FDIC Regulations
FaceTime for Instant Messaging Compliance
Below you will find the Federal Deposit Insurance Corporation's (FDIC) recent
guidance to assist financial institutions in protecting themselves against the
vulnerabilities of instant messaging (IM) usage. The guidance takes the form of
a letter addressed to the CEOs and CIOs of its member companies. This is
significant news for the industry and a positive step in raising awareness of
IM in the workplace.
The FDIC provides regular guidance to its member firms on a broad set of
issues. Information regarding the FDIC Internet compliance law on IM can be
found at the following links:
FDIC Guidance on Instant Messaging:
http://www.fdic.gov/news/news/financial/2004/fil8404.html
FDIC Guidance on Instant Messaging Technology (attachment):
http://www.fdic.gov/news/news/financial/2004/fil8404a.html
FaceTime Solutions and FDIC Regulations
On July 21, 2004, in a letter entitled "Guidance on Instant Messaging", Michael J.
Zamorski, Director, Division of Supervision and Consumer Protection, had some
very specific things to say about the risks inherent in the adoption of instant
messaging and file sharing within the FDIC member community. Specifically, the
letter and its attachment state that IM use exposes firms to numerous
vulnerabilities. The letter addresses three broad areas of concern:
- Security risks
- Privacy and identity hijacking
- Legal liability
This letter is different from previous guidance in that it is both deeper and
broader (i.e. more specific, as well as affecting more users). Previous SEC and
NASD guidance on the same matter has been primarily focused on archiving. This
letter makes it clear that IM poses not only a risk in the context of "books
and records" requirements for a small group of users (e.g. traders) but
encompasses a broader compliance risk for all employees and users within member
firms. It also extends the definition of risk beyond just monitoring and
archiving to dealing with threats posed by viruses, worms, trojans and general
information security threats. This can be summarized as follows:
- IM and File Sharing Networks are a broad risk affecting the whole company
- A written and comprehensive plan should be produced and executed
In addition to specific recommendations for how member firms should approach
mitigation, the FDIC has outlined why existing security approaches are not
adequate. In its conclusion, the report recognizes that:
"IM has a 'port crawling' or 'port agile' feature that allows messages to
travel through legitimate open ports if others are unavailable" ... including
"Telnet (port 23); File Transfer Protocol (port 20) and Simple Mail Transfer
Protocol (port 25). IM can also use Hypertext Transfer Protocol (port 80) in an
attempt to bypass the firewall."
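The "port agile" behaviour quoted above is why a port-based firewall rule is not enough: a flow to port 25 or 80 is only legitimate if the traffic on it actually speaks SMTP or HTTP. The following added example (not FaceTime's code or the FDIC's) shows the kind of payload check an IDS performs, on constructed flow records of (destination port, first client bytes, first server bytes); the protocol matchers and sample flows are assumptions for illustration.

```python
"""Flag flows whose application protocol does not match the well-known port.

Constructed example, not code from the original page. A port-based firewall
would allow every flow below; only inspecting the payload shows which ones
are not really SMTP, Telnet or HTTP on those ports.
"""
import re

# Expected application protocol per port named in the FDIC text.
# Port 20 (FTP data) is omitted: its content is arbitrary, so a payload
# check cannot tell an FTP transfer from a tunnelled IM session.
PORT_PROTOCOL = {23: "telnet", 25: "smtp", 80: "http"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def classify(client_first: bytes, server_first: bytes) -> str:
    """Minimal application-protocol identifier for the three ports above."""
    if HTTP_REQUEST.match(client_first):
        return "http"
    # SMTP: server greets with "220 ", client opens with HELO/EHLO.
    if server_first.startswith(b"220 ") and client_first[:5].upper() in (b"HELO ", b"EHLO "):
        return "smtp"
    # Telnet: server starts option negotiation with IAC WILL / IAC DO (0xff 0xfb / 0xff 0xfd).
    if server_first[:2] in (b"\xff\xfb", b"\xff\xfd"):
        return "telnet"
    return "unknown"


def find_mismatches(flows):
    """Return (dst_port, expected, observed) for each flow whose payload does
    not match the protocol expected on that destination port."""
    findings = []
    for dst_port, client_first, server_first in flows:
        expected = PORT_PROTOCOL.get(dst_port)
        if expected is None:
            continue  # port not covered by the policy
        observed = classify(client_first, server_first)
        if observed != expected:
            findings.append((dst_port, expected, observed))
    return findings


# Constructed sample flows: two legitimate, one Telnet, two that merely use the port.
SAMPLE_FLOWS = [
    (25, b"EHLO mail.example.test\r\n", b"220 mx.example.test ESMTP\r\n"),
    (80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    (23, b"\xff\xfd\x18", b"\xff\xfb\x01"),
    (25, b"\x00\x01\x00\x00\x00\x04\x00\x00", b"\x00\x01\x00\x00\x00\x04\x00\x00"),
    (80, b"<msg to='x'/>", b"<stream:stream>"),
]

if __name__ == "__main__":
    for port, expected, observed in find_mismatches(SAMPLE_FLOWS):
        print(f"port {port}: expected {expected}, observed {observed}")
```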
Conclusions
After reviewing the guidance thoroughly, FaceTime has determined that there are
two legitimate responses to it:
- Allow secured and managed IM to be used in the organization with appropriate
usage policies and technological safeguards.
Or alternatively but less plausibly:
- Block all public IM and File Sharing Networks.
In both cases, FaceTime's solutions have a unique value proposition. In fact,
our "defense-in-depth" approach is the only way to satisfy the two possible
responses to the guidance.
- Unified Security Gateway™ (USG), a hardened appliance that acts as an
IM and file sharing perimeter security device with the unique ability to block
unauthorized IM and P2P usage as well as VoIP, social networks and other Web
2.0 applications. USG has both the IDS and firewall capabilities required to
secure "port agile" applications like public IM and file sharing networks.
- IMAuditor™ with the additional ability to layer auditing, monitoring,
IM specific anti-virus and a rich set of compliance workflow capabilities into
an IM environment.
- Together these products comprise a working set that is a perfect fit for
FDIC member firms looking for an immediate and proven solution.
If you have any additional questions regarding how FaceTime solutions can
ensure true compliance for your workplace IM, please contact us.