Estimated)—the approximate number of new end users that enrolled in the Adaptive Authentication system

– –

Users Who Changed Their Challenge Questions Users Denied Access Due to RSA AdaptiveAuth Lock Out

–

Percentage of daily alternative authentication—determined by number of challenges divided by number of end user logons


149


– •

Percentage of daily failed logons—determined by number of lock outs divided by number of end user logons

Event table: –

Event—the activity that occurred. Not all event types are available in all instances of the application.

–

Total Users—the number of times a particular event occurred across all end users.

–

Unique Users—the number of individual end users that came across a particular event. Note: Unique Users are counted differently than Total Users. The Unique

Users element counts only those end users who are unique. For example, if User XYZ logs on five times in one day, Unique User only counts User XYZ once, but Total User counts User XYZ five times. –

Description—explains the meaning of each event.

Events by Process Type The following is a list describing some of the events of this report by process type: •

•

•

•

150

Logons: –

Count of total logon attempts

–

Count of unique end users who attempted to log on

– –

Count of logons challenged Count of end users locked out because of failed challenge

–

Count of logon attempts by end users already locked out

–

Count of logon attempts by end users not enrolled in the Adaptive Authentication database

–

Count of end users declining to be bound to their device

Enrollment: –

Count of new end user enrollment attempts

–

Count of enrollments cancelled

–

Count of enrollments completed

–

Count of reenrollments after a customer reset

Maintenance: –

Count of completed Challenge Question Maintenance attempts

–

Count of cancelled Challenge Question Maintenance attempts

Devices: –

Total devices used

–

Total new devices registered



A

List of Facts The following table shows the fact categories, the name for each fact, the name of the fact in previous versions, the fact type, and a description of the fact. For more information, see Facts on p age 44.

C a te g o r y

Fact N am e

Account Details # of Days Since First Logon

Pr e v io u s F a c t N a m e

Type


DaysSinceFirstHit

Integer

The number of days that passed since the first time the end user was detected.

# of Days Since Last Address Change

DaysSinceAddressChan ge

Integer

The number of days that passed since the end user changed the address.

# of Days Since Last E-mail Change

DaysSinceEmailChange

Integer

The number of days that passed since the end user changed the email address. Note: This fact is applicable

only to the event types CHANGE_EMAIL, USER_DETAILS, and UPDATE_USER.

A: List of Facts

# of Days Since Last Password Change

DaysSincePasswordCha nge

Integer

The number of days that passed since the end user changed the password.

# of Days Since Last Phone Number Change

DaysSincePhoneChange

Integer

The number of days that passed since the end user changed the phone number.

# of Challenge Questions Failed

challengeTryCount

Integer

The a ccumulative n umber o f failed challenge questions in all sessions.

# of Hours Since User ACCT was Opened

N/A

Integer

The number of hours since the user account was opened, using the on-line application of their financial institution.

# of Hours Since User Enrollment

N/A

Integer

The number of hours since the user enrolled in the on-line application, which is integrated with Adaptive Authentication.

151


C a te g o r y

Fact N am e


AccountType

N/A

Client-Defined User Account Type

GroupName

User Account Number (IBAN)

N/A

N/A

N/A

Type List

String

String

String

UserID

N/A

UserID

UserStatus

N/A

List

D e s c r i p ti o n Thetypeofuseraccountfrom which funds are transferred. This fact has a pre-defined list of account classifications such as Credit card, Debit card, and Checking. Account classifications for a user account defined by your organization. Identifieswhichspecific group an end user belongs to in a given organization, such as Small Business, High Worth, or Retail. Groups do not define unique end users, as end users can be moved from one group to another. The end user’s account number in IBAN format. TheIDoftheenduser,assent in the SOAP request. Thestatusofauserfroma pre-defined list that includes the following values: • DELETE • LOCKOUT • NOTENROLLED • UNLOCKED • UNVERIFIED • VERIFIED

UserType

N/A

List

Theclassificationofusers from a pre-defined list of values such as: • PERSISTENT • NONPERSISTENT • BAIT

Persistent User

152

userPersistent

Boolean

Specifies whether the end user is a registered user of the system according to the API request.

Facts ofListA:


C a te g o r y

Fact N am e


Application Details

Browser Cookie

clientGenCookie

String

The client's cookie, which is received using the API.

