Ask the Guru: Fedline in the lobby



Hey Guru,

I have a question about Fedline.  Will regulators write us up for having Fedline on a PC in the lobby of the bank?

Possibly; I have seen that. The issue is the extreme sensitivity of the data processed on that device, so if you want to leave it where it is, your response should focus on the physical and administrative controls in place. For example, how is the device physically secured? Is it completely in the open or behind a barrier of some sort? Could anyone simply walk up to it and sit down? Is it clearly identified as the Fedline machine? What about passwords and authentication devices? Is it left logged in? Is dual authentication required to access Fedline: one to the network and another one to the application? What about dual control for transactions? Who reviews activity reports? How often?

So they may say something, but if you have a response ready that addresses these questions, they probably won’t write you up for it. On the other hand, if you just don’t want to deal with the hassle, you can put it behind the teller line. Oh, and one more thing: wherever you decide to put the Fedline PC, don’t use a wireless keyboard!

Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

4 comments

  1. The compliance officer that leaves Fedline in the lobby computer knows no fear. There have been breaches. If you want a reality check, visit a few Russian hacker websites.

    1. Agreed, Brian, that is not the optimal arrangement. When you consider all the compensating controls, you have to question whether the convenience is worth the risk. The key is understanding the risk, and being able to convince the regulators that you’re on top of it.

      By the way, most of the compliance officers I know, know nothing BUT fear…it’s in their DNA! Oh, and I’ll have to take your word for the Russian hacker websites, the Guru definitely knows fear.

      Thanks for the comment!

  2. What is the risk of using a wireless keyboard with a Fedline PC?

    1. This is one of those “abundance of caution” best practices, Libby. Early generations of wireless keyboards had either no or weak encryption, and although current versions are much more secure, it is still possible to intercept keystrokes. Is it likely? No. Is it easy? No. But it is theoretically possible. And since we have seen some auditors and even examiners frown on them (particularly for secure devices like Fedline), we just found it easier to discourage their usage.
