Security and Infrastructure Standing Committee
The Security and Infrastructure Standing Committee sets the information security agenda for the FSTC by identifying issues, collaborative project opportunities, and cross-industry information security topics of interest to the financial services community. The Committee has active participation from over 20 US and global financial institutions and over 50 top name technology and service provider firms.
The Committee was formed to help member financial institutions anticipate and respond better to challenges and opportunities in the dynamic area of information security technology, while in turn helping technology and services providers and standardization forums to understand the unique security needs of the financial services industry.

All aspects of information security risk, technology, business, and operations are considered in the Committee's charter, including:
- advancements in traditional security technologies and techniques, such as applications to enable the federation of traditional identity and authentication data;
- the enablement of emerging information security methods such as web services security, fraud data sharing, trusted computing and distributed software assurance, and
- breakthrough thinking around new information security challenges, such as consumer-driven identity, compliance aware data management, and sponsored domains for financial internet services.
In addition, the Committee stays closely aligned with the security component of current and emerging regulations, such as breach notification, ID theft red flags, electronic discovery, and government-issued credentials.
FSTC supports the committee's mission through its unique capability to sponsor hands-on projects and proofs-of-concept. Previous committee initiatives include the Blueprint for Mutual Authentication, an exercise to establish requirements and options for bi-directional authentication on the Web; and the Secure Web Browsing Concept – a design to enable a highly reliable level of security in internet browsers; the Account Opening Initiative, designed to describe requirements for opening financial accounts using less non-public consumer data; and Counter-Phishing Phase I, an industry-level initiative that evaluated individual and coordinated technology approaches to counter the practice of phishing and related threats.
Current and Pipeline Projects
Leading into 2008 and 2009, the agenda for the Security and Infrastructure Committee of the FSTC is being shaped around significant topics that drive the attention and resource commitments from the Technology Risk and Information Security programs, products, and services of our members. This topic list includes:
- Insider Threat
- Compliance Aware Data/Records Governance
- Provisioning mobile security
- Authentication of email, text messages and call center applications
- Sponsored Domains for Internet Financial Services
- Credentialing Standards
- Consumer-driven Identity
- Trusted Computing
- Software assurance
- Security metrics
- Application Security
Securing the Extended Enterprise - With the objective of creating better management and control of access to information and resources across the Extended Enterprise, upcoming topics will be: 1) Securing Data with an emphasis on Data-at-Rest, including data loss protection, advances in data encryption and aspects of digital rights management and 2) Governance and Compliance of the extended digitized business process. A proposed Financial Services “statement of findings” for Digital Identity and Federation was developed to set the stage for analysis and best practices solutions.
Fighting Fraud: Better Collaboration Tools and Real-Time Sharing of Information – Real-time sharing of information on fraud incidents and patterns to improve fraud forecasting, detection and mitigation is the focus of this project, in which we will determine the feasibility and benefit of near-real-time sharing models of fraudulent behavior, better prediction and mitigation of fraud, and better forensics and prosecution. E&Y will be the project manager, and we will be working closely with Early Warning, BITS, FS ISAC, and NCHA to discuss how to coordinate all efforts in this space.
I2PADS Account Opening and Funds Transfer with OMG – In conjunction with OMG, FSTC will investigate and develop recommendations for next-generation business process models for account opening and funds transfer, where the financial processes are modified to be more efficient and secure. The project team will consist of two parallel working groups: 1) to develop reference models for the retail space and 2) to develop reference models for business-to-business (B2B).
Authenticating Financial Institutions to Customers (AFIC) - This project involves the development of use cases and a testing harness at Columbia together with pilot usability testing with Columbia students addressing authentication of the FI to Consumers. The project includes threat analyses, processes, and testing various technology solutions against these Financial Services community use cases and requirements.
Securing the Extended Enterprise - This project addresses the issues of protecting and controlling information that is shared across the Extended Enterprise with partners, vendors and outsourcers. The project activities include reviewing available products and practices against the desired state; identifying gaps and requirements, needed standards, and process improvements; and developing a recommended plan of action and accompanying business case.
Credentialing Strategy – This activity is an overall program of work in Identity Assurance with specific deliverables produced by examining trust and assurance requirements for a range of financial applications, including web browsing for private and public sector services, emergency response credentialing, business data exchange, and others. The first set of deliverables will focus on trust and assurance level interoperability, and business models for credentialing services. Two operational prototypes are planned to follow these activities – the first will be a demonstration for a commercial credentialing service, and the second will be a validation exercise of secure mode browsing solutions from the FSTC vendor community.
Records Management and Data Leakage - This project will study the issues and related requirements of timely classification, protection, storage, retrieval, and destruction of unstructured content. The requirements will be designed to satisfy the electronic discovery requirements of financial regulations, and to minimize data leakage. The requirements will be described in an overall enterprise architecture of standards, technologies and business processes that can greatly improve the effectiveness of records management solutions, while greatly reducing the manpower required, and can scale to meet the industry's needs.
Software Assurance – Working with the Department of Homeland Security, this project will focus on gathering consensus among providers of financial services on requirements for the following aspects of Technology Risk Management as it pertains to Software Assurance:
a) the resiliency of code prior to installation – measures and metrics for identifying and measuring vulnerabilities prior to installation;
b) the overall integrity of internal controls designed to reduce the likelihood of introducing new vulnerabilities to "running" software;
c) ongoing validation of software in production against defined metrics;
d) the role of consensus standards and standardization efforts in enabling software assurance techniques and metrics; and
e) the impact of software assurance activities on insurance policies and premiums covering potential vulnerabilities in software.
The FSTC and members of this project will represent their requirements through several industry initiatives, including the Software Assurance Consortium and the DHS Software Assurance Working Groups.
Trusted Computing - The FSTC is working with HP and the Trusted Computing Group to develop an appropriate level of financial industry representation and related priorities for various trusted computing platforms standards, including mobile devices, storage, security appliances, and others.

The Security and Infrastructure Standing Committee provides a setting for participants to turn the results of their dialogues into action and potential FSTC projects. It also provides a vehicle for standing committee participants to reduce their research and development costs through collaborative projects. Plus, project participants get to know their peers at other financial institutions and develop a professional network that lasts beyond the project lifecycle. The standing committee is chartered with setting the security agenda for FSTC.
If you would like to learn more about the Security and Infrastructure Standing Committee or would like to share your expertise with us, contact Mike Versace.

Elections being held
FSTC Managing Executive: Roger Lang
For more information, contact Roger D. Lang
FSTC Security and Infrastructure Committee
(O) 201-389-3571
(C) 917-538-8041