Critical Security And Compliance Issues In Internet Banking
  • Helpful tips of information technology services. nice layout of good information http://scambaitings.blogspot.com/
    Presentation Transcript

    • Critical Security and Compliance Issues in Internet Banking
      • Presented by: Thomas A. Donofrio, Director of Technology Audit and Consulting Services
    • Regulatory Guidelines and Suggested Practices - Electronic Banking Environment FFIEC, OCC, FRB, FDIC and OTS have issued joint and separate guidance such as:
      • Bulletin 98-38 - Technology Risk Management, August 1998
      • Bulletin 2000-14 Infrastructure Threats - Intrusion Risks, May 2000
      • Authentication in an E-Banking Environment (FFIEC), July 2001
      • Section 501(b) of GLBA - Customer Information Security Guidelines, July 2001
    • Regulatory Guidelines and Suggested Practices - Electronic Banking Environment
      • “Living” risk-based management plan and enterprise-wide security program.
      • BOD and Management responsibilities and actions speak volumes.
      • Don’t wait for regulatory exam guidance or criticisms before taking action.
      • Your formalized E-banking risk focus must consider:
        • 1. Strategic and business risks
          • Customer perception and acceptance
          • Reliance on and stability of third party partners
        • 2. Operational and transaction risks
          • Access controls for bank staff
          • Access controls for online banking customers (profiles)
          • Reliability of customer authentication
          • Physical and virtual security
        • 3. Reputation risks
          • Confidentiality expectations
          • Customer access capabilities versus actual availability
        • 4. Compliance risks
    • Regulatory Guidelines and Suggested Practices - Electronic Banking Environment
      • Outsourcing information technology services and operations
        • Due diligence in selection of vendor
        • Risk assessment of application and services is critical
        • Ongoing evidence of vendor oversight
    • Regulatory Guidelines and Suggested Practices - Electronic Banking Environment
      • Compliance Issues
      • GLBA requires that you ensure security and confidentiality
      • Weblinking possibilities
      • Fair Lending and strategic targeted lending efforts
      • Proof of delivery of electronic disclosures
      • Aggregation services and liability
    • Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
      • Enterprise-wide technology universe
        • Assign Universe criticality ratings (mission critical, important but less than critical, marginal criticality), dependent upon:
          • Customer and product database implications
          • Delivery channel and replacement alternatives
          • Service and product expectations of customers
      • Security and control ratings
        • Inherent risk assessed factor (high, moderate or low)
      • Three essential elements for planned new technologies:
        • Business case to support
        • Detailed implementation action plans
        • Risk and security policies developed
    • Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
      • Risk assessment document
        • Definition of technology organization
        • Short and long term technology planning
        • Adequacy of management oversight
        • Compliance with regulatory and legal requirements
        • Management of service levels, system performance and capacity (internal or outsourced)
    • Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
      • Risk assessment document that addresses evidence of:
        • Comprehensive management (due diligence) of third party services
        • Continuous service quality
        • Logical security controls for core systems, networks, online capabilities
        • User authentication and password controls in place
        • Data access controls and firewall administration
        • Virus detection and prevention
    • Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
      • Privacy and Information Security Policy
        • Objectives:
          • Assurance of security and confidentiality
          • Protection against anticipated threats or hazards
          • Protection against unauthorized access or use
        • Responsible for the oversight of information security measures of service providers
    • Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
      • Privacy and Information Security Policy suggested additional guidelines (in addition to those already addressed prior to GLBA)
        • Security program to comply with GLBA should consider:
          • 1. Identification of reputation impact
          • 2. Encryption of electronic customer information
    • Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
      • Privacy and Information Security Policy suggested additional guidelines (in addition to those already addressed prior to GLBA)
        • Development or enhancement of a security program to comply with GLBA should consider:
          • 3. System monitoring reports that deal with:
            • external access attempts
            • attempted attacks
            • probes of your customer information systems
          • 4. Customer complaints of lost information or corrupt data
          • 5. A program for ongoing training and training responsibilities
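Item 3 above names what a system monitoring report should cover. As an added illustration, not part of the presentation, the following Python script sorts constructed web access log lines into those three categories (external access attempts, attempted attacks, probes of customer information systems); the internal address ranges, the request signatures and the thresholds are assumptions chosen for the example.

```python
import ipaddress
import re
from collections import defaultdict
# Assumed internal address space of the bank; any other source is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ATTACK_SIGNATURES = ("../", "%27", "%20OR%20")  # illustrative request-line patterns, not exhaustive
FAILED_LOGIN_THRESHOLD = 3  # failed POST /login from one source before it is reported
PROBE_THRESHOLD = 3         # distinct 404 paths from one source before it is reported
LINE_RE = re.compile(r'^(\S+) - - \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})$')

# Constructed sample access log (not from the presentation).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2001:08:01:40] "POST /login HTTP/1.1" 401
203.0.113.7 - - [10/Oct/2001:08:02:03] "POST /login HTTP/1.1" 401
203.0.113.7 - - [10/Oct/2001:08:02:30] "POST /login HTTP/1.1" 401
198.51.100.9 - - [10/Oct/2001:08:05:00] "GET /admin/ HTTP/1.1" 404
198.51.100.9 - - [10/Oct/2001:08:05:01] "GET /cgi-bin/ HTTP/1.1" 404
198.51.100.9 - - [10/Oct/2001:08:05:02] "GET /backup.zip HTTP/1.1" 404
192.0.2.44 - - [10/Oct/2001:08:10:00] "GET /accounts?id=1%20OR%201=1 HTTP/1.1" 500
10.0.0.5 - - [10/Oct/2001:08:11:00] "POST /login HTTP/1.1" 200
"""

def parse(log_text):
    """Yield (source_ip, method, path, status) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def monitoring_report(log_text):
    """Summarise a log into the three report categories listed on the slide."""
    external, failed_logins = set(), defaultdict(int)
    signature_hits, not_found = defaultdict(list), defaultdict(set)
    for ip, method, path, status in parse(log_text):
        if is_external(ip):
            external.add(ip)
        if method == "POST" and path == "/login" and status == 401:
            failed_logins[ip] += 1
        if any(sig in path for sig in ATTACK_SIGNATURES):
            signature_hits[ip].append(path)
        if status == 404:
            not_found[ip].add(path)
    attacks = {ip: f"{n} failed logins" for ip, n in failed_logins.items() if n >= FAILED_LOGIN_THRESHOLD}
    attacks.update({ip: f"suspicious request {paths[0]}" for ip, paths in signature_hits.items()})
    probes = {ip: sorted(paths) for ip, paths in not_found.items() if len(paths) >= PROBE_THRESHOLD}
    return {"external_sources": sorted(external), "attempted_attacks": attacks, "probes": probes}
```

Calling `monitoring_report(SAMPLE_LOG)` returns the three sections as a dictionary, which a scheduled job could render into the periodic report the slide describes.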
    • Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
      • Privacy and Information Security Policy suggested additional guidelines (in addition to those already addressed prior to GLBA)
        • Development of a security program to comply with GLBA should consider:
          • 6. Comprehensive audit and test requirements
          • 7. Performance of periodic key control testing and system vulnerability assessments completed by:
            • qualified third parties, or
            • staff that are independent
    • Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
      • 8. Effective February 28, 2001, contracts with third party service providers must contain appropriate language
        • Specific documentation regarding:
          • customer data security efforts
          • system monitoring
          • intrusion testing
          • performance escalation guidelines
          • system performance expectations
          • bank and vendor responsibilities
        • Responsibility for services provided by third party vendors
          • SAS 70 reports, Security White papers, and third party penetration and intrusion test reports
    • Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
      • Authentication of E-customers
        • New E-customer verification, if not face to face, requires:
          • Positive verification
          • Logical verification with customer of general information
          • Use of digital certificates
    • Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
      • Authentication of E-customers
        • Existing E-customer/transaction validation and security:
          • Transaction encryption
          • E-correspondence security
          • Personal passwords and PINs
          • Digital certificates using Public Key Infrastructure
          • Tokens (smart cards)
          • Biometrics (voice, fingerprints, signature)
    • Network and Web-based Security and System Monitoring
      • Network and web site security maintenance:
        • The ability to identify new system vulnerabilities
        • Installing software patches & upgrades
        • Ongoing monitoring
        • Updating vulnerability scanning and intrusion detection tools
        • Conduct penetration and intrusion testing
    • Network and Web-based Security and System Monitoring
      • Other control initiatives include:
        • employee and vendor background checks
        • firewalls
        • secured communication (VPNs, T-1s, etc.)
        • real-time intrusion detection
        • modem sweeping
        • data encryption
        • customer authentication options
        • vendor management
    • Penetration/Intrusion Testing
      • Tests electronic environments:
        • Internet access (incoming and outgoing)
        • Intranet
        • Dial-up access
    • Penetration/Intrusion Testing
      • Zero-knowledge attacks versus full-knowledge attacks:
        • Extensive knowledge of system dynamics versus extensive understanding of systems and security infrastructures in place
        • Outside attacker versus inside attacker
      • “Weakest link” phenomenon
      • Firewall assessment
      • Security vulnerabilities
      • Typical goals of testing:
        • Insider attacks
        • Remote access exploits (telnet, pcAnywhere, secure shell)
        • E-mail exploits
        • Back doors
        • Frontal assaults
        • Evidence and monitoring destruction
    • Penetration/Intrusion Testing
      • Typical goals of testing:
        • Validate intrusion detection performance
        • Validate system response capabilities
        • Validate adequacy of security setups
        • Ranked vulnerabilities and suggested corrective actions
    • Penetration/Intrusion Testing
      • Testing limitations:
        • Not a comprehensive evaluation of security
        • Results of tests are only reflective of security status during the time period of the tests
    • Penetration/Intrusion Testing
      • Network versus E-Commerce intrusion
      • Outsourced web hosting and applications
      • Skill set to exploit the vulnerabilities
      • Choose a service provider wisely:
        • Background check of staff
        • Reference checks
        • Software utilized
        • Knowledge and experience with Banking
        • Need based selection
    • Security Issues with Other Web Site Initiatives
      • Weblinking/Portals
        • Weblinking due diligence:
          • content compliance
          • customer confusion
          • security policies
          • compliance (e.g., RESPA and Privacy)
        • Must distinguish between your products and services and those offered by third parties
    • Security Issues with Other Web Site Initiatives
      • Weblinking/Portals
        • Disclosure regarding differentiation, non-endorsement or guarantee
        • Risk disclosures for links that allow customers to open accounts or initiate transactions for non-deposit investment products
    • Security Issues with Other Web Site Initiatives
      • Aggregation - web-based consolidation of customer information
        • Transaction risks:
          • Erroneous data gathered
          • Concentration of data increases risk of intrusion
          • Reliance on third party security over information
          • Liability for disputed transactions
        • Privacy compliance
    • Security Issues with Other Web Site Initiatives
      • Aggregation - web-based consolidation of customer information
        • Vendor management responsibilities
    • Wireless Banking
    • Needs Assessment - E-Insurance
      • Analysis of your current commercial coverage
      • Determine if new e-insurance offerings duplicate current coverage
      • Customer privacy violations, specific business interruptions or denial of access may have limited coverage or no coverage at all
    • Needs Assessment - E-Insurance
      • Coverage questions to assist in determining e-insurance needs:
        • Does current business coverage meet needs if modified?
        • If new coverage is needed, how does it work and how are losses valued?
        • When will coverage in proposal be available?
      • Require outsourcing partners’ e-insurance as part of contract SLA