E-Commerce And You
Lake Buena Vista, FL
November 3, 2004
Roger Blake
Senior Information Systems Officer
National Credit Union Administration

Notable Quotes
“…The Internet is the single greatest threat to the economy and national security of the United States today…”
Richard Clark
President’s Chief Advisor of Critical Infrastructure
National Security Council

Notable Quotes
“…Anyone in the privacy of their own home can create a very persuasive vehicle for fraud over the Internet…”
Louis J. Freeh
Director of the FBI

Notable Quotes
“…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…”

Facilitate the ability of credit unions to safely integrate financial services and emerging technology in order to meet the changing expectations of their members.

e-Commerce Services
Does NCUA expect all credit unions to develop and implement e-Commerce services?
No!
NCUA encourages credit unions to consider offering e-Commerce services.

Credit Union Statistics
Website Trends
June ‘98 – June ‘04
5300 Call Report Data

Credit Union Industry Statistics
Crime and Security Survey
www.gocsi.com

Key Findings
• Unauthorized use and financial losses declined
• Virus and denial of service top cost
• Law enforcement reporting declined
• Security audits used
• Security outsourcing low
• Sarbanes-Oxley impact
• Security training needed

Respondents
Respondents By Revenue
• Over $1B: 37%
• $100M-$1B: 20%
• $10M-$99M: 23%
• Under $10M: 20%

Percentage of IT Budget Spent on Security

Risks that are generally associated with e-Commerce and IT include:
• Compliance
• Transaction
• Strategic
• Reputation

e-Commerce Risks
Potential impact of risks facing credit unions engaging in e-commerce activities may include:
• Lack of member trust due to poor public image
• Potential legal or regulatory sanctions
• Fraudulent loans, disbursements and withdrawal of member funds

e-Commerce Risks
Potential impact of risks facing credit unions engaging in e-commerce activities may include:
• Misappropriation of funds
• Extended disruption of member services
• Unauthorized access to member data
• Theft of confidential member data

Risk identification involves the evaluation of:
• What risk categories impact the credit union as it relates to IT (e.g., operational, financial, informational, transactional)?
• Which assets should be reviewed?

Mitigation recommendations should, at a minimum, address:
• The medium to high risk exposures
• Those exposures that exceed management’s expectations and allowances (i.e., unacceptable risks)

Recommendations can fall into one of four categories:
• Preventative Safeguards
• Mitigating Safeguards
• Detective Safeguards
• Recovery Safeguards

Board of directors and senior management responsible for:
• Understanding risks associated with outsourcing arrangements for technology services.
• Ensuring effective risk management practices are in place.

Board of directors and senior management responsible for:
• Assessing how outsourcing arrangements will support the credit union’s objectives and strategic plans.
• Assessing how relationships will be managed.

Selection criteria:
• Ensure potential vendors have relevant expertise and references
• Evaluate vendor’s capabilities, references, and personnel involved
• Ensure stable financial position
• Evaluate consequences of selecting inappropriate vendor

Outsourcing Contracts
As a minimum, contracts should address:
• Scope of services
• Cost and duration of services
• Security and confidentiality
• Audit and controls
• Performance standards

Outsourcing Contracts
As a minimum, contracts should address:
• Indemnification
• Limitation of liability
• Dispute resolution
• Termination and assignment
• Reporting

Outsourcing Oversight
Implement an on-going oversight program to monitor each service provider’s controls, conditions and performance
Monitor key indicators:
• Financial condition and operations
• Quality of service and support

Outsourcing Oversight
Monitor key indicators:
• Contract compliance and required revisions
• Access to credit union’s systems
• Business contingency plans

Clearly outline any service level agreements (SLAs) based on defined standards
• Formal SLAs help to ensure outsourced vendor provides an appropriate level of service to credit union
• SLAs should be confirmed by all parties involved and kept current