Now that the FFIEC's updated online authentication guidance is out, banking institutions need to move forward in preparation for 2012 compliance, says Julie McNelley, banking fraud analyst for Aite Group.
"The FFIEC guidance does a good job of addressing today's and yesterday's threats and suggested techniques, but it is not sufficiently forward-looking," says Gartner's Avivah Litan. "Two years from now, the guidance will be sorely out of date."
For all the latest news and views, please visit the FFIEC Authentication Guidance Resource Center.
Aite's Julie McNelley says the final FFIEC online authentication guidance offers greater detail in areas such as layered security, but that institutions have much to do to prepare for regulatory assessments in 2012.
The Federal Financial Institutions Examination Council has formally released the long-awaited update to its "Authentication in an Internet Banking Environment" guidance. The new directives take effect January 2012.
The Final FFIEC Guidance has been issued and its main intent is to reinforce the 2005 Guidance's risk management framework and update the Agencies' expectations regarding customer authentication, layered security, or other controls in the increasingly hostile online environment.
Security experts at this week's Gartner Security and Risk Management Summit agree: Security, not compliance, has to be the new focus. Cyberintrusions cannot be stopped, and the RSA breach should be a lesson to the industry.
Greg Rattray, VP of Security at BITS, says we can't necessarily stop the spread of dangerous malware like Zeus, but banking institutions can do a better job of mitigating the risk and damage that follow such an attack.
The same approach governments and businesses employ to protect individuals from the dangers of secondhand smoke could be applied to safeguard cyberspace, says Scott Charney, Microsoft's vice president of trustworthy computing, engineering excellence and environmental sustainability.
Tips for Preventing Fraud and Complying With FFIEC Guidance
The onslaught of ACH/wire fraud incidents confirms what the researchers have long said: We're in a new wave of malicious code. This new wave is run by organized crime, and it's focused on one objective: Stealing personally identifiable information and...
Four years ago, the Council of Registered Ethical Security Testers began as an organization to bring standardization to the penetration testing industry. Today, CREST's scope is expanding across industries and global regions, says president Ian Glover.
It's been over three months since the accidental disclosure. When will the final FFIEC authentication update be released? "I don't think we're any less safe," says Gartner's Avivah Litan. "We just need to step up enforcements."