*** January/February Project Update ***

Since our last update, we have launched two new projects (Business Continuity Compliance and Status Reporting, Image Quality and Usability Assurance Phase II), completed one project (Counter-Phishing Phase I), and have added two new projects to our pipeline (Better Mutual Authentication, Resiliency Maturity Model) in addition to Interoperable Verification of Check Security Features. [As a reminder, projects show up in this update only after they have a high probability of launching. We have a number of initiatives in earlier stages of development.]

Our Standing Committees (SCOMs) and Special Interest Groups (SIGs) continue to provide a forum for discussion that results in networking, knowledge sharing, and action in the form of projects and workshops. If you are not yet active in one or more committees, please contact me or the committee's Managing Executive. SCOMs and SIGs are still open to non-members; however, projects are members-only.

FSTC provides an action-oriented, collaborative forum for our members to address shared business opportunities and challenges through technology projects and knowledge-sharing. We view our projects as our core activity, and one of the key benefits of FSTC membership is eligibility to participate in these projects. In our efforts to keep our members and friends up-to-date on the latest developments in these active and developing initiatives, we provide our colleagues this periodic project update.

As always, please contact me or Zach Tumin, FSTC Executive Director, for more information. Or visit our website at http://fstc.org.

Active Projects:

1. Counter-Phishing Phase I (completed Dec 2004)
2. e-Authentication: Business and Technology Proof-of-Concept (launched Oct 2004)
3. Business Continuity: Compliance and Status Reporting (launched Nov 2004)
4. Image Quality and Usability Assurance Phase II (launched Nov 2004)

Projects in Formation (soliciting commitments):

[coming soon]

Projects in Development:

1. Interoperable Verification of Check Security Features
2. Resilience Maturity Model (RMM): Phase I
3. Better Mutual Authentication: Phase I

______________

ACTIVE PROJECTS:

1. Counter-Phishing Phase I (completed Dec 2004)
http://fstc.org/projects/counter-phishing-phase-1/

FSTC has completed a first-phase initiative to address the problem of phishing and related threats in financial services, as it affects the relationship between customer and firm. In collaboration with other industry groups, the project team developed a suite of documents and tools that allowed institutions to understand the comprehensive nature of the problem, and understand the available solution options available to the industry. The project developed a detailed model of the problem, a cost/impact model, the solution space, and a survey of over 60 solution providers. In addition, the project developed a next-phase proposal draft for coordinated industry action to enable Better Mutual Authentication (described below).

12 financial institutions and over 15 technology companies participated in the initiative, and recently published the project's core findings and recommendations to the public. These documents are available from the FSTC web site (link above). A core group is currently developing a next-phase initiative in Better Mutual Authentication, which is described below, and other areas.

This project originated from the Security SCOM: co-chaired by Mike McCormick of Wells Fargo, and Mike Versace of NEC. (http://fstc.org/advisory/security.cfm)

______________

2. FSTC/GSA e-Authentication: Business and Technology Proof-of-Concept (launched Oct 2004, to complete in late March)
http://fstc.org/projects/new.cfm#eauth

This 5-month project is assessing the viability of the potential business opportunity that exists for financial institutions to leverage their online customer relationships and provide a federated identity-driven authentication service to government agencies, and to integrate these services into financial institutions' online applications. FSTC, jointly with the GSA's E-Authentication Initiative Project Management Office (EAI PMO), have launched a three-track project to ascertain the business model, legal framework, and technical viability of using institutions' identity credentials to permit consumers and businesses to access secure online government applications through federation.

There are 7 financial institutions and 10 technology companies and other organizations participating in the project. An in-person meeting is currently scheduled for mid-March in Atlanta, hosted by Bank of America. The project should complete in late March.

______________

3. Business Continuity: Compliance and Status Reporting (launched Dec 2004)
http://fstc.org/projects/new.cfm#compliance

The FSTC Business Continuity Standing Committee has launched an initiative to assist the financial industry in coming to a common understanding on the meaning of continuity regulation, prioritization of compliance related activities, and creating efficiencies in documenting regulatory compliance status.

To establish a clear understanding of the regulatory environment, a list of continuity related guidance will be pulled together along with the name of the agency responsible. Each regulation will be reviewed and a clearly worded summary of the continuity requirements will be developed. Where possible the regulatory agencies will be contacted for clarification on specific points. Common themes and requirements will be documented and prioritized. The project will focus on providing straightforward interpretations of what is needed for an FI to comply with current regulations.

