Tag: Windows XP

22 Jan 2014

Windows XP and Electronic Banking

The FFIEC has previously issued a statement on Windows XP and the regulatory expectations for both financial institutions and TSPs beyond April 8th, but so far the regulators have not weighed in on the implications for e-banking and RDC customers. According to some estimates, as many as 30-40% of your business customers may still be using Windows XP. Since Microsoft will discontinue support for WinXP after April 8th of this year, leaving these devices potentially exposed, what is your obligation to your high-risk Internet banking and RDC customers? What do the regulators expect of you in this situation, and better yet, what do your customers expect of you? Would knowingly allowing your e-banking and RDC software to run on potentially insecure systems be considered “commercially reasonable” security?

According to the FFIEC E-Banking Handbook, financial institutions have an obligation to understand and manage the risks of the electronic banking environment, which includes the customer location. Similarly, Remote Deposit Capture guidance makes it clear that institutions are required to understand how the risks of using the customer’s systems to engage in RDC impact their legal, compliance, and operational risks. That is why most institutions include site visits to the customer location as part of the customer suitability process prior to approving them for RDC or commercial banking software. But if your on-site assessment indicated the customer was using an insecure operating system, would you even allow your software to be installed?

Again, examiners may not be looking for this specifically (although I know of at least one auditor that has added it to their IT controls scope of work). However, I recommend that you at least make the effort to reach out to your high-risk e-banking and RDC customers and remind them that, according to the terms of their contract, you share responsibility for creating and maintaining a secure computing environment for electronic banking. And then extend your awareness effort to ALL electronic banking customers.

UPDATE – Here is what Microsoft has to say about this. You may want to reference this in your communications with customers:

Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization’s inability to maintain its systems and customer information.

25 Oct 2013

Windows XP and Vendor Management

The FFIEC issued a joint statement recently regarding Microsoft’s discontinuation of support for Windows XP. The statement requires financial institutions to identify, assess, and manage the risks of these devices in their institutions after April 8, 2014. After this date Microsoft will no longer provide regular security patches or support for this product, potentially leaving those devices vulnerable to cyber-attack and/or incompatibility with other applications.

Identifying, assessing and managing these devices within your own organization is fairly straightforward. Have your admin or support provider run an OS report and present it to the IT Committee for review and discussion of possible mitigation options. But somewhat lost in the FFIEC guidance is the fact that you are also responsible for identifying and assessing these devices at your third-party service providers. While the statement was written as if it was directed at FIs and TSPs separately, the FFIEC makes it clear that:

A financial institution’s use of a TSP to provide needed products and services does not diminish the responsibility of the institution’s board of directors and management to ensure that the activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, just as if the institution were to perform the activities in-house.

So my interpretation of the expectations resulting from this guidance is that you must reach out to your critical service providers and ask about any XP devices currently in use at their organization. If they aren’t using any, an affidavit from the CIO or similar person should suffice. If they are, a statement about how they plan to mitigate the risk should be made a part of your risk assessment. The fact that the FFIEC mentioned “TSPs” five times in less than two pages indicates to me that they expect you to be proactive about this.
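As an added illustration of the “OS report” step above (example code, not part of the original post or any FFIEC guidance), here is one way an admin could build the Windows XP inventory for the IT Committee from Active Directory. It assumes a domain-joined admin workstation with the RSAT ActiveDirectory module installed and read access to computer objects; the output path and the 30-day “active” threshold are arbitrary choices.

```powershell
# Added example: inventory Windows XP computer objects in Active Directory so
# the IT Committee can see which devices lose vendor support after April 8, 2014.
# Assumptions: RSAT ActiveDirectory module available; read access to AD computers.
Import-Module ActiveDirectory

$activeThreshold = (Get-Date).AddDays(-30)   # assumption: logon within 30 days = in use

# One query for all computer objects, with the OS attributes the report needs.
$computers = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate

# Keep only devices that report an XP operating system (any edition/service pack).
$xp = @($computers | Where-Object { $_.OperatingSystem -like 'Windows XP*' })

# Committee summary: how many XP devices exist per service pack level.
$xp | Group-Object OperatingSystemServicePack | Select-Object Name, Count | Format-Table -AutoSize

# Risk-assessment detail: flag active versus stale objects so mitigation effort
# (upgrade, isolate, or decommission) can be prioritised per device.
$report = $xp | Select-Object Name, DistinguishedName, Enabled, OperatingSystemServicePack, LastLogonDate,
    @{ Name = 'Status'; Expression = {
        if ($_.Enabled -and $_.LastLogonDate -gt $activeThreshold) { 'Active' } else { 'Stale/Disabled' } } }

$report | Sort-Object Status, LastLogonDate -Descending |
    Export-Csv -Path .\xp-inventory.csv -NoTypeInformation

Write-Host ("{0} of {1} domain computer objects report Windows XP; detail in xp-inventory.csv" -f $xp.Count, @($computers).Count)
```

Devices not joined to the domain (kiosks, teller workstations managed by a service provider) will not appear here, which is exactly the gap the TSP outreach described above is meant to close.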

One other thing that might have been overlooked in the guidance is the concept of operational risk. Many IT risk assessments focus exclusively on information security elements, i.e. access to NPI/PII; they assess only the GLBA elements of privacy and security. Operational risk addresses the risk of failure, or of not performing to management’s expectations. If your risk assessment is limited to GLBA elements, expand it. Make sure the criticality of the asset, product, or service is assessed as well. And, when indicated by high residual risk, refer to your business continuity plan for further mitigation.