Committee to Establish the
National Institute of Finance
Providing the data and analytic tools needed to safeguard the U.S. financial system
What measures will be used to minimize the risk of access by hackers?  E-mail

The NIF's Federal Financial Data Center (FFDC) will include preventive hardware and software controls that will minimize the risk of intrusion and damage by hackers (e.g., software and hardware firewalls, role based access controls, intrusion detection systems). Operating the FFDC under best practices, engaging in periodic risk assessments and continuous penetration testing will routinely assess the NIF's processing environment to determine if control upgrades are needed. Incident response controls would identify possible intrusions and quickly initiate automated and manual procedures to prevent or minimize exposure of data and resources.

How would security be designed and managed to ensure: (1) the adequacy of the initial security and (2) the maintenance of security at a high level through the life of the NIF program?  E-mail

The design, assessment, mitigation and risk control processes of the security systems would be in compliance with both the Federal Information Security Management Act (FISMA) and with the guidelines provided by the National Institute of Standards and Technologies. These standards and guidelines are designed to ensure the creation and maintenance of secure systems for the most sensitive U.S. government data. The system would not be implemented without the successful completion of a comprehensive security test and evaluation (ST&E) that determines the adequacy of the designed controls. The system's security would be assessed annually through FISMA-required self-assessment, and every three years through the more rigorous ST&E process.

How will the NIF be made secure?  E-mail

Considering the sensitivity of the data and the program’s high profile, security will be a high priority. Securing the NIF will require the successful completion of: (1) an independent risk assessment that includes vulnerability testing to evaluate the application’s safeguards against hackers, and (2) an independent security audit prior to implementation that evaluates and tests manual and automated controls within critical control areas that include, but not limited to: access, authentication, accountability, data integrity, and communication.

Can the NIF be made secure?  E-mail

Establishing the NIF as a secure institution is entirely feasible. The anticipated level of risk and associated security requirements are comparable with the security requirements for existing financial entities and secure government facilities and are well within current practices.

Can data security be maintained?  E-mail

Yes. The U.S. Federal Government has a long-standing and excellent track record in maintaining the security of sensitive financial, military, intelligence and census data. The NIF will adhere to the same data security standards.