Critical Security And Compliance Issues In Internet Banking


Page 1: Critical Security And Compliance Issues In Internet Banking

CRITICAL SECURITY AND COMPLIANCE ISSUES IN INTERNET BANKING

Presented By: Thomas A. Donofrio, Director of Technology Audit and Consulting Services

Page 2: Regulatory Guidelines and Suggested Practices - Electronic Banking Environment

FFIEC, OCC, FRB, FDIC and OTS have issued joint and separate guidance such as:

• Bulletin 98-38 - Technology Risk Management, August 1998
• Bulletin 2000-14 - Infrastructure Threats - Intrusion Risks, May 2000
• Authentication in an E-Banking Environment (FFIEC), July 2001
• Section 501(b) of GLBA - Customer Information Security Guidelines, July 2001

Page 3: Regulatory Guidelines and Suggested Practices - Electronic Banking Environment

“Living” risk-based management plan and enterprise-wide security program.

• BOD and Management responsibilities and actions speak volumes.
• Don’t wait for regulatory exam guidance or criticisms before taking action.
• Your formalized E-banking risk focus must consider:

1. Strategic and business risks
   • Customer perception and acceptance
   • Reliance on and stability of third party partners

Page 4: Regulatory Guidelines and Suggested Practices - Electronic Banking Environment

2. Operational and transaction risks
   • Access controls for bank staff
   • Access controls for online banking customers (profiles)
   • Reliability of customer authentication
   • Physical and virtual security

3. Reputation risks
   • Confidentiality expectations
   • Customer access capabilities versus actual availability

4. Compliance risks

Page 5: Regulatory Guidelines and Suggested Practices - Electronic Banking Environment

• Outsourcing information technology services and operations
   - Due diligence in selection of vendor
   - Risk assessment of application and services is critical
   - Ongoing evidence of vendor oversight

Page 6: Regulatory Guidelines and Suggested Practices - Electronic Banking Environment

• Compliance Issues
   - GLBA requires that you ensure security and confidentiality
   - Weblinking possibilities
   - Fair Lending and strategic targeted lending efforts
   - Proof of delivery of electronic disclosures
   - Aggregation services and liability

Page 7: Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Enterprise-wide technology universe

• Assign Universe criticality ratings (mission critical, important but less than critical, marginal criticality). Dependent upon:
   - Customer and product database implications
   - Delivery channel and replacement alternatives
   - Service and product expectations of customers
   - Security and control ratings
• Inherent risk assessed factor (high, moderate or low)

Page 8: Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Three essential elements for planned new technologies

• Business case to support
• Detailed implementation action plans
• Risk and security policies developed

Page 9: Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Risk assessment document

• Definition of technology organization
• Short and long term technology planning
• Adequacy of management oversight
• Compliance with regulatory and legal requirements
• Management of service levels, system performance and capacity (internal or outsourced)

Page 10: Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Risk assessment document that addresses evidence of:

• Comprehensive management (due diligence) of third party services
• Continuous service quality
• Logical security controls for core systems, networks, online capabilities
• User authentication and password controls in place
• Data access controls and firewall administration
• Virus detection and prevention

Page 11: Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Privacy and Information Security Policy

• Objectives:
   - Assurance of security and confidentiality
   - Protection against anticipated threats or hazards
   - Protection against unauthorized access or use
• Responsible for the oversight of information security measures of service providers

Page 12: Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Privacy and Information Security Policy suggested additional guidelines (in addition to those already addressed prior to GLBA)

• Security program to comply with GLBA should consider:

1. Identification of reputation impact
2. Encryption of electronic customer information

Page 13: Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Privacy and Information Security Policy suggested additional guidelines (in addition to those already addressed prior to GLBA)

• Development or enhancement of a security program to comply with GLBA should consider:

3. System monitoring reports that deal with:
   • external access attempts
   • attempted attacks
   • probes of your customer information systems
4. Customer complaints of lost information or corrupt data
5. A program for ongoing training and training responsibilities

Page 14: Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Privacy and Information Security Policy suggested additional guidelines (in addition to those already addressed prior to GLBA)

• Development of a security program to comply with GLBA should consider:

6. Comprehensive audit and test requirements
7. Performance of periodic key control testing and system vulnerability assessments completed by
   • qualified third parties or
   • staff that are independent
8. Effective February 28, 2001, contracts with third party service providers must contain appropriate language

