PT RMS Bank Security v1.1

March 2013 Johnston Yoon

Transcript of PT RMS Bank Security v1.1

Page 1: PT RMS Bank Security v1.1

March 2013

Johnston Yoon

Page 2: PT RMS Bank Security v1.1

1. Why is bank security needed?
2. Why do banks need to improve information security?
3. What is the benefit to banks in Malaysia?
4. What is required to enhance IT security?
5. What can an IT security solution provide?
6. Introduction to Rights Management System (RMS)

Page 3: PT RMS Bank Security v1.1

MarkAny Confidential | © 2012 MarkAny Inc. 3

Why Is The Bank Security Needed?

DATA GROWTH
The growth of digital information has rapidly surpassed expectations. By 2011 the digital universe will be 10 times the size of 2006.

INCREASED DATA MOBILITY
The importance of data has increased its access and mobility requirements, making it more difficult to secure and protect.

INCREASED DATA BREACHES
As data and its mobility grow, the number of data breaches and data exposures has also grown.
U.S. 2010: > 662 breaches [2]
• 412 (62%) exposed Social Security numbers
• 170 (26%) exposed credit or debit cards

REGULATIONS INCREASING
Increased data exposure has resulted in increased regulations and reporting requirements globally.

COST OF DATA BREACHES GROWS
Increased reporting requirements and increased data breaches result in increased breach costs.
U.S. 2010: $7.2 million [3]; $214 per record [3]
[Chart: Average org. cost of data breach over 4 years]

Sources:
[1] IDC – The Diverse and Exploding Universe – March 2008
[2] Identity Theft Resource Center – 2010 Data Breach Stats, January 3, 2011
[3] Ponemon Institute – Fourth Annual U.S. Cost of Data Breach Study, January 2009

Page 4: PT RMS Bank Security v1.1

Why Do Banks Need to Improve Information Security?

[Chart: What are the key concerns for banks in the cash handling cycle? Scale 0% to 50%. Categories: Cost; Security; Process Improvement; Transparency & Audit Traceability. Values shown: 44%, 33%, 19%, 4%. Source: Asian Banker Research]

MAIN DRIVERS TO IMPROVE CASH HANDLING EFFICIENCY:
Resulting in higher risk of robbery, theft, and fraud. Internal theft also poses a bigger problem involving more manual processing with more touch points of staff and cash, thus creating opportunities for theft.

Minimize Operation Cost & Security

MAJOR COST CONCERNING: Matured Bank, Emerging Bank
This is not just due to generally higher salaries, but also more efficient management of handling cash through technology and supply chain management, bringing down other non-labor-related cost.

Page 5: PT RMS Bank Security v1.1

Why Do Banks Need to Improve Information Security?

[Figure: The composition of cash handling cost in emerging and mature markets. One chart for Matured Banks (Australia, Hong Kong, Korea, and Singapore) and one for Emerging Banks (China, India, Indonesia, Malaysia, Sri Lanka and Thailand). Segments: Labor (Maintenance); Labor (Backoffice: Sorting, Counting); Labor (Refilling); Transport; Currency Fitness (Change); Holding of Excess Cash; Downtime of Machine; Assurance; Theft. Source: Asian Banker Research]

Page 6: PT RMS Bank Security v1.1

Why Do Banks Need to Improve Information Security?

[Figure: The composition of cash handling cost in selected banks in emerging & matured markets. Scale 0% to 100%. Banks shown: Bank Thailand, Bank Malaysia, Bank Sri Lanka, Bank Indonesia, Foreign Bank Singapore, Bank Taiwan, Bank Korea, grouped as Emerging Banks and Matured Banks. Legend: Security & Regulatory Cost; IT & Operation Cost; Labor Cost; Theft; Currency Fitness (Change); Assurance; Downtime of Machine (Opportunity Cost); Holding of Excess Cash (Opportunity Cost); Transport; Labor (Maintenance); Labor (BackOffice: Sorting, Counting); Labor (Refilling). Source: Asian Banker Research]

Page 7: PT RMS Bank Security v1.1

Why Do Banks Need to Improve Information Security?

Today’s banks face a wide range of risk issues, almost all of which have an impact on the organization’s data.

[Chart: risk issues. Scale 50% to 100%. Categories: Terrorism activity; Supply chain breakdown; E-discovery requests; Natural disaster; Federal compliance issues; Product quality issues; Theft; Physical security; Power failure; Hardware and system malfunction; IT security. Values shown: 50%, 40%, 28%, 25%, 22%, 17%, 13%, 11%, 6%, 78%, 63%. Source: 2010 IBM Global IT Risk Study]

[Diagram: Bank, surrounded by Phishing; Identity Theft; Information leakage; Voice Phishing; Privacy; Spyware; Card Fraud]

Page 8: PT RMS Bank Security v1.1

What Is Required to Enhance IT Security?

