CRITICAL SECURITY AND COMPLIANCE ISSUES IN INTERNET BANKING
Presented By: Thomas A. Donofrio, Director of Technology Audit and Consulting Services
May 10, 2015
Regulatory Guidelines and Suggested Practices - Electronic Banking Environment
FFIEC, OCC, FRB, FDIC and OTS have issued joint and separate guidance such as:
• Bulletin 98-38 - Technology Risk Management, August 1998
• Bulletin 2000-14 - Infrastructure Threats - Intrusion Risks, May 2000
• Authentication in an E-Banking Environment (FFIEC), July 2001
• Section 501(b) of GLBA - Customer Information Security Guidelines, July 2001
Regulatory Guidelines and Suggested Practices - Electronic Banking Environment
A “living” risk-based management plan and enterprise-wide security program.
• BOD and Management responsibilities and actions speak volumes.
• Don’t wait for regulatory exam guidance or criticisms before taking action.
• Your formalized E-banking risk focus must consider:
  1. Strategic and business risks
     • Customer perception and acceptance
     • Reliance on and stability of third party partners
  2. Operational and transaction risks
     • Access controls for bank staff
     • Access controls for online banking customers (profiles)
     • Reliability of customer authentication
     • Physical and virtual security
  3. Reputation risks
     • Confidentiality expectations
     • Customer access capabilities versus actual availability
  4. Compliance risks
Regulatory Guidelines and Suggested Practices - Electronic Banking Environment
• Outsourcing information technology services and operations
  - Due diligence in selection of vendor
  - Risk assessment of application and services is critical
  - Ongoing evidence of vendor oversight
Regulatory Guidelines and Suggested Practices - Electronic Banking Environment
• Compliance issues
  - GLBA requires that you ensure security and confidentiality
  - Weblinking possibilities
  - Fair Lending and strategic targeted lending efforts
  - Proof of delivery of electronic disclosures
  - Aggregation services and liability
Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
Enterprise-wide technology universe
• Assign universe criticality ratings (mission critical, important but less than critical, marginal criticality), dependent upon:
  - Customer and product database implications
  - Delivery channel and replacement alternatives
  - Service and product expectations of customers
  - Security and control ratings
• Inherent risk assessed factor (high, moderate or low)
Three essential elements for planned new technologies:
• Business case to support
• Detailed implementation action plans
• Risk and security policies developed
Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
Risk assessment document
• Definition of technology organization
• Short and long term technology planning
• Adequacy of management oversight
• Compliance with regulatory and legal requirements
• Management of service levels, system performance and capacity (internal or outsourced)
Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
Risk assessment document that addresses evidence of:
• Comprehensive management (due diligence) of third party services
• Continuous service quality
• Logical security controls for core systems, networks, online capabilities
• User authentication and password controls in place
• Data access controls and firewall administration
• Virus detection and prevention
Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
Privacy and Information Security Policy
• Objectives:
  - Assurance of security and confidentiality
  - Protection against anticipated threats or hazards
  - Protection against unauthorized access or use
• Responsibility for the oversight of information security measures of service providers
Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
Privacy and Information Security Policy: suggested additional guidelines (in addition to those already addressed prior to GLBA)
• Development or enhancement of a security program to comply with GLBA should consider:
  1. Identification of reputation impact
  2. Encryption of electronic customer information
  3. System monitoring reports that deal with:
     • external access attempts
     • attempted attacks
     • probes of your customer information systems
  4. Customer complaints of lost information or corrupt data
  5. A program for ongoing training and training responsibilities
  6. Comprehensive audit and test requirements
  7. Performance of periodic key control testing and system vulnerability assessments completed by:
     • qualified third parties, or
     • staff that are independent
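Item 3 above asks for monitoring reports that cover external access attempts, attempted attacks and probes of customer information systems. The Python below is an added example, not material from the presentation: it parses a handful of constructed web-server access log lines (an assumed Apache-style format, invented for this example) and builds such a report. It treats 10.0.0.0/8 and 192.168.0.0/16 as assumed internal address ranges, counts repeated failed logins from one external address as an attempted attack, and counts many distinct not-found paths from one address as a probe; the thresholds are assumed values to be set by policy.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not from any real system), in an assumed
# Apache-style access log format for an online banking front end.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2015:09:01:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/May/2015:09:01:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/May/2015:09:01:09 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/May/2015:09:01:13 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/May/2015:09:01:17 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/May/2015:09:02:00 +0000] "GET /admin HTTP/1.1" 404 210
198.51.100.23 - - [10/May/2015:09:02:01 +0000] "GET /backup.zip HTTP/1.1" 404 210
198.51.100.23 - - [10/May/2015:09:02:02 +0000] "GET /config.bak HTTP/1.1" 404 210
198.51.100.23 - - [10/May/2015:09:02:03 +0000] "GET /test HTTP/1.1" 404 210
10.0.5.12 - - [10/May/2015:09:03:00 +0000] "GET /accounts/summary HTTP/1.1" 200 4096
192.0.2.44 - - [10/May/2015:09:04:10 +0000] "POST /login HTTP/1.1" 200 1024
192.0.2.44 - - [10/May/2015:09:04:30 +0000] "GET /accounts/summary HTTP/1.1" 200 4096
"""

# One access-log line: client IP, two ignored fields, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)

# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["status"] = int(event["status"])
            events.append(event)
    return events


def build_report(events: list, fail_threshold: int = 5, probe_threshold: int = 4) -> dict:
    """Summarise external access, suspected attacks and probes from parsed events.

    attempted_attacks: external sources with >= fail_threshold failed (401) logins.
    probes: external sources requesting >= probe_threshold distinct not-found (404) paths.
    """
    external = [e for e in events if is_external(e["ip"])]
    failed_logins = defaultdict(int)
    notfound_paths = defaultdict(set)
    for e in external:
        if e["path"] == "/login" and e["status"] == 401:
            failed_logins[e["ip"]] += 1
        if e["status"] == 404:
            notfound_paths[e["ip"]].add(e["path"])
    return {
        "external_requests": len(external),
        "external_sources": sorted({e["ip"] for e in external}),
        "failed_logins_by_source": dict(failed_logins),
        "attempted_attacks": sorted(ip for ip, n in failed_logins.items() if n >= fail_threshold),
        "probes": sorted(ip for ip, paths in notfound_paths.items() if len(paths) >= probe_threshold),
    }


def render_report(report: dict) -> str:
    """Plain-text rendering suitable for a periodic monitoring report."""
    lines = [
        f"External requests: {report['external_requests']}",
        f"External sources: {', '.join(report['external_sources']) or 'none'}",
        f"Attempted attacks (repeated failed logins): {', '.join(report['attempted_attacks']) or 'none'}",
        f"Probes (scanning for non-existent paths): {', '.join(report['probes']) or 'none'}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(build_report(parse_log(SAMPLE_LOG))))
```

In practice the same two detections would run over the authentication system's own logs as well as the web tier, and the thresholds would be tuned against a baseline of normal customer behaviour so that a customer who mistypes a PIN twice is not reported alongside a scripted login attack.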
Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
  8. Effective February 28, 2001, contracts with third party service providers must contain appropriate language. Specific documentation regarding:
     • customer data security efforts
     • system monitoring
     • intrusion testing
     • performance escalation guidelines
     • system performance expectations
     • bank and vendor responsibilities
Responsibility for services provided by third party vendors
• SAS 70 reports, security white papers, and third party penetration and intrusion test reports
Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
Authentication of E-customers
New E-customer verification, if not face to face, requires:
• Positive verification
• Logical verification with customer of general information
• Use of digital certificates
Existing E-customer/transaction validation and security:
• Transaction encryption
• E-correspondence security
• Personal passwords and PINs
• Digital certificates using Public Key Infrastructure
• Tokens (smart cards)
• Biometrics (voice, fingerprints, signature)
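The list above names personal passwords and PINs as one validation mechanism for existing E-customers. The Python below is an added example, not code from the presentation, showing the storage and lockout controls a bank would put behind that mechanism: the secret is kept only as a salted PBKDF2-HMAC-SHA256 digest, comparison is constant-time, and a configurable number of consecutive failures locks the credential until an out-of-band reset. The iteration count and attempt limit are assumed values to be set by policy.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed policy values (not from the presentation): PBKDF2 work factor and
# the number of consecutive failures tolerated before the credential locks.
PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5


@dataclass
class StoredCredential:
    """What the bank keeps on file: never the password or PIN itself."""
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the secret; slow by design to blunt guessing."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enrol(secret: str) -> StoredCredential:
    """Create the stored form of a new password or PIN with a fresh random salt."""
    salt = secrets.token_bytes(16)
    return StoredCredential(salt=salt, digest=_derive(secret, salt))


def verify(cred: StoredCredential, attempt: str) -> bool:
    """Check an attempt, count failures and lock after MAX_FAILED_ATTEMPTS."""
    if cred.locked:
        return False  # a locked credential rejects even the correct secret
    # compare_digest runs in time independent of where the digests differ
    if hmac.compare_digest(_derive(attempt, cred.salt), cred.digest):
        cred.failed_attempts = 0
        return True
    cred.failed_attempts += 1
    if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
        cred.locked = True
    return False


def reset_lock(cred: StoredCredential) -> None:
    """Out-of-band unlock, e.g. after staff re-verify the customer's identity."""
    cred.failed_attempts = 0
    cred.locked = False


if __name__ == "__main__":
    cred = enrol("example-PIN-1234")  # constructed sample secret
    print("correct secret accepted:", verify(cred, "example-PIN-1234"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        verify(cred, "wrong")
    print("locked after repeated failures:", cred.locked)
```

The lock counter and the `locked` flag are the pieces that feed the monitoring reports and customer-complaint handling discussed elsewhere in this deck: a burst of lockouts across many customers is itself a signal worth reporting.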
Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines
• The ability to identify new system vulnerabilities
• Installing software patches and upgrades
• Ongoing monitoring
• Updating vulnerability scanning and intrusion detection tools
• Conducting penetration and intrusion testing
Network and Web-based Security and System Monitoring
Network and web site security maintenance. Other control initiatives include:
• employee and vendor background checks
• firewalls
• secured communication (VPNs, T-1s, etc.)
• real-time intrusion detection
• modem sweeping
• data encryption
• customer authentication options
• vendor management
Network and Web-based Security and System Monitoring
• Internet access (incoming and outgoing)
• Intranet
• Dial-up access
Penetration/Intrusion Testing
Tests electronic environments
• Extensive knowledge of system dynamics versus extensive understanding of systems and security infrastructures in place
• Outside attacker versus inside attacker
• Zero-knowledge attacks versus full-knowledge attacks
• “Weakest link” phenomenon
• Firewall assessment
• Security vulnerabilities
Typical goals of testing:
• Insider attacks
• Remote access exploits (telnet, pcAnywhere, secure shell)
• E-mail exploits
• Back doors
• Frontal assaults
• Evidence and monitoring destruction
Typical goals of testing (continued):
• Validate intrusion detection performance
• Validate system response capabilities
• Validate adequacy of security setups
• Ranked vulnerabilities and suggested corrective actions
Penetration/Intrusion Testing
Testing limitations
• Not a comprehensive evaluation of security
• Results of tests are only reflective of security status during the time period of tests
• Network versus E-Commerce intrusion
• Outsourced web hosting and applications
• Skill set to exploit the vulnerabilities
Choose a service provider wisely
• Background check of staff
• Reference checks
• Software utilized
• Knowledge and experience with banking
• Need-based selection
Security Issues with Other Web Site Initiatives
Weblinking/Portals
• Weblinking due diligence:
  - content compliance
  - customer confusion
  - security policies
  - compliance (e.g., RESPA and Privacy)
• Must distinguish between your products and services and those offered by third parties
• Disclosure regarding differentiation, non-endorsement or guarantee
• Risk disclosures for links that allow customers to open accounts or initiate transactions for non-deposit investment products
Security Issues with Other Web Site Initiatives
Aggregation - web-based consolidation of customer information
• Transaction risks
  - Erroneous data gathered
  - Concentration of data increases risk of intrusion
  - Reliance on third party security over information
  - Liability for disputed transactions
• Privacy compliance
• Vendor management responsibilities
Wireless Banking
Needs Assessment - E-Insurance
Coverage questions to assist in determining e-insurance needs:
• Analysis of your current commercial coverage
• Determine if new e-insurance offerings duplicate current coverage
• Customer privacy violations, specific business interruptions or denial of access may have limited coverage or no coverage at all
• Does current business coverage meet needs if modified?
• If new coverage is needed, how does it work and how are losses valued?
• When will coverage in the proposal be available?
• Require outsourcing partners’ e-insurance as part of the contract SLA