BOL Conferences
#540497 - 04/30/06 04:28 PM Fedline Advantage
buckwheat Offline
New Poster
Joined: Jan 2005
Posts: 15
The wild west
As is the case with many community banks, we've recently converted to Fedline Advantage. With that conversion have come several questions, one of which deals with any changes to our customer information security policy, specifically, our firewall policy. My position is that the migration to the web-based protocol placed significant emphasis on the quality of a bank's firewall policy, including frequency of third-party penetration testing.

With respect to this major change, I have the following questions for your thoughts:

1. How are you approaching this from a holistic risk management/internal control perspective? What changes have you made to your IT risk assessment document and firewall policy?
2. How are you deciding the population of bank employees to have access to Fedline Advantage? Are you requiring employees to lock up their tokens at night?
3. Commensurate with the use of a VPN to execute wires, how are you evaluating this risk?

Hopefully the FFIEC and/or Federal Reserve (our oversight entity) will publish authorize risk guidance on Fedline Advantage very soon.

Thanks.

#540498 - 04/30/06 09:26 PM Re: Fedline Advantage
IamNoBanker Offline
New Poster
Joined: Jan 2006
Posts: 12
Hi buckwheat,

Which option did your bank take? We did the Fed's VPN route w/ IP just for its use. And it's set up so that ONLY that workstation has access to the VPN (due to IP routing and static IP lock at the Fed's VPN). And it's also under a camera. Token stays in the vault, no need from home unless you think it looks cool on the key chain?

HTH

#540499 - 05/01/06 10:34 PM Re: Fedline Advantage
Search_Me Offline
Power Poster
Search_Me
Joined: Aug 2005
Posts: 8,433
In my Strappy Heeled Sandals!
About locking up the "tokens"... each individual has a locked bag... in which they are responsible for ensuring that the token is in the bag, the bag is locked and placed into the lock box that is located in the vault by the end of EACH day. We have about 6 individuals that have access to a token... myself included and we've found this way works best... so we don't grab the wrong token or accidentally misplace it. Everyone is happy and we always have the token when needed... no chance of leaving it at home or misplacing it.
_________________________
She who dies with the most shoes WINS! grin

#540500 - 05/02/06 11:58 AM Re: Fedline Advantage
LynnH Offline
100 Club
LynnH
Joined: Dec 2002
Posts: 129
NH
On token lockup, we had state banking examiners on site as we were converting over. They recommended that some employees take their tokens home with them. They said if we locked them all up then we needed to have a disaster plan if our building and tokens were gone as it takes 3 days to get a new one. They also said that whatever we did we needed to have documented in a token management policy.

#540501 - 05/02/06 01:59 PM Re: Fedline Advantage
KrisH Offline
Gold Star
KrisH
Joined: Mar 2003
Posts: 358
Massachusetts
Quote:

On token lockup, we had state banking examiners on site as we were converting over. They recommended that some employees take their tokens home with them. They said if we locked them all up then we needed to have a disaster plan if our building and tokens were gone as it takes 3 days to get a new one. They also said that whatever we did we needed to have documented in a token management policy.




I had the FDIC make a similar comment for us, however, my response was that if something happens to the building, the VPN device is going to be trashed as well... so the tokens won't be much use. I have talked to the Fed, and they have indicated to me that the turnaround time for a replacement VPN and tokens can be next day depending on when you call. The examiner didn't seem to have any problems with my response.

For the record, our tokens are kept in a combination lockbox, which is located in a secure room that requires a passcard. Only authorized personnel have access to that room.
_________________________
My opinions are my own and do not necessarily reflect the opinions of my employer.

#540502 - 05/03/06 06:56 PM Re: Fedline Advantage
IT Storm Offline
New Poster
Joined: May 2006
Posts: 2
Enforcing a strict policy on tokens when they are not in use is a big deal. Every so often I see a FedLine Advantage user in my travels who has their workstation wedged between their desk and their wall and it's too much of a pain to get their token out so they leave it in all the time (bad idea).

I'm in many banks as both a network vendor and an IT auditor (never both at the same bank). The biggest threat I see is remote access software installed by the IT Dept. (to make life easier for them) or by the user of the workstation (to make life easier for them). We actually found an unauthorized installation of gotomypc.com on a FedLine Advantage machine. The long-time employee reasoned she had too much to do and wanted to be able to work from home. She worked in the accounting area and was a FedLine Advantage user (not good).