PCI DSS Compliance: 6 Control Objectives, 12 Requirements

1. Build and Maintain a Secure Network
• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters

2. Protect Cardholder Data
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks

3. Maintain a Vulnerability Management Program
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications

4. Implement Strong Access Control Measures
• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data

5. Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes

6. Maintain an Information Security Policy
• Maintain a policy that addresses information security

Page 9: PT RMS Bank Security v1.1

What Is the Benefit to Banks in Malaysia?

Introducing information security brings a cost-down effect to the bank, and pays back to Indonesian banks with work efficiency and more salaries for bank executives and employees.

Quantitative Benefit
• Helping to avoid contractual, industry and regulatory penalties (nearly 5% of total cost).
• Cost saving of as much as 20% to 30% at maximum, by delivering considerable savings over traditional information security management efforts.
• Helping to create second, new revenue streams by reducing bank security cost and investing in labor management cost.

Qualitative Benefit
• Creating and maintaining one set of processes, leading to reduced redundancies compared to traditional data security management efforts.
• Allowing for faster market rollout of new initiatives, products and services.

[Figure: cost composition charts for Bank Korea and Bank Malaysia. Scale 0% to 100%. Legend: Security & Regulatory Cost; IT & Operation Cost; Labor Cost; Theft; Currency Fitness (Change); Insurance (labelled Assurance in the second legend); Downtime of Machine (Opportunity Cost); Holding of Excess Cash (Opportunity Cost); Transport; Labor (Maintenance); Labor (BackOffice: Sorting, Counting); Labor (Refilling)]

Page 10: PT RMS Bank Security v1.1

What Is Required to Enhance IT Security?

Drivers:
• Internal & External Malicious Threats
• IT Security Policy & External Regulation
• Information Security Breaches at Banks
• Inability of Data Monitoring & Traceability

Requirements:
• Facilitate alignment of IT data initiatives and business strategies
• Improve ability to measure, monitor and improve e-Evidence & e-Discovery
• Increase compliance and regulatory adherence & enhance business intelligence capabilities
• Initiate ultimate data protection; ensure adequate controls of internal data

Page 11: PT RMS Bank Security v1.1

What Can an IT Security Solution Provide?

• Improve existing controls used to prevent, detect and mitigate security breaches and data risks at rest, in motion, and in use
• Collect data on threats, impacts and effectiveness of the current document management process, and provide hardcopy protection for e-Discovery
• Identify and define risks by assessing each business activity against potential threats and the risk to internal information & data
• Provide extensive industry knowledge and guidelines that cover important data risk areas such as PCI compliance and remote data protection

Page 12: PT RMS Bank Security v1.1

Introduction to RMS (Rights Management System)

The Rights Management System is a total security solution that protects internal information and prevents illegal use or forwarding of sensitive information to unauthorized users. It enables the organization to consolidate its security policy and keep all intelligence secured within the bank organization.

[Diagram: Service Oriented Security Architecture]

RMS Standard Edition:
• Document Encryption
• Access Control
• User Applications Control
• Centralized Security Policy
• Audit Monitoring

User Platform Support: WinXP, WinVista, Win 7, x64 OS
Mobile Support: BlackBerry
Business System Integration: UCM / BPM, SharePoint, FileNet, Documentum
Components Interface

RMS Component Packages:
• PC DRM – Auto-Encryption
• Media Control
• CD / USB Distribution
• Screen & Web Protection
• Hardcopy Protection
• File Server Security
• Offline Policy & External DRM

Page 13: PT RMS Bank Security v1.1

Introduction to RMS – Basic Service Flow

The organization can ensure that security policies are enforced by means of document encryption, access control, and audit trails. This enables the bank to enforce internal control using security policy and system.

[Diagram: basic service flow. Actors: Internal Owner; Administrator; Internal User; Internal Users. Controls: Save Control; Edit Control; Print Control; Screen Capture Control; Expiry Date Control; User Platform Control. Functions: Blocking Illegal Uses (CD, thumb-drive, email, business application system, etc.); Outflow Monitoring and Tracking; Limited Access based on Access Control List; Centralized Management; Document Download; Prevent Illegal Access]

Page 14: PT RMS Bank Security v1.1

Introduction to RMS – Encryption & Document Control

If the user does not have the ‘Edit’, ‘Save’ and ‘Print’ rights, user applications disable the ‘save’, ‘edit’, and ‘print’ functions. In addition, an unauthorized person cannot access an encrypted document or read it.

