Network Encryption from CipherOptics
 
 

FFIEC Compliance

The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by their regulating bodies. The FFIEC issues standards for operating financial institutions, including for the use of information technology.

How does CipherOptics help?
CipherOptics CipherEngine enables Secure Information Sharing, which assures the confidentiality, authenticity, and integrity of data in motion on any network. Our approach to protecting both your network and your data is to deny access to everyone, permit by exception. With that as our driving force, our solutions provide you with both encryption and authentication of all your critical information.

We use 256-bit AES encryption, which is approved by the government for "sensitive but unclassified" information; our solutions authenticate networks and packets as well as protect data. They use the robust secure hash algorithm (SHA-1) to verify the integrity of the data, rejecting any packets that have been manipulated or altered.

FFIEC examination requirements also call for a key management system. The CipherOptics CipherEngine Policy & Key Manager offers a first-of-its-kind network overlay for the generation and distribution of policies and keys for encryption, authentication, and access control. CipherEngine Policy & Key Manager not only provides key management, it also offers the scalability needed for a comprehensive data protection solution that complies with FFIEC.

Network-wide data protection is an important part of best practices, both for keeping customer data confidential and for complying with FFIEC. CipherOptics Secure Information Sharing solutions offer a reliable and proven method of meeting FFIEC requirements for data confidentiality, integrity, and authentication.

What does CipherOptics do?
CipherOptics is the leader in network-wide encryption. Offering an innovative policy and key management solution, coupled with high-speed, low-latency encryption technology, CipherOptics helps its customers mitigate the risk of data leakage, loss, and theft over any network.

Who is affected by FFIEC?
Financial institutions that are regulated by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), or the Office of Thrift Supervision (OTS) are subject to the examination standards of the FFIEC.

What are the requirements of FFIEC?
The FFIEC's examination scope is comprehensive. The "Information Security" examination booklet contains a section on "Security Controls Implementation." In the subsection titled "Encryption," the FFIEC spells out the related examination requirements. Here are some of the salient points the FFIEC makes:
"Encryption is a key control in ensuring confidentiality, data integrity, and accountability."
"Financial institutions should employ an encryption strength sufficient to protect information from disclosure until such time as the information's disclosure poses no material threat."
"Generally speaking, authenticators are encrypted whether on public networks or on the financial institution's network. Sensitive information is also encrypted when passing over a public network and also may be encrypted within the institution."

The examination booklet also addresses key management: "Since security is primarily based on the encryption keys, effective key management is crucial." The FFIEC then goes on to specify what characterizes a secure key management system:
Key management is fully automated (e.g., personnel do not have the opportunity to expose a key or influence the key creation).
No key ever appears unencrypted.
Keys are randomly chosen from the entire key space, preferably by hardware.
Key-encrypting keys are separate from data keys. No data ever appears in clear text that was encrypted using a key-encrypting key. (A key-encrypting key is used to encrypt other keys, securing them from disclosure.)
All patterns in clear text are disguised before encrypting.
Keys with a long life are sparsely used. The more a key is used, the greater the opportunity for an attacker to discover the key.
Keys are changed frequently. The cost of changing keys rises linearly while the cost of attacking the keys rises exponentially. Therefore, all other factors being equal, changing keys increases the effective key length of an algorithm.
Keys that are transmitted are sent securely to well-authenticated parties.
Key-generating equipment is physically and logically secure from construction through receipt, installation, operation, and removal from service.

What are the penalties for FFIEC non-compliance?
The appropriate regulating body for each type of financial institution enforces its examination findings. For example, the FDIC issues enforcement actions and orders against state nonmember banks and insured branches of foreign banks.

How do financial institutions comply with FFIEC?
FFIEC compliance requires enterprises to deploy robust encryption solutions that protect information from disclosure, both on the financial institution's own network and on shared external networks. Financial institutions must ensure data confidentiality and integrity. The FFIEC also mandates an effective key management system that complements and enables the encryption technology.

Helpful Resources
Booklet on Information Security (part of FFIEC Bank IT Examination Handbook)
Section on Encryption (Booklet on Information Security)