Browser Language is Diff from Usual

BrowserLanguageSettin gsDifferentNorm

Boolean

Specifies whether the browser language is different from the most commonly used browser language.

Browser Language is Diff from Previous

BrowserLanguageSettin gsDifferentPrevious

Boolean

Specifies whether the browser language is different from the browser language in the previous session.

Browser Time Zone is Diff from Usual

browserTimeZoneDiffer entNorm

Boolean

Specifies whether the current time zone is different from the most commonly used time zone for the end user.

Browser Time Zone browserTimeZoneDiffer is Diff from Previous entPrevious

Boolean

Specifies whether there is a difference between the time zone in the event and the time zone that appeared in the previous session.

ATM Details

A: List of Facts

Type


Difference (hrs) from Usual Time Zone

BrowserTimeZoneDiffer Double enceNorm

The difference in hours between the time zone in the event and the most commonly used time zone.

Difference (hrs) from Previous Time Zone

BrowserTimeZoneDiffer Double encePrevious

The difference in hours between the time zone in the event and the time zone that appeared in the previous session.

User Agent String is Diff from Usual

userAgentStringDifferen Boolean tFromNorm

Specifies whether the current user agent is different from the end user's most common user agent.

User Agent String is Diff from Previous

UASNotPrevious

Boolean

Specifies whether the current user agent is different from the user agent of the previous session.

# of Days Since Card Issued

N/A

Integer

The number of days that passed since the end user’s card was issued.

153


C a te g o r y

154

Fact N am e


Type


# of Days Since First ATM Location Use

N/A

Integer

The number of days that passed since the first time the end user made an ATM transaction at a specific location. The location is defined by ZIP code, city, state, and country.

# of Days Since First ATM Use

N/A

Integer

The number of days that passed since the first time the end user made a transaction at a specific ATM. The ATM is identified by ATM ID.

ATMCity

N/A

String

ThecityinwhichtheATMis located.

ATMCountry

N/A

String

Thecountryinwhichthe ATM is located. The value is a three-letter country code.

ATMID

N/A

String

Thegloballyunique identification of the ATM device.

ATMOwner

N/A

Boolean

Specifieswhethertheowner of the ATM device is an RSA customer who is implementing the RSA Adaptive Authentication (On-Premise) ATM Protection Module or not.

ATMState

N/A

String

ThestateinwhichtheATMis located.

Facts ofListA:


C a te g o r y

Fact N am e ATMLocationType

Pr e v io u s F a c t N a m e N/A

Type Location Type

D e s c r i p ti o n The type of location where the ATM device resides. The possible values are: • BANK BRANCH • PETROL STATION • PUBLIC TRANSPORT • STREET • CONVENIENCE STORE • SUPERMARKET • LEISURE FACILITY • DRIVE THRU • ENTERTAINMENT VENUE • TRANSPORT TERMINAL • POST OFFICE • RETAIL OUTLET • CASINO • GOVERNMENT OFFICE • OTHER

WithdrawalAmount

Withdrawal Amount in USD

ATMZIPCode

Payee Account Number (IBAN)

A: List of Facts

N/A

N/A

N/A

N/A

Long

Long

String

String

Theamountofcash withdrawn in the ATM transaction. The amount is in the lowest denomination of the local currency. The amount of cash withdrawn in the ATM transaction, in US dollars. The10-digitcodeforthe neighborhood in which the ATM is located. The payee’s account number in IBAN format.

155


C a te g o r y

Fact N am e


Channel Indicator

Activity Channel Indicator

ChannelIndicatorType

Type String

D e s c r i p ti o n The channel from which the event is coming. The possible values are: • ATM • BRANCH • CALL_CENTER • IVR • MOBILE • OTHER • WEB Note: Although BRANCH,

CALL_CENTER, IVR, and OTHER are available as values in the Policy Management application, they are not fully supported by the Adaptive Authentication system. You can use these values in rules, but the Risk Engine cannot produce an accurate score based on these specific channels. Device Details

156

Cookie Less than 5 Days Old

cookieLT5DaysOld

Boolean

Specifies whether the cookie is less than 5 days old.

Cookies Disabled in User Browser

cookiesNotEnabled

Boolean

Specifies whether the cookies in the end user's browser are disabled according to the device print attributes.

Device Bound to a User

newCookieForUser

Boolean

Specifies whether the device is bound to an end user.

