520 likes | 668 Views
IS SECURITY. PERSPECTIVES FROM THE BANKING INDUSTRY AGUMA MPAIRWE CISA,CIA,FCCA,B.A(HONS). DEFINITIONS. INFORMATION SECURITY - ‘THE PROCESS BY WHICH AN ORGANISATION PROTECTS AND SECURES ITS SYSTEMS, MEDIA AND FACILITIES THAT PROCESS AND MAINTAIN INFORMATION VITAL TO ITS OPERATIONS’ – FFIEC
E N D
IS SECURITY PERSPECTIVES FROM THE BANKING INDUSTRY AGUMA MPAIRWE CISA,CIA,FCCA,B.A(HONS).
DEFINITIONS • INFORMATION SECURITY - ‘THE PROCESS BY WHICH AN ORGANISATION PROTECTS AND SECURES ITS SYSTEMS, MEDIA AND FACILITIES THAT PROCESS AND MAINTAIN INFORMATION VITAL TO ITS OPERATIONS’ – FFIEC • BANKING – ‘THE BUSINESS ACTIVITY OF ACCEPTING AND SAFEGUARDING THE MONEY OWNED BY OTHER INDIVIDUALS AND ENTITIES THEN LENDING OUT THIS MONEY IN ORDER TO EARN A PROFIT’ - INVESTORWORDS
IT SECURITY AND AUDIT BEST PRACTICES - BANKS • FEDERAL FINANCIAL INSTITUTIONS EXAMINATIONS COUNCIL (FFIEC). • FFIEC IT EXAMINATION BOOKLETS • FFIEC – US BASED ORGANISATION THAT BRINGS TOGETHER ALL REGULATORS OF THE US FINANCIAL SYSTEM
BANKING ACTIVITIES - GENERAL • RECEIPT OF DEPOSITS (CASH,CHEQUE OR ELECTRONIC) • SAFEGUARDING OF DEPOSITS • LENDING OF DEPOSITS TO OTHER PARTIES • INVESTMENT AND TREASURY ACTIVITIES – PLACEMENT OF FUNDS, FOREX TRADING, DERIVATIVES TRADING • AVAILING FUNDS TO THOSE THAT WISH TO WITHDRAW THEM • GENERAL MANAGEMENT, ACCOUNTING AND ADMINISTRATION • ALL THE ABOVE WILL INVOLVE THE USE OF SOME FORM OF IT SYSTEM OR OTHER • ALL THE PROCESSES ABOVE PRESENT RISKS THAT CAN BE EXPLOITED FOR PURPOSES OF FRAUD • IT SECURITY IS PARAMOUNT
BANKING ACTIVITIES • BANKS IN THE ‘TRUST’ BUSINESS • LEGAL, PROFESSIONAL AND ETHICAL OBLIGATION TO KEEP CUSTOMER INFORMATION AND AFFAIRS CONFIDENTIAL – • ‘A FINANCIAL INSTITUTION’S EARNINGS, AND CAPITAL CAN BE ADVERSELY AFFECTED IF INFORMATION BECOMES KNOWN TO UNAUTHORISED PARTIES, IS ALTERED, OR IS NOT AVAILABLE WHEN IT IS NEEDED’ – FFIEC • ADVERSE PUBLICITY CAN LEAD TO REPUTATIONAL RISK AND IN THE WORST CASE A RUN ON A BANK. • THE ‘C.I.A’ - CONFIDENTIALITY, INTEGRITY AND AVAILABILITY OF INFORMATION PARAMOUNT
IT SECURITY OBJECTIVES • CONFIDENTIALITY • INTEGRITY • AVAILABILITY • ACCOUNTABILITY • ASSURANCE • NOTE - ACCOUNTABILITY AND INTEGRITY REPRESENT ‘NON - REPUDIATION’ - FFIEC
CHANGING BANK FRAUD AND FRAUSTER PROFILE - UGANDA • IN THE EARLY 2000’s AND BEFORE • KEY FRAUDS WERE • CHEQUE FRAUD, FORGED, ALTERED, COUNTERFEIT. • DEPOSIT SLIP FRAUD • TYPICAL FRAUDSTER – MALE, 35 YEAR OLD, LIMITED EDUCATION.
