[funsec] New Internet Banking guidance issued (FFIEC)
Gary Warner
gar at askgar.com
Mon Oct 24 14:39:40 CDT 2005
In the US, the FFIEC is a group that measures compliance with FDIC rules
for banking. It's made up of the Board of Governors of the Federal
Reserve, the FDIC, the National Credit Union Administration, the Office
of the Comptroller of the Currency, and the Office of Thrift Supervision.
(There are 8,874 FDIC-insured institutions with more than $10 trillion
in assets.)
Anyway, the FFIEC has released a 14-page PDF that basically says "one
factor authentication is not adequate to protect access to online
banking systems".
http://www.ffiec.gov/pdf/authentication_guidance.pdf
The accompanying press release, October 12th,
http://www.ffiec.gov/press/pr101205.htm
makes it clear that banks who do not "tighten up" their Internet
authentication may have trouble passing their Information Technology
review. Those doing the inspection use an FFIEC Information Technology
Examination Handbook for "Just In Time" training, which is updated
online to reflect current standards for examination.
===========
Gar was curious, so he tried to find out how FFIEC trains their
Examiners . . . check this out . . .
===========
The Training "InfoBase" is here:
http://www.ffiec.gov/ffiecinfobase/index.html
The "current" training presentations are indexed here:
http://www.ffiec.gov/ffiecinfobase/html_pages/presentations_frameset.htm
and it contains many "presentations" about particular topics, such as
the "E-Banking" presentation:
(flash version)
http://www.ffiec.gov/ffiecinfobase/presentations/ebanking_pres_page.html
(August 2003)
(script) http://www.ffiec.gov/ffiecinfobase/presentations/ebank_pres.pdf
(You should also check out the "IT Security" training presentation --
the "current" version is December 2002.)
_-_
gar