About Us | Contact Us
View Cart

Interim Framework for Auditing Progress on Supplement

By Dan Hadaway | Wednesday, September 21, 2011 - Leave a Comment

An Interim Audit Framework for the Supplement to the 2005 Authentication Guidance

Since I find myself sending this in e-mails to several of our Clients, I thought it would make a good Dan’s New Leaf post:

The problem:  Between now and your next examination, depending on when that is, you “should be” working on ensuring your bank complies with the Supplement that was released on June 28th 2011 to clarify the Authentication Guidance that was released in October 2005.  But what are you supposed to be doing?  The guidance itself establishes January as the date that “examiners will start guiding banks towards compliance.”

So what actually needs to be done between now and then?

The following is an audit framework that I will be using for banks I audit between now and March of 2012.  It may change as I learn more about the FFIEC’s expectations, especially at the upcoming IT Security Conference on October 12th and 13th.  There will be at least one talk dedicated to the subject, and we’ll also have that examiner panel!!

But, if you have ME coming in to audit you between now and March of 2012, I believe if you see this seven-point plan as the goal post, and have a good explanation as to where you are against this goal post, and you are closer to the 20 yard line than the 50 yard line, you will be in good shape.


Seven Point Plan for Compliance with the Supplement to the 2005 Authentication Guidance:

  1. Branchless Banking (or Electronic Banking Policy1): Have you updated your Policy to establish that the bank needs to a) Inventory all Branchless Banking Assets conduct a risk assessment to identify assets (including payment processes, delivery systems, and authentication assets) which require more scrutiny from a risk management perspective?
  2. Asset Prioritization Risk Assessment: Do you have a high-level (system-level) risk assessment on your Branchless Banking Assets to help you prioritize which assets require more scrutiny?  Have you conducted a risk assessment on the primary systems you call “electronic banking” to determine which ones require more scrutiny?
  3. Inventory of your branchless banking assets: Have you inventoried all assets which store bank information outside of the bank?  This would include an inventory of transactions as well as payment processes as well as system.  In other words, you might have Internet Banking on your inventory, but also Billpay and Set Up New Payee.  All three are different assets, even though one is a subset of another which is a subset of another.  The level of detail in your inventory depends upon the results of your Asset Prioritization Risk Assessment (see point 2 above.)
  4. Documentation of Authentication Methods: In that inventory, are you documenting for each asset the type of authentication method being used?  By the way, if the answer for ANY asset is “that depends,” then your asset inventory is not detailed enough.  In other words, if you say “the type of authentication we use for Billpay depends on whether you are setting up a new payee or whether you are just authorizing a payment” then you actually have three assets:  Billpay, Setting up New Payee, Authorizing Payments.  You want your inventory to be that detailed.
  5. Drill-down Risk Assessments: Have you started detailed (drill-down) risk assessments on assets identified in the high-level assessment as high priority?  As an auditor, I will be asking how that’s going and offering suggestions as to how to make sure it is complete and in compliance with the supplement.
  6. Vendor Management: Have you contacted your vendors and service providers?  Compliance?  Projected Timeline?  Good faith effort to be ongoing?  Regular communication on progress.  Do you understand how your Vendor intends to come into compliance with various parts of the supplement?
  7. Customer Awareness Training Strategy: Have you created a strategy, or at least met with your marketing team and/or the appropriate persons in the bank, for how you are going to meet the Customer Awareness and Education requirements of the Supplement.

I hope this “audit framework” provides a little direction for you.  I’d be happy to answer any questions you may have, especially if you’re a Client!

We’ll get through this together!!

Footnote #1:  To understand why I’m using the term “Branchless Banking Assets” instead of “Electronic Banking Assets,” check out this article.)


Founder and President, Infotex


“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”


Latest News
    The One Test… …Is there a Test that Covers 9/11’s of the Battle? Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Twenty years ago two geek-friends and I debated the following question:  “Is there an Audit Test that covers 9/11’s of the battle?” This […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS NEW EMPLOYEE FOR INFOTEX infotex has just hired Tanvee Dhir, to be a new Data Security Analyst. “Tanvee is an outstanding addition to the team, bringing a new skillset we are eager to utilize.” says Chad Smith, NOC Manager of infotex. “I am really excited to be […]
    While we’re not a news service, we often use current events to comment on trends and our services. This blog is intended to get people thinking about topics and trends in Technology Risk Management, through our article reviews, as well as through original blog articles about current events and our MSSP services (such as our […]
    Seven Trends . . . that small bank Information Security Officers face in 2021 Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Welcome to the Magnificent Seven, my annual predictive article about the seven trends in technology that will impact the Information Security Officers of […]
    Top Seven Risks . . . that small bank Information Security Officers face in 2021 Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Once again, I compile this list in preparation for updating our normal board of directors awareness training PowerPoints and movies and such. […]