
FaceTime Solutions and FDIC Regulations

Below you will find the Federal Deposit Insurance Corporation's (FDIC) recent guidance to assist financial institutions in protecting themselves against the vulnerabilities of instant messaging (IM) usage. The guidance is presented in a letter addressed to the CEOs and CIOs of its member companies. This is a very big piece of news for the industry and is a positive step in providing awareness for IM in the workplace.

The FDIC provides regular guidance to its member firms on a broad set of issues. Information regarding the FDIC guidance on IM can be found at the following links:

FDIC Guidance on Instant Messaging:
http://www.fdic.gov/news/news/financial/2004/fil8404.html

FDIC Guidance on Instant Messaging Technology (attachment):
http://www.fdic.gov/news/news/financial/2004/fil8404a.html



On July 21, 2004, in a letter entitled "Guidance on Instant Messaging," Michael J. Zamorski, Director, Division of Supervision and Consumer Protection, had some very specific things to say about the risks inherent in instant messaging and file sharing adoption within the FDIC member community. Specifically, the letter and its attachment state that IM use exposes firms to numerous vulnerabilities. The letter addresses three broad areas of specific concern:

  1. Security risks
  2. Privacy and identity hijacking
  3. Legal liability

This letter is different from previous guidance in that it is both deeper and broader (i.e. more specific, as well as affecting more users). Previous SEC and NASD guidance on the same matter has been primarily focused on archiving. This letter makes it clear that IM poses not only a risk in the context of "books and records" requirements for a small group of users (e.g. traders) but encompasses a broader compliance risk for all employees and users within member firms. It also extends the definition of risk beyond just monitoring and archiving to dealing with threats posed by viruses, worms, trojans and general information security threats. This can be summarized as follows:

  1. IM and File Sharing Networks are a broad risk affecting the whole company
  2. A written and comprehensive plan should be produced and executed

In addition to specific recommendations for how member firms should approach mitigation, the FDIC has outlined why existing security approaches are not adequate. In its conclusion, the report recognizes that:

"IM has a "port crawling" or "port agile" feature that allows messages to travel through legitimate open ports if others are unavailable"… including "Telnet (port 23); File Transfer Protocol (port 20) and Simple Mail Transfer Protocol (port 25). IM can also use Hypertext Transfer Protocol (port 80) in an attempt to bypass the firewall."

Conclusions

After reviewing the guidance thoroughly, FaceTime has determined that there are two legitimate responses to the guidance:

  1. Allow secured and managed IM to be used in the organization with appropriate usage policies and technological safeguards.

Or alternatively but less plausibly:

  1. Block all public IM and File Sharing Networks.

In both cases, FaceTime's solutions have a unique value proposition. In fact, our "defense-in-depth" approach is the only way to satisfy the two possible responses to the guidance.

  1. RTG500™, a hardened appliance that acts as an IM and File Sharing perimeter security device with the unique ability to block unauthorized IM and P2P usage. RTG500 has both the IDS and firewall capabilities required to secure "port agile" applications like Public IM and File Sharing Networks.
  2. IMAuditor™ with the additional ability to layer auditing, monitoring, IM specific anti-virus and a rich set of compliance workflow capabilities into an IM environment.
  3. Together these products comprise a working set that is a perfect fit for FDIC member firms that are looking for an immediate and proven solution.

If you have any additional questions regarding how FaceTime solutions can ensure true compliance for your workplace IM, please contact us directly.

 
 