07/16/2007
I need to issue an RFP for IT risk assessment consultancy services. What should be the scope and detail covered by the RFP?
07/09/2007
I need to issue an RFP for IT risk assessment consultancy services. What should be the scope and detail covered by the RFP?
03/12/2007
We have had several customers express ardent displeasure with multi-factor authentication and the desire to be "opted out." Our system allows for opt-out but an FDIC examiner has told us that opt-out should never be allowed. I understand that it should be extremely limited, but if a very good customer says "turn it off," why should they not have the choice since it is being put in place for their security - provided they are willing to sign some kind of hold harmless agreement. From a regulatory compliance standpoint we are meeting our obligations by putting multi-factor generally in place, but is the expectation that no customer ever be given a choice?
09/25/2006
Do you have anything that would address the issues outlined in the OCC 2005-35 Bulletin concerning Authentication in an Internet Banking Environment such as any type of policies and/or checklists?
09/25/2006
With the FFIEC guidelines related to multi-factor authentication, can you offer any information on the VRU/Telephone Banking platform? If banking clients access data via the telephone is the typical SSN/PIN/Account Number input enough to comply with the FFIEC?
08/21/2006
What is the regulatory requirement regarding the minimum number of characters required on passwords used for online banking?
07/24/2006
Just completed listening to a CD that we purchased from you titled Multi-Factor Authentication. Unfortunately, I don't get a chance to ask questions, so I'm sending this one off to you in hopes that either Mary Beth Guard or someone familiar with the topic can answer. It was never mentioned whether adding another ID/password challenge is an acceptable form of additional authentication and where appropriate would satisfy the FFIEC directive for the end of this year?
07/10/2006
I am a brand new Network Administrator who has just learned how to install a network in my bank. How can I prepare for an IT audit?
03/20/2006
Is there any place I can find a guide on "record retention" periods for items related to technology? For example, log reports, user records, software and hardware licensing agreements, etc.
02/20/2006
I oversee the bank website and have been told that new compliance guidelines will soon be in effect, making it mandatory for us to have customers use two different types of verification procedures. This would involve more than just a login and password; a second type of verification procedure would be necessary. Can you clarify exactly what we need to do to be compliant?