[Screenshots: (1) Unauthorized User: when an unauthorized user OPENs the file. (2) Authorized User with Different Access Control: when an authorized user has READ-ONLY rights without printing]

Page 15: PT RMS Bank Security v1.1

Introduction to RMS – Document Expiry Date Control

The user cannot access documents after the pre-defined period of use has expired. Before a document is opened, the expiration date is always checked, and if the document has expired, an alert message is sent to the user. The document will disappear from memory, and even from the hard disk.

[Figure: Validity of document. Controls the valid period of document access]

Page 16: PT RMS Bank Security v1.1

Introduction to RMS – Access Control

The access control information is configured by a security manager based on the position, division, and job of the user. Different access rights are applied to different users.

[Diagram: protected document structure: Header; Meta-Data; Properties; Access Control Information List; Encrypted Document Data (Document Data)]

Access Control Information List (each ACL entry also carries Extension Data):
• USER1: Read-only
• USER2: Open 10 Times
• GROUP A: Save / Edit
• GROUP B: Read-only
• POSITION1: Open/Print 10 Times
• POSITION2: Read-only
• Policy COMPANY1: Read-only

[Diagram: Document SAFER Server (Document Encryption & Access Control) delivers the document to User 1, User 2, Group A, Group B, Job Position 1, Job Position 2 and Company 1. Rights shown: Save/Edit Enabled; Read-only; Read-only; Open 10 / Print 10; Read-only; Open 10 Times]

Page 17: PT RMS Bank Security v1.1

Introduction to RMS – User Applications Control

Windows applications used to edit documents are controlled by the Document SAFER Client program. Document SAFER supports all kinds and versions of application software, including MS Office, Adobe PDF reader, Photoshop, Notepad, WordPad, MS Paint, CAD drawing tools, etc.

[Diagram: Document SAFER Server and Document SAFER Client controlling the User PC Group. Applications: MS WORD; MS EXCEL; MS POWERPOINT; MS VISIO; PHOTOSHOP; CAD DRAWING; MS PROJECT; ADOBE PDF; MULTIMEDIA; IMAGE FORMAT (BMP, JPEG, PNG, GIF, TIFF). Controls: Save function is inactive; Edit function is inactive; Print function is inactive; Block-copy is disabled]

Page 18: PT RMS Bank Security v1.1

Introduction to RMS – Centralized Security Policy

All security policies are defined by a security manager, with real-time configuration of access rights in the Document SAFER server.

[Screenshots: (1) A document downloaded from the Document SAFER server without edit and save rights. (2) Edit and save rights enabled in real time, without downloading again, according to the user’s authority]

Page 19: PT RMS Bank Security v1.1

Introduction to RMS – Audit Trail & Monitoring

User activities of ‘open’, ‘save’, ‘print’, and ‘download/upload’ are reported to the Document SAFER server. With this audit trail, a security manager is able to monitor user activities and audit misuse of document handling on the user platform.

[Screenshots: Log History Report; Log History for File Transactions; Log History for Date Time Condition; Log History for User Activities; Log Export to Excel]

Page 20: PT RMS Bank Security v1.1

Introduction to RMS – Screen Capture Protection

Control of ‘screen capture’ for encrypted documents can block activation of commercial capture programs or shareware viewer programs. Blocking of the ‘screen capture’ function on the PC is also activated for a user who is not allowed to use the ‘edit’ function. A user who is not authorized for the ‘screen capture’ function will find that there is no way to capture the information displayed on the screen.

[Figure: Screen Capture Disabled. Controls screen capture by protecting an encrypted block only]

Page 21: PT RMS Bank Security v1.1

Introduction to RMS – User Platform Support

Document SAFER supports all kinds of Windows operating systems, including WinXP, Vista, Win 7 and 64-bit applications. It supports multiple languages based on Unicode, including English, Arabic, Chinese, Japanese, and Korean.

• Document SAFER Server: Windows 2003 ~ Windows 2008 R2 (x86, x64)
• Document SAFER Client: Windows XP SP2/3, Vista ~ Windows 7 (x86, x64)
• Microsoft .NET Framework 3.0 or higher
• Unicode support for multi-language

Page 22: PT RMS Bank Security v1.1

Introduction to RMS – Mobile Device Support

Smartphone support is becoming more important than ever. Document SAFER extends its security features to mobile devices such as iPhone, Android phone, Windows Mobile, and BlackBerry. Access to documents is controlled exactly as on a PC or laptop computer.

[Diagram: Mobile Enterprise DRM SecuReady. Components: Smartphone including Document SAFER SecuReady; E-Mail Server; User PC; Document SAFER Server; ECM / BPM / DMS. Document sources: Email Attached File; File Download from Media. Controls: Capture Control; Edit Control; Save Control; Expiry Date Control; Outflowing Control]

Page 23: PT RMS Bank Security v1.1

Introduction to RMS – Integration with Existing Biz. System

Document SAFER integrates seamlessly with existing business platforms (ECM/EDMS/BPM/GW/PDM/ERP/etc.). MarkAny has long experience in integration with many business systems, such as Oracle UCM/BPM, Microsoft SharePoint, IBM FileNet, EMC Documentum, and even local EDMS and e-mail systems.

