New InfoSec Guidelines Released by FFIEC
Last week, the Federal Financial Institutions Examination Council (FFIEC) released a new addendum, Strengthening the Resilience of Outsourced Technology Services (PDF), to address potential threats to financial data and security controls to ensure business continuity in the event of a breach.
Business continuity refers to maintaining or quickly resuming business functions in the event of a disruption or natural disaster - nowadays, a breach or online attack also fits the description, and is a reality for many companies that never planned for such an incident.
Protecting Against Threats Introduced by Third-Party Providers
The ongoing trend in compliance and regulatory updates has been toward security guidelines for the use of vendors. This can be seen in the upgrade of the Payment Card Industry Data Security Standard (PCI DSS) to version 3.0, which added more specific testing procedures and clarity about security with third-party service providers.
For example, a Qualified Security Assessor (QSA) auditing for the two-factor authentication control must inspect system and device configurations to ensure that two-factor authentication is set up and enabled. The guidelines also clarify who needs to have two-factor authentication enabled on their accounts:
- All remote access by personnel.
- All third-party/vendor remote access (including access to applications and system components for support or maintenance purposes).
The same trend applies to the Health Insurance Portability and Accountability Act of 1996, which was updated (the Final HIPAA Omnibus Rule) to extend the liability and scope of the guidelines to business associates, which have historically been involved in about 24 percent of total breaches reported to the Dept. of Health and Human Services.
Financial Institutions and Third-Party Security
In their Business Continuity Planning booklet, the FFIEC recommends thoroughly evaluating and performing due diligence before contracting with a third-party service provider.
While improvements in technology can strengthen business resilience against possible threats, new tech can also introduce new and different risks. That includes shared access to data, virtual exploits and authentication weaknesses.
Potential Threats to Financial Data
The guide also lists the potential threats to financial data, so that financial institutions understand why they need a business continuity plan in the event that they are targeted with:
Malware can cause data corruption and unauthorized financial transactions, resulting in fraud. The FFIEC recommends that financial institutions and TSPs protect against malware by investing in integrity checks, anomaly detection, system behavior monitoring and employee security awareness training.
For resilience, they recommend using strong passwords, mobile devices with security controls, social network access control, hardened software and operating systems (config management, security patch management, removal of unnecessary programs/utilities), and controlled/monitored Internet access.
Disgruntled or rogue employees can carry out an attack from within financial institution walls. Employee screening, dual controls and segregation of duties are some controls that can help mitigate insider risks.
Data or Systems Destruction or Corruption
To protect against the risk of data corruption or destruction, the FFIEC recommends maintaining replicated data backups with appropriate redundancy controls and segregation of the replicated backup files (typically part of an IT disaster recovery plan).
Another control is physically isolating a computer, system or network, both to limit the exposure of data during an attack and to allow data to be restored to a point in time before the attack.
Some attacks can disrupt communications and target underlying infrastructures, resulting in certain scenarios:
- Reliance on a single communications provider can create a single point of failure
- TSP concentration can result in a disruption to multiple financial institutions
- Converging voice and data services in the same network can result in simultaneous disruptions of telecommunications and electronic messaging
Prevention is key to avoiding a data breach, but having a business continuity plan for after a breach should also be part of an overall security strategy. The FFIEC's updates to their IT security guidance come after they piloted a cybersecurity examination work program (Cybersecurity Assessment) involving over 500 community financial institutions to measure their preparedness to mitigate cyber risks. Learn about their observations as a result of the assessments (PDF).
Learn more about the FFIEC and security in: FFIEC To Update Security Guidance for Banks After Assessments