In response to the increased risk and evolution of the threats surrounding the FedLine platforms, the Federal Reserve has announced a new program, the FedLine Solutions Security and Resiliency Assurance Program.
The program requires financial institutions that use FedLine products to review and attest that they are in alignment with the Federal Reserve Banks’ standards and security controls prior to December 31, 2021. This applies to financial institutions that use any of the FedLine Solutions, and the assurance program mandates an independent attestation of the effectiveness of the controls.
This is very different from a typical wire transfer system review, though. While the standards do include a handful of items that pertain to user access, most of the controls here pertain to the workstation and network security controls where FedLine is installed. This means that whoever conducts the review needs to understand the institution’s technical security controls, including antivirus software, patch management, firewall configuration and IP address settings.
Who can perform this review?
Before you start planning for your IT department to complete the review (since they are likely the only individuals in the organization who understand those control elements), know that your IT department cannot provide an independent attestation that those controls are implemented correctly, since they are the team responsible for setting up those controls in the first place.
This is where we can help; Wipfli can be that independent attestor for you. If we already perform your IT audit/IT controls review, and FedLine is part of our scope, then we can add on an attestation piece. If we do not perform your IT audit, or if FedLine is not in scope, then we can perform a limited review to test those controls and provide that attestation. We offer three options:
- If you have resources within the organization that can gather the information necessary to complete the review, Wipfli can review your completed matrix and provide the independent attestation.
- If you think you have the skills needed to find the answers but need some help getting pointed in the right direction, Wipfli can meet with you to provide detailed instructions to assemble the information. Once the information has been compiled, Wipfli will review it for completeness and accuracy and will provide the independent attestation.
- If you do not feel confident that you have internal resources capable of completing the matrix, Wipfli can gather all the information, complete the matrix and provide the independent attestation.
We recommend engaging with an independent organization such as Wipfli now and reviewing your controls before the rush at the end of the year. Please contact your Wipfli relationship executive or contact us here to get your review scheduled.