In spite of doom-and-gloom predictions following the FFIEC's guidance announcements, financial institutions are able to balance convenience with security.
As many U.S. banks and credit unions turn a corner on two-factor authentication deployments precipitated by last year's Federal Financial Institutions Examination Council (FFIEC) guidance on the matter, they are still finding that they must balance customer satisfaction with customer security. However, online banking consumers are proving to be far more accepting of strong authentication than industry pessimists predicted, in spite of the fact that most of them are unaware of the new regulation.
The Check Clearing for the 21st Century Act (Check 21) has created new opportunities for financial institutions and customers. By eliminating the need to transport paper checks, remote check capture can provide significant cost savings for financial institutions. Customers benefit as well: retail customers can receive image proof-of-deposit at an ATM or other remote capture site, and commercial customers can deposit imaged checks directly at their own premises.
At the same time, remote check capture carries with it operational risks that, left unmitigated, could expose a financial institution to fraud losses. According to a 2006 white paper published by the BITS Fraud Reduction Steering Committee, the use of the Internet to transmit check image files could be exploited by criminals: "Remote deposit image files will be open to all the same attacks that online banking or online commerce face. Files could be intercepted on the Internet and either be edited for fraudulent submission or mined for fraud and identity theft."
Information security risks include unauthorized access to and/or use of the imaged information, submission of edited or unauthorized files for clearing, and loss of data. Fortunately, strategies exist for mitigating these risks.
Today we're speaking with Alan Paller of the SANS Institute. For those of you who don't know, SANS is the most trusted and, by far, the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system, the Internet Storm Center. Their website is www.sans.org. Alan is the director of research for the SANS Institute, and he's responsible for overseeing all research projects ranging from the SANS Step-by-Step Guides to the SANS Digest to the top 20 Internet Security Tricks. He's also the founder of the CIO Institute and earned his degrees in computer science and engineering from Cornell and MIT. Alan is the author of the EIS book Information Systems for Top Managers and How to Get the Best Presentation of Your Life. In 2001, the President named Alan as one of the original members of the National Infrastructure Advisory Council; and in 2005, the Federal CIO Council chose him as its Azimuth Award winner, recognizing his vision and outstanding service to federal information technology.
In December, a milestone of sorts was reached when Boeing Co. disclosed that a laptop containing names, SSNs, home addresses, phone numbers and dates of birth of 382,000 current and former employees had been stolen from an employee's car. The theft pushed the number of records compromised due to security breaches over the 100 million mark, according to the Privacy Rights Clearinghouse, which tracks breaches dating back to the ChoicePoint incident in 2005. The number of individuals affected isn't known, because some individuals may be the victims of more than one breach.
In deciding to retain a managed security service provider, an organization needs to treat the potential engagement as a decision about how risk is mitigated and shared. When weighing the risks, financial institutions need to consider issues such as trust, dependence, and ownership. Establishing a good working relationship and building trust between a client and service provider is critical in deciding whether to outsource security services. Any service provider has access to sensitive client information and details about the client's security posture and vulnerabilities. The intentional or inadvertent public release of such information can be extremely damaging to the client. A signed confidentiality agreement, enacted in the later stages of contract negotiations, can help mitigate this risk.
As the threat of computer-initiated attacks increases, and as regulators put more pressure on financial institutions to shore up their information assets, financial institutions are turning toward outsourcing their information security functions to third-party processors. These outsourcing deals, which are often part of a larger IT infrastructure outsourcing deal but can also be standalone, are being done for the same reason financial institutions have outsourced other parts of their operations, such as check processing: to mitigate risk by placing control of a key operation in the hands of highly skilled practitioners. "The outsourcing of information security makes sense to organizations that have a highly developed concept of risk," says Prosenjeet Banerjee, VP and head of information security at HCL Technologies, an IT outsourcing firm based in India. More than half of its clients are financial institutions.