Critical Security And Compliance Issues In Internet Banking
Presented by Thomas A. Donofrio, Director of Technology Audit and Consulting Services.
1. Critical Security and Compliance Issues in Internet Banking
   Presented by: Thomas A. Donofrio, Director of Technology Audit and Consulting Services

2. Regulatory Guidelines and Suggested Practices - Electronic Banking Environment
   FFIEC, OCC, FRB, FDIC and OTS have issued joint and separate guidance such as:
   - Bulletin 98-38 - Technology Risk Management, August 1998
   - Bulletin 2000-14 - Infrastructure Threats - Intrusion Risks, May 2000
   - Authentication in an E-Banking Environment (FFIEC), July 2001
   - Section 501(b) of GLBA - Customer Information Security Guidelines, July 2001
3. Regulatory Guidelines and Suggested Practices - Electronic Banking Environment
   A "living" risk-based management plan and enterprise-wide security program.
   - Board of Directors and management responsibilities and actions speak volumes.
   - Don't wait for regulatory exam guidance or criticisms before taking action.
   - Your formalized e-banking risk focus must consider:
     1. Strategic and business risks
        - Customer perception and acceptance
        - Reliance on, and stability of, third-party partners

4. Regulatory Guidelines and Suggested Practices - Electronic Banking Environment (continued)
     2. Operational and transaction risks
        - Access controls for bank staff
        - Access controls for online banking customers (profiles)
        - Reliability of customer authentication
        - Physical and virtual security
     3. Reputation risks
        - Confidentiality expectations
        - Customer access capabilities promised versus actual availability
     4. Compliance risks
5. Regulatory Guidelines and Suggested Practices - Electronic Banking Environment
   Outsourcing information technology services and operations:
   - Due diligence in selection of the vendor
   - Risk assessment of the application and services is critical
   - Ongoing evidence of vendor oversight

6. Regulatory Guidelines and Suggested Practices - Electronic Banking Environment
   Compliance issues:
   - GLBA requires that you ensure security and confidentiality
   - Weblinking possibilities
   - Fair Lending and strategically targeted lending efforts
   - Proof of delivery of electronic disclosures
   - Aggregation services and liability
7. Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
   Enterprise-wide technology universe
   - Assign criticality ratings across the universe (mission critical; important but less than critical; marginal criticality), dependent upon:
     - Customer and product database implications
     - Delivery channel and replacement alternatives
     - Service and product expectations of customers
   - Security and control ratings
     - Inherent risk assessed factor (high, moderate or low)

8. Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
   Three essential elements for planned new technologies:
   - A business case to support the technology
   - Detailed implementation action plans
   - Risk and security policies developed
9. Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
   Risk assessment document:
   - Definition of the technology organization
   - Short- and long-term technology planning
   - Adequacy of management oversight
   - Compliance with regulatory and legal requirements
   - Management of service levels, system performance and capacity (internal or outsourced)

10. Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
    Risk assessment document that addresses evidence of:
    - Comprehensive management (due diligence) of third-party services
    - Continuous service quality
    - Logical security controls for core systems, networks and online capabilities
    - User authentication and password controls in place
    - Data access controls and firewall administration
    - Virus detection and prevention

11. Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
    Privacy and Information Security Policy
    - Objectives:
      - Assurance of security and confidentiality
      - Protection against anticipated threats or hazards
      - Protection against unauthorized access or use
    - Responsibility for the oversight of the information security measures of service providers
12. Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
    Privacy and Information Security Policy - suggested additional guidelines (in addition to those already addressed prior to GLBA)
    A security program to comply with GLBA should consider:
    1. Identification of reputation impact
    2. Encryption of electronic customer information

13. Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
    Privacy and Information Security Policy - suggested additional guidelines (in addition to those already addressed prior to GLBA)
    Development or enhancement of a security program to comply with GLBA should consider:
    3. System monitoring reports that deal with:
       - external access attempts
       - attempted attacks
       - probes of your customer information systems
    4. Customer complaints of lost information or corrupt data
    5. A program for ongoing training and training responsibilities
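The monitoring reports in item 3 are the one place in this deck that maps directly onto something an engineer builds. The following is an added example, not part of the presentation: a small report generator that reads syslog-style lines (the sample lines, the internal address ranges, the sshd and firewall message formats, and the thresholds are all constructed assumptions for the example) and separates the three categories the slide names: external access attempts (any event from a source outside the bank's own address space), attempted attacks (repeated failed logins from one source) and probes (one source touching many distinct ports).

```python
"""Monitoring report over constructed log lines: external access attempts,
repeated failed logins (attempted attacks) and port probes.

Added example; the log format, address ranges and thresholds are
assumptions, not anything specified by the presentation.
"""
import ipaddress
import re
from collections import defaultdict

# The bank's internal address space is an assumption for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample lines in a syslog-like shape (not real data).
SAMPLE_LOG = """\
Mar 03 01:02:11 ebank1 sshd[4121]: Failed password for admin from 203.0.113.9 port 51022 ssh2
Mar 03 01:02:13 ebank1 sshd[4121]: Failed password for admin from 203.0.113.9 port 51023 ssh2
Mar 03 01:02:15 ebank1 sshd[4121]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar 03 01:02:17 ebank1 sshd[4121]: Failed password for oracle from 203.0.113.9 port 51025 ssh2
Mar 03 01:02:19 ebank1 sshd[4121]: Failed password for admin from 203.0.113.9 port 51026 ssh2
Mar 03 01:05:00 ebank1 sshd[4130]: Accepted publickey for ops from 10.1.2.3 port 40100 ssh2
Mar 03 01:05:40 ebank1 sshd[4133]: Failed password for ops from 10.1.2.3 port 40101 ssh2
Mar 03 01:07:01 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=10.1.1.10 PROTO=TCP DPT=21
Mar 03 01:07:01 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=10.1.1.10 PROTO=TCP DPT=23
Mar 03 01:07:02 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=10.1.1.10 PROTO=TCP DPT=5631
Mar 03 01:07:02 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=10.1.1.10 PROTO=TCP DPT=1433
Mar 03 01:07:03 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=10.1.1.10 PROTO=TCP DPT=3389
Mar 03 01:09:00 fw1 kernel: DENY IN=eth0 SRC=192.168.5.5 DST=10.1.1.10 PROTO=TCP DPT=445
"""

# sshd login outcome: "Failed password for admin from 203.0.113.9 port ..."
SSH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port")
# Firewall deny with source address and destination port (assumed format).
FW_RE = re.compile(r"DENY .*SRC=(\S+) DST=\S+ PROTO=\S+ DPT=(\d+)")


def is_external(ip: str) -> bool:
    """True when the address is outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_report(log_text: str, fail_threshold: int = 4,
                 probe_threshold: int = 4) -> dict:
    """Return counts and flagged sources for the three report categories.

    fail_threshold:  failed logins from one source before it is an attack
    probe_threshold: distinct denied ports from one source before it is a probe
    """
    failed = defaultdict(int)           # source -> failed login count
    external_access = defaultdict(int)  # external source -> any event count
    probed_ports = defaultdict(set)     # source -> distinct denied ports

    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            outcome, _user, src = m.groups()
            if is_external(src):
                external_access[src] += 1
            if outcome == "Failed":
                failed[src] += 1
            continue
        m = FW_RE.search(line)
        if m:
            src, port = m.group(1), int(m.group(2))
            if is_external(src):
                external_access[src] += 1
            probed_ports[src].add(port)

    return {
        "external_access_attempts": dict(external_access),
        "attempted_attacks": sorted(s for s, n in failed.items() if n >= fail_threshold),
        "probes": sorted(s for s, p in probed_ports.items() if len(p) >= probe_threshold),
    }


if __name__ == "__main__":
    for key, value in build_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the sample, the internal host that failed a single login is counted as neither an attack nor an external attempt, while the address that swept five ports is reported as a probe even though every packet was denied; a report that only listed successful connections would miss exactly the activity item 3 asks for.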
14. Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
    Privacy and Information Security Policy - suggested additional guidelines (in addition to those already addressed prior to GLBA)
    Development of a security program to comply with GLBA should consider:
    6. Comprehensive audit and test requirements
    7. Performance of periodic key control testing and system vulnerability assessments, completed by
       - qualified third parties, or
       - staff that are independent
    8. Effective February 28, 2001, contracts with third-party service providers must contain appropriate language

15. Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
    Responsibility for services provided by third-party vendors
    - Specific documentation regarding:
      - customer data security efforts
      - system monitoring
      - intrusion testing
      - performance escalation guidelines
      - system performance expectations
      - bank and vendor responsibilities
    - SAS 70 reports, security white papers, and third-party penetration and intrusion test reports
16. Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
    Authentication of e-customers
    New e-customer verification, if not face to face, requires:
    - Positive verification
    - Logical verification with the customer of general information
    - Use of digital certificates

17. Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
    Authentication of e-customers
    Existing e-customer/transaction validation and security:
    - Transaction encryption
    - E-correspondence security
    - Personal passwords and PINs
    - Digital certificates using Public Key Infrastructure
    - Tokens (smart cards)
    - Biometrics (voice, fingerprints, signature)
18. Network and Web-based Security and System Monitoring
    Network and web site security maintenance:
    - The ability to identify new system vulnerabilities
    - Installing software patches and upgrades
    - Ongoing monitoring
    - Updating vulnerability scanning and intrusion detection tools
    - Conducting penetration and intrusion testing

19. Network and Web-based Security and System Monitoring
    Other control initiatives include:
    - employee and vendor background checks
    - firewalls
    - secured communication (VPNs, T-1s, etc.)
    - real-time intrusion detection
    - modem sweeping
    - data encryption
    - customer authentication options
    - vendor management
20. Penetration/Intrusion Testing
    Tests electronic environments:
    - Internet access (incoming and outgoing)
    - Intranet
    - Dial-up access
    Zero-knowledge attacks versus full-knowledge attacks:
    - Tester starts with no knowledge of the systems, versus tester given an extensive understanding of the systems and security infrastructure in place
    - Outside attacker versus inside attacker

21. Penetration/Intrusion Testing
    Typical goals of testing - attack types exercised:
    - Insider attacks
    - Remote access exploits (telnet, pcAnywhere, secure shell)
    - E-mail exploits
    - Back doors
    - Frontal assaults
    - Evidence and monitoring destruction
    Areas assessed:
    - "Weakest link" phenomenon
    - Firewall assessment
    - Security vulnerabilities
22. Penetration/Intrusion Testing
    Typical goals of testing:
    - Validate intrusion detection performance
    - Validate system response capabilities
    - Validate adequacy of security setups
    - Ranked vulnerabilities and suggested corrective actions

23. Penetration/Intrusion Testing
    Testing limitations:
    - Not a comprehensive evaluation of security
    - Test results reflect only the security status during the period of the tests

24. Penetration/Intrusion Testing
    Choose a service provider wisely:
    - Network versus e-commerce intrusion
    - Outsourced web hosting and applications
    - Skill set to exploit the vulnerabilities
    - Background check of staff
    - Reference checks
    - Software utilized
    - Knowledge and experience with banking
    - Need-based selection
25. Security Issues with Other Web Site Initiatives - Weblinking/Portals
    - Weblinking due diligence:
      - content compliance
      - customer confusion
      - security policies
      - compliance (e.g., RESPA and Privacy)
    - Must distinguish between your products and services and those offered by third parties

26. Security Issues with Other Web Site Initiatives - Weblinking/Portals
    - Disclosure regarding differentiation, non-endorsement or guarantee
    - Risk disclosures for links that allow customers to open accounts or initiate transactions for non-deposit investment products

27. Security Issues with Other Web Site Initiatives - Aggregation (web-based consolidation of customer information)
    - Transaction risks:
      - Erroneous data gathered
      - Concentration of data increases the risk of intrusion
      - Reliance on third-party security over information
      - Liability for disputed transactions
    - Privacy compliance

28. Security Issues with Other Web Site Initiatives - Aggregation (web-based consolidation of customer information)
    - Vendor management responsibilities
    Wireless Banking
29. Needs Assessment - E-Insurance
    - Analysis of your current commercial coverage
    - Determine if new e-insurance offerings duplicate it
    - Customer privacy violations, specific business interruptions or denial of access may have limited coverage or no coverage at all

30. Needs Assessment - E-Insurance
    Coverage questions to assist in determining e-insurance needs:
    - Does current business coverage meet needs if modified?
    - If new coverage is needed, how does it work and how are losses valued?
    - When will the coverage in the proposal be available?
    - Require outsourcing partners to carry e-insurance as part of the contract SLA