Infragard, FFIEC Solutions, Oh My!!!
I was at the NYC Infragard meeting yesterday, where the discussion was all about the FFIEC guidance put out in October 2005, what it really means, and some solutions that had been implemented or were under consideration. I learned a ton while I was there, and it was worth the time. Plus I met some great FBI agents and NYPD guys, as well as other business leaders who were in attendance.
Some of the things I learned while there:
1. The FFIEC guidance is guidance. It is NOT a mandate and is ENTIRELY dependent on a risk assessment
2. The risk assessment must be completed, along with a deployed solution, by 12/31 (the FFIEC's year-end 2006 conformance date)
3. The American Banking Association is recommending that its members implement compartmentalized access (zoning) for employees, service providers, and contractors
4. Service providers (xSPs) will be under heavier scrutiny, but the banks are ULTIMATELY responsible for implementing something based on their risk assessment
5. TNT will be considered a 2nd factor (something you have/machine ID), along with username & password
6. Section 326 of the Patriot Act (the Customer Identification Program requirement) comes into play
7. Applications/areas/systems covered – Internet banking, loan origination apps, accounting apps, call centers, and telephone banking
The guidance supposedly has to do with protecting the identity of customers and covering banks for high-risk transactions (high risk being defined as anything to do with money transfer, so basically everything). But I couldn't help but think that at the end of the day it is another example of a governing body of a collection of institutions trying to protect us from ourselves.
There were some interesting data points that I learned as well.
70% of identity theft is non-electronic and paper-based (dumpster diving)
Phishing and pharming will continue to grow for a few reasons - it's lucrative for the bad guys, people are suckers, and more people continue to increase their online activity. It's a numbers game basically. More people going online means more targets, and more chances of catching someone off guard or who has no clue what the internet or email is beyond penis enlargement offers and GEICO ads and popups.
The most interesting thing that I came out of the meeting with was this:
NO ONE IS WATCHING THE CASH REGISTER
By that I mean there is so much focus on protecting customers from the internet, when we all should be worrying about the disgruntled guy inside the bank (or Mumbai call center) with access to every piece of financial information of every customer, all of which could be stolen in a single 8-hour shift.
If you are a 'Black ID' merchant or bad guy, then you want access to the most information with the least amount of effort. You will get this from the inside far easier than from the outside. At $2 per ID, getting 500,000 IDs downloaded and burned onto a DVD in 8 hours is not unlikely, and guess what - that employee/contractor is gone with a cool million, and can move to North Korea, publish and sell his memoirs online, and make even more.
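One way to actually watch the cash register is to count, per user, how many distinct customer records get touched inside a sliding time window and alert when that count exceeds anything a human working tickets would plausibly need. The script below is an added example and is not code from the original post or from any bank or vendor it mentions; the log format, the user names, the 10-minute window and the threshold of 50 distinct records are all assumptions, and the log lines are constructed for the demonstration.

```python
"""
Added example (not from the original post): a rate-based detector for insider
bulk access to customer records. It replays constructed application access log
lines, tracks the distinct customer IDs each user touched inside a sliding
window, and flags users whose count exceeds a threshold. Window length,
threshold, log format and user names are assumptions for illustration.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO timestamp> user=<id> action=<verb> customer=<id>"
LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_line(line):
    """Parse one log line into (timestamp, user, action, customer_id)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts_text, LOG_FORMAT), kv["user"], kv["action"], kv["customer"]


def detect_bulk_access(lines, window=timedelta(minutes=10), max_distinct=50):
    """Return {user: (first_alert_time, distinct_customers_in_window)} for each
    user who touched more than max_distinct distinct customer records within any
    sliding window of the given length. Events are sorted by time first so the
    detector also works on logs collected out of order."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)        # user -> deque of (ts, customer) inside the window
    in_window = defaultdict(Counter)   # user -> Counter of customer -> hits inside the window
    alerts = {}
    for ts, user, action, customer in events:
        q, hits = recent[user], in_window[user]
        q.append((ts, customer))
        hits[customer] += 1
        # Expire events that have fallen out of the window; drop a customer from
        # the distinct set only when its last in-window hit expires.
        while q and ts - q[0][0] > window:
            _, old_customer = q.popleft()
            hits[old_customer] -= 1
            if hits[old_customer] == 0:
                del hits[old_customer]
        distinct = len(hits)
        if distinct > max_distinct and user not in alerts:
            alerts[user] = (ts, distinct)   # record the first time the user crossed the line
    return alerts


def constructed_sample_log():
    """Constructed sample (not real data): 'alice' works 8 customers spread over
    an hour, as a call-center agent would; 'mallory' walks 300 consecutive
    customer records one per second, the signature of a scripted bulk pull."""
    base = datetime(2006, 3, 14, 9, 0, 0)
    lines = []
    for i in range(8):
        t = base + timedelta(minutes=7 * i)
        lines.append(f"{t.strftime(LOG_FORMAT)} user=alice action=view customer={100000 + i}")
    for i in range(300):
        t = base + timedelta(minutes=30, seconds=i)
        lines.append(f"{t.strftime(LOG_FORMAT)} user=mallory action=view customer={200000 + i}")
    return lines


if __name__ == "__main__":
    for user, (when, count) in detect_bulk_access(constructed_sample_log()).items():
        print(f"ALERT {when.isoformat()} user={user} distinct_customers_in_window={count}")
```

In the constructed sample, alice never has more than two distinct customers in any 10-minute window and is never flagged; mallory trips the alert on the 51st record, 50 seconds into the pull. The arithmetic in the post is the point: 500,000 records in an 8-hour shift is about 17 records per second, which no human reading a screen produces, so even a coarse per-user distinct-record rate catches the scripted version. A patient insider who stays under 50 records per 10 minutes can still walk away with a few thousand a shift, so in practice this window rate should be paired with a per-shift total and a check that each record viewed maps to an open case or call.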
In the immortal words of Gordon Gekko: 'This is your wake-up call, pal. Now get to work'...
1 Comment:
Great point - training can only do so much for someone with a coke problem, mental illness, huge amounts of stress outside the workplace, or a way to make some serious extra coin selling names.
The issue is still that as good as managers are, they can't know everything about an employee without breaking the law or being a stalker, yet companies are held accountable for having to do just that - know their employees.
Why do you think there are all of these behavioral profiling applications popping up - they can know us without 'knowing' us by our behavior and those with similar behavior - good and bad.
Mark