[Diagram: Document SAFER integrated with: Content Management System; Documentum System; SharePoint; FileNet ECM; SAP® ERP; Windchill® PLM/PDM; Other Groupwares (Lotus Notes, etc.); Other EDMS]

Page 24: PT RMS Bank Security v1.1

Conclusion

What is the real benefit to the bank office?

• Cost Down: 20% ~ 30% cost saving for security insurance
• Document Security: Ensure document authenticity, integrity, and safeguarding of information
• Regulation Satisfactory: Meet regulatory requirements and remove extra cost
• Enhanced Security: Enhance document security throughout the information lifecycle
• New Opportunity: Leverage existing infrastructure investment & creation of new revenue stream

[Figure: five gauges, each on a scale of 0 to 100. Values shown: 30%, 100%, 80%, 100%, 50%]

Page 25: PT RMS Bank Security v1.1

Successful References

Document Security in Finances
• Kumho Life Insurance
• Korea Development Bank
• Daegu District Bank
• IBK Bank
• Hyundai Securities
• Woori Futures
• Allianz Life Insurance
• BC Credit Card
• Kyobo Life Insurance
• Korea Financial Supervisory Service
• Korea Investment & Securities
• Shinhan Bank
• Woori Bank
• Korea Export-Import Bank

Document Security in Global Sites
• Bank BTN Indonesia
• PT. Telkom Indonesia
• Saudi Riyad Bank

Page 26: PT RMS Bank Security v1.1

Successful Cases – Bank BTN Indonesia

Rights Management System (RMS)

Purpose: Protect online documents managed in IBM FileNet ECM and provide data protection and strong access control to digital assets

Implementation Period: April 2011 ~ April 2011 (2 Weeks)

[Diagram: deployment over the internal network (10/100Mb). Components: Users; RMS Client; IBM FileNet; RMS (Document SAFER); Database; File Storage; User Profile System (ADS/LDAP); ECM Custom Layer; HTTP APIs. Flows: Triggering Logon Process & Document Encryption / Decryption; RMS Client Download; Document Upload / Download; User Authentication (SSO); User & Group Profile Synchronization; HR Integration; Document File Access; System Administration. Document types: Softcopy Documents; Hardcopy Documents]

Page 27: PT RMS Bank Security v1.1

Successful Cases – Korean Bank Industries

Rights Management System (RMS)

Purpose: Protect online documents managed in existing systems (Banking Information Management System, ERP, MIS, Accounting System, etc.) and provide data protection and strong access control to digital assets

Project Implementation Information (No / Bank / Type: Document SAFER Components)

1. Woori Bank & Woori Finance Group (2010 ~ 2011)
   Initial Project: PC-DRM (included 11 branches)
   Additional Development: Added OLAP, DM Message System
   Maintenance: Second Year Maintenance

2. Daegu District Bank (2010 ~ 2011)
   Initial Project: Server DRM (#4) & PC-DRM
   Maintenance: Second Year Maintenance

3. Korean EXIM Bank (2010 ~ 2011)
   Initial Project: Server DRM (#6) & PC-DRM
   Maintenance: Second Year Maintenance

4. KDB Finance Group (2010 ~ 2011)
   Initial Project: Server DRM (#6) & Integration with 6 Branches
   Maintenance: Second Year Maintenance

Page 28: PT RMS Bank Security v1.1

Successful Cases – Saudi Riyad Bank

Rights Management System (RMS)

Purpose: Satisfy IT compliance and regulation such as PCI DSS with the use of IBM FileNet ECM, and provide data protection and strong access control to digital assets

Implementation Period: Jun. 2011 ~ Sep. 2011 (2 Weeks)

Page 29: PT RMS Bank Security v1.1

Successful Cases – PT. Telkom Indonesia

Hardcopy Document Security (HDS)

Purpose: Protect hardcopies at BoD conference & trace with forensic watermarking & 2D-barcode on printed papers

Implementation Period: Feb. 2010 ~ Feb. 2010 (1 Week)

[Diagram: hardcopy tracking flow. Numbered steps shown: 1 Document Upload; 3 Document Download; 4 Document Print Out or Email Distribution; 5 Photocopy & Illegal Distribution; 6 Document Tracking. Components: Document Creation; Document Upload; ADS; EDMS; Lotus Domino Database; Single Sign On; Watermarked Image; Tracking Hardcopies. Actors: BOD Board; BOD Secretary; BOD Members; Security Administrator; Unauthorized User]

Page 30: PT RMS Bank Security v1.1

© 2012 MarkAny Inc.