 |
 |
 |
 |
 |
|
In spite of doom-and-gloom predictions following the FFIEC’s guidance announcements, financial institutions are able to balance convenience with security As many U.S. banks and credit unions turn a corner on two-factor authentication deployments precipitated by last year’s Federal Financial Institutions Examination Council (FFIEC) guidance on the matter, they are still finding that they must balance customer satisfaction with customer security. However, online banking consumers are proving to be far more accepting of strong authentication than industry pessimists predicted—in spite of the fact that most of them are unaware of the new regulation.
The Check Clearing for the 21st Century Act (Check 21) has created new opportunities for financial institutions and customers. By eliminating the need to transport paper checks, remote check capture can provide significant cost savings for financial institutions. Customers benefit as well: retail customers can receive image proof-of-deposit at an ATM or other remote capture site, and commercial customers can deposit imaged checks directly at their own premises.
Today we're speaking with Alan Paller of the SANS Institute. For those of you who don't know, SANS is the most trusted and, by far, the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system, the Internet Storm Center. Their website is www.sans.org. Alan is the director of research for the Sans Institute, and he's responsible for overseeing all research projects ranging from the Sans' Step-by-Step Guides to the Sans Digest to the top 20 Internet Security Tricks. He's also the founder of the CIO Institute and earned his degrees in computer science and engineering from Cornell and MIT. Alan is the author of the EIS book Information Systems for Top Managers and How to Get the Best Presentation of your Life. In 2001, the President named Alan as one of the original members of the National Infrastructure Advisory Council; and in 2005, the Federal CIO Council chose him at its 2005 Azimuth Award winner, recognizing his vision and outstanding service to federal information technology.
In December, a milestone of sorts was reached when Boeing Co. disclosed that a laptop containing names, SSNs, home addresses, phone numbers and dates of birth of 382,000 current and former employees had been stolen from an employee's car. The theft pushed the number of records compromised due to security breaches over the 100 million mark, according to the Privacy Rights Clearinghouse, which tracks breaches dating to the ChoicePoint incident in 2005. The number of individuals affected isn't known, because some individuals may be the victim of more than one breach.
The arms race against phishers, strengthening firewalls, FFIEC authentication deadline issues and the constantly evolving risk management model were among the many topics covered by the FINSEC 2006 conference speakers last week in New York. The security strategies and tools and techniques presentations covered in the two-day conference were led by eleven information security experts from national banks and financial firms. The most highly-sought after seat was in the FFIEC Authentication Guidance talk led by Diana Kelley, VP and Service Director from the Burton Group. It was standing room only within five minutes of the start, showing many of the FIN SEC 2006 attendees wanted to know how the authentication guidelines will apply to their institutions. The Tower Group has estimated that only 20 percent of institutions will have security systems implemented by the end of the year.
In deciding to retain a managed security service provider, an organization needs to treat the potential action as a risk mitigation sharing decision. When weighing the risks, banks need to consider issues such as trust, dependence, and ownership. Establishing a good working relationship and building trust between a client and service provider is critical in deciding whether to outsource security services. Any service provider has access to sensitive client information and details about the client's security posture and vulnerabilities. The intentional or inadvertent public release of such information can be extremely damaging to the client. A signed confidentiality agreement enacted in the later stages of contract negotiations can help mitigate this risk.
As the threat of computer-initiated attacks increases, and as regulators put more pressure on banks to shore up their information assets, financial institutions are turning toward outsourcing their information security functions to third party processors. These outsourcing deals, which are often part of a larger IT infrastructure outsourcing deal but can also be standalone, are being done for the same reason banks have outsourced other parts of their operations, such as check processing: to mitigate risk by placing control of a key operation in the hands of highly-skilled practitioners. "The outsourcing of information security makes sense to organizations that have a highly developed concept of risk," says Prosenjeet Banerjee, VP and head of information security at HCL Technologies, an IT outsourcing firm based in India. More than half of its clients are financial institutions.
|
||||||||||||||||||||||||||||||||||||||||||||||
RSS SyndicationCopyright © 2007 BankInfoSecurity.com