Want to make sure your company is Federal Financial Institutions Examination Council (FFIEC) compliant? Then check out this guide to FFIEC data encryption standards, describing how you can ensure your organization complies with the FFIEC's encryption requirements.
Cybersecurity standards set the minimum requirements to protect your business systems and data. Complying with government and industry data security standards can cost a business millions – and the costs have been increasing in recent years. Concerns about technology and data security are also on the rise, which in turn has led to new rules and new regulations.
On average, the cost of compliance is still much lower than the cost of non-compliance. Ensuring your business is compliant with the standards established for your industry will save your business both money and trouble.
Understanding the Importance of Data Encryption
Before we dive into the specifics of the FFIEC's standards, let’s take a look at encryption itself. How does encryption work, and why is it important for a business?
Encryption predates the computer age. People throughout history have used ciphers to hide the contents of messages: unless you know the cipher and its secret, you can't read the message.
The same principle applies to electronic data. If you're sending data from one place to another, you want to be sure no one else can read it along the way. You do that by encrypting it with an algorithm and a secret key.
The algorithm transforms the data into ciphertext, which is unreadable without the key; the recipient, who holds the matching key, decrypts it back into the original data. With symmetric encryption both sides share one secret key. With public-key encryption the sender encrypts with the recipient's public key and only the recipient's private key can decrypt, so the secret never has to be copied to the other side.
Why You Need Encryption
The transfer of data between machines happens on a daily basis. When you access the Internet, your device and a website’s servers share information.
If data passes between devices unencrypted, anyone on the path (on the same Wi-Fi network, at an ISP, or on a compromised router) can intercept and read it, exposing important or sensitive information and hurting your company's reputation.
Think about shopping online. You enter the information for your credit card into the seller’s form. You then hit send, and the information must travel to another machine to complete the sale. If the data is unencrypted, someone could steal it. If encryption is used, this is much more difficult to do.
In your business, you probably store information in a database. If that stored data isn't encrypted, someone (internal or external to your organization) who gets hold of the disks, the backups, or the database files could read critical data directly. Note that encryption at rest does not stop an attacker who has compromised the application or a privileged database account, since that path decrypts the data as part of normal operation; this is why encryption and access control go together.
Both examples highlight the importance of encryption in transit between devices as well as encryption at rest on stored data. Both are essential, as one without the other leaves data exposed.
The FFIEC Data Encryption Standard
In 2005, the FFIEC issued standards for increasing cybersecurity at financial institutions. The FFIEC recognized the importance of protecting banking clients' data from security threats.
These standards include requirements for multi-factor authentication and for data encryption, offering stronger protection than had been recommended before. Generally, the standards leave it to the organization to decide what to encrypt. You may encrypt certain kinds of data because other laws require it, or based on your own risk assessments.
The FFIEC rules, like every security best-practice standard, say that stored passwords must be salted and hashed rather than stored in the clear or merely encrypted. A password hash is a one-way function: there is no key that turns the hash back into the password, so an attacker who steals the password table has to guess each password and run the guess through the same deliberately slow hash, and a unique salt per user means each guess tests only one account. Encryption keys, by contrast, must be kept so that data can be decrypted later, and that is why organizations also need proper key management.
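As an added example (not code from the original page), here is what "salt and hash" looks like in Python using only the standard library's PBKDF2-HMAC-SHA256. The record format, the iteration count and the sample password are choices made for this example; in production a memory-hard function such as Argon2id or scrypt is preferable, and the same pattern (random salt, slow hash, constant-time comparison, parameters stored with the record) applies unchanged.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor: OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
# Raise this over time; the record format below carries the count, so old records stay verifiable.
ITERATIONS = 600_000
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str, *, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (salt and hash base64-encoded)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh, unpredictable salt for every password stored
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES)
    return "$".join([
        "pbkdf2-sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        count = int(iterations)
    except ValueError:
        return False                    # malformed record (base64 errors are ValueErrors too)
    if algorithm != "pbkdf2-sha256":
        return False                    # unknown or retired algorithm: refuse rather than guess
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, count, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)   # no early exit that leaks how many bytes matched


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than current policy (rehash at next login)."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")    # constructed sample password
    print(stored)
    print(verify_password("correct horse battery staple", stored))   # True
    print(verify_password("Correct horse battery staple", stored))   # False
    # Same password for a second user: a different salt makes the records look nothing alike
    print(hash_password("correct horse battery staple") == stored)   # False
```

Because the iteration count travels with the record, you can raise the work factor later and transparently rehash each user's password the next time they log in successfully, which is how a hashing policy is upgraded without a password reset.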
The FFIEC outlines some standards for effective key management, including:
- Creating protocols for generating and obtaining public keys
- Using different keys for different applications and systems
- Creating rules for the distribution of keys to authorized users
- Introducing protocols to manage the changing or updating of keys
Their recommendations also include developing procedures for dealing with compromised keys: stop encrypting with the key immediately, re-encrypt the data it protects under a fresh key, and then retire it. You should also log all key-management activity (generation, distribution, rotation, revocation and use) so that it can be audited.
You'll also need to test your key-management controls regularly for weaknesses, including the systems that store the keys.
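The following is an added example, not FFIEC text and not the page's own code: a hypothetical in-memory key manager, written in Python with the `cryptography` package's AES-GCM, that ties together the earlier point that data is unreadable without the right key and the key-management practices just listed. It uses a dedicated key per application, stores a key identifier with each ciphertext so records can be found and rotated later, rotates keys without losing access to old records, implements a compromised-key procedure, and keeps an audit log. The class and method names, the blob layout and the sample card number are assumptions made for the example; a real deployment would hold the key material in a KMS or HSM rather than in process memory.

```python
import os
import secrets
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KEY_ID_BYTES = 8     # identifier stored with each ciphertext so the right key can be found later
NONCE_BYTES = 12     # standard AES-GCM nonce size; must never repeat under the same key


@dataclass
class ManagedKey:
    key_id: bytes
    application: str        # each key is dedicated to one application or system
    material: bytes         # 256-bit AES key (assumption: generated here; production uses a KMS/HSM)
    status: str = "active"  # active -> retired (rotation) or compromised (incident)


class KeyManager:
    """Hypothetical in-memory key manager illustrating the practices listed above."""

    def __init__(self):
        self._keys = {}          # key_id -> ManagedKey
        self._current = {}       # application -> key_id used for new encryptions
        self.audit_log = []      # every key-management action is recorded here

    def _log(self, event, **details):
        self.audit_log.append({"event": event, **details})

    def generate_key(self, application):
        key_id = secrets.token_bytes(KEY_ID_BYTES)
        self._keys[key_id] = ManagedKey(key_id, application, AESGCM.generate_key(bit_length=256))
        self._current[application] = key_id
        self._log("generate", application=application, key_id=key_id.hex())
        return key_id

    def rotate(self, application):
        """Retire the current key: it may still decrypt old records but encrypts nothing new."""
        old_id = self._current[application]
        self._keys[old_id].status = "retired"
        new_id = self.generate_key(application)
        self._log("rotate", application=application, old=old_id.hex(), new=new_id.hex())
        return new_id

    def mark_compromised(self, key_id):
        """Incident procedure: stop all use of the key except migrating data away from it."""
        key = self._keys[key_id]
        if self._current.get(key.application) == key_id:
            self.rotate(key.application)          # never encrypt anything new under it
        key.status = "compromised"
        self._log("compromised", application=key.application, key_id=key_id.hex())

    def encrypt(self, application, plaintext, aad=b""):
        key = self._keys[self._current[application]]
        nonce = os.urandom(NONCE_BYTES)
        ciphertext = AESGCM(key.material).encrypt(nonce, plaintext, aad)
        self._log("encrypt", application=application, key_id=key.key_id.hex())
        return key.key_id + nonce + ciphertext     # self-describing blob: which key, which nonce

    def decrypt(self, application, blob, aad=b"", *, migrating=False):
        key_id = blob[:KEY_ID_BYTES]
        nonce = blob[KEY_ID_BYTES:KEY_ID_BYTES + NONCE_BYTES]
        ciphertext = blob[KEY_ID_BYTES + NONCE_BYTES:]
        key = self._keys.get(key_id)
        if key is None or key.application != application:
            self._log("decrypt_denied", application=application, key_id=key_id.hex(), reason="wrong application")
            raise PermissionError("no usable key for this application")
        if key.status == "compromised" and not migrating:
            self._log("decrypt_denied", application=application, key_id=key_id.hex(), reason="key compromised")
            raise PermissionError("key has been revoked")
        # AES-GCM checks its authentication tag: a wrong key, a different AAD (the record the data is
        # bound to), or any modification of the ciphertext raises InvalidTag instead of returning garbage.
        plaintext = AESGCM(key.material).decrypt(nonce, ciphertext, aad)
        self._log("decrypt", application=application, key_id=key_id.hex())
        return plaintext

    def reencrypt(self, application, blob, aad=b""):
        """Move a record from a retired or compromised key onto the current key."""
        plaintext = self.decrypt(application, blob, aad, migrating=True)
        return self.encrypt(application, plaintext, aad)


def try_decrypt(km, application, blob, aad=b""):
    """Classify the outcome so each failure mode is visible in the demo below."""
    try:
        km.decrypt(application, blob, aad)
        return "ok"
    except PermissionError:
        return "denied"
    except InvalidTag:
        return "rejected"


if __name__ == "__main__":
    km = KeyManager()
    k1 = km.generate_key("payments")
    km.generate_key("hr")                       # a separate system gets its own key
    record = km.encrypt("payments", b"4111 1111 1111 1111", aad=b"customer:42")   # constructed sample
    print(try_decrypt(km, "payments", record, b"customer:42"))                   # ok
    print(try_decrypt(km, "hr", record, b"customer:42"))                         # denied
    print(try_decrypt(km, "payments", record, b"customer:43"))                   # rejected
    print(try_decrypt(km, "payments", record[:-1] + bytes([record[-1] ^ 1]), b"customer:42"))  # rejected
    km.rotate("payments")
    record = km.reencrypt("payments", record, b"customer:42")                    # now under the new key
    km.mark_compromised(k1)
    for entry in km.audit_log:
        print(entry)
```

The blob written to the database (for example into an encrypted column, which is the application-level encryption discussed below) is key id, nonce and ciphertext; the key itself never leaves the manager. Rotation therefore does not require a flag day: new records use the new key, old records remain readable, and a background job can call `reencrypt` on them at its own pace.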
What Data to Encrypt
Banks and other financial institutions collect sensitive information about their clients, and several regulations, especially in the U.S., dictate which types of that data must be protected.
The Gramm-Leach-Bliley Act requires protection of a client's non-public personal information (NPI). Personally identifiable information (PII) is also protected under various U.S. laws.
The FFIEC leaves it up to firms in the financial industry to decide exactly what they need to encrypt. You’ll want to perform a risk assessment to determine what types of data you’ll protect with encryption. Generally, the higher the risk associated with the data, the more you want to do to protect it. As noted, regardless of your decisions, you’ll need to take steps to protect PII, NPI, and other forms of data.
Broadly speaking, you should be thinking about encryption at both the database and application level. Almost all databases these days come with built-in encryption (often called transparent data encryption). Using it keeps encryption optimized for database performance, integrates it with the database's own access controls, and simplifies key management; its limit is that the database decrypts the data for any authenticated user or administrator, so it protects against stolen disks and backups rather than against misuse of a database account. Application-level encryption is when you encrypt data before it is written to the database and the database never sees the key. It protects data even from database administrators and is very secure when combined with granular user-access controls over who can decrypt (and therefore read) it, at the cost that encrypted fields can no longer be searched, sorted or indexed by the database.
You'll also need to decide how long encrypted data and the keys that protect it must be retained, among other factors.
Selecting an Encryption Algorithm
There are many different algorithms you can use to encrypt your data. The FFIEC standards say you should use different keys for different applications and systems; that is a key-management requirement, not a reason to mix algorithms. Pick one modern, well-reviewed algorithm and use it everywhere with separate keys.
Some algorithms are better than others. What’s the best encryption algorithm to use?
One of the oldest is the Data Encryption Standard, or DES, developed in the 1970s and adopted by the U.S. government. Its key is only 56 bits long, which has been within reach of brute-force search since the late 1990s, and it has been withdrawn as a standard. It should not be used for any data, however low its sensitivity.
Triple DES (3DES) extended DES's life by applying it three times, but it is slow, limited to 64-bit blocks, and deprecated by NIST. The Advanced Encryption Standard, or AES, is the current standard choice and is the algorithm to use for new systems, typically in an authenticated mode such as GCM. There are others, too, and you may want to research what's available.
AES supports longer keys (128, 192 or 256 bits) and runs the data through more rounds (10, 12 or 14) than DES. Together with its larger 128-bit block size this makes it infeasible for anyone without the key to break.
When you're selecting an encryption algorithm, you should consider how you'll use it. Stronger settings generally cost more computing power, although with the AES hardware acceleration built into modern processors the difference between AES-128 and AES-256 is small and rarely the bottleneck; the larger operational cost of encryption is usually that encrypted data can no longer be queried or indexed directly.
You'll need to find a balance between strength and operational efficiency.
Are You Compliant?
The FFIEC data encryption standard is part of a larger set of rules designed to protect your organization and your clients. Encryption – while very important – is only one small part of a total cybersecurity solution.
Is your organization compliant with the FFIEC's other cybersecurity standards? If you're unsure, perhaps it's time for an assessment. The FFIEC Cybersecurity Assessment Tool used by credit unions and other institutions measures maturity across five domains: Cyber Risk Management and Oversight; Threat Intelligence and Collaboration; Cybersecurity Controls; External Dependency Management; and Cyber Incident Management and Resilience. "Innovative" is the highest of its maturity levels.
Cygilant's Security-as-a-Service affordably elevates financial institutions to "innovative," in four out of five FFIEC domains. Get in touch today, and we’ll help you take steps toward achieving compliance with FFIEC mandates.