Device Recovery Confidence Level

deviceRecoveryRisk

Double

The c onfidence level w ith which the device has been recovered. Possible values are between 0 and 1.

Event Comes from Aggregator Device

AggregatorDevice

Boolean

Specifies whether the event is coming from an aggregator device.

Java Not Enabled

javaNotEnabled

Boolean

Specifies whether Java is not enabled according to the device print attributes.

Facts ofListA:


C a te g o r y

Fact N am e


JavaScript Not Enabled

javascriptNotEnabled

New and Past Device devicePrintMisMatch Print Mismatch

Type


Boolean

Specifies whether JavaScript is not enabled according to the device print attributes.

Double

Specifies whether there is a mismatch between the new device print and the device print known from the past. Possible values are between 0 (match) and 1 (mismatch).

# of Bound Devices for User

numDevicesBoundUser Account

Integer

Specifies the number of bound devices the end user has (taken from the users table).

# of Bound Users for Device

numUserAccountsBoun dDevice

Integer

Specifies the number of bound end users the device has.

Screen Setting is Diff from Usual

screenSettingsDifferentF Boolean romNorm

Specifies whether the current screen setting from the device print is different from the most commonly used screen setting.

Screen Setting is Diff from Previous

screenSettingsDifferFro mPrevSession

Boolean

Specifies whether the current screen setting from the device print is different from the previous screen setting.

User's Device Not Bound

userDeviceNotBound

Boolean

Specifies whether the end user's device is not bound.

N/A

Integer

The risk score of a device fingerprint detected as fraudulent, as received from the eFraudNetwork service. The possible values are: 800, 900, 920, 950, 970 and 1000

eFraudNetwork Device Fingerprint Risk Score

IP Risk Score

efraudNetworkScore

Integer

The risk score of an IP address detected as fraudulent, as received from the eFraudNetwork service. The possible values are: 800, 900, 920, 950, 970 and 1000

A: List of Facts

157


C a te g o r y

Fact N am e PayeeRiskScore

IP Details

Pr e v io u s F a c t N a m e N/A


Integer

Theriskscoreofapayee detected as fraudulent, as received from the eFraudNetwork service. The possible values are: 800, 900, 920, 950, 970, and 1000

IP Location is Diff from Usual

cookieIPGeoDifferentFr omNorm

Boolean

Specifies whether the geographic location of the incoming IP address is different from the geographic location of the IP address that the end user most commonly uses. A match is made if the city and country names are the same, and the latitudinal and longitudinal differences are less than 0.1 degrees.

# Miles Between Device IP and First User IP

cookieIPGeoDistanceFr omFirst

Double

The distance between the location of the IP address of the device from the first session (represented by this cookie) and the location of the IP address in the event.

# Miles Between Device IP and Usual User IP

cookieIPGeoDistanceFr omNorm

Double

The distance between the most commonly used location of the IP address of the device (represented by this cookie) and the location of the IP address in the event.

# Miles Between Device IP and Prev User IP

cookieIPGeoDistanceFr omPrevious

Double

The distance between the location of the IP address of the device from the previous session (represented by this cookie) and the location of the IP address in the event.

Bank IP and User IP in Diff Countries

foreignIP

Boolean

Specifieswhetherthe IP address of the bank and IP address of the end user are in different countries.

Class A IPAddresses classA

158

Type

String

The first segments of the IP address.

Facts ofListA:


C a te g o r y

Fact N am e


Type


Class B IP Addresses classB

String

The first two segments of the IP address.

Class C IP Addresses classC

String

The first three segments of the IP address.

DeviceIP

String

TheIPaddressfromwhich

ip

the device is coming. Device IP is Diff from Event IP

sourceIPNotCookieIP

Boolean

Specifies whether the IP address of the device (represented by this cookie) is different from the IP address of the event.

Device IP is Diff from Previous IP

cookieIPDifferentFromP Boolean revious

Specifies whether the IP address of the device from the previous session (represented by this cookie) is different from the IP address in the event.

Device IP Not Found in GeoIP File

userIPNotLocated

Specifies whether the device is coming from an IP address that is not found in the GeoIP file, for example, internal IP addresses.

# Miles Between Input Device IP and Average User IP

sourceIPDistanceFromA Double verage

The distance in miles between the current coordinate and the average of all past coordinates.

# Miles Between Input Device IP and Prev User IP

sourceIPDistanceFromPr Double evious

The distance in miles between the current coordinate and the previous coordinate.

