E-Commerce And You
Roger Blake, Senior Information Systems Officer, National Credit Union Administration
Lake Buena Vista, FL
November 3, 2004
Notable Quotes
“…The Internet is the single greatest threat to the economy and national security of the United States today…”
Richard Clarke, President’s Chief Advisor of Critical Infrastructure, National Security Council

“…Anyone in the privacy of their own home can create a very persuasive vehicle for fraud over the Internet…”
Louis J. Freeh, Director of the FBI

“…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…”
Arthur Levitt, Chairman of the SEC
NCUA Strategic Plan 2003-2008
Goal #2: Facilitate the ability of credit unions to safely integrate financial services and emerging technology in order to meet the changing expectations of their members.
e-Commerce Services
Does NCUA expect all credit unions to develop and implement e-Commerce services? No! NCUA encourages credit unions to consider offering e-Commerce services.
Credit Union Statistics: Website Trends, June ’98 – June ’04 (source: 5300 Call Report data)
[Chart: Credit Union Industry Statistics – Credit Union Websites]
[Chart: Credit Union Industry Statistics – Website Growth]
Computer Security Institute (CSI): Computer Security Issues & Trends
2004 CSI/FBI Computer Crime and Security Survey, www.gocsi.com

Key Findings
• Unauthorized use and financial losses declined
• Virus and denial of service top cost
• Law enforcement reporting declined
• Security audits used
• Security outsourcing low
• Sarbanes-Oxley impact
• Security training needed
[CSI/FBI survey charts; each chart is footnoted with the number of respondents and response rate per survey year]
Percentage of IT Budget Spent on Security (2004: 481 respondents / 97%)
Technologies (1998–2004)
Unauthorized Use (1996–2004)
Breach Frequency (1999–2004)
Website Incidents (1999–2004)
Types of Losses (2004: 269 respondents / 54%)
Computer Intrusions: Actions Taken (1996–2004)
Computer Intrusions: Not Reported (1996–2004)
Risk Assessment: Risk Assessment Modeling
e-Commerce Risks
• Risks that are generally associated with e-Commerce and IT include:
  • Compliance
  • Transaction
  • Strategic
  • Reputation
e-Commerce Risks
• The potential impact of risks facing credit unions engaging in e-commerce activities may include:
  • Lack of member trust due to poor public image
  • Potential legal or regulatory sanctions
  • Fraudulent loans, disbursements and withdrawal of member funds
  • Misappropriation of funds
  • Extended disruption of member services
  • Unauthorized access to member data
  • Theft of confidential member data
Risk Management Process: Identify Risks
• Risk identification involves the evaluation of:
  • What risk categories impact the credit union as it relates to IT (e.g., operational, financial, informational, transactional)?
  • Which assets should be reviewed?
Risk Management Process: Assess Impact
• Impact assessment includes:
  • Threat Analysis
  • Asset Valuation
  • Vulnerability Analysis
Risk Management Process: Action Plans (Mitigation)
• Mitigation recommendations should, at a minimum, address:
  • The medium to high risk exposures
  • Those exposures that exceed management’s expectations and allowances (i.e., unacceptable risks)
• Recommendations can fall into one of four categories:
  • Preventative Safeguards
  • Mitigating Safeguards
  • Detective Safeguards
  • Recovery Safeguards
Risk Management Process: Implement, Monitor, Report
• Implement revised strategies in a timely manner
• Monitor the risks
• Report results
Outsourcing: Vendor Management
Outsourcing
• Risk Management
• Vendor Selection
• Contracts
• Oversight
• Service Level Agreements
Outsourcing: Risk Management
• The board of directors and senior management are responsible for:
  • Understanding risks associated with outsourcing arrangements for technology services.
  • Ensuring effective risk management practices are in place.
  • Assessing how outsourcing arrangements will support the credit union’s objectives and strategic plans.
  • Assessing how relationships will be managed.
Outsourcing: Vendor Selection
• Selection criteria:
  • Ensure potential vendors have relevant expertise and references
  • Evaluate the vendor’s capabilities, references, and personnel involved
  • Ensure a stable financial position
  • Evaluate the consequences of selecting an inappropriate vendor
Outsourcing: Contracts
• At a minimum, contracts should address:
  • Scope of services
  • Cost and duration of services
  • Security and confidentiality
  • Audit and controls
  • Performance standards
  • Indemnification
  • Limitation of liability
  • Dispute resolution
  • Termination and assignment
  • Reporting
Outsourcing: Oversight
• Implement an on-going oversight program to monitor each service provider’s controls, conditions and performance
• Monitor key indicators:
  • Financial condition and operations
  • Quality of service and support
  • Contract compliance and required revisions
  • Access to the credit union’s systems
  • Business contingency plans
Outsourcing: Service Level Agreements
• Clearly outline any service level agreements (SLAs) based on defined standards
• Formal SLAs help to ensure the outsourced vendor provides an appropriate level of service to the credit union
• SLAs should be confirmed by all parties involved and kept current
Other Issues
• Security
• Privacy
• Business Continuity
• Regulation (Federal & State)
• etc.