[funsec] New Internet Banking guidance issued (FFIEC)

Gary Warner gar at askgar.com
Mon Oct 24 14:39:40 CDT 2005


In the US, the FFIEC is a group that measures compliance with FDIC rules 
for banking.  It's made up of the Board of Governors of the Federal 
Reserve, the FDIC, the National Credit Union Administration, the Office 
of the Comptroller of the Currency, and the Office of Thrift Supervision.

(There are 8,874 FDIC-insured institutions with more than $10 Trillion 
in assets)

Anyway, the FFIEC has released a 14-page PDF that basically says "one 
factor authentication is not adequate to protect access to online 
banking systems".

http://www.ffiec.gov/pdf/authentication_guidance.pdf

The accompanying press release, October 12th,

http://www.ffiec.gov/press/pr101205.htm

makes it clear that banks who do not "tighten up" their Internet 
authentication may have trouble passing their Information Technology 
review.  Those doing the inspection use an FFIEC Information Technology 
Examination Handbook for "Just In Time" training, which is updated 
online to reflect current standards for examination.

===========
Gar was curious, so he tried to find out how FFIEC trains their 
Examiners . . . check this out . . .

===========

The Training "InfoBase" is here:

           http://www.ffiec.gov/ffiecinfobase/index.html

The "current" training presentations are indexed here:

           http://www.ffiec.gov/ffiecinfobase/html_pages/presentations_frameset.htm

and it contains many "presentations" about particular topics, such as 
the "E-Banking" presentation:

(flash version) 
http://www.ffiec.gov/ffiecinfobase/presentations/ebanking_pres_page.html  
(August 2003)

(script) http://www.ffiec.gov/ffiecinfobase/presentations/ebank_pres.pdf

(You should also check out the "IT Security" training presentation -- 
the "current" version is December 2002.)

_-_
gar

