Banking and Finance Sector-Specific Plan - U.S. Department of ...
1. Common operating picture architecture;
2. Next-generation Internet with built-in security; and
3. Resilient, self-diagnosing, self-healing systems.

These goals will be achieved in the financial services industry only in conjunction with commensurate advances in CI/KR technology. These advances will be achieved only if steady focus is maintained on the financial industry R&D challenges.
4. Research Guidance

This guidance explains why R&D in the FSSCC research challenge is a good and proper area of focus for R&D in the area corresponding to the lettered column of the NIPP columns (A-M) of the matrix. For example, paragraph B in section 4.1 below is meant to be understood as:

Secure Financial Transaction Protocol (SFTP) R&D is a good and proper area of focus for R&D in the area of protection and prevention systems because protection and prevention systems are needed to protect against abuses of batch and real-time transaction processing capabilities and to prevent certain fraudulent transactions from being processed.

This guidance also explains why the FSSCC R&D Committee has proposed four categories of R&D plans and programs that are not addressed specifically in the NIPP. It describes why R&D focused on FSSCC research challenges will need to concentrate some effort on the more general R&D theme identified (in columns N-Q of the matrix). For example, paragraph Q in section 4.1 below is to be understood as:

R&D focused on SFTP requires as a prerequisite some focus on the "Economics of InfoSec" because the widespread acceptance of the results of SFTP research will rely on the development of an economic model for secure communications types. This is because the costs to implement and maintain SFTP must not present an unacceptable burden to smaller merchants or local banks that may operate with limited technical expertise and lower budgets.

The format of each guidance paragraph is abbreviated because it is not intended to reproduce either the NIPP or FSSCC research challenge document, but rather is intended to enable an academic researcher, a DHS reviewer, or other interested reader to determine quickly the applicability of the FSSCC research challenge to a larger NIPP or other research area field of study.
4.1 Secure Financial Transaction Protocol (SFTP)

B  Protection and prevention systems are needed to protect against abuses of batch and real-time transaction processing capabilities and to prevent impersonation-enabled fraudulent transactions from being processed.

H  Advanced infrastructure architectures are required to assure that availability and resiliency demands for SFTP are met. This includes non-stop processing and intelligent distributed systems designs to achieve agreed-upon service levels.

J  Compatibility of communications systems with interoperability standards is a must for any SFTP to assure that, regardless of the sender's computing resources, transactions can be interpreted and processed successfully.

K  SFTP requires that mutual authentication of parties is established prior to transaction processing. Both automated and human-interactive operations are in scope.

L  SFTP, as well as any other secure protocols that accomplish NIPP R&D programs, should utilize and thus benefit from rigorous acceptance methodology, including submittal to the ANSI X9 Committee for ratification and eventual certification by the International Organization for Standardization (ISO) for Finance and Banking Standards.

Appendix: FSSCC Research and Development Agenda