Compliance guidelines, issued by the Federal Financial Institutions Examination Council (FFIEC) in late 2005, mandate the standards for online banking. Tracking changes to IT systems is now required for documenting alterations and creating an audit trail. The goal is to ensure that any change, whether planned or unplanned, is detected and reviewed.
2014 Recent Advancements
In December, the Federal Financial Institutions Examination Council released its updated Bank Secrecy Act compliance guidelines. Revised for the first time since 2010, the guidelines attempt to clarify supervisory expectations and incorporate regulatory changes covering the risk of money laundering.
Cyber Security Assessment Project
FFIEC members organized a pilot project to examine cyber security assessments at more than 500 community financial institutions. The objective of the assessment project was to evaluate the state of financial institutions' preparedness to reduce cyber security risks.
Based on the assessment findings, FFIEC recommended that regulated financial institutions share information on security developments by participating in the Financial Services Information Sharing and Analysis Center (FS-ISAC).
The immediate need for finance organizations to apply Bash software patches for protection against Shellshock vulnerabilities was also stressed. The reason is that the bug allows malicious code to run as soon as the shell is invoked on UNIX-based and Linux operating systems. The other contributing factor is that the Bash shell is one of the most widely used utilities on Linux/UNIX.
The vast majority of vendors distribute patches via the web. CIAC and CERT also publish security patch information and links to applicable vendor patches. For Mac users, Apple offers an OS X bash update on the web, even though a company spokesperson stated that Mac systems are safe by default.
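Applying the patch is only half of the change-control story; the audit trail also needs evidence that the fix took effect. The following POSIX shell self-test is an added example (not code from the original post or from CimTrak) that asks the installed bash to import a crafted environment variable and reports whether code after the function body was executed. The variable name `x`, the marker strings and the `check_shellshock`/`report_shellshock` function names are constructed for this check.

```shell
#!/bin/sh
# Added example: defender's self-test for the Shellshock class of bash bugs.
# A vulnerable bash treats the environment variable below as a function
# definition and keeps executing whatever follows the closing brace.
# A patched bash ignores the trailing code and warns about the definition.
#
# Prints "vulnerable", "patched" or "missing" (no bash at the given path).
check_shellshock() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "missing"
        return 0
    fi
    # The function body is a no-op (:); the echo after it must never run.
    # The variable name "x" and the marker text are constructed for this test.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Record the bash version next to the result so the evidence can be filed
# with the change ticket for the patch.
report_shellshock() {
    bash_bin="${1:-bash}"
    ver=$("$bash_bin" --version 2>/dev/null | head -n 1)
    [ -n "$ver" ] || ver="$bash_bin (not found)"
    printf '%s: %s\n' "$ver" "$(check_shellshock "$bash_bin")"
}

report_shellshock "${1:-bash}"
```

Run it on each host after patching and again on a schedule; a result that changes from "patched" to "vulnerable" indicates an unplanned change, such as a rollback or an unapproved binary, that the FFIEC guidance expects to be detected and reviewed.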
Credit card issuers also require acquiring banks to make sure that their merchants and service providers comply with the Payment Card Industry Data Security Standard (PCI-DSS) [1]. Like FFIEC, the PCI-DSS compliance requirements stipulate that changes to IT systems are detected and investigated. Actively monitoring IT systems for changes ensures that malicious activity is identified and addressed immediately. A newly released update for PCI-DSS went live on January 1st.
Find out more about how CimTrak helps banks and other financial institutions meet FFIEC IT security requirements and download our free FFIEC Solution Brief on our FFIEC compliance page.
References
[1] http://ithandbook.ffiec.gov/it-booklets/retail-payment-systems/retail-pa...
February 4, 2015