# Miles Between Input Device IP and First User IP

sourceIPDistanceFromFi Double rst

The distance in miles between the location of the IP address of the device from the first session (represented by the cookie) or by device recovery and the location of

Boolean

the IP address in the event.

A: List of Facts

159


C a te g o r y

Location Details

Fact N am e


Type


# Miles Between Input Device IP and Usual User IP

sourceIPDistanceFromN Double orm

The distance between the most commonly used location of the IP address of the device (represented by this cookie) and the location of the IP address in the event.

# Miles Between Input Device IP and First Device IP

geoDistanceFromSource Double IPToCookieIP

The distance in miles between the location of the IP of the device from the previous session (represented by the cookie) and the location of the IP address in the event.

IP Comes from Anonymizer

IPAnonymizer

Boolean

Specifies whether the IP address is coming from an anonymizer.

Moved to New IP Too Fast

sourceIPMovedTooFast

Boolean

An internal calculation that assesses whether moving to the new IP address from the previous IP address happened too fast.

City Name from GeoIP

ipCityCode

String

Thecity name taken from the GeoIP. Refer to MaxMind documentation for supported values.

Country Code from GeoIP

IPCountryCode

String

The country code taken from the GeoIP. Refer to MaxMind documentation for supported values.

Country Code from Geolocation File (Mobile) ISPfromGeoIP

N/A

ipIsp

String

String

The country code taken from the geolocation file.

TheInternetserviceprovider taken from the GeoIP. Refer to MaxMind documentation for supported values.

160

Facts ofListA:


C a te g o r y

Fact N am e


Type


ISP not in Geolocation File for Device

ISPGeoNotFoundForDe vice

Boolean

Specifies whether the Internet Service Provider is not found in the geolocation file for the historical IP addresses of the specified device.

ISP not in

ISPGeoNotFoundForUs

Boolean

Specifies whether the Internet

Geolocation File for User

er

Region Code from GeoIP

IPAddress

service provider is not found in the geolocation file for the historical IP addresses of the specified end user. String

Theregioncodeofthe location from which the user issued their request, as defined by GeoIP. Refer to Max Mind documentation for supported region code values.

Region Code from GeoIP

IpRegion

String

Theregioncodetakenfrom GeoIP. Refer to MaxMind documentation for supported values.

Payee Details

# of Days Payee is payeeProfileAge Associated with User

Integer

The number of days that the payee is associated with the end user.

# of Hours Since Payee ACCT was Opened

Integer

The number of hours since the payee account was opened, using the on-line application of their financial institution.

String

The classification of a payee account, defined by your organization, to which the user directs funds.

N/A

Client-Defined Payee N/A Account Type

A: List of Facts

161


C a te g o r y

Fact N am e


Type


Level of Auth Method Passed or Failed

payeeAuthStatus

String

Specifies the relationship between the authentication method requested and the level of the authentication method passed or failed by a payee account to which funds are transferred. The possible values are: • NA. Authentication not requested • FL. Failed authentication • FL_PWD. Failed low-level authentication • PS. Passed authentication • COL. Passed medium-level authentication • GEN. Passed maximum level authentication • H_FL. Failed mobile authentication.

Payee Account Owner

PayeeOwnershipType

String

The owner of the other account to which the end user is sending funds. Possible values are: • ME_TO_ME • ME_TO_YOU

Payee Account Type

PayeeType

String

The type of payee account to which the end user directs funds. Possible values are: • BILLER. Used for bill payment. • PERSONAL_ACCOUNT. Used for transfer to a different personal account.

162

Facts ofListA:


C a te g o r y

Fact N am e


Payee Bank Type

PayeeBank

Type String

D e s c r i p ti o n The type of bank account to which funds are transferred or deposited. Possible values are: • OTHER_BANK. The payee's account is with

another bank. • SAME_BANK. The payee's account is with the same bank.

Risk Score

A: List of Facts

Total Amount of Transfer or Payment in USD

N/A

Double

Accumulated payment amounts are transferred or deposited into the payee account, in values of USD and USD cents, using specific SOAP calls. These values are accumulated by Adaptive Authentication over an unlimited amount of time.

