On October 12th, 2005 the United States Federal Financial Institutions Examination Council (FFIEC) released updated guidance on the risks, and the risk management controls, involved in authenticating the identity of customers accessing internet-based financial services. The guidance, "Authentication in an Internet Banking Environment," was issued to reflect the significant legal and technological challenges facing today's information-based economy. Financial institutions are expected to conform to the new guidance by year-end 2006.
Financial institutions engaging in any form of internet banking should have effective and reliable methods to authenticate customers. An effective authentication system is necessary for compliance with requirements to safeguard customer information, to prevent money laundering and terrorist financing, to reduce fraud, to inhibit identity theft, and to promote the legal enforceability of their electronic agreements and transactions. The risks of doing business with unauthorized or incorrectly identified persons in an internet banking environment can result in financial loss and reputation damage through fraud, disclosure of customer information, corruption of data, or unenforceable agreements.
Institutions Need Multi-factor Authentication
The FFIEC considers single-factor authentication, such as a simple combination of username and password, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Where an institution's risk assessment indicates that single-factor authentication is inadequate, the institution should implement multi-factor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
The Encode Multi-factor Authentication Assessment
The Encode Multi-factor Authentication Assessment is a short-term engagement designed to help identify the challenges associated with adopting the new FFIEC guidelines and the implementation of multi-factor authentication.
During an Assessment, Encode works with key stakeholders to identify and assess the security risks facing your business and to determine how to become, and remain, compliant with the new guidance. We do this by performing a gap analysis covering risk, policies, procedures, validation and enforcement, together with a technical assessment covering:
- System & Network Monitoring & Reporting
- Identity Management
- Access Management
- Multi-factor Authentication
- Privacy Management
- Compliance (FFIEC, NIST, HIPAA, SOX, GLB)
Encode's extensive experience with IBM Tivoli products allows us to quickly identify the domains, business units, user communities, and legacy systems that a new authentication system will affect, and to work with you to resolve any readiness issues or conflicting internal requirements before deployment.
At the end of the engagement we provide full documentation of your organization's level of compliance and an actionable plan to become and remain compliant.
IBM Tivoli
Encode has chosen to partner with IBM because IBM Tivoli provides first-class, industrial-grade security. IBM's Tivoli security products provide the basis for integrated, scalable, reliable, and secure information systems.
IBM's Tivoli Access Manager (TAM), Tivoli Identity Manager (ITIM) and Federated Identity Manager (FIM) help manage growth, simplify complex security policy issues, and solve the problems of enforcing security policies consistently across a wide range of web, application and operating-system resources:
- TAM lets companies define comprehensive security policies and administer security based on those policies. It supports single sign-on for web, Microsoft, telnet, and mainframe application environments.
- ITIM centralizes the definition of users and provisioning of user services. It enables users to perform many tasks themselves, such as password resets and personal profile changes which can lower help-desk call volume and costs.
- FIM lets a user who has authenticated with one enterprise use that same identity to sign on to a partner enterprise's network and conduct transactions there (federated single sign-on). This removes the need to replicate identity and security administration at both companies.
SecurIT
Encode has chosen to partner with SecurIT to provide our customers with an expanded portfolio of capabilities and best-in-class security solutions. SecurIT products are certified to work with and enhance the IBM Tivoli product suite, helping to open business-critical applications to internet users in a cost-effective manner.
- SecurIT TrustBuilder is an extension for IBM Tivoli Access Manager (TAM) that satisfies custom multi-factor authentication and administration requirements out of the box. TrustBuilder allows the implementation of a flexible authentication policy that supports straightforward migration between authentication mechanisms, and it can be used by any system or application requiring authentication services.
- SecurIT D-Man Monitoring Suite is a secure monitoring solution for e-business and security environments. D-Man comes with a comprehensive set of monitors covering the business-critical TAM environment, including the surrounding network components, web servers and application servers.
- SecurIT R-Man is an extension for IBM Tivoli Identity Manager (ITIM) that manages roles in a more flexible way. R-Man follows the NIST standard for Role Based Access Control (RBAC) and supports different models for implementing RBAC in ITIM.
For additional information about Encode's Multi-factor Authentication Assessment, contact us.