The most dangerous scenario out there is for small community banks who are either dependent on one IT person or a single person within a local networking vendor. That one person has likely installed FedLine Advantage, knows how it works to a great extent, probably maintains the firewall and holds all the keys except for the token. When I say they hold all the keys except for the token, the User ID, the User passphrase and the password are easily obtainable if someone has malicious intent with a hardware keylogger. Those things are next to impossible to detect and sell for $39. Installing remote access software is unfortunately all too easy. The only thing preventing the unimaginable from happening in that scenario is keeping those tokens out of those machines.

#540503 - 05/03/06 08:28 PM Re: Fedline Advantage
KrisH Offline
Gold Star
KrisH
Joined: Mar 2003
Posts: 358
Massachusetts
Quote:

Every so often I see a FedLine Advantage user in my travels who has their workstation wedged between their desk and their wall and it's too much of a pain to get their token out so they leave it in all the time (bad idea).




This surprises me, since our tokens shipped along with a USB extension cord, presumably for just that sort of purpose. When I ordered new PCs for our dedicated FedLine PCs, I made sure to get them with the USB ports directly in the front, so they were easily accessible to those needing to use them. But since certain FedLine Web applications can still be accessed from the user's desktop, they all retained their USB extensions for that purpose. The end of the cord sits right on their desk, so it's no trouble to plug the token into it.
_________________________
My opinions are my own and do not necessarily reflect the opinions of my employer.

#540504 - 05/03/06 09:19 PM Re: Fedline Advantage
Happy Trails Offline
Member
Joined: Jun 2003
Posts: 54
Northern Calif
Quote:

As is the case with many community banks, we've recently converted to Fedline Advantage. With that conversion have come several questions, one of which deals with any changes to our customer information security policy, specifically, our firewall policy. My position is that the migration to the web-based protocol placed significant emphasis on the quality of a bank's firewall policy, including frequency of third-party penetration testing.

With respect to this major change, I have the following questions for your thoughts:

1. How are you approaching this from a holistic risk management/internal control perspective? What changes have you made to your IT risk assessment document and firewall policy?
2. How are you deciding the population of bank employees to have access to Fedline Advantage? Are you requiring employees to lock up their tokens at night?
3. Commensurate with the use of a VPN to execute wires, how are you evaluating this risk?

Hopefully the FFIEC and/or Federal Reserve (our oversight entity) will publish authorize risk guidance on Fedline Advantage very soon.

Thanks.




Actually the Federal Reserve has already published guidelines for security for these tokens. They can be found in the FedLine Advantage Subscriber Guide, a confidential publication that came to you with your service agreements. This publication specifically states on page 3 that you are responsible for keeping your token physically secure and that you must remove the token from your PC when you leave your PC. We remove our tokens each night from each PC and they are stored in the vault. One individual is responsible for this each morning and night (backup assignment also).

#540505 - 05/04/06 12:36 PM Re: Fedline Advantage
IT Storm Offline
New Poster
Joined: May 2006
Posts: 2
Unfortunately I think FedLine Advantage VPN edition is a 60 Minutes social engineering story waiting to happen.

#540506 - 05/05/06 11:15 PM Re: Fedline Advantage
Search_Me Offline
Power Poster
Search_Me
Joined: Aug 2005
Posts: 8,433
In my Strappy Heeled Sandals!
Quote:

Quote:

Every so often I see a FedLine Advantage user in my travels who has their workstation wedged between their desk and their wall and it's too much of a pain to get their token out so they leave it in all the time (bad idea).




This surprises me, since our tokens shipped along with a USB extension cord, presumably for just that sort of purpose. When I ordered new PCs for our dedicated FedLine PCs, I made sure to get them with the USB ports directly in the front, so they were easily accessible to those needing to use them. But since certain FedLine Web applications can still be accessed from the user's desktop, they all retained their USB extensions for that purpose. The end of the cord sits right on their desk, so it's no trouble to plug the token into it.




We have these same USB extension cords... and ours lay on our desk as well. Sure does beat having to bend over... crawl under the desk to plug and unplug the token daily.
_________________________
She who dies with the most shoes WINS! grin

#540507 - 05/06/06 02:23 AM Re: Fedline Advantage
buckwheat Offline
New Poster
Joined: Jan 2005
Posts: 15
The wild west
I would like to thank everyone for their comments.

Proper security of tokens is a must. I've recommended that they be removed at night and stored in a very secure location.

#540508 - 08/02/06 06:45 PM Re: Fedline Advantage
califgirl Offline
Diamond Poster
califgirl
Joined: Mar 2002
Posts: 2,355
The O.C., California
We received a letter from the Fed announcing a new publication "Monitoring and control guidelines for fedline advantage" that is supposed to be available on their website. I have had no luck finding it.

If anyone finds it, could you please post a link.

Thanks!
_________________________
I can explain it to you. I can't understand it for you.


Moderator:  Andy_Z