Page 15: Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Responsibility for services provided by third party vendors

Specific documentation regarding:
• customer data security efforts
• system monitoring
• intrusion testing
• performance escalation guidelines
• system performance expectations
• bank and vendor responsibilities

SAS 70 reports, Security White papers, and third party penetration and intrusion test reports

Page 16: Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Authentication of E-customers

New E-customer verification, if not face to face, requires:
   - Positive verification
   - Logical verification with customer of general information
   - Use of digital certificates

Page 17: Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Authentication of E-customers

Existing E-customer/transaction validation and security:
• Transaction encryption
• E-correspondence security
• Personal passwords and PINs
• Digital certificates using Public Key Infrastructure
• Tokens (smart cards)
• Biometrics (voice, fingerprints, signature)

Page 18: Network and Web-based Security and System Monitoring

Network and web site security maintenance

• The ability to identify new system vulnerabilities
• Installing software patches & upgrades
• Ongoing monitoring
• Updating vulnerability scanning and intrusion detection tools
• Conducting penetration and intrusion testing

Page 19: Network and Web-based Security and System Monitoring

Other control initiatives include:
• employee and vendor background checks
• firewalls
• secured communication (VPNs, T-1s, etc.)
• real-time intrusion detection
• modem sweeping
• data encryption
• customer authentication options
• vendor management

Page 20: Penetration/Intrusion Testing

Tests electronic environments:
• Internet access (incoming and outgoing)
• Intranet
• Dial-up access

Zero-knowledge attacks versus full-knowledge attacks
• Extensive knowledge of system dynamics versus extensive understanding of systems and security infrastructures in place
• Outside attacker versus inside attacker

Page 21: Penetration/Intrusion Testing

Typical goals of testing:
• “Weakest link” phenomenon
• Firewall assessment
• Security vulnerabilities
   - Insider attacks
   - Remote access exploits (telnet, pcAnywhere, secure shell)
   - E-mail exploits
   - Back doors
   - Frontal assaults
   - Evidence and monitoring destruction

Page 22: Penetration/Intrusion Testing

Typical goals of testing:
• Validate intrusion detection performance
• Validate system response capabilities
• Validate adequacy of security setups
• Ranked vulnerabilities and suggested corrective actions

Page 23: Penetration/Intrusion Testing

Testing limitations:
• Not a comprehensive evaluation of security
• Results of tests reflect only the security status during the time period of the tests

Page 24: Penetration/Intrusion Testing

- Network versus E-Commerce intrusion
- Outsourced web hosting and applications
- Skill set to exploit the vulnerabilities

Choose a service provider wisely:
• Background check of staff
• Reference checks
• Software utilized
• Knowledge and experience with Banking
• Need based selection

Page 25: Security Issues with Other Web Site Initiatives

Weblinking/Portals

• Weblinking due diligence:
   - content compliance
   - customer confusion
   - security policies
   - compliance (e.g., RESPA and Privacy)
• Must distinguish between your products and services and those offered by third parties

Page 26: Security Issues with Other Web Site Initiatives

Weblinking/Portals

• Disclosure regarding differentiation, non-endorsement or guarantee
• Risk disclosures for links that allow customers to open accounts or initiate transactions for non-deposit investment products

Page 27: Security Issues with Other Web Site Initiatives

Aggregation - web-based consolidation of customer information

• Transaction risks
   - Erroneous data gathered
   - Concentration of data increases risk of intrusion
   - Reliance on third party security over information
   - Liability for disputed transactions
• Privacy compliance

Page 28: Security Issues with Other Web Site Initiatives

Aggregation - web-based consolidation of customer information
• Vendor management responsibilities

Wireless Banking

Page 29: Needs Assessment - E-Insurance

- Analysis of your current commercial coverage
- Determine if new e-insurance offerings duplicate
- Customer privacy violations, specific business interruptions or denial of access may have limited coverage or no coverage at all

Page 30: Needs Assessment - E-Insurance

Coverage questions to assist in determining e-insurance needs:
- Does current business coverage meet needs if modified?
- If new coverage is needed, how does it work and how are losses valued?
- When will coverage in proposal be available?

Require outsourcing partners' e-insurance as part of contract SLA