EXPERT RESPONSE
To my knowledge, the FFIEC has not mandated anything specifically related to VoIP. That being said, voice over IP is a technology that would be subjected to the risk management program specified by FFIEC. Before I expand a bit on that topic, let me clearly address the second part of your question, which is no, the FFIEC does not specifically require voice traffic to be encrypted.
Let's dig a bit into the FFIEC risk management program and see what's there. Basically, banks need to implement a security program, which would include things like risk assessments, security controls and monitoring. Details about what is specified can be found on the FFIEC website. There are lots of structured programs that can help corporations adhere to these standards, like ISO 27002 or COBIT. If an organization has a sufficiently strong security posture, the FFIEC guidance is nothing new or out of the ordinary.
In 2006, there was a lot of activity relative to the mutual authentication requirement on online banking services relative to FFIEC guidance. But that is largely in the rearview mirror, as most banks have some sort of stronger authentication implemented, and there haven't been any examples of failed audits or other ramifications that would cause the banks to revisit their strategies.
And that really is the point relative to VoIP and any of these regulations. Voice traffic running on an IP network is just another data type and should be subjected to the same level of scrutiny and security controls as any other data or application. There are some specific attacks relative to voice, but they are unsophisticated and uncommon.
So if you work for a bank and FFIEC is a concern, go back and revisit your overall security program. If you are in good shape overall relative to what it outlines, you will be good relative to VoIP.
For more information:
In this tip, Mike Chapple examines virtualization and VoIP in 2008.
Learn if deploying VoIP on an 802.1x network causes security problems.
|
