
What do organizations need to know about the final FFIEC guidance?

The final FFIEC guidance covers a wide range of security subjects, but there are specific takeaways regarding authentication that enterprises should pay attention to.

In an attempt to reinforce its 2005 guidance, the final FFIEC guidance was recently released. This release includes information about customer authentication, layered security and other online controls. What should my enterprise take away from the guidance, specifically in regard to authentication? What action do we need to take?

The release of this guidance from the Federal Financial Institutions Examination Council (FFIEC) is an attempt to update the 2005 version to reflect the need for stronger security processes in this ever-challenging Internet-based world. When the 2005 guidance was issued, Internet banking was in its infancy, and a lot of the malcontents who now attack organizations over the Internet on a daily basis weren't yet in operation. With that said, these aren't just banking controls; even though this guidance is directed at the financial world, other industries, such as healthcare, retail, manufacturing, education and pharmaceuticals, can benefit from the security guidelines provided. Also, while there are many recommendations, the bottom line is a call for stronger controls and more mature risk-based approaches. The security field has matured a lot since 2005 and, as Spider-Man's uncle is often quoted as saying, "With great power comes great responsibility."

The FFIEC guidance is straightforward and easy to understand. The first important point is that authentication frameworks should be created using a risk-based approach. There are many questions about how to control administrative access, two-factor authentication and third-party-created credentials, among others. The one common thread in all of the responses is to ensure that the authentication services, processes and credentials created match the protection required for the value of the information they protect. This is echoed in the recent guidance document. Not only does the guidance recommend that the security mechanisms be matched to the value of the financial transaction they are protecting, it also recommends a strong risk-based approach as well as rigor in assessing the capabilities and protections these controls provide. This includes not only knowing the identity of who is conducting a transaction, and on what machine, but also having a strong remediation plan should things go wrong. And specifically for authentication, should there be doubt about a credential, there will be a need for a response process based on challenge questions to prevent identity spoofing.

Finally, the FFIEC authentication guidance devotes time to ensuring organizations are aware that, even though they have custodianship of the authentication processes and credentials, they also have a responsibility to educate their customers and make sure they are aware of the various parties' responsibilities. This includes informing customers of their responsibilities and how to protect their account logins, as well as how to report any potentially fraudulent activities.

Financial transactions are truly a partnership between the financial institution and its customers, and each plays an important role in ensuring the protection and proper use of authentication credentials.


This was last published in June 2015
