Wednesday, March 16, 2011

Updates to FFIEC Authentication Guidelines

The FFIEC published draft guidelines that update their 2005 guidance for authentication in Internet banking environments.

This updated draft guidance calls for:

  • More risk assessments for banks to better understand and respond to emerging threats, such as man-in-the-middle or man-in-the-browser attacks, as well as keyloggers;
  • Increased multifactor authentication;
  • Layered security controls;
  • Improved device identification and protection;
  • Improved customer and employee fraud awareness.

The good news is that tools such as Oracle Adaptive Access Manager already provide many of the controls specified in the draft guidance. Check out the datasheet to see how OAAM can help meet the requirements of these updated guidelines.

This updated FFIEC guidance is consistent with another trend we've seen: more precise, prescriptive regulations that organizations need to meet in order to be in compliance. Typically, more prescriptive regulations appear first in industry segments like financial services (or other highly regulated industries like healthcare) and then gradually spread to other industry segments.
