Ask the Expert

Has FFIEC made any VoIP-specific mandates?

What FFIEC considerations must be made when looking at using a voice over IP solution in a bank environment? Does FFIEC require voice traffic to be encrypted?


To my knowledge, the FFIEC has not mandated anything specifically related to VoIP. That being said, voice over IP is a technology that would be subjected to the risk management program specified by FFIEC. Before I expand a bit on that topic, let me clearly address the second part of your question, which is no, the FFIEC does not specifically require voice traffic to be encrypted.

Let's dig a bit into the FFIEC risk management program and see what's there. Basically, banks need to implement a security program, which would include things like risk assessments, security controls and monitoring. Details about what is specified can be found on the FFIEC website. There are lots of structured programs that can help corporations adhere to these standards, like ISO 27002 or COBIT. If an organization has a sufficiently strong security posture, the FFIEC guidance is nothing new or out of the ordinary.

In 2006, there was a lot of activity relative to the mutual authentication requirement on online banking services relative to FFIEC guidance. But that is largely in the rearview mirror, as most banks have some sort of stronger authentication implemented, and there haven't been any examples of failed audits or other ramifications that would cause the banks to revisit their strategies.

And that really is the point relative to VoIP and any of these regulations. Voice traffic running on an IP network is just another data type and should be subjected to the same level of scrutiny and security controls as any other data or application. There are some specific attacks relative to voice, but they are unsophisticated and uncommon.

So if you work for a bank and FFIEC is a concern, go back and revisit your overall security program. If you are in good shape overall relative to what it outlines, you will be good relative to VoIP.

For more information:

  • In this tip, Mike Chapple examines virtualization and VoIP in 2008.
  • Learn if deploying VoIP on an 802.1x network causes security problems.

This was first published in February 2008.
