BITS and FSSCC R&D Efforts John Carlson Senior Vice President of BITS Panel on Data Breaches in Payments Systems-- Roles and Best Practices for the Public and Private Sector Response Emerging Retail Payments Risks Conference Federal Reserve Bank of Atlanta November 5, 2009
Agenda • BITS Efforts • Fraud • Security • Vendor Management & Shared Assessments • Regulation • FSSCC R&D Committee Efforts
Fraud • ACH Fraud Risk • Information Sharing Calls (e.g., ACH fraud trends, implementation of IAT codes) • Credit Bust Out Project • Bust Out and Credit Abuse Activities (July 2009) • Development of USSS information sharing portal • Mortgage Fraud Reduction • White Paper: Residential Mortgage Fraud Prevention Strategies for Financial Institutions • Fraud Advisory: Servicing Frauds (June 2009) • Preparing and Presenting Your Mortgage Fraud Case to Law Enforcement (May 2009) • Payment Card Fraud • Information Sharing Calls (e.g., pre-paid fraud trends, card data security)
Fraud • Remote Channel Fraud • Information Sharing Calls (e.g., attacks on commercial account customers, SMS attacks) • Recommendations for Detecting and Communicating with Customers whose Computers are Infected with Malware (October 2009) • Financial Exploitation of Elderly and Vulnerable • Updating 2005 paper on BITS Fraud Protection Guide: Protecting the Elderly and Vulnerable from Financial Fraud and Exploitation • Fraud Working Group Information Sharing Calls • Examples: employment scams, outsourcing fraud processes
Fraud • Third Party Payment System Access • Focusing on: • Information security and PCI • Registration, underwriting, and high risk • Developing recommendations for: • PCI Council • NACHA • Card networks • “Regional” EFT networks • Others
Security • Web-Business • ICANN and gTLD • Secure Web Browser Project • Email Security • Implementation of email authentication protocols • Collaboration with FS-ISAC on repository of key information • ISP outreach to build support for authenticated email • Authentication • Surveys on current practices of customer, employee and business partner authentication
Security • Software Assurance • Developing best practices for software development contract terms and vendor management • Working with FSTC’s Software Assurance Project to focus on secure development and metrics • Security Awareness & Education • Developing quarterly Security Awareness Newsletter • Planning 4th Annual Meeting • Future focus: • Cloud computing • Social networking
Vendor Management/Shared Assessments • Vendor Management • Updating “Ongoing Monitoring” section of BITS Framework • Surveys on oversight of line of business vendor managers • Other focus areas • Financial condition of service providers • Oversight of vendors for ID theft red flags rule and BCP • Shared Assessments • Promote adoption by US FIs and service providers • Explore synergies with industry organizations (e.g., IAPP, SIFMA) • Expand awareness/adoption by other sectors (e.g., healthcare) • Expand foreign outreach through NASSCOM • Enhancing privacy
Regulation • Two-way dialog with regulatory agencies and other government agencies • Comment letters • Example: ICANN governance • Monitoring legislative proposals • Example: Senate & House Homeland Security hearings on Heartland breach and Cybersecurity Act proposal • Studies • Example: Reducing the Delta Between New Regulations and Cost-Effective Practices Within the Financial Services Industry (with Deloitte)
FSSCC R&D • FSSCC R&D Committee Objectives: • Identify top priorities (and gaps) for research • Application security • More secure and resilient financial transaction systems • ID management • Understanding the human insider threat • Data centric protection strategies • Better measures of the value of security investments • Best practices and standards • Engage stakeholders (including academic institutions, government agencies, Internet Corporation for Assigned Names and Numbers) • Promote development initiatives to improve the resiliency of the FS Sector • Manage Subject Matter Advisory Response Team (SMART) Program
FSSCC R&D • Outreach to academic, technology and government communities: • National Cyber Leap Year • Workshop on National Cyber Defense Initiative on Oct 28-29 • SMART Program • Goal: assist R&D organizations by providing subject matter experts from financial institutions • Endorsed DECIDE Project: • Simulation model • Enables FIs and others to test the impact of disruptive events on the banking and finance sector (e.g., cyber attacks, natural disasters, policy decisions) • Funded by DHS via consortium of universities
FSSCC R&D • Identity Management Discussions • June: FSSCC meeting with new White House CTO • CTO asks FSSCC for top, “actionable” R&D priority that the Federal government should promote • FSSCC R&D Committee recommends identity management • July-Oct: Additional discussions with White House CTO and other government agencies: • Identity management aligns with Administration’s goals • CTO requests FSSCC issue RFP on identity management for government to leverage • FSSCC & FBIIC establish ID management committee chaired by VISA exec and FDIC official
FSSCC R&D • Financial Communications and Authentication Pilot • August: Proposed to OSTP the idea to create a financial sub-net within a government-controlled domain to pilot: • Strong B2B and B2G authentication options • Recommendations to ICANN for financial domains • Harvest data and lessons learned for industry, government, and academic use
Contact Info John Carlson Senior Vice President BITS/Financial Services Roundtable 202.589.2442 John@fsround.org