
November 05, 2007


Security Advisor

As it relates to asking questions from a Director regarding the risks involved, there is one that is persistently overlooked and can be easily handled. The issue is referred to as Non-Repudiation. Can one tell by looking at the log files who actually was the person that electronically did an action? In today's networks I have assessed, every one of them has indicated that by using a Username and Password it is impossible to tell that it was indeed that person who was accessing the systems. Unfortunately, this is the very basis of making sure audit controls are in place. It would be much easier to certify every action by using what is referred to as a 2nd factor of authentication. It would be advisable to have this for the employees as described in various regulatory comments across the board. Today the main focus has been on home banking, but it also applies to employees. NAFCU provides references to handling these types of issues as part of the Services arm. Investigate further to simplify the compliance program from questionable activities by employees or authoritative actions taken by employees and a simple 2nd factor that can address the security question - was it that employee or not.
