IS Security: Perspectives from the Banking Industry
Aguma Mpairwe
CISA, CIA, FCCA, B.A. (Hons)
Definitions
- Information security: ‘the process by which an organisation protects and secures its systems, media and facilities that process and maintain information vital to its operations’ (FFIEC).
- Banking: ‘the business activity of accepting and safeguarding the money owned by other individuals and entities, then lending out this money in order to earn a profit’ (InvestorWords).
IT security and audit best practices: banks
- Federal Financial Institutions Examination Council (FFIEC).
- FFIEC IT Examination Booklets.
- FFIEC: a US-based organisation that brings together all regulators of the US financial system.
Banking activities: general
- Receipt of deposits (cash, cheque or electronic).
- Safeguarding of deposits.
- Lending of deposits to other parties.
- Investment and treasury activities: placement of funds, forex trading, derivatives trading.
- Availing funds to those that wish to withdraw them.
- General management, accounting and administration.
- All of the above involve the use of some form of IT system or other.
- All the processes above present risks that can be exploited for purposes of fraud.
- IT security is paramount.
Banking activities
- Banks are in the ‘trust’ business.
- Legal, professional and ethical obligation to keep customer information and affairs confidential.
- ‘A financial institution’s earnings and capital can be adversely affected if information becomes known to unauthorised parties, is altered, or is not available when it is needed’ (FFIEC).
- Adverse publicity can lead to reputational risk and, in the worst case, a run on a bank.
- The ‘C.I.A.’ (confidentiality, integrity and availability) of information is paramount.
IT security objectives
- Confidentiality
- Integrity
- Availability
- Accountability
- Assurance
- Note: accountability and integrity together represent ‘non-repudiation’ (FFIEC).
Changing bank fraud and fraudster profile: Uganda
- In the early 2000s and before, the key frauds were:
  - Cheque fraud: forged, altered, counterfeit.
  - Deposit slip fraud.
- Typical fraudster: male, 35 years old, limited education.
Changing bank fraud and fraudster profile: Uganda
- Mid-2005 to date:
  - Electronic fraud.
  - ATM fraud.
  - In-house bank fraud by bank employees, either alone or in collusion with outsiders.
- Typical fraudster: male or female, bank employee, trusted insider, educated, university graduate, IT literate (not necessarily expert!).
Online fraud: implications
- 71% more cautious when shopping online.
- 67% more attentive when providing financial and personal information to websites.
- 28% abandon a purchase if redirected to another site to provide payment information.
- 15% stopped shopping altogether as a result of online fraud concerns.
- Source: USA survey.
Information websites
- Potential liability and consumer violations for inaccurate or incomplete information about products, services, and pricing presented on the website;
- Potential access to confidential financial institution or customer information if the website is not properly isolated from the financial institution's internal network;
- Potential liability for spreading viruses and other malicious code to computers communicating with the institution's website; and
- Negative public perception if the institution's online services are disrupted or if its website is defaced or otherwise presents inappropriate or offensive material. (FFIEC)
Transactional websites
- Security controls for safeguarding customer information;
- Authentication processes to verify the identity of new customers and authenticate existing customers who access e-banking services;
- Liability for unauthorized transactions;
- Losses from fraud if the institution fails to verify the identity of individuals or businesses applying for new accounts or credit online. (FFIEC)
Retail services:
- Account management
- Bill payment and presentment
- New account opening
- Consumer wire transfers
- Investment/brokerage services
- Loan application and approval
- Account aggregation

Wholesale services:
- Account management
- Cash management
- Small business loan applications, approvals, or advances
- Commercial wire transfers
- Business-to-business payments
- Employee benefits/pension administration
Transactional websites
- Possible violations of laws or regulations pertaining to consumer privacy, anti-money laundering, anti-terrorism, or the content, timing, or delivery of required consumer disclosures; and
- Negative public perception, customer dissatisfaction, and potential liability resulting from failure to process third-party payments as directed or within specified time frames, lack of availability of online services, or unauthorized access to confidential customer information during transmission or storage.
Source: FFIEC
ATM/card fraud
- Who picks up the cost if your card is misused, you or your bank?
- South Africa: total value of online transactions, USD 285 million.
- South Africa: 2009 total losses to the banking industry due to lost and stolen cards, USD 13 million (Personal Finance).
ATM/debit/credit card: risks
- Card information is held in the magnetic stripe, including the primary account number and expiry date.
- Card can be cloned if the details on the magnetic stripe are copied using skimming devices.
- Card can be stolen/lost.
- Used for ‘cardholder not present’ transactions, over the phone or online.
- PIN can be obtained using hidden cameras in the ATM location or CCTV cameras in view of the keypad!
Card skimming
- Involves the use of devices that read the card details contained in the magnetic stripe of the card.
- Can be placed in the ATM card slot.
- Or can be hand-held (pocket).
- Restaurants are high risk!
- Began to observe complaints in Uganda.
- Discussion at the Bankers Association Fraud and Forgeries Sub-Committee.
- Cases of fraud reported by member banks.
- Customers usually had travelled abroad at some point in time.
- South Africa mentioned as a destination visited in some cases.
Card skimming
- ABSA: 177 arrests, 26 skimming devices captured in 2011 (Personal Finance).
- Cost to the US: $60 million per year! (CSO Online)
ATM risk mitigants
- Chip and PIN based cards.
- Awareness training for customers!!
- Physical security.
- Caution at ATM sites: watch out for cameras and skimming devices.
- Shield entry of the PIN at the ATM with a hand/wallet.
- Regular checking of card balances.
- Merchant training.
Internal account transfers
- Increasingly common fraud in the industry.
- Involves the unauthorised ‘creation’ of deposits:
  - Debit an ‘overcrowded’ account holding several items that are difficult to trace, e.g. a suspense account.
  - A credit is made to a customer account.
  - Funds are withdrawn!
Possible solutions
- A combination of role-based access and least-privilege restrictions can be enforced:
  - Restrict teller or operations staff's ability to post transactions to administrative accounts, e.g. fixed asset accounts.
  - Restrict finance department staff's ability to post transactions directly to customer accounts.
- Periodic G.L. audit review.
- Clear timelines for clearing off items in suspense, transit and clearing accounts.
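As an added illustration (not part of the presentation), the following Python shows how the two controls above fit together: a least-privilege posting matrix that refuses the suspense-to-customer pattern for any single role, a review flag for that pattern, and an ageing check for items left in suspense, transit and clearing accounts. Role names, account classes, the 30-day deadline and all sample items are constructed for the example.

```python
"""Added example: posting authorisation and suspense ageing for a core banking
ledger. Roles, account classes, deadlines and sample data are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Account classes a posting can touch. Class names are assumptions for this example.
CUSTOMER = "CUSTOMER"
SUSPENSE = "SUSPENSE"
TRANSIT = "TRANSIT"
CLEARING = "CLEARING"
FIXED_ASSET = "FIXED_ASSET"
ADMIN_CLASSES = {SUSPENSE, TRANSIT, CLEARING, FIXED_ASSET}

# Least-privilege posting matrix: the account classes each role may debit or credit.
# Tellers and operations staff never touch administrative accounts; finance staff
# never post directly to customer accounts. Role names are constructed.
ALLOWED_CLASSES = {
    "TELLER": {CUSTOMER},
    "OPERATIONS": {CUSTOMER},
    "FINANCE": ADMIN_CLASSES,
}


@dataclass(frozen=True)
class Posting:
    user: str
    role: str
    debit_class: str   # class of the account being debited
    credit_class: str  # class of the account being credited
    amount: int        # minor currency units


def authorise(p: Posting) -> tuple[bool, str]:
    """Allow a posting only if the role may touch both sides of the entry."""
    allowed = ALLOWED_CLASSES.get(p.role, set())  # unknown role: no authority
    for side, cls in (("debit", p.debit_class), ("credit", p.credit_class)):
        if cls not in allowed:
            return False, f"{p.role} may not {side} {cls} accounts"
    return True, "ok"


def needs_review(p: Posting) -> bool:
    """Flag the pattern described above (administrative account debited, customer
    account credited) for independent review, whoever posted it."""
    return p.debit_class in ADMIN_CLASSES and p.credit_class == CUSTOMER


@dataclass(frozen=True)
class OpenItem:
    ref: str
    account_class: str
    posted: date
    amount: int
    cleared: bool = False


def overdue_items(items: list[OpenItem], as_of: date, max_age_days: int) -> list[str]:
    """Refs of uncleared suspense/transit/clearing items past the clearing deadline,
    oldest first."""
    late = [i for i in items
            if i.account_class in ADMIN_CLASSES
            and not i.cleared
            and (as_of - i.posted).days > max_age_days]
    return [i.ref for i in sorted(late, key=lambda i: i.posted)]


# Constructed sample data for the example.
SAMPLE_AS_OF = date(2012, 3, 31)
SAMPLE_ITEMS = [
    OpenItem("S-1001", SUSPENSE, date(2012, 1, 15), 250_000),
    OpenItem("S-1002", SUSPENSE, date(2012, 3, 20), 40_000),
    OpenItem("T-2001", TRANSIT, date(2012, 1, 3), 90_000, cleared=True),
    OpenItem("C-3001", CLEARING, date(2012, 2, 10), 15_000),
]

if __name__ == "__main__":
    # A teller moving funds out of suspense into a customer account is refused, and
    # so is a finance user: the fraud now needs two people in collusion, not one.
    for posting in (Posting("t01", "TELLER", SUSPENSE, CUSTOMER, 250_000),
                    Posting("f01", "FINANCE", SUSPENSE, CUSTOMER, 250_000),
                    Posting("t01", "TELLER", CUSTOMER, CUSTOMER, 1_000)):
        print(posting.user, authorise(posting), "REVIEW" if needs_review(posting) else "")
    print("overdue:", overdue_items(SAMPLE_ITEMS, SAMPLE_AS_OF, 30))
```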
IT project management risks
- Inadequate security features enforced during implementation of IT application systems.
- Observed in the banking industry in the past.
- Must provide for:
  - General access controls
  - Identification and authentication controls
  - Audit trail
  - Communication controls (Kelly Kim, 2008)
  - Data migration controls: important
- Take account of the fact that bank systems may need to be online 24/7/365.
Project management
- Baseline controls implemented.
- IS audit involvement.
- Post-implementation review.
- Regulatory certification pre-implementation.
Treasury
- High risk area.
- The bank is investing or trading:
  - Money market products
  - Foreign currency (FX)
  - Derivatives
- Transaction sizes may be very large.
- Potential for profit/losses may be very large depending on market conditions.
Treasury risk
- Approval to commit the bank is given to traders before the transaction through the use of various limits.
- Monitoring of compliance with limits is critical to risk management in treasury.
- Segregation of duties is also critical (front office, middle office, back office).
- Traders must not have access to rate revaluation systems: they could hide losses.
- Traders should not have access to confirmation and settlement systems: they could hide trades and losses.
- IT security design is important to deal with these issues.
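As an added illustration (not part of the presentation), this Python shows the two treasury controls above as checks a middle-office or IS audit function could run: an entitlement review that reports any user holding dealing access together with revaluation, confirmation or settlement access, and a replay of deals against per-trader and per-currency limits. System names, users, limits and deals are constructed for the example.

```python
"""Added example: treasury segregation-of-duties review and dealing-limit
compliance check. System names, users, limits and deals are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Treasury systems grouped by office. System names are assumptions for this example.
FRONT_OFFICE = {"DEALING"}
MIDDLE_OFFICE = {"RATE_REVALUATION", "LIMIT_MONITORING"}
BACK_OFFICE = {"CONFIRMATION", "SETTLEMENT"}
# Dealing access combined with any of these lets a trader hide losses
# (revaluation) or hide trades (confirmation, settlement).
CONFLICTS_WITH_DEALING = MIDDLE_OFFICE | BACK_OFFICE


def sod_violations(entitlements: dict[str, set[str]]) -> dict[str, list[str]]:
    """Entitlement review: for each user with dealing access, list the middle- or
    back-office systems they can also reach. An empty dict means no conflicts."""
    found: dict[str, list[str]] = {}
    for user, systems in entitlements.items():
        if systems & FRONT_OFFICE:
            conflicts = sorted(systems & CONFLICTS_WITH_DEALING)
            if conflicts:
                found[user] = conflicts
    return found


@dataclass(frozen=True)
class Deal:
    trader: str
    currency: str
    notional: int  # base-currency units; positive = bought, negative = sold


@dataclass(frozen=True)
class Limits:
    per_deal: dict[str, int]      # trader -> largest single deal they may commit
    net_position: dict[str, int]  # currency -> largest net open position for the desk


def limit_breaches(deals: list[Deal], limits: Limits) -> list[str]:
    """Replay deals in order and report every per-deal or net-position breach.
    A trader with no limit on file has no authority to commit the bank at all."""
    position: dict[str, int] = {}
    breaches: list[str] = []
    for n, d in enumerate(deals, start=1):
        cap = limits.per_deal.get(d.trader, 0)
        if abs(d.notional) > cap:
            breaches.append(f"deal {n}: {d.trader} notional {abs(d.notional)} "
                            f"exceeds per-deal limit {cap}")
        position[d.currency] = position.get(d.currency, 0) + d.notional
        pos_cap = limits.net_position.get(d.currency, 0)
        if abs(position[d.currency]) > pos_cap:
            breaches.append(f"deal {n}: {d.currency} net position {position[d.currency]} "
                            f"exceeds limit {pos_cap}")
    return breaches


# Constructed sample data. trader_b holds revaluation access alongside dealing;
# trader_d kept a settlement entitlement from an earlier back-office role.
SAMPLE_ENTITLEMENTS = {
    "trader_a": {"DEALING"},
    "trader_b": {"DEALING", "RATE_REVALUATION"},
    "risk_c": {"LIMIT_MONITORING", "RATE_REVALUATION"},
    "trader_d": {"DEALING", "SETTLEMENT"},
    "ops_e": {"CONFIRMATION", "SETTLEMENT"},
}
SAMPLE_LIMITS = Limits(per_deal={"trader_a": 5_000_000, "trader_b": 2_000_000},
                       net_position={"USD": 8_000_000, "EUR": 3_000_000})
SAMPLE_DEALS = [
    Deal("trader_a", "USD", 4_000_000),
    Deal("trader_b", "USD", 3_000_000),   # above trader_b's per-deal limit
    Deal("trader_a", "USD", 2_000_000),   # pushes USD net position to 9,000,000
    Deal("trader_b", "EUR", -1_000_000),
    Deal("trader_d", "EUR", 500_000),     # trader_d has no limit on file
]

if __name__ == "__main__":
    print("SoD conflicts:", sod_violations(SAMPLE_ENTITLEMENTS))
    for line in limit_breaches(SAMPLE_DEALS, SAMPLE_LIMITS):
        print(line)
```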
Treasury: key bank losses/frauds
- 2002: trader John Rusnak, £485 million loss to Allied Irish Bank; tampered with the Reuters rates feed.
- 2008: trader Jérôme Kerviel, $7 billion loss; had previously worked in the back office, hid transactions (trades), falsified e-mail (FVTER).
- 1995: trader Nick Leeson hid £865M of losses and brought down Barings Bank... integrated IT systems could have prevented the bank's collapse (ComputerWeekly).
COSO control model
- Monitoring
- Information and communication
- Control procedures
- Risk assessment
- Control environment
IT governance
- ‘Financial institutions should implement an ongoing security process and institute appropriate governance for the security function, assigning clear and appropriate roles and responsibilities to the board of directors, management and employees’ (FFIEC).
IS security strategy
- Financial institutions should develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include:
  - Appropriate consideration of prevention, detection, and response mechanisms,
  - Implementation of the least permissions and least privileges concepts,
  - Layered controls that establish multiple control points between threats and organization assets, and
  - Policies that guide officers and employees in implementing the security program. (FFIEC)
IT risk assessment
- Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
- Analyzes the probability and impact associated with the known threats and vulnerabilities to their assets; and
- Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and assurance necessary for effective mitigation. (FFIEC)
IT risk assessment
- Both technical and non-technical information should be gathered.
- Technical information:
  - Network maps detailing internal and external connectivity;
  - Hardware and software inventories;
  - Databases and files that contain critical and/or confidential information;
  - Processing arrangements and interfaces with external entities;
  - Hardware and software configurations;
  - Policies, standards, and procedures for the operation, maintenance, upgrading, and monitoring of technical systems. (FFIEC)
IT risk assessment
- Non-technical information:
  - Policies, standards, and procedures addressing physical security (including facilities as well as information assets that include loan documentation, deposit records and signature cards, and key and access code lists),
  - Personnel security (including hiring background checks and behaviour monitoring),
  - Vendor contracts, personnel security training and expertise, and
  - Insurance coverage.
- Additionally, information regarding control effectiveness should be gathered. Typically, that information comes from security monitoring, including self-assessments, metrics, and independent tests. (FFIEC)
IT systems assessment
- ‘Some systems and data stores may not be readily apparent. For example, backup tapes, portable computers, personal digital assistants, media such as compact disks, micro drives, and diskettes, and media used in software development and testing should be considered’ (FFIEC).
IT threats and vulnerabilities
- Threats: events that could cause harm to the confidentiality, integrity, or availability of information or information systems.
  - Exploiting a vulnerability to cause harm through the unauthorized disclosure, misuse, alteration, or destruction of information or information systems.
  - Internal (malicious or incompetent employees, contractors, service providers, and former insiders).
  - External (criminals, recreational hackers, competitors, and terrorists). (FFIEC)
IT threats and vulnerabilities
- Vulnerabilities: weaknesses in a system, or control gaps that, if exploited, could result in the unauthorized disclosure, misuse, alteration, or destruction of information or information systems.
- Vulnerabilities are generally grouped into two types: known and expected. (FFIEC)
Vulnerabilities
- Known vulnerabilities: discovered by testing or other reviews of the environment, knowledge of policy weaknesses, knowledge of inadequate implementations, and knowledge of personnel issues.
- Expected vulnerabilities: those that can reasonably be anticipated to arise in the future. Examples:
  - Unpatched software,
  - New and unique attack methodologies that bypass current controls,
  - Employee and contractor failures to perform security duties satisfactorily,
  - Personnel turnover. (FFIEC)
IT security policy
- Key actions that contribute to the success of a security policy are:
  - Implementing through ordinary means, such as system administration procedures and acceptable-use policies;
  - Enforcing policy through security tools and sanctions;
  - Delineating the areas of responsibility for users, administrators, and managers;
  - Communicating in a clear, understandable manner to all concerned;
  - Obtaining employee certification that they have read and understood the policy;
  - Providing flexibility to address changes in the environment; and
  - Conducting annually a review and approval by the board of directors. (FFIEC)
Security domains
- A security domain is a part of the system with its own policies and control mechanisms.
- Security domains for a network are typically constructed from routing controls and directories.
- Domains constructed from routing controls may be bounded by network perimeters with perimeter controls.
- The perimeters separate what is not trusted from what may be trustworthy. The perimeters serve as well-defined transition points between trust areas where policy enforcement and monitoring takes place.
- An example of such a domain is a demilitarized zone (DMZ), bounded by a perimeter that controls access from outside and inside the institution.
- Domains constructed from directories may limit access to network resources and applications based on role or function. (FFIEC)
Defense in depth
- Financial institutions should design multiple layers of security controls.
- Establish several lines of defense between the attacker and the asset being attacked.
- An Internet security example: a packet-filtering router with strict access control rules, in front of
  - an application-level firewall, in front of
  - web servers, in front of
  - a transactional server, in front of
  - a database server, with intrusion detection systems located at various points between the servers and on certain hosts.
- The layers should be at multiple control points throughout the communication and transactional flow and should include both systems and manual processes. To successfully attack an asset, each layer must be penetrated. With each penetration, the probability of detecting the attacker increases. (FFIEC)
Network security
- Financial institutions should secure access to their computer networks through multiple layers of access controls to protect against unauthorized access. Institutions should:
  - Group network servers, applications, data, and users into security domains (e.g., untrusted external networks, external service providers, or various internal user systems);
  - Establish appropriate access requirements within and between each security domain;
  - Implement appropriate technological controls to meet those access requirements consistently; and
  - Monitor cross-domain access for security policy violations and anomalous activity. (FFIEC)
Operating system security
- Financial institutions should secure access to the operating systems of all system components by:
  - Securing access to system utilities,
  - Restricting and monitoring privileged access,
  - Logging and monitoring user or program access to sensitive resources and alerting on security events,
  - Updating the operating systems with security patches, and
  - Securing the devices that can access the operating system through physical and logical means. (FFIEC)
Application security
- Financial institutions should control access to applications by:
  - Using authentication and authorization controls appropriately robust for the risk of the application,
  - Monitoring access rights to ensure they are the minimum required for the user's current business needs,
  - Using time-of-day limitations on access as appropriate,
  - Logging access and security events, and
  - Using software that enables rapid analysis of user activities. (FFIEC)
Remote access controls
- Financial institutions should secure remote access to and from their systems by:
  - Disabling remote communications if no business need exists,
  - Tightly controlling access through management approvals and subsequent audits,
  - Implementing robust controls over configurations at both ends of the remote connection to prevent potential malicious use,
  - Logging and monitoring all remote access communications,
  - Securing remote access devices, and
  - Using strong authentication and encryption to secure communications. (FFIEC)
Physical access controls
- Financial institutions should define physical security zones and implement appropriate preventative and detective controls in each zone to protect against the risks of:
  - Physical penetration by malicious or unauthorized people,
  - Damage from environmental contaminants, and
  - Electronic penetration through active or passive electronic emissions. (FFIEC)
Encryption controls
- Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.
- Encryption implementations should include:
  - Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk,
  - Effective key management practices,
  - Robust reliability, and
  - Appropriate protection of the encrypted communication's endpoints. (FFIEC)
Encryption key management
- Generating keys for different cryptographic systems and different applications;
- Generating and obtaining public keys;
- Distributing keys to intended users, including how keys should be activated when received;
- Storing keys, including how authorized users obtain access to keys;
- Changing or updating keys, including rules on when keys should be changed and how this will be done;
- Dealing with compromised keys;
- Revoking keys and specifying how keys should be withdrawn or deactivated;
- Recovering keys that are lost or corrupted as part of business continuity management;
- Archiving keys;
- Destroying keys. (FFIEC)
Monitoring
- Monitoring network and host activity to identify policy violations and anomalous behavior;
- Monitoring host and network condition to identify unauthorized configuration and other conditions which increase the risk of intrusion or other security events;
- Analyzing the results of monitoring to accurately and quickly identify, classify, escalate, report, and guide responses to security events; and
- Responding to intrusions and other security events and weaknesses to appropriately mitigate the risk to the institution and its customers, and to restore the institution's systems.
- Monitoring should, commensurate with the risk, identify control failures before a security incident occurs, detect an intrusion in sufficient time to enable an effective and timely response, and support post-event forensics activities. (FFIEC)
Future trends/threats
- Depend on technology trends.
- Telecoms and banking convergence.
- Risks in the mobile money industry.
- Cloud computing.
- Mobile computing and wireless computing threats.
- Ease of access to the Internet and to tools to commit fraud.
- Faster speeds for Internet access in East Africa.
- Greater outsourcing?
- New IT-savvy generation?
Solutions
- IT awareness.
- User and customer training.
- Staff screening.
- Ethical emphasis.
- Embedding a strong control and risk culture in banks.
- Systems certification by regulators before deployment.
- Strengthen the IT control, security and audit profession and train more professionals.
- Increase CEO and board awareness.
Other best practices
- ISO 17799: Code of Practice for Information Security Management.
- BS 7799: Specification for Information Security Management Systems.
- COBIT.

Questions?
References
- http://ithandbook.ffiec.gov/it-booklets.aspx
- http://www.securitymanagement.com/article/atm-fraud-trends-europe-006362
- http://www.bizreport.com/2009/03/consumers_in_the_us_are.html#
- http://www.csoonline.com/article/555863/atm-skimming-how-to-recognize-card-fraud
- http://iss.gwu.edu/merlin-cgi/p/downloadFile/d/21440/n/off/other/1/name/BaselineSecurityRequirementsandControls-Techn/
- http://fvter.wordpress.com/2008/01/30/kervielsociete-generale-information-security-insider-threat/
- http://www.computerweekly.com/Articles/2009/10/27/238308/Podcast-interview-Nick-Leeson-says-Integrated-IT-could-have-prevented-Barings.htm

 
Money Laundering in the Art, Collectibles, and Luxury Goods Industry
Money Laundering in the Art, Collectibles, and Luxury Goods IndustryMoney Laundering in the Art, Collectibles, and Luxury Goods Industry
Money Laundering in the Art, Collectibles, and Luxury Goods Industry
 
Skillwise Know your Customer & Money Laundering
Skillwise Know your Customer & Money LaunderingSkillwise Know your Customer & Money Laundering
Skillwise Know your Customer & Money Laundering
 
Banker and Customer Relation
Banker and Customer RelationBanker and Customer Relation
Banker and Customer Relation
 
121010_Mobile Banking & Payments for Emerging Asia Summit 2012_A Risk-Based A...
121010_Mobile Banking & Payments for Emerging Asia Summit 2012_A Risk-Based A...121010_Mobile Banking & Payments for Emerging Asia Summit 2012_A Risk-Based A...
121010_Mobile Banking & Payments for Emerging Asia Summit 2012_A Risk-Based A...
 
Suspicious Activities Reports, Perceptions and Reality in AML Investigations
Suspicious Activities Reports, Perceptions and Reality in AML InvestigationsSuspicious Activities Reports, Perceptions and Reality in AML Investigations
Suspicious Activities Reports, Perceptions and Reality in AML Investigations
 
E Banking
E BankingE Banking
E Banking
 
Blockchain - The Regulatory Framework
Blockchain - The Regulatory FrameworkBlockchain - The Regulatory Framework
Blockchain - The Regulatory Framework
 

Recently uploaded

Easily Verify Compliance and Security with Binance KYC
Easily Verify Compliance and Security with Binance KYCEasily Verify Compliance and Security with Binance KYC
Easily Verify Compliance and Security with Binance KYC
Any kyc Account
 
Digital Marketing with a Focus on Sustainability
Digital Marketing with a Focus on SustainabilityDigital Marketing with a Focus on Sustainability
Digital Marketing with a Focus on Sustainability
sssourabhsharma
 
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
Stephen Cashman
 
Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...
Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...
Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...
bosssp10
 
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challengesEvent Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Holger Mueller
 
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Stone Art Hub
 
GKohler - Retail Scavenger Hunt Presentation
GKohler - Retail Scavenger Hunt PresentationGKohler - Retail Scavenger Hunt Presentation
GKohler - Retail Scavenger Hunt Presentation
GraceKohler1
 
Understanding User Needs and Satisfying Them
Understanding User Needs and Satisfying ThemUnderstanding User Needs and Satisfying Them
Understanding User Needs and Satisfying Them
Aggregage
 
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
taqyea
 
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta MatkaDpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
➒➌➎➏➑➐➋➑➐➐Dpboss Matka Guessing Satta Matka Kalyan Chart Indian Matka
 
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
my Pandit
 
Zodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
Zodiac Signs and Food Preferences_ What Your Sign Says About Your TasteZodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
Zodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
my Pandit
 
Business storytelling: key ingredients to a story
Business storytelling: key ingredients to a storyBusiness storytelling: key ingredients to a story
Business storytelling: key ingredients to a story
Alexandra Fulford
 
The latest Heat Pump Manual from Newentide
The latest Heat Pump Manual from NewentideThe latest Heat Pump Manual from Newentide
The latest Heat Pump Manual from Newentide
JoeYangGreatMachiner
 
The Genesis of BriansClub.cm Famous Dark WEb Platform
The Genesis of BriansClub.cm Famous Dark WEb PlatformThe Genesis of BriansClub.cm Famous Dark WEb Platform
The Genesis of BriansClub.cm Famous Dark WEb Platform
SabaaSudozai
 
How to Implement a Real Estate CRM Software
How to Implement a Real Estate CRM SoftwareHow to Implement a Real Estate CRM Software
How to Implement a Real Estate CRM Software
SalesTown
 
Building Your Employer Brand with Social Media
Building Your Employer Brand with Social MediaBuilding Your Employer Brand with Social Media
Building Your Employer Brand with Social Media
LuanWise
 
3 Simple Steps To Buy Verified Payoneer Account In 2024
3 Simple Steps To Buy Verified Payoneer Account In 20243 Simple Steps To Buy Verified Payoneer Account In 2024
3 Simple Steps To Buy Verified Payoneer Account In 2024
SEOSMMEARTH
 
Innovation Management Frameworks: Your Guide to Creativity & Innovation
Innovation Management Frameworks: Your Guide to Creativity & InnovationInnovation Management Frameworks: Your Guide to Creativity & Innovation
Innovation Management Frameworks: Your Guide to Creativity & Innovation
Operational Excellence Consulting
 
Authentically Social by Corey Perlman - EO Puerto Rico
Authentically Social by Corey Perlman - EO Puerto RicoAuthentically Social by Corey Perlman - EO Puerto Rico
Authentically Social by Corey Perlman - EO Puerto Rico
Corey Perlman, Social Media Speaker and Consultant
 

Recently uploaded (20)

Easily Verify Compliance and Security with Binance KYC
Easily Verify Compliance and Security with Binance KYCEasily Verify Compliance and Security with Binance KYC
Easily Verify Compliance and Security with Binance KYC
 
Digital Marketing with a Focus on Sustainability
Digital Marketing with a Focus on SustainabilityDigital Marketing with a Focus on Sustainability
Digital Marketing with a Focus on Sustainability
 
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
 
Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...
Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...
Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...
 
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challengesEvent Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
 
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
 
GKohler - Retail Scavenger Hunt Presentation
GKohler - Retail Scavenger Hunt PresentationGKohler - Retail Scavenger Hunt Presentation
GKohler - Retail Scavenger Hunt Presentation
 
Understanding User Needs and Satisfying Them
Understanding User Needs and Satisfying ThemUnderstanding User Needs and Satisfying Them
Understanding User Needs and Satisfying Them
 
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
 
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta MatkaDpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
 
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
 
Zodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
Zodiac Signs and Food Preferences_ What Your Sign Says About Your TasteZodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
Zodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
 
Business storytelling: key ingredients to a story
Business storytelling: key ingredients to a storyBusiness storytelling: key ingredients to a story
Business storytelling: key ingredients to a story
 
The latest Heat Pump Manual from Newentide
The latest Heat Pump Manual from NewentideThe latest Heat Pump Manual from Newentide
The latest Heat Pump Manual from Newentide
 
The Genesis of BriansClub.cm Famous Dark WEb Platform
The Genesis of BriansClub.cm Famous Dark WEb PlatformThe Genesis of BriansClub.cm Famous Dark WEb Platform
The Genesis of BriansClub.cm Famous Dark WEb Platform
 
How to Implement a Real Estate CRM Software
How to Implement a Real Estate CRM SoftwareHow to Implement a Real Estate CRM Software
How to Implement a Real Estate CRM Software
 
Building Your Employer Brand with Social Media
Building Your Employer Brand with Social MediaBuilding Your Employer Brand with Social Media
Building Your Employer Brand with Social Media
 
3 Simple Steps To Buy Verified Payoneer Account In 2024
3 Simple Steps To Buy Verified Payoneer Account In 20243 Simple Steps To Buy Verified Payoneer Account In 2024
3 Simple Steps To Buy Verified Payoneer Account In 2024
 
Innovation Management Frameworks: Your Guide to Creativity & Innovation
Innovation Management Frameworks: Your Guide to Creativity & InnovationInnovation Management Frameworks: Your Guide to Creativity & Innovation
Innovation Management Frameworks: Your Guide to Creativity & Innovation
 
Authentically Social by Corey Perlman - EO Puerto Rico
Authentically Social by Corey Perlman - EO Puerto RicoAuthentically Social by Corey Perlman - EO Puerto Rico
Authentically Social by Corey Perlman - EO Puerto Rico
 

Is security perspectives from banking industry - aguma mpairwe

  • 1. IS SECURITY PERSPECTIVES FROM THE BANKING INDUSTRY
    AGUMA MPAIRWE, CISA, CIA, FCCA, B.A. (HONS)
  • 2. DEFINITIONS
    - INFORMATION SECURITY – ‘THE PROCESS BY WHICH AN ORGANISATION PROTECTS AND SECURES ITS SYSTEMS, MEDIA AND FACILITIES THAT PROCESS AND MAINTAIN INFORMATION VITAL TO ITS OPERATIONS’ – FFIEC
    - BANKING – ‘THE BUSINESS ACTIVITY OF ACCEPTING AND SAFEGUARDING THE MONEY OWNED BY OTHER INDIVIDUALS AND ENTITIES THEN LENDING OUT THIS MONEY IN ORDER TO EARN A PROFIT’ – INVESTORWORDS
  • 3. IT SECURITY AND AUDIT BEST PRACTICES – BANKS
    - FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL (FFIEC)
    - FFIEC IT EXAMINATION BOOKLETS
    - FFIEC – US BASED ORGANISATION THAT BRINGS TOGETHER ALL REGULATORS OF THE US FINANCIAL SYSTEM
  • 4. BANKING ACTIVITIES – GENERAL
    - RECEIPT OF DEPOSITS (CASH, CHEQUE OR ELECTRONIC)
    - SAFEGUARDING OF DEPOSITS
    - LENDING OF DEPOSITS TO OTHER PARTIES
    - INVESTMENT AND TREASURY ACTIVITIES – PLACEMENT OF FUNDS, FOREX TRADING, DERIVATIVES TRADING
    - AVAILING FUNDS TO THOSE THAT WISH TO WITHDRAW THEM
    - GENERAL MANAGEMENT, ACCOUNTING AND ADMINISTRATION
    - ALL THE ABOVE WILL INVOLVE THE USE OF SOME FORM OF IT SYSTEM OR OTHER
    - ALL THE PROCESSES ABOVE PRESENT RISKS THAT CAN BE EXPLOITED FOR PURPOSES OF FRAUD
    - IT SECURITY IS PARAMOUNT
  • 5. BANKING ACTIVITIES
    - BANKS ARE IN THE ‘TRUST’ BUSINESS
    - LEGAL, PROFESSIONAL AND ETHICAL OBLIGATION TO KEEP CUSTOMER INFORMATION AND AFFAIRS CONFIDENTIAL
    - ‘A FINANCIAL INSTITUTION’S EARNINGS AND CAPITAL CAN BE ADVERSELY AFFECTED IF INFORMATION BECOMES KNOWN TO UNAUTHORISED PARTIES, IS ALTERED, OR IS NOT AVAILABLE WHEN IT IS NEEDED’ – FFIEC
    - ADVERSE PUBLICITY CAN LEAD TO REPUTATIONAL RISK AND IN THE WORST CASE A RUN ON A BANK
    - THE ‘C.I.A.’ – CONFIDENTIALITY, INTEGRITY AND AVAILABILITY OF INFORMATION – IS PARAMOUNT
  • 6. IT SECURITY OBJECTIVES
    - CONFIDENTIALITY
    - INTEGRITY
    - AVAILABILITY
    - ACCOUNTABILITY
    - ASSURANCE
    - NOTE – ACCOUNTABILITY AND INTEGRITY TOGETHER REPRESENT ‘NON-REPUDIATION’ – FFIEC
  • 7. CHANGING BANK FRAUD AND FRAUDSTER PROFILE – UGANDA
    - IN THE EARLY 2000s AND BEFORE
    - KEY FRAUDS WERE: CHEQUE FRAUD (FORGED, ALTERED, COUNTERFEIT); DEPOSIT SLIP FRAUD
    - TYPICAL FRAUDSTER – MALE, 35 YEARS OLD, LIMITED EDUCATION
  • 8. CHANGING BANK FRAUD AND FRAUDSTER PROFILE – UGANDA
    - MID-2005 TO DATE
    - ELECTRONIC FRAUD
    - ATM FRAUD
    - IN-HOUSE BANK FRAUD – BY BANK EMPLOYEES EITHER ALONE OR IN COLLUSION WITH OUTSIDERS
    - TYPICAL FRAUDSTER – MALE OR FEMALE, BANK EMPLOYEE, TRUSTED INSIDER, EDUCATED, UNIVERSITY GRADUATE, IT LITERATE (NOT NECESSARILY EXPERT!)
  • 9. ONLINE FRAUD – IMPLICATIONS
    - 71% MORE CAUTIOUS WHEN SHOPPING ONLINE
    - 67% MORE ATTENTIVE WHEN PROVIDING FINANCIAL AND PERSONAL INFORMATION TO WEBSITES
    - 28% ABANDON A PURCHASE IF RE-DIRECTED TO ANOTHER SITE TO PROVIDE PAYMENT INFORMATION
    - 15% STOPPED SHOPPING ALTOGETHER AS A RESULT OF ONLINE FRAUD CONCERNS
    – USA SURVEY
  • 10. INFORMATION WEBSITES
    - POTENTIAL LIABILITY AND CONSUMER VIOLATIONS FOR INACCURATE OR INCOMPLETE INFORMATION ABOUT PRODUCTS, SERVICES, AND PRICING PRESENTED ON THE WEBSITE;
    - POTENTIAL ACCESS TO CONFIDENTIAL FINANCIAL INSTITUTION OR CUSTOMER INFORMATION IF THE WEBSITE IS NOT PROPERLY ISOLATED FROM THE FINANCIAL INSTITUTION'S INTERNAL NETWORK;
    - POTENTIAL LIABILITY FOR SPREADING VIRUSES AND OTHER MALICIOUS CODE TO COMPUTERS COMMUNICATING WITH THE INSTITUTION'S WEBSITE; AND
    - NEGATIVE PUBLIC PERCEPTION IF THE INSTITUTION'S ON-LINE SERVICES ARE DISRUPTED OR IF ITS WEBSITE IS DEFACED OR OTHERWISE PRESENTS INAPPROPRIATE OR OFFENSIVE MATERIAL. – FFIEC
  • 11. TRANSACTIONAL WEBSITES
    - SECURITY CONTROLS FOR SAFEGUARDING CUSTOMER INFORMATION;
    - AUTHENTICATION PROCESSES – VERIFY THE IDENTITY OF NEW CUSTOMERS AND AUTHENTICATE EXISTING CUSTOMERS WHO ACCESS E-BANKING SERVICES;
    - LIABILITY FOR UNAUTHORIZED TRANSACTIONS;
    - LOSSES FROM FRAUD IF THE INSTITUTION FAILS TO VERIFY THE IDENTITY OF INDIVIDUALS OR BUSINESSES APPLYING FOR NEW ACCOUNTS OR CREDIT ON-LINE – FFIEC
  • 12. RETAIL SERVICES / WHOLESALE SERVICES
    RETAIL SERVICES:
    - ACCOUNT MANAGEMENT
    - BILL PAYMENT AND PRESENTMENT
    - NEW ACCOUNT OPENING
    - CONSUMER WIRE TRANSFERS
    - INVESTMENT/BROKERAGE SERVICES
    - LOAN APPLICATION AND APPROVAL
    - ACCOUNT AGGREGATION
    WHOLESALE SERVICES:
    - ACCOUNT MANAGEMENT
    - CASH MANAGEMENT
    - SMALL BUSINESS LOAN APPLICATIONS, APPROVALS, OR ADVANCES
    - COMMERCIAL WIRE TRANSFERS
    - BUSINESS-TO-BUSINESS PAYMENTS
    - EMPLOYEE BENEFITS/PENSION ADMINISTRATION
  • 13. TRANSACTIONAL WEBSITES
    - POSSIBLE VIOLATIONS OF LAWS OR REGULATIONS PERTAINING TO CONSUMER PRIVACY, ANTI-MONEY LAUNDERING, ANTI-TERRORISM, OR THE CONTENT, TIMING, OR DELIVERY OF REQUIRED CONSUMER DISCLOSURES; AND
    - NEGATIVE PUBLIC PERCEPTION, CUSTOMER DISSATISFACTION, AND POTENTIAL LIABILITY RESULTING FROM FAILURE TO PROCESS THIRD-PARTY PAYMENTS AS DIRECTED OR WITHIN SPECIFIED TIME FRAMES, LACK OF AVAILABILITY OF ON-LINE SERVICES, OR UNAUTHORIZED ACCESS TO CONFIDENTIAL CUSTOMER INFORMATION DURING TRANSMISSION OR STORAGE. – FFIEC
  • 15. ATM/CARD FRAUD
    - WHO PICKS UP THE COST IF YOUR CARD IS MISUSED, YOU OR YOUR BANK?
    - SOUTH AFRICA – TOTAL VALUE OF ONLINE TRANSACTIONS – USD 285 MILLION
    - SOUTH AFRICA – 2009 TOTAL LOSSES TO BANKING INDUSTRY DUE TO LOST AND STOLEN CARDS – USD 13 MILLION – PERSONAL FINANCE
  • 16. ATM/DEBIT/CREDIT CARD – RISKS
    - CARD INFORMATION HELD IN THE MAGNETIC STRIPE, INCLUDING PRIMARY ACCOUNT NUMBER AND EXPIRY DATE
    - CARD CAN BE CLONED IF THE DETAILS ON THE MAGNETIC STRIPE ARE COPIED USING SKIMMING DEVICES
    - CARD CAN BE STOLEN/LOST
    - USED FOR ‘CARDHOLDER NOT PRESENT’ TRANSACTIONS – OVER THE PHONE OR ONLINE
    - PIN CAN BE OBTAINED USING HIDDEN CAMERAS IN THE ATM LOCATION OR CCTV CAMERAS IN VIEW OF THE KEYPAD!
  • 17. CARD SKIMMING
    - INVOLVES THE USE OF DEVICES THAT READ CARD DETAILS CONTAINED IN THE MAGNETIC STRIPE OF THE CARD
    - CAN BE PLACED IN THE ATM CARD SLOT
    - OR CAN BE HAND HELD (POCKET)
    - RESTAURANTS HIGH RISK!
    - BEGAN TO OBSERVE COMPLAINTS IN UGANDA
    - DISCUSSION AT BANKERS ASSOCIATION FRAUD AND FORGERIES SUB-COMMITTEE
    - CASES OF FRAUD REPORTED BY MEMBER BANKS
    - CUSTOMERS USUALLY HAD TRAVELLED ABROAD AT SOME POINT IN TIME
    - SOUTH AFRICA – MENTIONED AS A DESTINATION VISITED IN SOME CASES
  • 18. CARD SKIMMING
    - ABSA: 177 ARRESTS, 26 SKIMMING DEVICES CAPTURED IN 2011 – PERSONAL FINANCE
    - COST TO THE US – $60 MILLION PER YEAR! – CSO ONLINE
  • 19. ATM RISK MITIGANTS
    - CHIP AND PIN BASED CARDS
    - AWARENESS TRAINING FOR CUSTOMERS!!
    - PHYSICAL SECURITY
    - CAUTION AT ATM SITES – WATCH OUT FOR CAMERAS AND SKIMMING DEVICES
    - SHIELD ENTRY OF PIN AT THE ATM WITH HAND/WALLET
    - REGULAR CHECKING OF CARD BALANCES
    - MERCHANT TRAINING
  • 20. INTERNAL ACCOUNT TRANSFERS
    - INCREASINGLY COMMON FRAUD IN THE INDUSTRY
    - INVOLVES UNAUTHORISED ‘CREATION’ OF DEPOSITS
    - DEBIT AN ‘OVERCROWDED’ ACCOUNT WITH SEVERAL ITEMS THAT ARE DIFFICULT TO TRACE, E.G. A SUSPENSE ACCOUNT
    - CREDIT IS MADE TO A CUSTOMER ACCOUNT
    - FUNDS ARE WITHDRAWN!
  • 21. POSSIBLE SOLUTIONS
    - A COMBINATION OF ROLE BASED ACCESS AND LEAST PRIVILEGE RESTRICTIONS CAN BE ENFORCED
    - RESTRICT TELLER OR OPERATIONS STAFF ABILITY TO POST TRANSACTIONS TO ADMINISTRATIVE ACCOUNTS, E.G. FIXED ASSET ACCOUNTS
    - RESTRICT FINANCE DEPARTMENT STAFF ABILITY TO POST TRANSACTIONS DIRECTLY TO CUSTOMER ACCOUNTS
    - G.L. AUDIT REVIEW – PERIODIC
    - CLEAR TIMELINES FOR CLEARING OFF ITEMS IN SUSPENSE, TRANSIT AND CLEARING ACCOUNTS
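The posting restrictions of slide 21 and the transfer pattern of slide 20, worked through in code as an added example (not from the slides): a preventive role-based check on each journal entry, a detective scan for an administrative-account debit credited to a customer and withdrawn shortly after, and an ageing report for uncleared suspense, transit and clearing items. Account numbers, roles, users and journal lines are all constructed.

```python
"""Added example (not from the slides): least-privilege posting checks and
detection of the 'internal account transfer' fraud pattern in a core-banking
journal. Every account number, user and journal line below is constructed."""
from datetime import date, timedelta

# Constructed chart of accounts: account number -> class (hypothetical numbering).
ACCOUNT_CLASS = {
    "SUSP-001": "suspense", "TRAN-002": "transit", "CLR-003": "clearing",
    "FA-010": "fixed_asset", "CASH-TILL-07": "cash",
    "CUST-1001": "customer", "CUST-1002": "customer", "CUST-1003": "customer",
}
ADMIN_CLASSES = {"suspense", "transit", "clearing", "fixed_asset"}

# Role-based posting matrix: the account classes a role may debit or credit.
# Tellers and operations never touch administrative accounts; finance never
# posts directly to customer accounts (the two restrictions on slide 21).
ROLE_PERMITS = {
    "teller": {"customer", "cash"},
    "operations": {"customer", "cash"},
    "finance": ADMIN_CLASSES,
}


def account_class(acct):
    return ACCOUNT_CLASS.get(acct, "unknown")


def authorize_posting(role, debit_acct, credit_acct):
    """Preventive control run before a journal entry is accepted.
    Returns (allowed, reason); an unknown role or account class is refused."""
    permitted = ROLE_PERMITS.get(role, set())
    for side, acct in (("debit", debit_acct), ("credit", credit_acct)):
        cls = account_class(acct)
        if cls not in permitted:
            return False, f"{role} may not {side} {cls} account {acct}"
    return True, "ok"


# Constructed journal: (entry_id, posting_date, user, role, debit, credit, amount).
# J2/J3 reproduce the slide-20 pattern; J4/J5 are a normal suspense item and its clearing.
JOURNAL = [
    ("J4", date(2024, 1, 5), "u_cat", "finance", "SUSP-001", "CLR-003", 120.0),
    ("J1", date(2024, 3, 1), "u_ann", "teller", "CUST-1001", "CUST-1002", 500.0),
    ("J2", date(2024, 3, 2), "u_bob", "operations", "SUSP-001", "CUST-1003", 9500.0),
    ("J3", date(2024, 3, 3), "u_bob", "operations", "CUST-1003", "CASH-TILL-07", 9000.0),
    ("J5", date(2024, 3, 20), "u_cat", "finance", "CLR-003", "SUSP-001", 120.0),
]


def detect_suspicious_transfers(journal, withdraw_within=timedelta(days=3)):
    """Detective control: an administrative account debited against a customer
    credit, followed by a cash withdrawal from that customer account within
    `withdraw_within`. Returns one finding per such credit."""
    findings = []
    for eid, d, user, _role, dr, cr, amt in journal:
        if account_class(dr) not in ADMIN_CLASSES or account_class(cr) != "customer":
            continue
        withdrawals = [w[0] for w in journal
                       if w[4] == cr and account_class(w[5]) == "cash"
                       and d <= w[1] <= d + withdraw_within]
        if withdrawals:
            findings.append({"entry": eid, "user": user, "customer": cr,
                             "amount": amt, "withdrawals": withdrawals})
    return findings


def aged_open_items(journal, as_of, max_age_days=30):
    """Suspense/transit/clearing debits still open past the clearing timeline.
    A later credit to the same account for the same amount clears the oldest
    matching open debit. `as_of` may be a date or an ISO date string."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    open_items = []  # (entry_id, account, posting_date, amount)
    for eid, d, _user, _role, dr, cr, amt in sorted(journal, key=lambda e: e[1]):
        if account_class(dr) in ADMIN_CLASSES:
            open_items.append((eid, dr, d, amt))
        if account_class(cr) in ADMIN_CLASSES:
            for i, (_oid, acct, _od, oamt) in enumerate(open_items):
                if acct == cr and oamt == amt:
                    del open_items[i]
                    break
    return [item for item in open_items if (as_of - item[2]).days > max_age_days]


if __name__ == "__main__":
    # J2 would have been refused at posting time by the role matrix ...
    print(authorize_posting("operations", "SUSP-001", "CUST-1003"))
    # ... and, had it slipped through, is caught by the detective scan and ageing report.
    print(detect_suspicious_transfers(JOURNAL))
    print(aged_open_items(JOURNAL, "2024-04-15"))
```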
  • 22. IT PROJECT MANAGEMENT RISKS
    - INADEQUATE SECURITY FEATURES ENFORCED DURING IMPLEMENTATION OF IT APPLICATION SYSTEMS
    - OBSERVED IN THE BANKING INDUSTRY IN THE PAST
    - MUST PROVIDE FOR: GENERAL ACCESS CONTROLS; IDENTIFICATION AND AUTHENTICATION CONTROLS; AUDIT TRAIL; COMMUNICATION CONTROLS – KELLY KIM 2008
    - DATA MIGRATION CONTROLS – IMPORTANT
    - TAKE ACCOUNT OF THE FACT THAT BANK SYSTEMS MAY NEED TO BE ONLINE 24/7/365
  • 23. PROJECT MANAGEMENT
    - BASELINE CONTROLS IMPLEMENTED
    - IS AUDIT INVOLVEMENT
    - POST IMPLEMENTATION REVIEW
    - REGULATORY CERTIFICATION PRE-IMPLEMENTATION
  • 24. TREASURY
    - HIGH RISK AREA
    - BANK IS INVESTING OR TRADING: MONEY MARKET PRODUCTS; FOREIGN CURRENCY (FX); DERIVATIVES
    - TRANSACTION SIZES MAY BE VERY LARGE
    - POTENTIAL FOR PROFIT/LOSSES MAY BE VERY LARGE DEPENDING ON MARKET CONDITIONS
  • 25. TREASURY RISK
    - APPROVAL TO COMMIT THE BANK IS GIVEN TO TRADERS BEFORE A TRANSACTION THROUGH THE USE OF VARIOUS LIMITS
    - MONITORING OF COMPLIANCE WITH LIMITS IS CRITICAL TO RISK MANAGEMENT IN TREASURY
    - SEGREGATION OF DUTIES IS ALSO CRITICAL (FRONT OFFICE, MIDDLE OFFICE, BACK OFFICE)
    - TRADERS MUST NOT HAVE ACCESS TO RATE REVALUATION SYSTEMS – THEY COULD HIDE LOSSES
    - TRADERS SHOULD NOT HAVE ACCESS TO CONFIRMATION AND SETTLEMENT SYSTEMS – THEY COULD HIDE TRADES AND LOSSES
    - IT SECURITY DESIGN IS IMPORTANT TO DEAL WITH THESE ISSUES
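The two treasury controls on slide 25, as an added example (not from the slides): a deal blotter that checks per-deal, daily gross and desk position limits against running totals before a deal is accepted, and a segregation-of-duties review of system entitlements that reports anyone holding front-office deal capture together with rate-revaluation or confirmation/settlement rights. Trader names, limit amounts and entitlements are constructed.

```python
"""Added example (not from the slides): pre-deal limit checks and a
segregation-of-duties entitlement review for a treasury system.
All traders, limits, role names and entitlements are constructed."""
from collections import defaultdict

# Constructed limits (USD equivalent). Approval to commit the bank is
# expressed as limits set before any deal is struck.
TRADER_LIMITS = {
    "t_alice": {"per_deal": 5_000_000, "daily_gross": 20_000_000},
    "t_dave": {"per_deal": 1_000_000, "daily_gross": 3_000_000},
}
DESK_LIMITS = {"FX": {"open_position": 25_000_000}}


class DealBlotter:
    """Accepts a deal only if every applicable limit still holds afterwards."""

    def __init__(self):
        self.daily_gross = defaultdict(float)    # trader -> gross notional today
        self.open_position = defaultdict(float)  # desk -> signed net position
        self.deals = []

    def check_and_book(self, trader, desk, side, notional):
        """Returns (True, 'booked') or (False, reason); state changes only on success."""
        limits = TRADER_LIMITS.get(trader)
        if limits is None:
            return False, f"{trader} has no approved limits"
        if desk not in DESK_LIMITS:
            return False, f"no limits defined for desk {desk}"
        if notional > limits["per_deal"]:
            return False, f"{trader}: {notional:,.0f} exceeds per-deal limit"
        if self.daily_gross[trader] + notional > limits["daily_gross"]:
            return False, f"{trader}: deal would breach daily gross limit"
        signed = notional if side == "BUY" else -notional
        new_position = self.open_position[desk] + signed
        if abs(new_position) > DESK_LIMITS[desk]["open_position"]:
            return False, f"{desk}: deal would breach open position limit"
        self.daily_gross[trader] += notional
        self.open_position[desk] = new_position
        self.deals.append((trader, desk, side, notional))
        return True, "booked"


# Which office each application role belongs to (constructed role names).
OFFICE_OF_ROLE = {
    "deal_capture": "front",
    "rate_revaluation": "middle", "limit_monitoring": "middle",
    "confirmation": "back", "settlement": "back",
}


def sod_violations(entitlements):
    """entitlements: user -> set of roles. Returns users who hold a front-office
    right together with any middle- or back-office right, with the conflicting
    roles listed. This is the review that catches a trader who kept
    back-office access from an earlier role."""
    violations = {}
    for user, roles in entitlements.items():
        offices = {OFFICE_OF_ROLE[r] for r in roles if r in OFFICE_OF_ROLE}
        if "front" in offices and offices & {"middle", "back"}:
            violations[user] = sorted(
                r for r in roles if OFFICE_OF_ROLE.get(r) in ("middle", "back"))
    return violations


# Constructed entitlement extract from the treasury system.
ENTITLEMENTS = {
    "t_alice": {"deal_capture"},
    "t_dave": {"deal_capture", "confirmation"},  # moved desks, old access never removed
    "m_erin": {"rate_revaluation", "limit_monitoring"},
    "b_fred": {"confirmation", "settlement"},
}


if __name__ == "__main__":
    blotter = DealBlotter()
    for deal in (("t_alice", "FX", "BUY", 4_000_000), ("t_dave", "FX", "BUY", 2_000_000)):
        print(deal, blotter.check_and_book(*deal))
    print(sod_violations(ENTITLEMENTS))
```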
  • 26. TREASURY – KEY BANK LOSSES/FRAUDS
    - 2002: TRADER JOHN RUSNAK – £485 MILLION LOSS TO ALLIED IRISH BANK – TAMPERED WITH THE REUTERS RATES FEED
    - 2008: TRADER JEROME KERVIEL – $7 BILLION LOSS – HAD PREVIOUSLY WORKED IN THE BACK OFFICE, HID TRANSACTIONS (TRADES), FALSIFIED E-MAIL – FVTER
    - 1995: TRADER NICK LEESON – HID £865M LOSSES, BROUGHT DOWN BARINGS BANK… INTEGRATED IT SYSTEMS COULD HAVE PREVENTED THE BANK'S COLLAPSE – COMPUTERWEEKLY
  • 27. COSO – CONTROL MODEL
    - MONITORING
    - INFORMATION AND COMMUNICATION
    - CONTROL PROCEDURES
    - RISK ASSESSMENT
    - CONTROL ENVIRONMENT
  • 28. IT GOVERNANCE
    - ‘FINANCIAL INSTITUTIONS SHOULD IMPLEMENT AN ONGOING SECURITY PROCESS AND INSTITUTE APPROPRIATE GOVERNANCE FOR THE SECURITY FUNCTION, ASSIGNING CLEAR AND APPROPRIATE ROLES AND RESPONSIBILITIES TO THE BOARD OF DIRECTORS, MANAGEMENT AND EMPLOYEES’ – FFIEC
  • 29. IS SECURITY STRATEGY
    - FINANCIAL INSTITUTIONS SHOULD DEVELOP A STRATEGY THAT DEFINES CONTROL OBJECTIVES AND ESTABLISHES AN IMPLEMENTATION PLAN. THE SECURITY STRATEGY SHOULD INCLUDE:
    - APPROPRIATE CONSIDERATION OF PREVENTION, DETECTION, AND RESPONSE MECHANISMS,
    - IMPLEMENTATION OF THE LEAST PERMISSIONS AND LEAST PRIVILEGES CONCEPTS,
    - LAYERED CONTROLS THAT ESTABLISH MULTIPLE CONTROL POINTS BETWEEN THREATS AND ORGANIZATION ASSETS, AND
    - POLICIES THAT GUIDE OFFICERS AND EMPLOYEES IN IMPLEMENTING THE SECURITY PROGRAM. – FFIEC
  • 30. IT RISK ASSESSMENT
    - GATHERS DATA REGARDING THE INFORMATION AND TECHNOLOGY ASSETS OF THE ORGANIZATION, THREATS TO THOSE ASSETS, VULNERABILITIES, EXISTING SECURITY CONTROLS AND PROCESSES, AND THE CURRENT SECURITY STANDARDS AND REQUIREMENTS;
    - ANALYZES THE PROBABILITY AND IMPACT ASSOCIATED WITH THE KNOWN THREATS AND VULNERABILITIES TO THEIR ASSETS; AND
    - PRIORITIZES THE RISKS PRESENT DUE TO THREATS AND VULNERABILITIES TO DETERMINE THE APPROPRIATE LEVEL OF TRAINING, CONTROLS, AND ASSURANCE NECESSARY FOR EFFECTIVE MITIGATION. – FFIEC
  • 31. IT RISK ASSESSMENT
    - BOTH TECHNICAL AND NON-TECHNICAL INFORMATION SHOULD BE GATHERED.
    - TECHNICAL INFORMATION:
    - NETWORK MAPS DETAILING INTERNAL AND EXTERNAL CONNECTIVITY;
    - HARDWARE AND SOFTWARE INVENTORIES;
    - DATABASES AND FILES THAT CONTAIN CRITICAL AND/OR CONFIDENTIAL INFORMATION;
    - PROCESSING ARRANGEMENTS AND INTERFACES WITH EXTERNAL ENTITIES;
    - HARDWARE AND SOFTWARE CONFIGURATIONS;
    - POLICIES, STANDARDS, AND PROCEDURES FOR THE OPERATION, MAINTENANCE, UPGRADING, AND MONITORING OF TECHNICAL SYSTEMS. – FFIEC
  • 32. IT RISK ASSESSMENT
    - NON-TECHNICAL INFORMATION:
    - POLICIES, STANDARDS, AND PROCEDURES ADDRESSING PHYSICAL SECURITY (INCLUDING FACILITIES AS WELL AS INFORMATION ASSETS THAT INCLUDE LOAN DOCUMENTATION, DEPOSIT RECORDS AND SIGNATURE CARDS, AND KEY AND ACCESS CODE LISTS),
    - PERSONNEL SECURITY (INCLUDING HIRING BACKGROUND CHECKS AND BEHAVIOUR MONITORING),
    - VENDOR CONTRACTS, PERSONNEL SECURITY TRAINING AND EXPERTISE, AND
    - INSURANCE COVERAGE.
    - ADDITIONALLY, INFORMATION REGARDING CONTROL EFFECTIVENESS SHOULD BE GATHERED. TYPICALLY, THAT INFORMATION COMES FROM SECURITY MONITORING, INCLUDING SELF-ASSESSMENTS, METRICS, AND INDEPENDENT TESTS. – FFIEC
  • 33. IT SYSTEMS ASSESSMENT
    - ‘SOME SYSTEMS AND DATA STORES MAY NOT BE READILY APPARENT. FOR EXAMPLE, BACKUP TAPES, PORTABLE COMPUTERS, PERSONAL DIGITAL ASSISTANTS, MEDIA SUCH AS COMPACT DISKS, MICRO DRIVES, AND DISKETTES, AND MEDIA USED IN SOFTWARE DEVELOPMENT AND TESTING SHOULD BE CONSIDERED’. – FFIEC
  • 34. IT THREATS AND VULNERABILITIES
    - THREATS – EVENTS THAT COULD CAUSE HARM TO THE CONFIDENTIALITY, INTEGRITY, OR AVAILABILITY OF INFORMATION OR INFORMATION SYSTEMS.
    - A THREAT IS REALISED BY EXPLOITING A VULNERABILITY TO CAUSE HARM THROUGH THE UNAUTHORIZED DISCLOSURE, MISUSE, ALTERATION, OR DESTRUCTION OF INFORMATION OR INFORMATION SYSTEMS.
    - INTERNAL (MALICIOUS OR INCOMPETENT EMPLOYEES, CONTRACTORS, SERVICE PROVIDERS, AND FORMER INSIDERS)
    - EXTERNAL (CRIMINALS, RECREATIONAL HACKERS, COMPETITORS, AND TERRORISTS). – FFIEC
  • 35. IT THREATS AND VULNERABILITIES
    - VULNERABILITIES – WEAKNESSES IN A SYSTEM, OR CONTROL GAPS THAT, IF EXPLOITED, COULD RESULT IN THE UNAUTHORIZED DISCLOSURE, MISUSE, ALTERATION, OR DESTRUCTION OF INFORMATION OR INFORMATION SYSTEMS.
    - VULNERABILITIES ARE GENERALLY GROUPED INTO TWO TYPES: KNOWN AND EXPECTED. – FFIEC
  • 36. VULNERABILITIES
    - KNOWN VULNERABILITIES – DISCOVERED BY TESTING OR OTHER REVIEWS OF THE ENVIRONMENT, KNOWLEDGE OF POLICY WEAKNESSES, KNOWLEDGE OF INADEQUATE IMPLEMENTATIONS, AND KNOWLEDGE OF PERSONNEL ISSUES.
    - EXPECTED VULNERABILITIES – THOSE THAT CAN REASONABLY BE ANTICIPATED TO ARISE IN THE FUTURE. EXAMPLES:
    - UNPATCHED SOFTWARE,
    - NEW AND UNIQUE ATTACK METHODOLOGIES THAT BYPASS CURRENT CONTROLS,
    - EMPLOYEE AND CONTRACTOR FAILURES TO PERFORM SECURITY DUTIES SATISFACTORILY,
    - PERSONNEL TURNOVER – FFIEC
  • 37. IT SECURITY POLICY
    - KEY ACTIONS THAT CONTRIBUTE TO THE SUCCESS OF A SECURITY POLICY ARE:
    - IMPLEMENTING THROUGH ORDINARY MEANS, SUCH AS SYSTEM ADMINISTRATION PROCEDURES AND ACCEPTABLE-USE POLICIES;
    - ENFORCING POLICY THROUGH SECURITY TOOLS AND SANCTIONS;
    - DELINEATING THE AREAS OF RESPONSIBILITY FOR USERS, ADMINISTRATORS, AND MANAGERS;
    - COMMUNICATING IN A CLEAR, UNDERSTANDABLE MANNER TO ALL CONCERNED;
    - OBTAINING EMPLOYEE CERTIFICATION THAT THEY HAVE READ AND UNDERSTOOD THE POLICY;
    - PROVIDING FLEXIBILITY TO ADDRESS CHANGES IN THE ENVIRONMENT; AND
    - CONDUCTING ANNUALLY A REVIEW AND APPROVAL BY THE BOARD OF DIRECTORS. – FFIEC
  • 38. SECURITY DOMAINS
    - A SECURITY DOMAIN IS A PART OF THE SYSTEM WITH ITS OWN POLICIES AND CONTROL MECHANISMS.
    - SECURITY DOMAINS FOR A NETWORK ARE TYPICALLY CONSTRUCTED FROM ROUTING CONTROLS AND DIRECTORIES.
    - DOMAINS CONSTRUCTED FROM ROUTING CONTROLS MAY BE BOUNDED BY NETWORK PERIMETERS WITH PERIMETER CONTROLS.
    - THE PERIMETERS SEPARATE WHAT IS NOT TRUSTED FROM WHAT MAY BE TRUSTWORTHY. THE PERIMETERS SERVE AS WELL-DEFINED TRANSITION POINTS BETWEEN TRUST AREAS WHERE POLICY ENFORCEMENT AND MONITORING TAKE PLACE.
    - AN EXAMPLE OF SUCH A DOMAIN IS A DEMILITARIZED ZONE (DMZ), BOUNDED BY A PERIMETER THAT CONTROLS ACCESS FROM OUTSIDE AND INSIDE THE INSTITUTION.
    - DOMAINS CONSTRUCTED FROM DIRECTORIES MAY LIMIT ACCESS TO NETWORK RESOURCES AND APPLICATIONS BASED ON ROLE OR FUNCTION. – FFIEC
  • 39. DEFENSE IN DEPTH
    - FINANCIAL INSTITUTIONS SHOULD DESIGN MULTIPLE LAYERS OF SECURITY CONTROLS
    - ESTABLISH SEVERAL LINES OF DEFENSE BETWEEN THE ATTACKER AND THE ASSET BEING ATTACKED.
    - AN INTERNET SECURITY EXAMPLE – A PACKET FILTERING ROUTER WITH STRICT ACCESS CONTROL RULES, IN FRONT OF
    - AN APPLICATION LEVEL FIREWALL, IN FRONT OF
    - WEB SERVERS, IN FRONT OF
    - A TRANSACTIONAL SERVER, IN FRONT OF
    - A DATABASE SERVER, WITH INTRUSION DETECTION SYSTEMS LOCATED AT VARIOUS POINTS BETWEEN THE SERVERS AND ON CERTAIN HOSTS.
    - THE LAYERS SHOULD BE AT MULTIPLE CONTROL POINTS THROUGHOUT THE COMMUNICATION AND TRANSACTIONAL FLOW AND SHOULD INCLUDE BOTH SYSTEMS AND MANUAL PROCESSES. TO SUCCESSFULLY ATTACK AN ASSET, EACH LAYER MUST BE PENETRATED. WITH EACH PENETRATION, THE PROBABILITY OF DETECTING THE ATTACKER INCREASES. – FFIEC
  • 40. NETWORK SECURITY
    - FINANCIAL INSTITUTIONS SHOULD SECURE ACCESS TO THEIR COMPUTER NETWORKS THROUGH MULTIPLE LAYERS OF ACCESS CONTROLS TO PROTECT AGAINST UNAUTHORIZED ACCESS. INSTITUTIONS SHOULD:
    - GROUP NETWORK SERVERS, APPLICATIONS, DATA, AND USERS INTO SECURITY DOMAINS (E.G., UNTRUSTED EXTERNAL NETWORKS, EXTERNAL SERVICE PROVIDERS, OR VARIOUS INTERNAL USER SYSTEMS);
    - ESTABLISH APPROPRIATE ACCESS REQUIREMENTS WITHIN AND BETWEEN EACH SECURITY DOMAIN;
    - IMPLEMENT APPROPRIATE TECHNOLOGICAL CONTROLS TO MEET THOSE ACCESS REQUIREMENTS CONSISTENTLY; AND
    - MONITOR CROSS-DOMAIN ACCESS FOR SECURITY POLICY VIOLATIONS AND ANOMALOUS ACTIVITY. – FFIEC
  • 41. OPERATING SYSTEM SECURITY
    - FINANCIAL INSTITUTIONS SHOULD SECURE ACCESS TO THE OPERATING SYSTEMS OF ALL SYSTEM COMPONENTS BY:
    - SECURING ACCESS TO SYSTEM UTILITIES,
    - RESTRICTING AND MONITORING PRIVILEGED ACCESS,
    - LOGGING AND MONITORING USER OR PROGRAM ACCESS TO SENSITIVE RESOURCES AND ALERTING ON SECURITY EVENTS,
    - UPDATING THE OPERATING SYSTEMS WITH SECURITY PATCHES, AND
    - SECURING THE DEVICES THAT CAN ACCESS THE OPERATING SYSTEM THROUGH PHYSICAL AND LOGICAL MEANS. – FFIEC
  • 42. APPLICATION SECURITY
    - FINANCIAL INSTITUTIONS SHOULD CONTROL ACCESS TO APPLICATIONS BY:
    - USING AUTHENTICATION AND AUTHORIZATION CONTROLS APPROPRIATELY ROBUST FOR THE RISK OF THE APPLICATION,
    - MONITORING ACCESS RIGHTS TO ENSURE THEY ARE THE MINIMUM REQUIRED FOR THE USER'S CURRENT BUSINESS NEEDS,
    - USING TIME-OF-DAY LIMITATIONS ON ACCESS AS APPROPRIATE,
    - LOGGING ACCESS AND SECURITY EVENTS, AND
    - USING SOFTWARE THAT ENABLES RAPID ANALYSIS OF USER ACTIVITIES. – FFIEC
  • 43. REMOTE ACCESS – CONTROLS
    - FINANCIAL INSTITUTIONS SHOULD SECURE REMOTE ACCESS TO AND FROM THEIR SYSTEMS BY:
    - DISABLING REMOTE COMMUNICATIONS IF NO BUSINESS NEED EXISTS,
    - TIGHTLY CONTROLLING ACCESS THROUGH MANAGEMENT APPROVALS AND SUBSEQUENT AUDITS,
    - IMPLEMENTING ROBUST CONTROLS OVER CONFIGURATIONS AT BOTH ENDS OF THE REMOTE CONNECTION TO PREVENT POTENTIAL MALICIOUS USE,
    - LOGGING AND MONITORING ALL REMOTE ACCESS COMMUNICATIONS,
    - SECURING REMOTE ACCESS DEVICES, AND
    - USING STRONG AUTHENTICATION AND ENCRYPTION TO SECURE COMMUNICATIONS. – FFIEC
  • 44. PHYSICAL ACCESS – CONTROLS
    - FINANCIAL INSTITUTIONS SHOULD DEFINE PHYSICAL SECURITY ZONES AND IMPLEMENT APPROPRIATE PREVENTATIVE AND DETECTIVE CONTROLS IN EACH ZONE TO PROTECT AGAINST THE RISKS OF:
    - PHYSICAL PENETRATION BY MALICIOUS OR UNAUTHORIZED PEOPLE,
    - DAMAGE FROM ENVIRONMENTAL CONTAMINANTS, AND
    - ELECTRONIC PENETRATION THROUGH ACTIVE OR PASSIVE ELECTRONIC EMISSIONS. – FFIEC
  • 45. ENCRYPTION CONTROLS
    - FINANCIAL INSTITUTIONS SHOULD EMPLOY ENCRYPTION TO MITIGATE THE RISK OF DISCLOSURE OR ALTERATION OF SENSITIVE INFORMATION IN STORAGE AND TRANSIT.
    - ENCRYPTION IMPLEMENTATIONS SHOULD INCLUDE:
    - ENCRYPTION STRENGTH SUFFICIENT TO PROTECT THE INFORMATION FROM DISCLOSURE UNTIL SUCH TIME AS DISCLOSURE POSES NO MATERIAL RISK,
    - EFFECTIVE KEY MANAGEMENT PRACTICES,
    - ROBUST RELIABILITY, AND
    - APPROPRIATE PROTECTION OF THE ENCRYPTED COMMUNICATION'S ENDPOINTS. – FFIEC
  • 46. ENCRYPTION KEY MANAGEMENT
    - GENERATING KEYS FOR DIFFERENT CRYPTOGRAPHIC SYSTEMS AND DIFFERENT APPLICATIONS;
    - GENERATING AND OBTAINING PUBLIC KEYS;
    - DISTRIBUTING KEYS TO INTENDED USERS, INCLUDING HOW KEYS SHOULD BE ACTIVATED WHEN RECEIVED;
    - STORING KEYS, INCLUDING HOW AUTHORIZED USERS OBTAIN ACCESS TO KEYS;
    - CHANGING OR UPDATING KEYS, INCLUDING RULES ON WHEN KEYS SHOULD BE CHANGED AND HOW THIS WILL BE DONE;
    - DEALING WITH COMPROMISED KEYS;
    - REVOKING KEYS AND SPECIFYING HOW KEYS SHOULD BE WITHDRAWN OR DEACTIVATED;
    - RECOVERING KEYS THAT ARE LOST OR CORRUPTED AS PART OF BUSINESS CONTINUITY MANAGEMENT;
    - ARCHIVING KEYS;
    - DESTROYING KEYS. – FFIEC
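The key-lifecycle steps on slide 46, as an added example (not from the slides or the FFIEC booklet): a small key register that encodes activation on receipt, rotation rules, compromise handling, revocation, archiving for recovery of old data, and destruction as permitted state transitions, with the operations each state may be used for. Key identifiers, purposes, rotation periods and dates are constructed; no key material is handled.

```python
"""Added example (not from the slides): a key-lifecycle register that turns the
FFIEC key management steps into permitted state transitions and usage rules.
Key ids, purposes and dates are constructed; no real key material is stored."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Lifecycle states and the transitions policy permits. A compromised key can
# only be revoked; a deactivated or revoked key may be archived (kept for
# recovering old data) or destroyed; destruction is terminal.
TRANSITIONS = {
    "generated":   {"active", "destroyed"},
    "active":      {"deactivated", "compromised"},
    "deactivated": {"archived", "destroyed"},
    "compromised": {"revoked"},
    "revoked":     {"archived", "destroyed"},
    "archived":    {"destroyed"},
    "destroyed":   set(),
}
# New data is protected only under active keys; deactivated and archived keys
# exist solely to unprotect (recover) data written under them.
USAGE = {
    "active": {"protect", "unprotect"},
    "deactivated": {"unprotect"},
    "archived": {"unprotect"},
}


def _as_date(on):
    return date.fromisoformat(on) if isinstance(on, str) else on


@dataclass
class KeyRecord:
    key_id: str
    purpose: str                 # constructed label, e.g. "card-data-at-rest"
    rotation_days: int
    state: str = "generated"
    activated_on: Optional[date] = None
    history: list = field(default_factory=list)   # (date, from_state, to_state)


class KeyRegistry:
    def __init__(self):
        self.keys = {}

    def generate(self, key_id, purpose, rotation_days):
        if key_id in self.keys:
            raise ValueError(f"duplicate key id {key_id}")
        self.keys[key_id] = KeyRecord(key_id, purpose, rotation_days)
        return self.keys[key_id]

    def can_transition(self, key_id, new_state):
        return new_state in TRANSITIONS[self.keys[key_id].state]

    def transition(self, key_id, new_state, on):
        key = self.keys[key_id]
        if not self.can_transition(key_id, new_state):
            raise ValueError(f"{key_id}: {key.state} -> {new_state} not permitted")
        on = _as_date(on)
        key.history.append((on, key.state, new_state))
        key.state = new_state
        if new_state == "active":
            key.activated_on = on    # activation happens when the key is received
        return key

    def may_use(self, key_id, operation):
        return operation in USAGE.get(self.keys[key_id].state, set())

    def rotation_due(self, on):
        """Ids of active keys whose rotation period has elapsed by `on`."""
        on = _as_date(on)
        return sorted(k.key_id for k in self.keys.values()
                      if k.state == "active"
                      and on >= k.activated_on + timedelta(days=k.rotation_days))

    def rotate(self, old_id, new_id, on):
        """Scheduled change: activate a replacement, then deactivate the old
        key, which stays usable to unprotect existing data until archived."""
        old = self.keys[old_id]
        self.generate(new_id, old.purpose, old.rotation_days)
        self.transition(new_id, "active", on)
        self.transition(old_id, "deactivated", on)
        return new_id

    def compromise(self, key_id, new_id, on):
        """Compromised keys are revoked, not deactivated: they lose every
        usage at once, and a replacement is activated for the same purpose."""
        old = self.keys[key_id]
        self.transition(key_id, "compromised", on)
        self.transition(key_id, "revoked", on)
        self.generate(new_id, old.purpose, old.rotation_days)
        self.transition(new_id, "active", on)
        return new_id


if __name__ == "__main__":
    reg = KeyRegistry()
    reg.generate("k1", "card-data-at-rest", 365)
    reg.transition("k1", "active", "2024-01-01")
    print("due on 2024-12-31:", reg.rotation_due("2024-12-31"))
    print("rotated to", reg.rotate("k1", "k2", "2024-12-31"), "; k1 state:", reg.keys["k1"].state)
    print("after compromise, replacement:", reg.compromise("k2", "k3", "2025-02-01"))
    print("k2 may unprotect:", reg.may_use("k2", "unprotect"))
```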
  • 47. MONITORING
 MONITORING NETWORK AND HOST ACTIVITY TO IDENTIFY POLICY VIOLATIONS AND ANOMALOUS BEHAVIOR;
 MONITORING HOST AND NETWORK CONDITION TO IDENTIFY UNAUTHORIZED CONFIGURATION AND OTHER CONDITIONS WHICH INCREASE THE RISK OF INTRUSION OR OTHER SECURITY EVENTS;
 ANALYZING THE RESULTS OF MONITORING TO ACCURATELY AND QUICKLY IDENTIFY, CLASSIFY, ESCALATE, REPORT, AND GUIDE RESPONSES TO SECURITY EVENTS; AND
 RESPONDING TO INTRUSIONS AND OTHER SECURITY EVENTS AND WEAKNESSES TO APPROPRIATELY MITIGATE THE RISK TO THE INSTITUTION AND ITS CUSTOMERS, AND TO RESTORE THE INSTITUTION'S SYSTEMS.
 MONITORING SHOULD, COMMENSURATE WITH THE RISK,
 IDENTIFY CONTROL FAILURES BEFORE A SECURITY INCIDENT OCCURS,
 DETECT AN INTRUSION IN SUFFICIENT TIME TO ENABLE AN EFFECTIVE AND TIMELY RESPONSE,
 SUPPORT POST-EVENT FORENSICS ACTIVITIES. - FFIEC
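Slide 43 calls for remote access to be controlled through management approvals and for all remote-access communications to be logged and monitored; slide 47 calls for monitoring results to be analysed so that events are identified, classified and escalated. The Go program below is an added example, not code from the presentation or from FFIEC, that applies two such rules to a constructed remote-access gateway log: a session by a user who is not on the approved list is classified as a policy violation, and a successful login from a source that has just produced a burst of failures is classified as an anomaly and escalated. The log format, the `approved` list, and the `Analyze` and `Finding` names are assumptions; a real gateway's log fields would be mapped onto the same `event` structure.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed remote-access gateway log for illustration (not real bank data).
// Format: "<RFC3339 time> user=<id> src=<ip> result=<success|failure>".
const sampleLog = `2024-03-04T02:10:05Z user=jdoe src=203.0.113.7 result=failure
2024-03-04T02:10:09Z user=jdoe src=203.0.113.7 result=failure
2024-03-04T02:10:20Z user=jdoe src=203.0.113.7 result=failure
2024-03-04T02:10:31Z user=jdoe src=203.0.113.7 result=success
2024-03-04T09:20:00Z user=contractor9 src=198.51.100.40 result=success
2024-03-04T11:00:00Z user=asmith src=198.51.100.22 result=failure`

// approved stands in for the management-approved remote-access list (assumed name).
var approved = map[string]bool{"jdoe": true, "asmith": true}

type event struct{ ts time.Time; user, src, result string }

// Finding is what the analysis step hands to the response process.
type Finding struct {
	Class    string // "policy-violation" or "anomaly"
	Severity string // "high" escalates to incident response; "medium" goes to review
	Detail   string
}

// parse rejects malformed lines instead of skipping them: a gap in monitoring is itself a control failure.
func parse(raw string) ([]event, error) {
	var events []event
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(fields))
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		e := event{ts: ts}
		for _, kv := range fields[1:] {
			switch k, v, _ := strings.Cut(kv, "="); k {
			case "user":
				e.user = v
			case "src":
				e.src = v
			case "result":
				e.result = v
			}
		}
		events = append(events, e)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].ts.Before(events[j].ts) })
	return events, nil
}

// Analyze applies two rules: a session by a user outside the approved list is a
// policy violation; a success from a source with at least threshold failures inside
// window is an anomaly (guessing that worked) and is escalated as high severity.
func Analyze(raw string, threshold int, window time.Duration) ([]Finding, error) {
	events, err := parse(raw)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	failures := map[string][]time.Time{} // recent failure times per source address
	for _, e := range events {
		if !approved[e.user] {
			findings = append(findings, Finding{"policy-violation", "medium", fmt.Sprintf("%s: %s from %s has no remote-access approval", e.ts.Format(time.RFC3339), e.user, e.src)})
		}
		recent := failures[e.src][:0] // keep only failures still inside the window
		for _, t := range failures[e.src] {
			if !t.Before(e.ts.Add(-window)) {
				recent = append(recent, t)
			}
		}
		switch {
		case e.result == "failure":
			recent = append(recent, e.ts)
		case len(recent) >= threshold:
			findings = append(findings, Finding{"anomaly", "high", fmt.Sprintf("%s: success for %s from %s after %d failures within %s", e.ts.Format(time.RFC3339), e.user, e.src, len(recent), window)})
			recent = recent[:0]
		}
		failures[e.src] = recent
	}
	return findings, nil
}

func main() {
	findings, err := Analyze(sampleLog, 3, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[%s/%s] %s\n", f.Severity, f.Class, f.Detail)
	}
}
```

On the constructed log, `Analyze(sampleLog, 3, 5*time.Minute)` yields one high-severity anomaly for the jdoe session and one policy violation for contractor9, while the single asmith failure produces nothing. The threshold and window are the tuning knobs the slide's "commensurate with the risk" refers to: a shorter window or a higher threshold leaves only the policy violation.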
  • 48. FUTURE TRENDS/THREATS
 DEPEND ON TECHNOLOGY TRENDS
 TELECOMS AND BANKING CONVERGENCE
 RISKS IN MOBILE MONEY INDUSTRY
 CLOUD COMPUTING
 MOBILE COMPUTING AND WIRELESS COMPUTING THREATS
 EASE OF ACCESS TO INTERNET AND TOOLS TO COMMIT FRAUD
 FASTER SPEEDS FOR INTERNET ACCESS IN EAST AFRICA
 GREATER OUTSOURCING?
 NEW IT SAVVY GENERATION?
  • 49. SOLUTIONS
 IT AWARENESS
 USER AND CUSTOMER TRAINING
 STAFF SCREENING
 ETHICAL EMPHASIS
 EMBEDDING STRONG CONTROL AND RISK CULTURE IN BANKS
 SYSTEMS CERTIFICATION BY REGULATORS BEFORE DEPLOYMENT
 STRENGTHEN IT CONTROL, SECURITY, AUDIT PROFESSION AND TRAIN MORE PROFESSIONALS
 INCREASE CEO AND BOARD AWARENESS
  • 50. OTHER BEST PRACTICES
 ISO 17799 : CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT
 BS 7799: SPECIFICATION FOR INFORMATION SECURITY MANAGEMENT SYSTEMS
 COBIT
  • 52. REFERENCES
 http://ithandbook.ffiec.gov/it-booklets.aspx
 http://www.securitymanagement.com/article/atm-fraud-trends-europe-006362
 http://www.bizreport.com/2009/03/consumers_in_the_us_are.html#
 http://www.csoonline.com/article/555863/atm-skimming-how-to-recognize-card-fraud
 http://iss.gwu.edu/merlin-cgi/p/downloadFile/d/21440/n/off/other/1/name/BaselineSecurityRequirementsandControls-Techn/
 http://fvter.wordpress.com/2008/01/30/kervielsociete-generale-information-security-insider-threat/
 http://www.computerweekly.com/Articles/2009/10/27/238308/Podcast-interview-Nick-Leeson-says-Integrated-IT-could-have-prevented-Barings.htm
