FFIEC Authentication Guidance: Where to Begin
First Steps for Meeting the Jan. 1 Deadline
The most difficult part of that approach is having a structured methodology for going through a risk assessment, Speare says. "Go through a practical example of how to do a risk assessment," Speare says in an interview with BankInfoSecurity.com's Tom Field [transcript below].
Speare just completed a webinar for Information Security Media Group on how financial institutions can prepare for their next exams before the January 2012 deadline arrives.
Risk analysis is the fundamental element of meeting FFIEC requirements. "In that process, be honest with yourself," Speare says. Does your institution meet the requirements? If not, reach out to regulators for assistance in gray areas of the guidance.
Start the risk analysis now, Speare says, so that you have a well-documented plan about what you're going to do by the time January 1 rolls around.
In an exclusive interview on the FFIEC Authentication Guidance, Speare discusses:
- The biggest challenges for banks between now and January 2012;
- What to expect from their next examination;
- The one thing institutions can do now to jump-start their compliance efforts.
As SVP - Information Technology, M & T Bank Corporation, Speare is responsible for Information Technology Operations, Telecommunications and Networking, Platform Design and Support, Information Security and IT Risk Management, and Business Continuity Planning and Disaster Recovery.
He is also responsible for strategic planning of Infrastructure and Security resources in support of business objectives.
For fun, he is an avid helicopter and airplane pilot with over 9000 hours in AH-64 Apache attack helicopters.
Don't miss Matthew Speare's new webinar: FFIEC Authentication Guidance: How to Prepare for Your Next Exam.
TOM FIELD: We've talked about this at length since this first came out as a draft last December. You've had the opportunity to compare the documents. How different is the final guidance from the draft we saw in December?
MATTHEW SPEARE: When you look at it and the number of items that were removed from what came out in the draft, in a kind of way it was toned down in the overall guidance. We have somewhat of a more neutral back-looking type of document that spends more time looking at the things that have happened in the last five years and what banks should now be doing to respond to them, versus things that were mandated in the guidance draft that we saw last December that have been removed altogether. But at the same time, I think its focus was on those three core tendencies of risk assessment: customer awareness, education and then layered security. There are no silver bullets to deal with the issues that our online banking customers are dealing with.
FIELD: The big date is January 2012 because after that the examiners will start looking at institutions in terms of how they've complied with this guidance. What do you see as the biggest challenges for banking institutions between now and 2012?
SPEARE: A bank has to go into this realizing that there is no way they're going to be able to remediate every gap that they identify, nor do the regulators really expect you to. However, what they need you to do is really take a risk-focused approach. Do that risk analysis and have a standard methodology for doing it so that you can justify your thought process. And most importantly have a plan for what you're going to do as well as any items that you have done in preparation for January 1 because it really comes down to if you have a plan, it's a million times better than if you don't have a plan. And if you're just doing your risk assessment by kind of a gut feeling, without being able to back it up with metrics, a thought process and documents, then really it's going to put you in a bad light for that initial discussion with the regulators. Overall the big picture is to start the risk analysis now so that you can have a documented plan for what you're going to do by the time January 1 rolls around.
FIELD: Now you and I both know that institutions and associations have been poring over the letter of this document since it first came out in draft form, so it's not like this is news to people. What do you feel institutions should have done before the final guidance even was issued?
SPEARE: Certainly in retrospect those organizations that went through and started breaking down the draft of the guidance and started their planning process early, just based upon the draft, now are actually going to have a much easier time because there are many items that probably were going to be from a practical standpoint very difficult to be able to implement some kind of solution, or business process re-engineering, that are no longer there. You can take them right off the table and the more time you have to plan and prepare. It would have been great for organizations to have started that process back when the draft showed up, and now their plans are going to be easier to develop and probably many of them will be taken care of before January 1 comes around.
FIELD: It's no surprise you and I are talking because you just completed a webinar on this topic on what to expect and how to prepare for the 2012 examinations. This is a great seminar. I'm delighted to work with you on it. What would you say are the key points that you address in this for people that would be interested?
SPEARE: I think that one of the most difficult things for financial institutions to do is to have a structured methodology for going through and doing a risk assessment. Actually go through a practical example of how to do a risk assessment with the template. They are provided to the attendees so that they'll have a baseline of how to go through and look at their applications and application services in accordance with the FFIEC guidance. And they provide somewhat of that structured methodology to help jumpstart the process.
We certainly talk about some of the recommendations around layered security and those things that banks should be doing. The other area that certainly they've got to spend a lot of time around is customer awareness and education. They put out a lot of items that you must talk to your customers about. But I focus more on how to do it effectively because the discussion with your customers should be more dialogue-based, and it should be active on your part versus being passive or just providing pertinent materials. Ultimately if we're looking to raise the bar on customer awareness and education, we have to make it a topic of interest for them and do it in a way that is going to catch their attention. If it's a statement in a flier they will never read it. No one ever does.
FIELD: We'll make sure that we give people a link to this webinar because I think it's an important one for anybody that's looking toward 2012 and wants to make sense of all this. If you could boil it all down, what would you say is the one thing that institutions need to do now to jump start their compliance efforts?
SPEARE: Around this topic the fundamental, foundational element is the risk analysis. Going through and getting that risk analysis started today, in that process be honest with yourself. Do we not meet the requirements? Then don't be afraid during that process to reach out to your regulators because there is a lot of gray within the guidance, and certainly you want to have some interpretation from their perspective on what does it mean. This is what we do. We think it meets the requirements. We have a couple of questions. Do you feel that it meets?
Now the downside is the regulators prior to an exam are never going to give you a definitive opinion on something, but they will certainly help guide where you should focus your efforts. That is the one thing though that you can't wait to do because it's not something that happens overnight. You'll spend several months going through that process and if you don't start it today, the end of the year will be here and then all of a sudden: January 1.
FIELD: That's great advice and again we'll let people know how they can sign up for your webinar. It's an important one for any institution that wants to be prepared for 2012 examinations.