Total Amount of Transfer or Payment in Whole USD

N/A

Long

Accumulated payment amounts are transferred or deposited into the payee account, in whole USD values, using specific SOAP calls. These values are accumulated by Adaptive Authentication over an unlimited amount of time.

score

Number

Theriskscorereceivedfrom the RSA Risk Engine. Possible values are between 0 and 1,000.

RiskScore

163


C a te g o r y

Fact N am e


Transaction Details

Day of the Week

CurrentDayOfWeek

Type String

D e s c r i p ti o n The day of the week of the transaction. Possible values are the numbers 1-7, corresponding to the days of the week: • 1. Sunday • 2. Monday • 3. Tuesday • 4. Wednesday • 5.Thursday • 6. Friday • 7. Saturday

# of Payments During Last 3 Days

payeeAccumulated3Day Double sAmount

The number of payments made by the end user through the account during the last three days.

# of Payments Made by User

payeeNumberOfPaymen Integer ts

The number of payments made by the end user through the account.

Transaction Amount

transactionAmount

Long

The amount of the transaction, in local currency, as received using the API.

Transaction Amount in USD

transactionAmountInUS D

Long

The amount of the transaction in US dollars.

String

Defines how soon and how often the payee receives payment. The possible values are:

Transaction Schedule TransactionSchedule

• IMMEDIATE. For immediate execution. • SCHEDULED. Scheduled for a future date. • RECURRING. A recurring transfer.

164

Facts ofListA:


C a te g o r y

Fact N am e


TransactionSpeed

ExecutionSpeed

Type String

D e s c r i p ti o n Determines how fasta transaction takes place. The possible values are: • FEW_HOURS. Execution of the action takes place within a few hours. • OVER_NIGHT. Execution of the action takes place overnight. • REAL_TIME. Execution of the action takes place in real time. • SEVERAL_DAYS. Execution of the action takes place within several days.

Transaction Type

transactionMedium

String

The type of transaction made. The possible values are: • BILLPAY_MAIL • BILLPAY_ELEC • WIRE • ACH • INTERNAL • BALANCE_TRANSFER • INTL_WIRE • CHECK

TRANS AMT in Local CURR Decimal format

A: List of Facts

N/A

Double

The amount of the transaction, in decimal-based values of the local currency, as received using the API.

TRANS AMT in N/A USD Decimal format

Double

The amount of the transaction, in decimal-based values in US cents, as received using the API.

TRANS AMT in Whole Local Currency

N/A

Long

The amount of the transaction, in whole values of the local currency, as received using the API.

TRANS AMT in Whole USD

N/A

Long

The amount of the transaction, in whole USD values, as received using the API.

165


C a te g o r y

Fact N am e


Type


Trojan Activity

# of Days Since Trojan Infection

N/A

Integer

The number of days that have passed since the time that a Trojan infection was detected on the end user’s computer.

Trojan Attack Occurred

N/A

Boolean

Specifies whether a Trojan attack was detected on the end user’s computer.

166

Facts ofListA:


B

Rules in the Reference Policy The following table shows the names and details of the rules in the reference policy. For more information, see Reference Policy on p age 40.

Order RuleName EventTypes 1

2

3

VeryHigh Risk Activities

• All Logon event types

C o n d i ti o n Condition 1

• All Transaction event types

Enrollment and Profile Update Protection

• Create User

GoldList


Ex p r e s s io n

A c ti o n

Category: Risk Score

Action: Deny

Fact Name: Risk Score

Create a Case: Yes

Operator: Greater Than Value: 990 Category: Risk Score

Action: Deny

• Enroll

Condition 1


Create a Case: Yes

• Update Use

Operator: Greater Than Value: 900 Condition 1


Expression 1

Action: Allow

Expression Operator: OR

Create a Case: No

Category: IP Details Fact Name: Device IP Operator: Within Value: IP on Gold List Custom List: IP on Gold List Condition 1

Expression 2 Expression Operator: OR Category: Account Details Fact Name: User ID Operator: Within Value: User on Gold List

B: Rules in the Reference Policy

167



BlackList




Ex p r e s s io n

A c ti o n

Expression 1

Action: Deny

Expression Operator: AND

Create a Case: Yes

Category: IP Details Fact Name: Device IP

• Session Sign-in

Operator: Within

• Create User

Value: IP on Black List • Enroll • Update User

Custom List: IP on Black List Condition 1

Expression 2 Expression Operator: AND Category: Device Details Fact Name: User Device Not Bound Operator: Equals Value: TRUE

