Re: Bankers on FFIEC
- From: "William M. Davis" <WDavis@xxxxxxxxx>
- Date: Thu, 15 Mar 2007 06:57:27 -0700
The FFIEC guidance is just that it is guidance. It also does not require
multi-factor authentication; it does require that banks do a risk assessment
and adequately protect their systems. I agree that what most are doing is
not really multi-factor. However, additional questions can increase the
level of security and help justify the continued use of single factor
authentication until better, cheaper, easier methods are developed.
William M. Davis, CISSP, CISA
----- Original Message ----- From: "Ken Kousky" <kkousky@xxxxxxxxxx>
Sent: Wednesday, March 14, 2007 5:42 PM
Subject: Bankers on FFIEC
The FFIEC guidance on online banking calls for strong authentication,
applied based on appropriate risk analysis and they even spell out the three
factors of authentication and state that single factor password
authentication isn't adequate. Yet, I've found many banks adding addition
questions to the login sequence and thinking they've added another factor.
Does anybody have experience with this situation and understand how banks
are getting around the Guidance for Online Banking requirements?
- Prev by Date: Re: NOC password management
- Next by Date: RE: The Value of GIAC/GSEC Certification
- Previous by thread: Bankers on FFIEC
- Next by thread: RE: The Value of GIAC/GSEC Certification