Financial Industry Compliance: Part 2, the FFIEC Information Security Handbook

by Val Hetrick, Fiberlink

In our previous post we surveyed several regulations and standards with provisions that apply specifically to endpoints.

We also noted that some of these included general guidelines such as “protecting against foreseeable risks” that might be challenging to pin down. What standards can financial firms use to address such vague requirements?

Here we will look at one source of guidance on financial industry best practices, the Information Security Handbook from the Federal Financial Institutions Examination Council (FFIEC).

This document can be downloaded at: http://www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf

Patch Management

The FFIEC Information Security Handbook suggests that financial firms must “update operating systems with security patches and using appropriate change control mechanisms” and “Appropriately and in a timely manner patch, update, and maintain all software…” It also recommends a comprehensive patch management process, including processes to monitor vulnerabilities, prioritize and test patches, plan a rollout, and create an audit trail of all changes.

Configuration Management of Remote Endpoints

The FFIEC authors highlight the importance of protecting the integrity of remote devices. They specifically recommend that organizations “Appropriately configure remote access devices,” “Periodically audit… access device configurations and patch levels,” and highlight the importance of “Monitoring host and network condition to identify unauthorized configuration and other conditions which increase the risk of intrusion or other security events.”

Securing Remote Access Devices Against Malware

The FFIEC handbook insists that it is particularly important to “Appropriately secure remote access devices against malware” and to keep anti-virus definitions up to date. Also, to ensure that technical safeguards remain in place, organizations should have “Integrity checking software, combined with strict change controls and configuration management.”

Encryption

The FFIEC authors strongly emphasize the importance of encryption of both data stored on devices (data at rest) and data transmitted over wireless networks (data in motion).

Logging and Monitoring Remote Access Communications

The FFIEC handbook repeatedly emphasizes the importance of continually monitoring events in the environment. For wireless devices, it specifically suggests that financial firms “Log remote access communications, analyze them in a timely manner, and follow up on anomalies.” It also recommends that firms: “Log and monitor the date, time, user, user location, duration, and purpose for all remote access.”

Network Access Controls

The FFIEC authors recommend that for sensitive communications with remote devices financial organizations “Restrict the use of the access device by policy and configuration” and “Ascertain the trustworthiness of the access device before granting access [to corporate networks].”

Tags: compliance, computers, information technology, MaaS360, mobile devices, mobile workforce, mobility-as-a-service, security

This entry was posted by MaaS360 on July 8, 2010 at 3:22 am, and is filled under Endpoint Management. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.

Related Posts
Comments (0)

No comments yet.

No trackbacks yet.

Microsoft DLL Hijacking Vulnerability

about 1 week ago - 1 comment

by David Lingenfelter, Fiberlink Microsoft released this week information about an issue in their OS that has made hundreds of applications that run on Windows vulnerable to attack. Here’s the security advisory from Microsoft: http://www.microsoft.com/technet/security/advisory/2269637.mspx The vulnerability basically allows applications to start DLLs that are on remote network shares. A DLL (Dynamic Link Library) is More >

Remote Takeover: Add a Personal Touch to Endpoint Management Activities

about 2 weeks ago - No comments

by Clint Adams, Fiberlink As you know from reading this blog, I work for Fiberlink, a company that operates a “Mobility-as-a-Service” platform called MaaS360. The marketing tag line for this platform is “See. Know. Go.” Now I am no marketing whiz, but I think that is a fantastic tag line and describes what the platform More >

A PC in everyone’s pocket. Financial Services leads the way, again.

about 1 month ago - No comments

by Jim Szafranski, Fiberlink Remember the days of investment bankers and investors carrying around the Blackberry 850 that looked more pager than the start of today’s smart phone craze? Also, wasn’t it just two years ago that Blackberry had a stranglehold on the enterprise smartphone? Well, those days are obviously gone and some new smartphone More >

Financial Industry Compliance: Part 3, the FSA Data Security Report

about 1 month ago - No comments

In our previous posts we surveyed regulations and standards with provisions that apply specifically to endpoints, and looked at the Information Security Handbook from the Federal Financial Institutions Examination Council (FFIEC) for guidance on best practices. Here we will look at another excellent set of guidelines for financial firms, the Data Security in Financial Services More >

Financial Industry Compliance: Part 1, Survey of Regulations

about 2 months ago - No comments

by Val Hetrick, Fiberlink The financial industry is of course highly regulated. But what financial industry regulations and standards apply specifically to endpoints, and to data stored on mobile and distributed devices? We did a little research on the subject, and would like to share our findings. In this post we will survey several of More >

Business Intelligence for Everyone, Please!

about 3 months ago - No comments

by Jonathan Dale, Fiberlink An article I recently read by Gary Smith in the May 3rd issue of InformationWeek got me thinking. The author wrote a nice piece about 7 steps to better decisions, entitled “How to Successfully Implement an Analytics Methodology.” Although I’m not a fan of all 7 steps, I recommend folks reading More >

News Flash – Employees Blatantly Violate IT Policies

about 4 months ago - No comments

by Clint Adams, Fiberlink This recent headline is based on a survey conducted by Fiberlink and states that one in ten employees has “blatantly” violated IT policies at some point in order to be productive. Definitely an interesting statistic. This made me wonder how many employees are inadvertently violating IT policies in the quest to More >

Top 5 Operational Workflows for IT to Simplify in 2010

about 5 months ago - No comments

by Chris Corbet and Jonathan Dale, Fiberlink The year is 2010… IT departments have watched their resources steadily being depleted over the last 2 years, while the workload increases and tasks pile up. The year is 2010… it’s also the year organizations need to move faster than the competition to get to the front of More >

The New IT Workflow Requirement

about 5 months ago - No comments

When I think of an IT workflow, I conjure a vision of a runbook that contains a number of specific steps to accomplish some critical task. In the realm of Endpoint Device Management, much of the time the result of the execution of these steps results in the creation, observation and analysis of a report More >

- Our Sites
- Blog Sponsor
  
  This blog is sponsored by Fiberlink. Fiberlink is the developer of MaaS360, the leading cloud-based, mobile device visibility and management platform. To learn more or take a test ride of MaaS360, please visit www.maas360.com.

Top
©2010 Fiberlink Communications. All Rights Reserved. All brands and their products, featured or referred to within this document, are trademarks or registered trademarks of their respective holders and should be noted as such.

Financial Industry Compliance: Part 2, the FFIEC Information Security Handbook

Patch Management

Configuration Management of Remote Endpoints

Securing Remote Access Devices Against Malware

Encryption

Logging and Monitoring Remote Access Communications

Network Access Controls

No comments yet.

No trackbacks yet.

Our Sites

Blog Sponsor