Jackie Marshall, SVP, IT Regulatory Compliance
Wireless fidelity technology (WiFi) has become a common type of technology for personal use. But the use of WiFi by financial institutions for business purposes presents a unique set of issues, because regulatory compliance objectives can be more difficult to manage with WiFi technology.
If your institution’s Technology Committee is looking into going wireless in the next few months, it’s strongly recommended that management consider all aspects of WiFi. In this article, I will explore two key areas of concern that financial institutions should consider when designing, implementing, and managing wireless systems.
#1 – Consider the Risks
Confidential data may be easier to intercept. WiFi data is broadcast out into the airwaves, making any confidential information easier to intercept than data that could only be reached by tapping into a physical wire.
Traditional network security controls can be bypassed. Wireless connections present an attractive mechanism for hackers to tap into a user’s workstation and gain access to a corporate network. Typical corporate network-based protective measures (e.g., firewalls and similar defensive software) can be bypassed under such circumstances: when a user connects a workstation directly to the Internet, the workstation itself becomes the connection point, without the benefit of the corporate network protections. Keep in mind that every workstation connected directly to the Internet creates a separate opportunity for intrusion.
Other risks include disruption of wireless service by radio transmissions from other wireless devices, and obsolescence of current systems due to rapidly changing standards.
#2 – Will Your WiFi Security Controls Stand up to an Examiner’s Scrutiny?
Per GLBA and FFIEC standards, financial institutions must protect the integrity and confidentiality of non-public customer information. WiFi, like any type of new technology, can challenge current methods of information protection. Assessment of risk, assignment of appropriate security controls, policies and procedures, and general business practices associated with the wireless products and services will be scrutinized more closely if wireless is implemented. Some examples of WiFi security controls include:
Encryption is a security control that helps prevent unauthorized parties from reading data. WPA (WiFi Protected Access) is currently the best option for encrypting wireless network traffic; however, the strength of its security relies on the length and complexity of the encryption keys.
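To make the dependence on key length and complexity concrete, the following added example (not part of the original article) shows how WPA-Personal turns a passphrase into its 256-bit key using PBKDF2-HMAC-SHA1 with the SSID as salt, and applies an assumed pre-deployment passphrase policy (the 20-character minimum and the three-character-class rule are assumptions, not regulatory requirements):

```python
import hashlib
import string

# WPA/WPA2-Personal derives the 256-bit Pairwise Master Key from the
# passphrase and the SSID with PBKDF2-HMAC-SHA1 and 4096 iterations
# (IEEE 802.11i). The derivation is deterministic, so the only secret
# input is the passphrase; its length and complexity set the key strength.
WPA_ITERATIONS = 4096
PMK_LEN = 32  # 256 bits


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the WPA-Personal pre-shared key for a passphrase/SSID pair."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), WPA_ITERATIONS, PMK_LEN
    )


def check_passphrase_policy(passphrase: str, ssid: str, min_len: int = 20) -> list:
    """Return a list of policy findings; an empty list means the passphrase
    passes. The 20-character minimum and the three-class rule are an assumed
    institutional policy, not a standard."""
    findings = []
    # WPA-Personal only accepts ASCII passphrases of 8 to 63 characters.
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8-63 character range WPA-Personal allows")
    if len(passphrase) < min_len:
        findings.append(f"shorter than the {min_len}-character minimum")
    classes = sum(
        any(c in cls for c in passphrase)
        for cls in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)
    )
    if classes < 3:
        findings.append("fewer than three character classes")
    # The SSID is the salt, so a passphrase that embeds it gains nothing.
    if ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the first pair is the IEEE 802.11i test vector.
    print(derive_psk("password", "IEEE").hex())
    print(check_passphrase_policy("password", "IEEE"))
    print(check_passphrase_policy("Branch7-Teller!Lobby-2024x", "FI-Lobby"))
```

Because the SSID is the salt, a unique SSID also matters: a default or common SSID lets the key for a weak passphrase be precomputed once and reused.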
Firewalls and other protective devices installed at the workstation level. Risks to WiFi users can be mitigated by installing locally on the workstation the same or similar protections that the corporate network provides. For example, when providing customers a wireless “cafe” in the lobby area, the wireless access point should hang off the Demilitarized Zone (DMZ) port of the firewall so that the connection can be monitored and content filter rules can be applied to it. Placing this connection on the DMZ keeps customer access to the Internet separate from the financial institution’s internal network and does not require the institution to purchase a separate DSL line for the setup.
A wireless bridge can be implemented for an institution that is looking for a wireless setup between branches. The bridge can be locked down so that information can only pass between the wireless devices and data can be encrypted between the sites.
Also, some institutions are implementing WiFi access for remote users. A secure way to do this is with a VPN connection.
Wireless IPS/IDS – Monitoring wireless network activity with an intrusion prevention/detection system can allow proactive detection and blocking for most types of intruder attempts through a wireless access point.
To summarize, when planning future technology decisions that involve WiFi, take a comprehensive approach. Consider the risks and ensure proper planning to keep information secure and to satisfy examiner expectations. When in doubt, consult technology partners who understand the importance of combining technical and regulatory expertise for ultimate success.
For more detail regarding wireless regulatory guidance, reference FDIC FIL-8-2002. http://www.fdic.gov/news/news/financial/2002/fil0208.html