About Us | Contact Us
View Cart

Interim Framework for Auditing Progress on Supplement

By Dan Hadaway | Wednesday, September 21, 2011 - Leave a Comment

An Interim Audit Framework for the Supplement to the 2005 Authentication Guidance

Since I find myself sending this in e-mails to several of our Clients, I thought it would make a good Dan’s New Leaf post:

The problem:  Between now and your next examination, depending on when that is, you “should be” working on ensuring your bank complies with the Supplement that was released on June 28th 2011 to clarify the Authentication Guidance that was released in October 2005.  But what are you supposed to be doing?  The guidance itself establishes January as the date that “examiners will start guiding banks towards compliance.”

So what actually needs to be done between now and then?

The following is an audit framework that I will be using for banks I audit between now and March of 2012.  It may change as I learn more about the FFIEC’s expectations, especially at the upcoming IT Security Conference on October 12th and 13th.  There will be at least one talk dedicated to the subject, and we’ll also have that examiner panel!!

But, if you have ME coming in to audit you between now and March of 2012, I believe if you see this seven-point plan as the goal post, and have a good explanation as to where you are against this goal post, and you are closer to the 20 yard line than the 50 yard line, you will be in good shape.


Seven Point Plan for Compliance with the Supplement to the 2005 Authentication Guidance:

  1. Branchless Banking (or Electronic Banking Policy1): Have you updated your Policy to establish that the bank needs to a) Inventory all Branchless Banking Assets conduct a risk assessment to identify assets (including payment processes, delivery systems, and authentication assets) which require more scrutiny from a risk management perspective?
  2. Asset Prioritization Risk Assessment: Do you have a high-level (system-level) risk assessment on your Branchless Banking Assets to help you prioritize which assets require more scrutiny?  Have you conducted a risk assessment on the primary systems you call “electronic banking” to determine which ones require more scrutiny?
  3. Inventory of your branchless banking assets: Have you inventoried all assets which store bank information outside of the bank?  This would include an inventory of transactions as well as payment processes as well as system.  In other words, you might have Internet Banking on your inventory, but also Billpay and Set Up New Payee.  All three are different assets, even though one is a subset of another which is a subset of another.  The level of detail in your inventory depends upon the results of your Asset Prioritization Risk Assessment (see point 2 above.)
  4. Documentation of Authentication Methods: In that inventory, are you documenting for each asset the type of authentication method being used?  By the way, if the answer for ANY asset is “that depends,” then your asset inventory is not detailed enough.  In other words, if you say “the type of authentication we use for Billpay depends on whether you are setting up a new payee or whether you are just authorizing a payment” then you actually have three assets:  Billpay, Setting up New Payee, Authorizing Payments.  You want your inventory to be that detailed.
  5. Drill-down Risk Assessments: Have you started detailed (drill-down) risk assessments on assets identified in the high-level assessment as high priority?  As an auditor, I will be asking how that’s going and offering suggestions as to how to make sure it is complete and in compliance with the supplement.
  6. Vendor Management: Have you contacted your vendors and service providers?  Compliance?  Projected Timeline?  Good faith effort to be ongoing?  Regular communication on progress.  Do you understand how your Vendor intends to come into compliance with various parts of the supplement?
  7. Customer Awareness Training Strategy: Have you created a strategy, or at least met with your marketing team and/or the appropriate persons in the bank, for how you are going to meet the Customer Awareness and Education requirements of the Supplement.

I hope this “audit framework” provides a little direction for you.  I’d be happy to answer any questions you may have, especially if you’re a Client!

We’ll get through this together!!

Footnote #1:  To understand why I’m using the term “Branchless Banking Assets” instead of “Electronic Banking Assets,” check out this article.)


Founder and President, Infotex


“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”


Latest News
    As the investigation of the SolarWinds Hack was ongoing, another hack stole some of the limelight… This is the final update on the SolarWinds hack unless a major development comes to light. You can see the previous article here: “Autopsy of the SolarWinds Hack Update“. One of the largest cyber-espionage campaigns in the history of […]
    Employees working from home may find it more difficult to follow security policies… An article review. The surge in employees working from home during the pandemic created many headaches for IT departments around the world, many of whom had no telecommuting policies or procedures before the start… but what about the employees who had to […]
    A Webinar-Movie infotex presents the 2021 update of a previously released webinar presented by our Lead Non-Technical Auditor, Adam Reynolds. This movie-short is intended for those who are planning to participate in an infotex Incident Response Test. Not sure about the importance of an Incident Response Test? Check out onetest.infotex.com for more information! Please let […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS INFOTEX PROMOTES BRYAN BONNELL TO DIGITAL MEDIA MANAGER infotex, the Managed Security Service Provider, announced Bryan Bonnell’s promotion from Senior Data Security Analyst to Digital Media Manager.  “He will continue his normal DSA duties on a limited basis, because we want everybody to stay in touch with […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS RYAN HENSLER OF INFOTEX, EARNS CISSP CERTIFICATE Ryan Hensler, Senior NOC Associate of infotex, Inc., recently received the CISSP certification. “Ryan has proven himself to be a seasoned security professional both in his work for infotex and now through achieving this certification.” said Sean Waugh, Information Security Officer. […]
    Dubious app store subscriptions bring in hundreds of millions of dollars in revenue… An article review. When it comes to malicious applications you’re probably familiar with things like malware and ransomware, and you have ways to avoid them.  Modern desktop and smartphone operating systems have built-in malware detection tools, and some web browsers even automatically […]
    Another Manifesto A supply-chain manifesto by the author of Never Say Never: A Password Manifesto! Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . [Sssshh.  Turn out the lights.  Let’s lower our inner voices, as I have something to propose that might be a bit […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office.  
    While malware and security exploits continue to make headlines, the majority of reported security incidents involve phishing… An article review. With all the attention given recently to security incidents involving software exploits and high-profile malware attacks, it would be easy to believe that they represented the most likely incidents you may encounter in the wild.  […]
    Implementing Protective DNS could help your organization avoid attack… An article review. Noting the risks still associated with the Domain Name System (DNS), the National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) have recently released new guidance on the selection and use of a Protective DNS service (PDNS). The guidance, released in […]