This project is sponsored by the Business Continuity SCOM, co-chaired by Tom Hirsch of US Bank, and Damian Walch of IBM. Please contact FSTC Managing Executive Charles Wallen for more information (charles.wallen@fstc.org). (http://fstc.org/advisory/business_continuity/)

______________

4. Image Quality and Usability Assurance: Phase II (launched Nov 2004)
http://fstc.org/projects/new.cfm#iqa2

In Phase I, more than 20 companies, representing 2/3 of US check volume, most major vendors, and key industry associations, undertook a 90-day effort to assess the impact of poor quality check images, and defined 16 technical metrics and 4 usability levels that can be used to measure image quality and usability in a standard and interoperable way.

The findings of the Phase I project team justified further development, to test these metrics in a real-world scenario, on millions of images, to determine the quantitative thresholds for the 16 metrics that will define a minimum baseline "standard" for acceptable quality images for the industry. The business objectives are to maximize efficiencies, cost savings, and ensure strong adoption of image exchange.

The project will undertake a robust, "real-world" analysis and test to provide actionable specifications and direction to the industry to allow financial institutions, technology vendors, standards organizations, and other key partners to collectively implement baseline image quality and usability through industry collaboration under the FSTC umbrella.

This project originates from the Check Truncation SIG (http://fstc.org/advisory/check-truncation.cfm), co-chaired by James Burroughs, Wells Fargo; Glen Ulrich, US Bank; and Ian Goodall, NCR. 7 financial institutions and 18 vendors and industry organizations are participating.

______________

PROJECTS IN DEVELOPMENT:

1. Interoperable Verification of Check Security Features (IV-CSF)

As a follow-on to the recently completed Survivability of Check Security Features project (http://fstc.org/projects/csf/), this initiative will seek to develop the business and technology foundation to enable interoperable verification of check security features. As a growing number of banks offer their customers security features targeted at surviving the imaging process, interoperability becomes an important enabler.

The objective of this initiative, through interoperability, is to mitigate fraud risk for all stakeholders (banks, customers, merchants, etc.) by shortening the time between a check being presented, and the check verification process, and to enable any receiver of a check to verify it as close to the point of presentment as possible.

This project originates from the Check Truncation SIG (http://fstc.org/advisory/check-truncation.cfm). A whiteboard session was held January 26-27 in Tempe, AZ, hosted by Bank of America and co-hosted by JPMorgan Chase. A full draft proposal will be published to the Check Truncation SIG in the coming week to ten days, reflecting the refined objectives and deliverables that were developed in Tempe. Potential project launch is in the March/April timeframe.

______________

2. Resilience Maturity Model (RMM): Phase I

A group of FSTC member institutions and vendors met at the FSTC Technology Recovery Roundtable, hosted by US Bank on October 6th in St. Paul. At the meeting, the group defined a potential project that would develop metrics to evaluate an institution's resilience, much like the Carnegie Mellon CMM model in software development. Resilience in this context is an institution's overall business continuity, disaster recovery, and crisis management program. The business objective of the project would be to allow financial institutions to "rate" themselves and their key business partners against industry-vetted definitions and metrics, and justify investment (or not) where needed to achieve the desired level of resilience.

The group met again in New York on January 13th, hosted by JPMorgan Chase, and further refined the concept with 7 of the top 10 institutions in the US represented. A proposal is currently being finalized, and will be published in the next 7-10 days to the general public. More than 8 firms have already committed to participate. If you are interested, please contact Charles Wallen, Business Continuity SCOM Managing Executive, at charles.wallen@fstc.org.

______________

3. Better Mutual Authentication: Phase I

As a next-phase concept coming out of the Counter-Phishing: Phase I project, the initiative will focus on establishing a blueprint for the financial industry to establish better mutual authentication between customers and financial institutions. The three components of better mutual authentication include: customer to institution, institution to customer, and email communications from the institution to customer.

The objective is to create a framework that supports individual institutions' efforts, while defining a "blueprint" of requirements to ensure a level of consistency in customer experience (if affected), leveraging customer education efforts, and establishing interoperability wherever possible and prudent.

An in-person, large-institution-only meeting is currently being scheduled for mid-late-March to create the charter, objectives, and deliverables for such an initiative. More information will be available in the coming weeks under the auspices of the Security Standing Committee.

## ----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription manager: <http://ls.fstc.org/subscriber>

--- end forwarded text

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
participants (1)
-
Jim Salters