Let's dig a bit into the FFIEC risk management program and see what's there. Basically, banks need to implement a security program, which would include things like risk assessments, security controls and monitoring. Details about what is specified can be found on the FFIEC website. There are lots of structured programs that can help corporations adhere to these standards, like ISO 27002 or COBIT. If an organization has a sufficiently strong security posture, the FFIEC guidance is nothing new or out of the ordinary.
In 2006, there was a lot of activity around the mutual authentication requirement for online banking services in the FFIEC guidance. But that is largely in the rearview mirror, as most banks have implemented some sort of stronger authentication, and there haven't been any examples of failed audits or other ramifications that would cause the banks to revisit their strategies.
And that really is the point when it comes to VoIP and any of these regulations. Voice traffic running on an IP network is just another data type and should be subjected to the same level of scrutiny and security controls as any other data or application. There are some attacks specific to voice, but they are unsophisticated and uncommon.
So if you work for a bank and FFIEC is a concern, go back and revisit your overall security program. If you are in good shape overall against what the FFIEC guidance outlines, you will be in good shape for VoIP as well.