By now, the new FFIEC guidance should have found its way onto your desk and to the top of your ‘To Do List”. After all, the January compliance deadline is fast approaching, so it’s time to get busy. The question everyone is asking is no longer “What is this?”, but “How do I do this? Where do I begin?” To help you, we’ve identified five key starting points for financial institutions.
1. Enforce strong step-up authentication for risky activities:
It’s pretty clear that the FFIEC has shot down the most widely-used method of authentication – the Challenge/Response Questions – but they were nice enough to identify other means of stronger authentication. Included are “Out of Band” authentication and “Out of Wallet” authentication such as the RSA’s Identity Verification technology, as well as an one-time password technology such as RSA SecurID.
You need to ask yourself “what do we have?” vs. “what do we need?” This will help you choose the right authentication approach based on the application or service you’re applying it to. By using a variety of methods, you avoid deploying redundant layers, which leave gaping holes in other places.
2. Implement risk assessments into login & fund-handling transactions:
It’s about time the FFIEC not only recognized the threats to the consumers, but also commercial clients. Now that they’ve recognized these threats, they are pushing for more scrutiny on individual account and user activities. Once you tackle this requirement, you’ve accomplished what the FFIEC feels is most important; and luckily, there are a number of ways to address this, including InfoSight’s own services.
3. Lock your NOC:
This is a no brainer. Make sure security admins are aware of what individuals are or are not authorized to have access to a particular points in the system. Treat it like an audit activity and apply the correct access controls based on the outcome of the audit. It’s helpful and prudent to have an independent party review the security admin reports to ensure the necessary checks and balances are in place for managing a truly safe and secure system.
4. Develop a reoccurring risk assessment framework:
If you ever needed a shoulder to lean on, this is the time to engage the skills and experience of an IT security expert. It’s critical to build a relationship with your technology service provider that results in an ongoing process to review your authentication technology and ensure all the appropriate changes are applied.
5. Education is not a luxury, it’s a requirement:
Education is now a requirement for your staff. And, resulting from litigation over who is liable for wire fraud (the institution or the customer), banks are encouraged to provide Information Security Awareness Training for their customers, especially commercial clients. More and more institutions are offering Information Security Awareness Training to their commercial clients because it’s an excellent way to prove your effort to provide “reasonable security.” When you begin researching training options for your staff, and later for your customers, consider InfoSight-U. No one wants to buy training from multiple vendors. InfoSight-U provides an all-inclusive training solution for the diverse needs of your staff, as well as customized training for your customers.