
THE GOOD
Layered security in favor of just authentication
Gartner's Litan thought it great that the document made it clear "that virtually every authentication technique can be compromised." She believes the FFIEC's emphasis on urging banks to implement layered security is a big improvement.
THE GOOD
Advice on risk assessments
The document offers good leadership in promoting the updating of risk assessments "and what environmental and customer changes to take into account when doing so," Litan says.
THE GOOD
Focus on risk management
Litan says that promoting a "risk-based approach where controls are strengthened as risk increases" will greatly help banks face threats.
THE GOOD
Added focus on business banking
Last time the guidance came around, the FFIEC didn't differentiate between consumer and business banking customers, leading some within the financial sector to think they only needed to worry about consumer accounts. Litan says the agency did well to mention businesses this time around.
THE GOOD
Added best practices not directly tied to specific technology
The FFIEC added more process-oriented input to security strategies for banks this time, "including the use of 'positive pay', debit blocks, dual customer authorization, etc, and does not focus solely on technology measures," Litan says.
THE GOOD
Specifies details necessary to better rein in privileged access
Last time around the FFIEC didn't mention privileged user accounts at all. Litan says the new word from the agency does a better job of laying out the controls needed there.
THE GOOD
Offers wakeup call that old tools and practices don't cut it anymore
In this guidance the FFIEC was very forthright about the shortcomings of the old security regime. By mentioning simple device identification and challenge questions as weak protections, the agency does banks a favor, Litan says.
THE BAD
Too many trigger clauses
"Its wording is too wishy washy when it comes to delineating bank responsibility from customer responsibility," Litan says. "It uses words like ‘could have prevented’ or ‘suggestion’ too often. The regulators should be more matter of fact in setting out the guidelines and principles."
THE BAD
Small banks that don't do their own security are left in the dark
Small banks make up 80 percent of the U.S. bank population and they usually depend on third party services to administer online banking and its security. And yet there's no mention of them in this document. "Where’s the guidance for them?" Litan asks.
THE BAD
Customer education still inadequately discussed
While the guidance does say banks need to explain to customers the protections they use, it doesn't really specify how they should do that.
THE UGLY
It still isn't future-proofed
Yes, it is hard to do this, but the FFIEC still isn't looking forward with this document, Litan says. "Surely the threats will change substantially over the next five years," Litan warns, saying there's not enough mention of how the mobile environment will change the online banking game. "Given that the guidance is specific in its discussion about the techniques used to prevent yesterday's attacks, it should devote more time describing how those attacks are likely to change."