Condition 2

Expression 1 Expression Operator: AND Category: Location Details Fact Name: Country Code from GeoIP Operator: Within Value: Country on Black List Custom List: Country on Black List

Condition 2


168




WatchList




Ex p r e s s io n

A c ti o n

Expression 1

Action: Challenge


Create a Case: Yes (When Authentication Fails)

Category: IP Details Fact Name: Device IP

• Session Sign-in

Operator: Within Value: IP on Watch List Custom List: IP on Watch List Condition 1


Condition 2

Expression 1 Expression Operator: AND Category: Location Details Fact Name: Country Code from GeoIP Operator: Within Value: Country on Watch List Custom List: Country on Watch List

Condition 2


6

UserNot Persistent

Session Sign-in

Condition 1

Category: Account Details

Action: Review

Fact Name: Registered User of the System

Create a Case: Yes

Operator: Equals Value: FALSE


169



Logon Protection Aggregator Device

Session Sign-in


Ex p r e s s io n

A c ti o n

Category: Device Details

Action: Allow

Fact Name: Event Comes from Aggregator Device

Create a Case: No

Operator: Equals Value: TRUE

8

Logon Protection IP in eFN and Device Not Bound

Session Sign-in

Condition 1

Expression 1 Expression Operator: AND Category: eFraudNetwork Fact Name: eFraudNetwork Risk Score

Action: Challenge Create a Case: Yes (When Authentication Fails)


Expression 2

Action: Challenge



Category: Device Details Fact Name: User Device Not Bound Operator: Equals Value: TRUE 9

Logon Protection

Session Sign-in

Condition 1

Category: Risk Score Fact Name: Risk Score

Action: Challenge Create a Case: Yes

Operator: Greater Than Value: 900 10

Logon Protection Device Not Bound

Session Sign-in

Condition 1

Category: Device Details

Action: Challenge

Fact Name: User Device Not Bound


Operator: Equals Value: TRUE

170




Logon Protection Device Fingerprint Mismatch

Session Sign-in


Ex p r e s s io n

A c ti o n

Expression 1

Action: Challenge



Category: Location Details Fact Name: ISP not in Geolocation File for User Operator: Equals Value: TRUE Condition 1

Expression 2

Action: Challenge



Category: Device Details Fact Name: Mismatch between New and Past Device Print Operator: Greater Than Value: 0.75 12

13

Logon Protection Medium Risk

Session Sign-in

Logon Protection Bound Device

Session Sign-in

Condition 1


Action: Review


Create a Case: Yes


Category: Device Details Fact Name: User Device Not Bound

Action: Allow Create a Case: No

Operator: Equals Value: FALSE

14

NewPayee Payment Protection

Payment

Condition 1

Expression 1

Action: Review


Create a Case: Yes

Category: Risk Score Fact Name: Risk Score Operator: Greater Than Value: 600 Condition 1

Expression 2

Action: Review


Create a Case: Yes

Category: Payee Details Fact Name: Days That Payee is Associated with User Operator: Equals Value: 0


171



MailBill Payment Protection

Payment


Ex p r e s s io n

A c ti o n

Expression 1

Action: Review


Create a Case: Yes


Expression 2

Action: Review


Create a Case: Yes

Category: Transaction Details Fact Name: Transaction Type Operator: Equals Value: BILLPAY_MAIL 16

Electronic Bill Payment Protection

Payment

Condition 1

Expression 1

Action: Review


Create a Case: Yes


Expression 2

Action: Review


Create a Case: Yes

Category: Transaction Details Fact Name: Transaction Type Operator: Equals Value: BILLPAY_ELEC

172




Wire Payment Protection

Payment


Ex p r e s s io n

A c ti o n

Expression 1

Action: Review


Create a Case: Yes


Expression 2

Action: Review


Create a Case: Yes

Category: Transaction Details Fact Name: Transaction Type Operator: Equals Value: WIRE 18

ACH Payment Protection

Payment

Condition 1

Expression 1

Action: Review


Create a Case: Yes


Expression 2

Action: Review


Create a Case: Yes

Category: Transaction Details Fact Name: Transaction Type Operator: Equals Value: ACH 20

