© BITS 2009.
BITS and FSSCC R&D Efforts
John Carlson
Senior Vice President of BITS
Panel on Data Breaches in Payments Systems -- Roles and Best Practices for the Public and Private Sector Response
Emerging Retail Payments Risks Conference
Federal Reserve Bank of Atlanta
November 5, 2009
Agenda
BITS Efforts
– Fraud
– Security
– Vendor Management & Shared Assessments
– Regulation
FSSCC R&D Committee Efforts
Fraud
ACH Fraud Risk Information Sharing Calls (e.g., ACH fraud trends, implementation of IAT codes)
Credit Bust Out Project
– Bust Out and Credit Abuse Activities (July 2009)
– Development of USSS information sharing portal
Mortgage Fraud Reduction
– White Paper: Residential Mortgage Fraud Prevention Strategies for Financial Institutions
– Fraud Advisory: Servicing Frauds (June 2009)
– Preparing and Presenting Your Mortgage Fraud Case to Law Enforcement (May 2009)
Payment Card Fraud Information Sharing Calls (e.g., pre-paid fraud trends, card data security)
Fraud
Remote Channel Fraud
– Information Sharing Calls (e.g., attacks on commercial account customers, SMS attacks)
– Recommendations for Detecting and Communicating with Customers whose Computers are Infected with Malware (October 2009)
Financial Exploitation of Elderly and Vulnerable
– Updating 2005 paper on BITS Fraud Protection Guide: Protecting the Elderly and Vulnerable from Financial Fraud and Exploitation
Fraud Working Group Information Sharing Calls
– Examples: employment scams, outsourcing fraud processes
Fraud
Third Party Payment System Access – Focusing on:
  − Information security and PCI
  − Registration, underwriting, and high risk
Developing recommendations for:
– PCI Council
– NACHA
– Card networks
– “Regional” EFT networks
– Others
Security
Web-Business
– ICANN and gTLD
– Secure Web Browser Project
Email Security
– Implementation of email authentication protocols
– Collaboration with FS-ISAC on repository of key information
– ISP outreach to build support for authenticated email
Authentication
– Surveys on current practices of customer, employee and business partner authentication
Security
Software Assurance
– Developing best practices for software development contract terms and vendor management
– Working with FSTC’s Software Assurance Project to focus on secure development and metrics
Security Awareness & Education
– Developing quarterly Security Awareness Newsletter
– Planning 4th Annual Meeting
Future focus:
– Cloud computing
– Social networking
Vendor Management/Shared Assessments
Vendor Management
– Updating “Ongoing Monitoring” section of BITS Framework
– Surveys on oversight of line of business vendor managers
– Other focus areas
  − Financial condition of service providers
  − Oversight of vendors for ID theft red flags rule and BCP
Shared Assessments
– Promote adoption by US FIs and service providers
– Explore synergies with industry organizations (e.g., IAPP, SIFMA)
– Expand awareness/adoption by other sectors (e.g., healthcare)
– Expand foreign outreach through NASSCOM
– Enhancing privacy
Regulation
Two-way dialog with regulatory agencies and other government agencies
Comment letters
– Example: ICANN governance
Monitoring legislative proposals
– Example: Senate & House Homeland Security hearings on Heartland breach and Cybersecurity Act proposal
Studies
– Example: Reducing the Delta Between New Regulations and Cost-Effective Practices Within the Financial Services Industry (with Deloitte)
FSSCC R&D
FSSCC R&D Committee Objectives:
– Identify top priorities (and gaps) for research
  1. Application security
  2. More secure and resilient financial transaction systems
  3. ID management
  4. Understanding the human insider threat
  5. Data centric protection strategies
  6. Better measures of the value of security investments
  7. Best practices and standards
– Engage stakeholders (including academic institutions, government agencies, Internet Corporation for Assigned Names and Numbers)
– Promote development initiatives to improve the resiliency of the FS Sector
– Manage Subject Matter Advisory Response Team (SMART) Program
FSSCC R&D
Outreach to academic, technology and government communities:
– National Cyber Leap Year
– Workshop on National Cyber Defense Initiative on Oct 28-29
SMART Program
– Goal: assist R&D organizations by providing subject matter experts from financial institutions
– Endorsed DECIDE Project:
  − Simulation model
  − Enables FIs and others to test the impact of disruptive events on the banking and finance sector (e.g., cyber attacks, natural disasters, policy decisions)
  − Funded by DHS via consortium of universities
FSSCC R&D
Identity Management Discussions
– June: FSSCC meeting with new White House CTO
  − CTO asks FSSCC for top, “actionable” R&D priority that the Federal government should promote
  − FSSCC R&D Committee recommends identity management
– July-Oct: Additional discussions with White House CTO and other government agencies:
  − Identity management aligns with Administration’s goals
  − CTO requests FSSCC issue RFP on identity management for government to leverage
  − FSSCC & FBIIC establish ID management committee chaired by VISA exec and FDIC official
FSSCC R&D
Financial Communications and Authentication Pilot
– August: Proposed to OSTP the idea to create a financial sub-net within a government-controlled domain to pilot:
  − Strong B2B and B2G authentication options
  − Recommendations to ICANN for financial domains
  − Harvest data and lessons learned for industry, government, and academic use
Contact Info
John Carlson
Senior Vice President
BITS/Financial Services Roundtable
202.589.2442