Has FFIEC made any VoIP-specific mandates?

Mike Rothman discusses the FFIEC risk management program and explains what FFIEC considerations should be made when using VoIP.

What FFIEC considerations must be made when looking at using a voice over IP solution in a bank environment? Does FFIEC require voice traffic to be encrypted?
To my knowledge, the FFIEC has not mandated anything specifically related to VoIP. That being said, voice over IP is a technology that would be subjected to the risk management program specified by FFIEC. Before I expand a bit on that topic, let me clearly address the second part of your question, which is no, the FFIEC does not specifically require voice traffic to be encrypted.

Let's dig a bit into the FFIEC risk management program and see what's there. Basically, banks need to implement a security program, which would include things like risk assessments, security controls and monitoring. Details about what is specified can be found on the FFIEC website. There are lots of structured programs that can help corporations adhere to these standards, like ISO 27002 or COBIT. If an organization has a sufficiently strong security posture, the FFIEC guidance is nothing new or out of the ordinary.

In 2006, there was a lot of activity relative to the mutual authentication requirement on online banking services relative to FFIEC guidance. But that is largely in the rearview mirror, as most banks have some sort of stronger authentication implemented, and there haven't been any examples of failed audits or other ramifications that would cause the banks to revisit their strategies.

And that really is the point relative to VoIP and any of these regulations. Voice traffic running on an IP network is just another data type and should be subjected to the same level of scrutiny and security controls as any other data or application. There are some specific attacks relative to voice, but they are unsophisticated and uncommon.

So if you work for a bank and FFIEC is a concern, go back and revisit your overall security program. If you are in good shape overall relative to what it outlines, you will be good relative to VoIP.

For more information:

  • In this tip, Mike Chapple examines virtualization and VoIP in 2008.
  • Learn if deploying VoIP on an 802.1x network causes security problems.

This was last published in February 2008.