Change Email

Change_Email

Condition 1


Action: Review


Create a Case: Yes


Change Phone

Change_Phone

Condition 1


Action: Review


Create a Case: Yes

Operator: Greater Than Value: 599


173



Change Address

Change_Address


Ex p r e s s io n

A c ti o n


Action: Review


Create a Case: Yes


Change

Change_Password

Condition 1

Password


Action: Challenge

Fact Name: Risk Score Operator: Greater Than

Create a Case: Yes

Value: 899 24

Edit Payee

Edit_Payee

Condition 1


Action: Review Create a Case: Yes


Add Payee

Add_Payee

Condition 1


Action: Review Create a Case: Yes


Request New PIN

Condition 1


Action: Review


Create a Case: Yes


Request Credit

Condition 1


Action: Review


Create a Case: Yes

Operator: Greater Than Value: 900

174



C

List of Event Types The following table lists the event types supported by the RSA Adaptive Authentication (On-Premise) system. For more information, see Event Types on page 42.

EventType

Description

ACTIVATE_CARD

The user attempts to activate a card (for example, debit, credit)

ADD_PAYEE

The user attempts to add a new payee to their list of payees

CARD_PIN_CHANGE

The user attempts to change the PIN of a credit or debit card.

CHANGE_ADDRESS

The user attempts to change their standard mailing address

CHANGE_ALERT_SETTINGS

The user attempts to change their settings for receiving alerts (for example, an alert when a change is made to their account)

CHANGE_AUTH_DATA

The user attempts to change their authentication data (for example, phone number, challenge questions)

CHANGE_EMAIL

The user attempts to change their contact email address

CHANGE_LIFE_QUESTIONS

The user attempts to change the questions/answers they want to see if they are challenged by this form of additional authentication

CHANGE_LOGIN_ID

The user attempts to change their login ID

CHANGE_PASSWORD

The user attempts to change the password they use to access the organization’s online system

CHANGE_PHONE

The user attempts to change their contact phone number

CHANGE_STATEMENT_SETTINGS

The user attemp ts to change thei r settings for sta tement display or receipt

CLIENT_DEFINED

The organization attempts to define their own event type to use instead of or in addition to the RSA default event types. The RSA Risk Model is run on the event type combination.

CREATE_USER

The organization attempts to add an online user

DEPOSIT

Theuserattemptstoinitiateadeposit

EDIT_PAYEE

The user attempts to edit a payee in their list of payees

ENROLL

The user attempts to enroll into the organization’s online system

Event List of C: Types

175


EventType

Description

EXTRA_AUTH

The organization notifies the Adaptive Authentication system of the result of external authentication. The system is informed if the authentication is successful and if the user's profile is updated to determine whether the transaction is genuine or fraudulent.

FAILED_CHANGE_PASSWORD_ ATTEMPT

The user's attempt to change the password fails.

FAILED_LOGIN_ATTEMPT

The user's attempt to be authenticated when logging into the organization’s online system is unsuccessful.

FAILED_OLB_ENROLLED_ ATTEMPT

The user's attempt to enroll online is unsuccessful.

NULL

NA

OLB_ENROLL

Theuserattemptstoenrollonline.

OLB_PASSWORD_CHANGE

The user attempts to change the on-line banking password.

OPEN_NEW_ACCOUNT

The user attempts to open a new account.

OPTIONS_TRADE

The user attempts to initiate a stock options trade.

PAYMENT

Theuserattemptstoinitiateapaymenttoapayee.

READ_SECURE_MESSAGE REQUEST_CHECK_COPY

The user attempts to read secure messages. The user requests a copy of their checks.

REQUEST_CHECKS

The user requests to order checks.

REQUEST_CREDIT

Theuserrequestscredit.

REQUEST_NEW_CARD

The user requests a new card (for example, debit, credit).

REQUEST_NEW_PIN

The user requests a new PIN.

REQUEST_STATEMENT_COPY

The user request for a copy of the statement.

SEND_SECURE_MESSAGE

The user attempts to send a secure message.

SESSION_SIGNIN

The user attempts to sign into an online session.

STOCK_TRADE

The user attempts to initiate a stock trade.

UPDATE_USER

The user attempts to update user information.

USER_DETAILS

The user attempts to view user details.

VIEW_CHECK

Theuserattemptstoviewacheck.

176



EventType

Description

VIEW_STATEMENT

The user attempts to view account statement.

WITHDRAW

The user attempts to initiate a withdrawal from the user’s account.


177

BackOffice_UserGuide

Recommend Documents