Has FFIEC made any VoIP-specific mandates?
What FFIEC considerations must be made when looking at using a voice over IP solution in a bank environment? Does FFIEC require voice traffic to be encrypted?


To my knowledge, the FFIEC has not mandated anything specifically related to VoIP. That being said, voice over IP is a technology that would be subjected to the risk management program specified by FFIEC. Before I expand a bit on that topic, let me clearly address the second part of your question, which is no, the FFIEC does not specifically require voice traffic to be encrypted.

Let's dig a bit into the FFIEC risk management program and see what's there. Basically, banks need to implement a security program, which would include things like risk assessments, security controls and monitoring. Details about what is specified can be found on the FFIEC website. There are lots of structured programs that can help corporations adhere to these standards, like ISO 27002 or COBIT. If an organization has a sufficiently strong security posture, the FFIEC guidance is nothing new or out of the ordinary.

In 2006, there was a lot of activity relative to the mutual authentication requirement on online banking services relative to FFIEC guidance. But that is largely in the rearview mirror, as most banks have some sort of stronger authentication implemented, and there haven't been any examples of failed audits or other ramifications that would cause the banks to revisit their strategies.

And that really is the point relative to VoIP and any of these regulations. Voice traffic running on an IP network is just another data type and should be subjected to the same level of scrutiny and security controls as any other data or application. There are some specific attacks relative to voice, but they are unsophisticated and uncommon.

So if you work for a bank and FFIEC is a concern, go back and revisit your overall security program. If you are in good shape overall relative to what it outlines, you will be good relative to VoIP.

This was first published in February 2008.