4. Things to Discuss
1. Navigating Internet Banking Further
2. Understanding User Behaviors and Expectations
3. Acquiring and Developing Internet Banking Services
4. Understanding Change Management and Problem Management
5. Comprehending Information Security and Privacy
6. Navigating Continuity and Recovery
7. Auditing, Assessing and Testing Activities
8. Conducting IT Risk Management
Managing IT Risks in Internet Banking, November 2015
6. Internet Banking Revisited
"Provision of banking services and products via electronic delivery channels based on computer networks or internet technologies, including cellular or wireless networks, web-based applications and mobile devices."
7. Why Internet Banking?
In the Indonesian technology context:
• Mobile phone users: a huge base (estimated 60% feature phones, 40% smartphones) ~ citing Redwing Asia 2015
• SIM cards sold exceed the total population (121%) ~ citing GSMA Q4 2014
• Active mobile phone users: 54 million ~ various sources, Q1 2015
• Ranked in the world's top ten by number of internet users (72+ million) ~ various sources, Q1 2015
18. Why Internet Banking? (cont'd)
Economic and industry perspectives:
• Economic outlook (>4%) ~ citing recent ADB statistics
• Stable inflation and interest rates ~ citing recent ADB statistics
• 4G technology edges closer
• US$4.5B investment in telematics (US$300m for cellular phones) ~ citing Indonesia Investments, May 2015
• IT spending of US$20+B ~ citing IDC, early 2015
• 80% of that budget goes to corporates and enterprises (the majority in banking and telco) ~ citing IDC, early 2015
19. Why Internet Banking? (cont'd)
20. Let's Dig Deeper into the Numbers
• 30% savings account owners
• 7% credit card subscribers
• 50 million Facebook users (top 5)
• 40 million Twitter users (top 5)
• 4 million Kaskus users
• 85 million middle class
• 5 million middle class growth per year
• 3% internet user growth per year
22. Indonesia E-Channel Banking Services
Channels with the most users (Kadence International 2014 research):
• mobile banking (67%)
• internet banking (54%)
• phone banking (28%)
23. Most Considered Factors by Indonesians
According to the same study:
• Speed
• Security level
• Ease of registration
• Ease of use
24. What Mobile Phone Users Do
• No password: 62% of smartphone users leave their devices unprotected (from the "Protect Your Bubble" study)
• Auto sign-in: don't use it for banking and financial services
• Phishing email: 156 million sent every day across the globe, and 4% of them succeed
• Sensitive info on social media: 75% of identity thieves capitalize on this when targeting their victims, including the geotagging feature
25. What Mobile Phone Users Do (cont'd)
• Sharing data with unknown parties: accounts for around 27%, obtained through phone calls using a fake ID or false identity
• Connecting to unprotected networks: 52% plugged into unsafe wifi and/or plain, unencrypted networks
26. Factors to Consider in Detail
• Data confidentiality
• System integrity
• System availability
• Customer and transaction authenticity
• Customer protection
27. Acquiring and Developing Internet Banking Services
28. System Development Life Cycle
Things to consider:
• Tasks and processes for developing new systems should include the assignment and delineation of responsibilities and accountabilities for system deliverables and project milestones.
• Business and functional requirements, system design, technical specifications and service performance expectations should be adequately documented and approved at the appropriate management levels.
29. System Development Life Cycle (cont'd)
• Security requirements should be clearly specified:
  - System access control
  - Authentication
  - Transaction authorization
  - Data integrity
  - System activity logging
  - Audit trail
  - Security event tracking
  - Exception handling
• A compliance check against the bank's security standards and regulatory requirements is expected.
30. System Development Life Cycle (cont'd)
• A management-approved methodology should set out how, and what, system testing is to be conducted:
  - Scope should cover business logic, security controls and system performance under various stress-load scenarios and recovery conditions.
  - Full regression testing is required before any major system rectification or enhancement is implemented.
  - Test results should be reviewed and signed off by the users whose systems and operations are affected by the changes.
31. System Development Life Cycle (cont'd)
• To control the migration of new systems or changes into the production environment, separate physical or logical environments should be maintained for unit, integration, system and user acceptance testing.
• Vendor and developer access to the UAT environment should be strictly monitored.
32. Outsourcing Management
• Contractual terms and conditions governing the roles, relationships, obligations and responsibilities of all contracting parties should be carefully and properly defined in written agreements.
• Agreements should cover performance targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency planning, disaster recovery capability and backup processing facilities.
33. Outsourcing Management (cont'd)
• Unless acceptable arrangements have been made and mutually agreed, the service provider should be required to give all parties nominated by the bank access to its:
  - Systems
  - Operations
  - Documentation
  - Facilities
  in order to carry out any review or assessment for regulatory, audit or compliance purposes.
34. Outsourcing Management (cont'd)
• Banks and service providers must observe the banking secrecy requirements of banking laws and regulations.
• Contracts and arrangements with service providers should take into account the need to protect the confidentiality of customer information as well as the necessity of complying with all applicable laws and regulations.
35. Monitoring Outsourcing Management
• The bank should require the vendor to implement security policies, procedures and controls at least as stringent as it would expect for its own operations.
• It should review and monitor the vendor's security practices and processes on a regular basis, including commissioning or obtaining periodic expert reports on the security adequacy and compliance of the vendor's operations.
• A process for monitoring the vendor's service delivery, performance reliability and processing capacity should also be established, to gauge ongoing compliance with the agreed SLA and the viability of its operations.
36. The Vendor's Contingency and BCP
• Management should require the vendor to develop and establish a BCP and DRP framework.
• As human error still accounts for the bulk of system downtime and failures, all parties and personnel concerned should receive regular training in activating the contingency plan and executing the recovery procedures.
• The plan should be reviewed, updated and tested regularly in line with changing technology conditions and operational requirements.
41. (chart not reproduced) Source: IBM; [1] UNODC Comprehensive Study on Cybercrime, 2013
42. (chart not reproduced) Source: IBM; [2] FBI: Crime in the United States 2013; [3] United California Bank Robbery; [4] Center for Strategic and International Studies
43. (chart not reproduced) Source: IBM; [6] ESG: http://bit.ly/1xzTmUW
44. Notable Cyber Attacks
In 2014 the Federal Bureau of Investigation (FBI) listed, most frequent first:
• Viruses
• Employee abuse of internet privileges
• Unauthorized access by insiders
• Denial of service
• System penetration from the outside
• Theft of proprietary information
• Sabotage of data/networks
• Probing/scanning of systems
• Financial fraud
45. Notable Cyber Attacks (cont'd)
• Manipulating data integrity
• Installing a sniffer
• Stealing password files
• Trojan logons
• IP spoofing
46. Another Perspective on Attacks
Key findings from the 2014 US State of Cybercrime Survey (with PwC):
• 80% of attacks rely on exploits that we can readily defend against:
  - Focus on security awareness
  - Properly maintained IT infrastructure
  - Effective monitoring
• 15% of attacks can be mitigated with a solid security strategy
• 5% are sophisticated/nation-state
47. Common Cyber Attacks
• Unauthorized access
• Theft of information
• Email bombing
• Data diddling
• Salami attacks
• Denial of service
48. Common Cyber Attacks (cont'd)
• Virus and worm attacks
• Logic bombs
• Trojan attacks
• Internet time theft
• Web jacking
• Theft of computer systems
• Physically damaging a computer system
49. Defining Cyber Crime
• Former descriptions were "computer crime", "computer-related crime" or "crime by computer".
• With the pervasion of digital technology, new terms like "high-technology" or "information-age" crime were added to the definition. The Internet brought other new terms, like "cybercrime" and "net" crime.
• Other forms include "digital", "electronic", "virtual", "IT", "high-tech" and "technology-enabled" crime.
50. Cyber Criminals: Who Are They Really?
• Kids (age group below 17)
• Disgruntled employees
• Organized hacktivists
• Professional hackers (corporate espionage), either white or black hats
• Cyber terrorists (political motive)
51. Cyber Crime-as-a-Service Marketplace
• Has continued to mature over the past two years.
• Enables more fraudsters to cash in without needing to understand the chain of fraud, how to phish or spam, or IT infrastructure requirements.
• Has become fiercely competitive.
• Cybercrime "service providers" must work harder than ever before to win and keep "customers".
• Generalized increase in the quality of malware produced.
• Enables a much larger pool of bad actors with no technical knowledge to profit.
52. Cyber Crime-as-a-Service Marketplace (cont'd)
• Many types of attack are simple and low cost.
• Phishing attacks: 500,000 email addresses cost $30.
• Hosting a phishing site can be more or less free.
• Thousands of credit cards can be stolen for around $100.
55. Human Resources Management
• Internet security ultimately relies on trusting a small group of skilled personnel, who must be subject to proper checks and balances.
• For that very reason, their duties and access to system resources must be placed under close scrutiny.
• Stringent selection criteria and thorough screening should be applied in appointing personnel to internet operations and security functions.
• Personnel involved in developing, maintaining and operating websites and systems should be adequately trained in security principles and practices.
56. Human Resources Management (cont'd)
• Never-alone principle
Because of the sensitive and critical nature of certain system functions and procedures, they should be carried out jointly by more than one person, or performed by one person and checked by another:
  - Systems initialization
  - Network security configuration
  - Access control system installation
  - Changing operating system parameters
  - Implementing firewalls and intrusion prevention systems
  - Modifying contingency plans
  - Invoking emergency procedures
  - Obtaining access to backup recovery resources
  - Creating master passwords and cryptographic keys
57. Human Resources Management (cont'd)
• Segregation of duties principle
Responsibilities and duties should be separated and performed by different groups of personnel for:
  - Operating systems function
  - Systems design and development
  - Application maintenance programming
  - Computer operations
  - Database administration
  - Access control administration
  - Data security
  - Librarian
  - Backup data file custody
• Transaction processes should be designed so that no single person can initiate, approve, execute and enter transactions into a system in a manner that would enable fraudulent actions to be perpetrated and processing details to be concealed.
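The maker-checker rule in the last bullet is easy to state and easy to get wrong in code, because most implementations compare roles rather than identities. The following is an added example, not code from the slides or from any bank's system: it enforces the initiate/approve/execute sequence, checks the role for each step, and then refuses a second step from the same identity even when that identity has been granted every role. The role names, users and amounts are assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Step(Enum):
    INITIATE = "initiate"
    APPROVE = "approve"
    EXECUTE = "execute"


# Assumed role matrix: which role may perform which step, and the fixed order.
ROLE_FOR_STEP = {Step.INITIATE: "maker", Step.APPROVE: "checker", Step.EXECUTE: "ops"}
ORDER = [Step.INITIATE, Step.APPROVE, Step.EXECUTE]


class SegregationError(PermissionError):
    """One identity tried to perform a second step of the same transaction."""


@dataclass
class Transaction:
    src: str
    dst: str
    amount: int
    # Audit trail of (step, user): every step is recorded, so the person acting
    # cannot conceal the processing details.
    trail: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def done(self) -> List[Step]:
        return [Step(s) for s, _ in self.trail]

    @property
    def actors(self) -> Set[str]:
        return {u for _, u in self.trail}


class TransactionService:
    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles = roles  # user -> roles, as a directory lookup would return

    def perform(self, tx: Transaction, user: str, step: Step) -> Transaction:
        expected = ORDER[len(tx.done)] if len(tx.done) < len(ORDER) else None
        if step is not expected:
            raise ValueError(f"next step must be {expected}, not {step}")
        if ROLE_FOR_STEP[step] not in self.roles.get(user, set()):
            raise PermissionError(f"{user} lacks role {ROLE_FOR_STEP[step]}")
        # Segregation of duties: compare identities, not roles. A user who holds
        # both maker and checker still cannot approve their own entry.
        if user in tx.actors:
            raise SegregationError(f"{user} already acted on this transaction: {tx.trail}")
        tx.trail.append((step.value, user))
        return tx


def run_demo() -> Dict[str, object]:
    """Constructed users: carol holds every role and still cannot act twice."""
    svc = TransactionService({
        "alice": {"maker"},
        "bob": {"checker"},
        "dave": {"ops"},
        "carol": {"maker", "checker", "ops"},
    })
    ok = Transaction("ACC-1", "ACC-2", 5_000)
    for user, step in [("alice", Step.INITIATE), ("bob", Step.APPROVE), ("dave", Step.EXECUTE)]:
        svc.perform(ok, user, step)

    solo = Transaction("ACC-1", "ACC-9", 5_000)
    svc.perform(solo, "carol", Step.INITIATE)
    try:
        svc.perform(solo, "carol", Step.APPROVE)
        blocked = False
    except SegregationError:
        blocked = True

    skip = Transaction("ACC-1", "ACC-9", 5_000)
    try:
        svc.perform(skip, "dave", Step.EXECUTE)  # executing without initiation or approval
        skipped = False
    except ValueError:
        skipped = True
    return {"completed": ok.done == ORDER, "self_approval_blocked": blocked,
            "skip_blocked": skipped, "trail": ok.trail}
```

The identity check is deliberately separate from the role check: role grants drift over time (the "carol" case is common after a reorganisation), and the never-alone requirement holds regardless of how many roles one account has accumulated.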
58. Human Resources Management (cont'd)
• Access control principles
  - Access rights and system privileges must be based on job responsibility and the necessity of having them to fulfil one's duties.
  - No person should, by virtue of rank or position, have any intrinsic right to access confidential data, applications, system resources or facilities.
  - Only employees with proper authorization should be allowed to access confidential information and use system resources, and solely for legitimate purposes.
59. Human Resources Management (cont'd)
• Internal sabotage, clandestine espionage or furtive attacks by trusted employees, contractors and vendors are potentially among the most serious risks a bank faces.
• Current and past employees, contractors, vendors and others with intimate knowledge of the inner workings of the bank's systems, operations and internal controls have a significant advantage over external attackers.
60. Human Resources Management (cont'd)
• No one should have concurrent access to both production systems and backup systems, particularly data files and computer facilities.
• Any person who needs to access backup files or system recovery resources should be duly authorized for a specific reason and a specified time only.
• Access that is not for a specific purpose and a defined period should not be granted.
61. Human Resources Management (cont'd)
• Personnel from vendors and service providers, including consultants, who have been given authorized access to the organization's critical network and computer resources pose similar risks.
62. Applying Control and Security Practices
• Implement two-factor authentication for privileged users
• Institute strong controls over remote access by privileged users
• Restrict the number of privileged users
• Grant privileged access on a "need-to-have" basis
• Maintain audit logging of system activities performed by privileged users
• Ensure that privileged users do not have access to the system logs in which their activities are captured
63. Applying Control and Security Practices (cont'd)
• Conduct regular audit or management review of the logs
• Prohibit sharing of privileged IDs and their access codes
• Disallow vendors and contractors from gaining privileged access to systems without close supervision and monitoring
• Protect backup data from unauthorized access
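Keeping privileged users away from the logs that record them (slide 62) is an access-control measure; the complementary technical control is a log the reviewers (slide 63) can check for tampering. The following is an added example and not code from the slides: each record's tag is an HMAC over the record and the previous record's tag, so an administrator who does manage to read or edit the log file cannot alter, reorder or drop an entry without breaking the chain. The HMAC key is assumed to be held only by the reviewers who run verify(), never on the host being audited; the admin actions are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64
FIELDS = ("seq", "user", "action", "target")


def _tag(key: bytes, body: Dict, prev: str) -> str:
    msg = json.dumps(body, sort_keys=True).encode() + prev.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only writer. In production the key and the writer would sit in
    the log collector, not on the machine whose administrators are logged."""
    def __init__(self, key: bytes):
        self._key = key
        self.records: List[Dict] = []
        self._prev = GENESIS

    def append(self, user: str, action: str, target: str) -> Dict:
        body = {"seq": len(self.records), "user": user, "action": action, "target": target}
        rec = dict(body, prev=self._prev, tag=_tag(self._key, body, self._prev))
        self.records.append(rec)
        self._prev = rec["tag"]
        return rec


def verify(records: List[Dict], key: bytes, anchor: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index): index is the first bad record, or -1 if the chain is intact.
    'anchor' is the latest tag the reviewer stored out of band. Without it,
    cutting records off the end of the log is undetectable, because a shorter
    chain is still internally consistent."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: rec.get(k) for k in FIELDS}
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_tag(key, body, prev), rec.get("tag", "")):
            return False, i
        prev = rec["tag"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, len(records)
    return True, -1


def run_demo() -> Dict[str, Tuple[bool, int]]:
    """Constructed admin actions, then four tampering attempts."""
    key = b"reviewer-held-key-assumed"
    log = AuditLog(key)
    log.append("root-admin", "useradd", "svc_backup")
    log.append("root-admin", "chmod 777", "/var/log/audit")
    log.append("root-admin", "userdel", "svc_backup")
    anchor = log.records[-1]["tag"]          # reviewer keeps this out of band
    results = {"intact": verify(log.records, key, anchor)}

    edited = json.loads(json.dumps(log.records))   # deep copy
    edited[1]["action"] = "chmod 640"              # rewrite the embarrassing entry
    results["edited"] = verify(edited, key, anchor)

    dropped = log.records[:-1]                     # cut off the last record
    results["dropped_no_anchor"] = verify(dropped, key)
    results["dropped_with_anchor"] = verify(dropped, key, anchor)

    reordered = [log.records[0], log.records[2], log.records[1]]
    results["reordered"] = verify(reordered, key, anchor)
    return results
```

The "dropped_no_anchor" case is the one to remember when reviewing a design like this: a hash chain proves that what remains is unmodified and in order, not that nothing was removed from the tail. The reviewer needs either the last tag or the record count stored somewhere the administrator cannot reach.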
64. Security Practices Further
• Deploy hardened operating systems: system software and firewalls should be configured to the highest security settings consistent with the level of protection required, keeping abreast of updates, patches and enhancements recommended by system vendors
• Change all default passwords on new systems immediately upon installation
• Install firewalls between internal and external networks as well as between geographically separate sites
• Install intrusion detection/prevention devices (including denial-of-service security appliances where appropriate)
• Build in redundancy for single points of failure that could bring down the entire network
65. Security Practices Further (cont'd)
• Perform application security reviews using a combination of source code review, stress loading and exception testing to identify insecure coding techniques and system vulnerabilities
• Engage independent security specialists to assess the strengths and weaknesses of internet-based applications, systems and networks before each initial implementation (and at least annually, without forewarning to internal staff)
• Conduct penetration testing at least annually
• Establish network surveillance and security monitoring procedures using network scanners, intrusion detectors and security alerts
67. Impact on Information Privacy
The relationship between the collection and dissemination of:
• Information
• Technology
• Personal and public expectations
• The laws and regulations surrounding them
68. Primary Concerns
• The act of data collection: legal versus illegal
• Improper access (authentication)
• Unauthorized use (authorization)
69. What Does Privacy Mean Now?
• In the past: privacy was about secrecy.
• These days: privacy is all about control.
People's relationship with privacy is socially complicated.
Agree or disagree?
70. Privacy Challenges
• What is "private" information by now?
• Making information more accessible
• Evolving systems to prevent breaches
71. Business Priorities according to IT (chart not reproduced; courtesy of DataCenterJournal)
72. What Takes Priority with IT Teams? (chart not reproduced; courtesy of DataCenterJournal)
74. Bank Disclosure
• Banks should provide clear information to customers about the risks and benefits of using internet banking prior to subscription.
• Customers should be informed clearly and precisely of the respective rights, obligations and responsibilities of customer and bank on all matters relating to online transactions, and on any problems that may arise from processing errors and security breaches.
• Information written in prolix legalese and technical terminology causes legibility and comprehension difficulties for customers.
75. Bank Disclosure (cont'd)
• Terms and conditions applying to online banking products and services should be readily available to customers within the internet banking application.
• On initial logon or subscription to a particular service or product, a positive acknowledgement of the terms and conditions should be required from the customer.
• Banks should publish their customer privacy and security policy.
• Customer dispute handling, reporting and resolution procedures, including the expected timing of the bank's response, should also be clearly defined.
• All this information should be posted on the bank's website.
• Disclosure of information should be useful and relevant to customers in making informed decisions.
76. Bank Disclosure (cont'd)
• On their websites, banks should advise and explain to customers the security measures and reasonable precautions they should take when accessing their online accounts.
• The precautionary procedures include taking adequate steps to prevent unauthorized transactions and fraudulent use of their accounts, and ensuring that no one else is able to observe or steal their access credentials or other security information in order to impersonate them or gain unauthorized access to their online accounts.
77. Bank Disclosure (cont'd)
• When security breaches occur and customer online accounts may have been fraudulently accessed and unauthorized transactions made, banks should explain on their websites what process will be invoked to resolve the problem or dispute.
• Customers should be informed of the conditions and circumstances under which the resulting losses or damages would be attributable to the bank or to the customer.
79. Business and IT Continuity
• Recovery and business resumption priorities must be defined, and contingency procedures tested and practised, so that business and operating disruption arising from a serious incident is minimized.
• A Continuity and Recovery Plan as well as an Incident Prevention and Response Plan should be in place, evaluated periodically and updated as and when changes to business operations, systems and networks occur.
80. Emergency Response
• Banks should refrain from adopting impromptu and untested recovery measures in place of pre-determined recovery actions that have been rehearsed and endorsed by management.
• Ad hoc recovery measures carry high operational risk because their effectiveness has not been verified through rigorous testing and validation.
81. Crisis Communication
• A predetermined action plan to address public relations issues.
• Covers the 5 Ws and 1 H (who, what, when, where, why and how) of communicating the disaster/crisis to internet banking stakeholders.
• Being able to maintain customer confidence throughout a crisis period or emergency situation is of great importance to the bank's reputation and soundness.
82. Business and IT Recovery
• A recovery site geographically separate from the primary site must be established to enable restoration of critical systems and resumption of business operations should a disruption occur at the primary site.
• A hot-site rapid recovery capability should be created and maintained.
• The required speed of recovery will depend on the criticality of resuming business operations, the type of online services, and whether there are alternative ways and processing means to maintain adequate continuing service levels to satisfy customers.
83. In Conclusion
• Banks whose networks and systems are linked to specific service providers and vendors should conduct bilateral or multilateral recovery testing and ensure that interdependencies are fully catered for.
• Incident response, disaster recovery and business continuity preparations need to be regularly reviewed, updated and tested to ensure their effectiveness.
• Responsible staff must be capable of undertaking emergency and recovery procedures when required.
• Recovery preparedness should fully anticipate a total shutdown or incapacitation of the primary computer site.
84. Auditing, Assessing and Testing Activities
85. Assessing with Source Code Review
• System testing and UAT are ineffective at detecting malicious code, trojans, backdoors, logic bombs and other malware, and so is penetration testing.
• Objective: finding security defects due to coding errors, insecure coding practices or malicious attempts.
• Designed to detect security vulnerabilities, deficiencies, gaps and mistakes (relating to control structure, security, input validation, error handling, file updates, function parameter verification, reliability, integrity, resiliency, execution, etc.).
86. Assessing with Source Code Review (cont'd)
• Code quality and programming practices can also be improved.
• A high degree of system and data integrity is required for all internet-facing applications.
• Due diligence is required to ensure these applications have appropriate security controls, taking into consideration the type and complexity of the online services provided.
87. Penetration Testing
• Conducted for a new system, particularly one that offers internet accessibility and open network interfaces, using black-box and white-box techniques.
• Complemented by vulnerability assessment of the external and internal network components that support the new system.
• VA should be conducted at least quarterly, PT at least yearly.
88. Other Types of Testing
1. Identify information leakage
• Sensitive information such as cryptographic keys, account and password details, system configurations and database connection strings should not be disclosed.
• Potential sources of information leakage, such as verbose error messages and banners, hard-coded data, and file and directory operations, should be scrutinized for inappropriate information disclosure.
2. Assess resilience against input manipulation
• The test should review all input validation routines and assess their effectiveness against known vulnerabilities.
89. Other Types of Testing (cont'd)
3. Identify insecure programming practices
• Use of vulnerable function calls
• Inadequate memory management
• Unchecked argument passing
• Inadequate logging and comments
• Use of relative paths
• Logging of passwords and authentication credentials
• Inappropriate access privilege assignment
90. Other Types of Testing (cont'd)
4. Detect deviations from design specifications
• Critical modules containing authentication and session management functions should be vetted for discrepancies between the code design and its implementation.
5. Evaluate exception handling
• Adequate controls should be in place to ensure that resulting errors do not allow users to bypass security checks or obtain core dumps.
• Sufficient processing details should be logged at the source of the exception to assist problem diagnosis.
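Test items 1, 2, 3 and 5 above (information leakage, input manipulation, credentials in logs, and exceptions that bypass security checks) tend to show up together in one handler. The following is an added example, not code from the slides or from any bank's application: a funds-transfer endpoint written the leaky, fail-open way next to a hardened version that validates input, fails closed, returns only a correlation reference to the client, and keeps the detailed record server-side with credentials redacted. The connection string, request shape and FakeDB stand-in are constructed for the example.

```python
import logging
import re
import uuid

DB_URL = "postgresql://bank_app:S3cretPw@db.internal:5432/core"  # assumed secret config
SECRET_FIELDS = {"password", "pin", "otp", "token"}
CRED_IN_URL = re.compile(r"://[^:/@\s]+:[^@\s]+@")


def scrub(text: str) -> str:
    """Backstop at the log sink: mask user:password@ in any URL that reaches the log."""
    return CRED_IN_URL.sub("://***:***@", text)


def redact(req: dict) -> dict:
    return {k: ("***" if k.lower() in SECRET_FIELDS else v) for k, v in req.items()}


class ListHandler(logging.Handler):
    """Keeps scrubbed log lines in memory so the example can inspect them."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(scrub(self.format(record)))


class FakeDB:
    """Constructed data layer: owners maps account -> user; timeout simulates an outage."""
    def __init__(self, owners: dict, timeout: bool = False):
        self.owners, self.timeout, self.moves = owners, timeout, []

    def require_owner(self, user, acct):
        if self.timeout:
            raise TimeoutError(f"no response from {DB_URL}")
        if self.owners.get(acct) != user:
            raise PermissionError(f"{user} does not own {acct}")

    def transfer(self, src, dst, amount):
        if self.timeout:
            raise TimeoutError(f"no response from {DB_URL}")
        self.moves.append((src, dst, amount))


def transfer_vulnerable(req, db, log):
    try:
        db.require_owner(req["user"], req["from_acct"])
    except Exception as exc:
        # Swallowing the error skips the authorization check (fail-open), and the
        # raw request, password included, is written to the log.
        log.error("owner check error %s for %r", exc, req)
    try:
        db.transfer(req["from_acct"], req["to_acct"], req["amount"])
        return 200, "ok"
    except Exception as exc:
        return 500, f"transfer failed: {exc}; db={DB_URL}"  # verbose error to the client


def validate_account(value):
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{10}", value):
        raise ValueError("account number must be 10 digits")
    return value


def validate_amount(value, limit=5_000_000):
    if isinstance(value, bool) or not isinstance(value, int) or not 0 < value <= limit:
        raise ValueError("amount out of range")
    return value


def transfer_hardened(req, db, log):
    ref = uuid.uuid4().hex[:12]  # correlation id: the client sees this, not the cause
    try:
        src = validate_account(req.get("from_acct"))
        dst = validate_account(req.get("to_acct"))
        amount = validate_amount(req.get("amount"))
        db.require_owner(req.get("user"), src)  # any failure here stops the transfer
        db.transfer(src, dst, amount)
        return 200, "ok"
    except PermissionError:
        log.warning("ref=%s denied user=%s", ref, req.get("user"))
        return 403, "forbidden"
    except ValueError as exc:
        log.info("ref=%s rejected input: %s", ref, exc)
        return 400, "invalid request"
    except Exception:
        # Traceback and redacted request stay server-side for diagnosis.
        log.exception("ref=%s unexpected failure req=%r", ref, redact(req))
        return 500, f"internal error, reference {ref}"


def run_scenarios() -> dict:
    """Constructed requests: a non-owner attempt and a database timeout, against both handlers."""
    log = logging.getLogger(f"xfer-{uuid.uuid4().hex}")
    handler = ListHandler()
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.propagate = False
    owners = {"1234567890": "alice"}
    req = {"user": "mallory", "from_acct": "1234567890", "to_acct": "0987654321",
           "amount": 1000, "password": "Tr0ub4dor&3"}
    out = {}
    for name, fn in (("vuln", transfer_vulnerable), ("hard", transfer_hardened)):
        handler.lines.clear()
        db = FakeDB(owners)
        status, _ = fn(req, db, log)
        out[f"{name}_nonowner"] = (status, len(db.moves))
        db = FakeDB(owners, timeout=True)
        status, body = fn(req, db, log)
        out[f"{name}_timeout"] = (status, "S3cretPw" in body, len(db.moves))
        out[f"{name}_log_leak"] = any("Tr0ub4dor&3" in line for line in handler.lines)
    return out
```

Two details matter in review. The hardened handler catches PermissionError and ValueError specifically and lets everything else fall into the generic branch, so a database outage during the ownership check produces a 500 rather than a transfer. And the URL scrub sits at the log sink, because the database driver's own exception text carries the connection string; redacting the request alone would not have kept the password out of the traceback.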
91. Other Types of Testing (cont'd)
6. Evaluate cryptographic implementation
• Only cryptographic modules based on authoritative standards and reputable protocols should be installed.
• Functions involving cryptographic algorithms and crypto-key configurations must be vetted for deficiencies and loopholes.
• Evaluate the choice of ciphers, key sizes, key exchange protocols, hashing functions and random number generators.
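Two findings that recur in reviews against the last bullet are an unsalted fast hash for password storage and a seeded general-purpose PRNG for session tokens. The following is an added example, not code from the slides: it keeps the weak forms only so they can be recognised, and places beside them replacements built on standard-library primitives (PBKDF2-HMAC-SHA256 with a per-user salt, constant-time comparison, and the OS CSPRNG), with a login path that accepts a legacy record once and rehashes it. The iteration count and token length are assumed policy values.

```python
import hashlib
import hmac
import os
import random
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed policy minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def legacy_hash(password: str) -> str:
    """The weak scheme a review should flag: unsalted MD5, so equal passwords
    share a hash and precomputed tables apply. Kept only to verify old records once."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    if "$" not in stored:                               # legacy record
        return hmac.compare_digest(legacy_hash(password), stored)
    alg, iters, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)        # constant-time comparison


def needs_rehash(stored: str) -> bool:
    """True for legacy records and for PBKDF2 records below the current policy."""
    return "$" not in stored or int(stored.split("$")[1]) < PBKDF2_ITERATIONS


def login(password: str, stored: str) -> tuple:
    """Returns (ok, record_to_store): a successful login against a weak or
    out-of-date record rehashes it, retiring MD5 without a mass password reset."""
    ok = verify_password(password, stored)
    new = hash_password(password) if ok and needs_rehash(stored) else stored
    return ok, new


def weak_session_token(seed: int) -> str:
    """What a review should flag: Mersenne Twister seeded from something
    guessable (the integer stands in for a timestamp). Same seed, same token."""
    return "%032x" % random.Random(seed).getrandbits(128)


def session_token() -> str:
    return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
```

The record format carries its own algorithm and iteration count, which is what lets needs_rehash() raise the work factor later without touching the verify path; the PBKDF2 cost is the one parameter here that should be expected to change over the life of the application.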
94. Conducting IT Risk Management
95. Definition of IT Risks
• Any adverse outcome, damage, loss, disruption, violation, irregularity or failure arising from the use of or reliance on computer hardware, software, electronic devices, online networks and telecommunications systems.
• Can also be associated with system failures, processing errors, software defects, operating mistakes, hardware breakdowns, capacity deficiencies, network vulnerabilities, control weaknesses, security shortcomings, internal sabotage, espionage, malicious attacks, hacking incidents, fraudulent conduct and defective recovery capabilities.
96. Risk Management Framework
• Identify, classify and assess (qualitatively and quantitatively) risks.
• Develop a plan containing policies, practices and procedures addressing and controlling these risks.
• Implement and regularly test the plan.
• Monitor risks and plan effectiveness on a regular basis.
• Update the plan periodically to take account of changes in technology, legal requirements and the business environment, including external and internal threats and security vulnerabilities.
97. IT Risk Assessment Frameworks
• ISACA Risk IT
• Information Security Risk Management for ISO 27001
• CRAMM Information Security Toolkit
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
98. ISACA Risk IT
Complements and extends COBIT and Val IT to make a more complete IT governance guidance resource.
99. Risk Response
• Avoidance: eliminate, withdraw from or do not become involved
• Mitigate: reduce impact or probability
• Transfer: outsource or insure
• Accept: mostly due to very low impact/probability
101. Cybersecurity Risks (charts not reproduced)
Q: Are you more concerned or less concerned about cybersecurity threats posed to your organization this year (2015) than those you encountered the previous year (2014)?
Q: Please estimate the total monetary value of losses your organization sustained due to cybercrime and advanced persistent threats during the past 12 months, including the costs associated with resolving all issues associated with the incident.
Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University
102. Cybersecurity Risks: Major Attention
Q: To address cyber-risks, are your investments and spending focused on:
                                     Enterprise (1,000+)   SMB (<1,000)
New technologies                            49%               45%
Audits & assessments                        44%               35%
New skills & capabilities                   32%               35%
Redesign cybersecurity strategy             17%               30%
Redesigning processes                       14%               16%
Participating in knowledge sharing          11%               18%
Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University
103. Supply Chains at Risk; Need C-Suite Attention (chart not reproduced)
Q: Please identify all areas where you consider supply chain/business ecosystem risks.
Areas shown: third-party vendors (62%), contractors (57%), software (52%), suppliers (42%), procurements (40%).
Q: On average, how often do you evaluate the security of supply chain/business ecosystem partners with which you share data or network access?
Assessment of business ecosystem risks (chart): 23%.
Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University
104. Confidence in Security Solutions Varies (chart not reproduced)
Q: How effective do you consider each of the following technologies in place in your organization in detecting and/or countering security events? (Very effective / Somewhat effective / Not very effective / Not at all effective)
5 most effective solutions: firewalls, SPAM filtering, electronic access control systems, network-based anti-virus, access controls (chart values: 86%, 82%, 76%, 74%, 76%)
5 least effective solutions: manual patch management, change control/configuration management systems, wireless monitoring, automated patch management, video surveillance (chart values: 17%, 17%, 18%, 19%, 32%)
Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University
105. Indonesia Case: Check These Facts Out
Security Threat and Symantec say:
• 36.6 million cyber attacks (35% from outside, the rest from inside the country) from 2012 to 2014.
• 497 cyber crime cases from 2012 to April 2015, involving 389 foreigners and 108 local citizens.
• Fake bank accounts, money laundering, artificial LC documents, camouflage postings.
• Accounted for 4.1% of the world's cyber crimes.
• The highest percentage of PCs infected by malware across the globe.
Government CSIRT says:
• 60% of government domains encountered web defacements and 36% were infected by malware.
106. Indonesia Case: Check These Facts Out (cont'd)
• According to Norton's latest Cyber Crime report, global consumer cyber crime costs over USD 150bn annually.
• Yet the figures for Indonesia are unknown.
• Dakaadvisory predicts around USD 2.3bn in 2013, obtained by multiplying the number of victims by the cost per victim.
• Of the Ministry of Communication and IT's total budget of USD 500m, 1% is allocated to Cyber Security.
107. Indonesia: Estimated Cyber Crimes Costs
• DAKAAdvisory reveals from 2011 to 2013
108. Putting Them into Global Context
• DAKAAdvisory reveals in 2013
109. How the Indonesian Government Responds
• Telecommunication Act No. 36/1999 focuses briefly on telecommunications infrastructure, not on the internet in particular.
• Information and Transaction Electronic Act No. 11/2008 for legal enforcement against cyber crime.
• Copyright Act No. 19/2002.
• Pornography Act No. 44/2008.
• Electronic System Provider and Electronic Transaction Regulation No. 82/2012.
111. Duration to Initiate an Investigation on Incidents
[Chart: share of respondents by time taken to initiate an investigation; categories: Within 10 minutes; Within 1 hour; Within 4 hours; Within 1 day; Longer than 1 day; Unknown.]
Respondents were asked to choose one.
112. Cybersecurity not Aligned to the Business
In order to get ahead of cybercrime, it is essential to keep your cybersecurity measures 100% aligned with your business.
Organizations are continuing to improve their cybersecurity, but the changes in the threat are travelling at an even faster rate, meaning they are effectively going backwards.
[Chart: 2013 vs 2014] Instead of an expected increase in the number of organizations reporting that their Information Security function fully meets the needs of their organization, our survey found a decrease.
[Chart: 2013 vs 2014] Instead of an increase in the number of organizations reporting that their Information Security function partially meets their needs and that improvements are under way, there has been a decrease of 5%.
113. Cybersecurity not Meeting Organization Needs
[Chart: share of respondents selecting each of the following descriptions of their detection capability.] Respondents were asked to choose one.
• We have a formal and advanced detection function that brings together each category of modern technology (host-based malware detection, antivirus, network-based malware detection, DLP, IDS, next-gen firewalls, log aggregation) and uses sophisticated data analytics to identify anomalies, trends and correlations. We have formal processes for threat collection, dissemination, integration, response, escalation and prediction of attacks.
• We have a formal detection program that leverages modern technologies (host-based and network-based malware detection, behavioral anomaly detection, etc.) to monitor both internal and external traffic. We use ad hoc processes for threat collection, integration, response and escalation.
• We utilize a security information and event management (SIEM) solution to actively monitor network, IDS/IPS and system logs. We have informal response and escalation processes in place.
• We have perimeter network security devices (i.e., IDS). We do not have formal processes in place for response and escalation.
• We do not have a detection program.
114. External Parties Protecting Our Organization's Information?
[Chart: share of respondents selecting each of the following practices.] Respondents were asked to choose all that apply.
• No reviews or assessments performed
• Fourth parties (also known as sub-service organizations) are identified and assessments performed (e.g., questionnaires issued, reliance placed on your vendor's assessment processes)
• Only critical or high-risk third parties are assessed
• Self-assessments or other certifications performed by partners, vendors or contractors
• Independent external assessments of partners, vendors or contractors (e.g., SSAE 16, ISAE-3402)
• Accurate inventory of all third-party providers, network connections and data transfers is maintained and regularly updated
• All third parties are risk-rated and appropriate diligence is applied
• Assessments performed by your organization's information security, IT risk, procurement or internal audit function (e.g., questionnaires, site visits, security testing)
116. InfoSec Leadership Is Inevitable
• Information Security Strategic Plan (including the Cyber Security domain).
• Information Security Policies, Procedures, Guidelines, Framework and Standards.
• IT/Information Security personnel (the higher the better) who report directly to organizational leadership.
• Regular monitoring and controlling activities through a measurement and review process.
• Understanding past security events and planning for future ones.
• Governance, Risk, Legal and Compliance (no longer Ops-focused).
117. Where Is the InfoSec Role?
Quoting Security Expert Elliott Franklin in the US (2012):
• 53% of CISOs now report to C-level execs
• 74% of CISOs struggled to balance strategy and operations in 2012
• 32% of CISOs cover both Information and Physical Security
"If I need to do strategic planning, I need to come in during the weekends because ops takes 100% of my time"
In 2014 EMC reported that, across the globe, 60% of IT function working time is allocated to operations.
119. InfoSec Strategic Plan Key Factors
• Determine the direction of the business
• Vision
  – A descriptive picture of a desired future state: "Where do we want to be?"
• Objectives
  – High-level achievement: "Improve customer loyalty", "Grow market share"
• Goals
  – Anything that is measured to help fulfill an objective
• Understand security's current position
  – What do we do?
  – For whom do we do it?
  – How do we excel?
Source: Forrester's Building A Strategic Security Program And Organization (2013)
120. InfoSec Strategic Plan Key Factors (cont'd)
• Strategies
  – Those actions we implement on a day-to-day basis to achieve our objectives
• Projects
  – The concrete actions a business takes to execute its strategic plan
• Capabilities
  – An organization's ability, by virtue of its IT assets, to create business value
121.
Credit: ESET – Cyber Security road map for businesses (2013).
122. Take a Look at This Example
Credit: ESET – Cyber Security road map for businesses (2013).
124. InfoSec Standards
"ISO/IEC 27001"
Best practice recommendations for initiating, developing, implementing, and maintaining Information Security Management Systems (ISMS) with:
• Risk Assessment
• Security Policy
• Asset Management
• Physical/Environmental Security
• Access Control
• And many others
125. By Utilizing Such Framework and Standard
• Reduce complexity of activities and processes
• Deliver better understanding of information security
• Attain cost-effectiveness in managing privacy and security
• Enhance user satisfaction with the arrangements and outcomes
• Improve integration of information security
126. By Utilizing Such Framework and Standard (cont'd)
• Inform risk decisions and risk awareness
• Enhance prevention, detection and recovery
• Reduce probability and impact of security incidents
• Leverage support for organization innovation and competitiveness
127. IIA Three Lines of Defense (3LoD)
Image courtesy of IIA Global Advocacy Platform
128. Incident Response Plan Is Very Basic
• Objectives
  – Respond to events & customers' concerns
  – Rapidly & effectively address disclosures
• Types of incidents
  – Intentional
  – Unintentional
• References
  – NIST SP 800-61r2
  – SANS Incident Handler's Handbook
129. Organization Culture
• What do your executives expect from security?
• If not GRLC, then focus on operations
• Build trust and demonstrate value
• Reporting inside or outside IT?
• Centralized or decentralized?
130. Controls to Enforce Policies
• Log access to data, information and transactions by unique identifier; this requires log management or a SIEM.
• Limit access to specific data to specific individuals; this requires a unique system username and password per individual.
• Sensitive data shall not be emailed outside the organization; enforce this with DLP or an email encryption system.
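As an added example (not from the slides), the three controls above expressed as SIEM-style checks run over constructed log events; the ACL, the shared-account list and the organization's mail domain are assumptions:

```python
import json

# Constructed sample events (JSON lines, as a log collector might forward them to a SIEM).
SAMPLE_EVENTS = """
{"type": "data_access", "user": "alice", "resource": "customer_pii", "action": "read"}
{"type": "data_access", "user": "", "resource": "customer_pii", "action": "read"}
{"type": "data_access", "user": "svc_shared", "resource": "txn_ledger", "action": "read"}
{"type": "data_access", "user": "bob", "resource": "customer_pii", "action": "export"}
{"type": "email", "user": "alice", "to": "x@partner.example", "labels": ["sensitive"], "encrypted": false}
{"type": "email", "user": "carol", "to": "y@partner.example", "labels": ["sensitive"], "encrypted": true}
{"type": "email", "user": "dave", "to": "ops@bank.example", "labels": ["sensitive"], "encrypted": false}
"""

# Hypothetical policy data (assumptions, not from the slides): who may read which
# sensitive data set, which accounts are shared (not a unique identifier), and our mail domain.
ACL = {"customer_pii": {"alice"}, "txn_ledger": {"bob"}}
SHARED_ACCOUNTS = {"svc_shared", "admin", "root"}
INTERNAL_DOMAIN = "bank.example"

def check_event(ev):
    """Return the policy findings for one event; an empty list means compliant."""
    findings = []
    user = ev.get("user", "")
    # Control 1: every logged access must be attributable to a unique identifier.
    if not user or user in SHARED_ACCOUNTS:
        findings.append("NO_UNIQUE_IDENTIFIER")
    if ev["type"] == "data_access":
        # Control 2: specific data is limited to specific, named individuals.
        if ev["resource"] in ACL and user not in ACL[ev["resource"]]:
            findings.append("UNAUTHORIZED_DATA_ACCESS")
    elif ev["type"] == "email":
        # Control 3: sensitive data leaves the organization only when encrypted.
        external = not ev["to"].lower().endswith("@" + INTERNAL_DOMAIN)
        if external and "sensitive" in ev.get("labels", []) and not ev.get("encrypted"):
            findings.append("SENSITIVE_EMAIL_UNENCRYPTED")
    return findings

def audit(log_text):
    """Check every JSON line; return {event_index: findings} for violating events only."""
    report = {}
    lines = [l for l in log_text.splitlines() if l.strip()]
    for n, line in enumerate(lines):
        findings = check_event(json.loads(line))
        if findings:
            report[n] = findings
    return report

if __name__ == "__main__":
    for n, f in audit(SAMPLE_EVENTS).items():
        print(f"event {n}: {', '.join(f)}")
```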
131. Educate, Educate, Educate
• Our security stakeholders: employees, executives, partners, suppliers, vendors
• What are our policies?
• How to comply?
• Consequences of failure to comply
132. Monitoring and Controlling
• Assessment
• Review
• Audit
• Monitor change control
• New vendor relationships
• Marketing initiatives
• Employee terminations
133. Simplest Ways of Prevention
• Disable and log off a specific user account to prevent access.
• Disable and log off a group of user accounts which access a particular service that is being attacked.
• Disable and dismount specific (network) devices, for instance disk devices that are being swamped.
• Disable specific applications, for example an e-mail system subjected to a SPAM attack.
• Close down an entire system, and divert processing to an alternative or backup service on a secondary network.
134. Simplest Tips of Controls
• Use antivirus software.
• Install firewalls.
• Uninstall unnecessary software.
• Maintain backups.
• Check security settings.
• Stay anonymous: choose a genderless screen name.
• Never give your full name or address to strangers.
• Learn more about Internet privacy.