CHANGING BANK FRAUD AND FRAUSTER PROFILE - UGANDA • MID- 2005 TO DATE • ELECTRONIC FRAUD • ATM FRAUD • IN HOUSE BANK FRAUD – BY BANK EMPLOYEES EITHER ALONE OR IN COLLUSION WITH OUTSIDERS • TYPICAL FRAUDSTER – MALE OR FEMALE, BANK EMPLOYEE, TRUSTED INSIDER, EDUCATED, UNIVERSITY GRADUATE, IT LITERATE (NOT NECESSARILY EXPERT!),
ONLINE FRAUD - IMPLICATIONS • 71% MORE CAUTIOUS WHEN SHOPPING ONLINE • 67% MORE ATTENTIVE WHEN PROVIDING FINANCIAL AND PERSONAL INFORMATION TO WEBSITES • 28% ABANDON A PURCHANSE IF RE-DIRECTED TO ANOTHER SITE TO PROVIDE PAYMENT INFORMATION • 15% STOPPED SHOPPING ALTOGETHER AS A RESULT OF ONLINE FRAUD CONCERNS – • USA SURVEY
INFORMATION WEBSITES • POTENTIAL LIABILITY AND CONSUMER VIOLATIONS FOR INACCURATE OR INCOMPLETE INFORMATION ABOUT PRODUCTS, SERVICES, AND PRICING PRESENTED ON THE WEBSITE; • POTENTIAL ACCESS TO CONFIDENTIAL FINANCIAL INSTITUTION OR CUSTOMER INFORMATION IF THE WEBSITE IS NOT PROPERLY ISOLATED FROM THE FINANCIAL INSTITUTION'S INTERNAL NETWORK; • POTENTIAL LIABILITY FOR SPREADING VIRUSES AND OTHER MALICIOUS CODE TO COMPUTERS COMMUNICATING WITH THE INSTITUTION'S WEBSITE; AND • NEGATIVE PUBLIC PERCEPTION IF THE INSTITUTION'S ON-LINE SERVICES ARE DISRUPTED OR IF ITS WEBSITE IS DEFACED OR OTHERWISE PRESENTS INAPPROPRIATE OR OFFENSIVE MATERIAL. -FFIEC
TRANSACTIONAL WEBSITES • SECURITY CONTROLS FOR SAFEGUARDING CUSTOMER INFORMATION; • AUTHENTICATION PROCESSES -VERIFY THE IDENTITY OF NEW CUSTOMERS AND AUTHENTICATE EXISTING CUSTOMERS WHO ACCESS E-BANKING SERVICES; • LIABILITY FOR UNAUTHORIZED TRANSACTIONS; • LOSSES FROM FRAUD IF THE INSTITUTION FAILS TO VERIFY THE IDENTITY OF INDIVIDUALS OR BUSINESSES APPLYING FOR NEW ACCOUNTS OR CREDIT ON-LINE - FFIEC
TRANSACTIONAL WEBSITES • POSSIBLE VIOLATIONS OF LAWS OR REGULATIONS PERTAINING TO CONSUMER PRIVACY, ANTI-MONEY LAUNDERING, ANTI-TERRORISM, OR THE CONTENT, TIMING, OR DELIVERY OF REQUIRED CONSUMER DISCLOSURES; AND • NEGATIVE PUBLIC PERCEPTION, CUSTOMER DISSATISFACTION, AND POTENTIAL LIABILITY RESULTING FROM FAILURE TO PROCESS THIRD-PARTY PAYMENTS AS DIRECTED OR WITHIN SPECIFIED TIME FRAMES, LACK OF AVAILABILITY OF ON-LINE SERVICES, OR UNAUTHORIZED ACCESS TO CONFIDENTIAL CUSTOMER INFORMATION DURING TRANSMISSION OR STORAGE. - FFIEC
ATM/CARD- FRAUD • WHO PICKS UP THE COST IF YOUR CARD IS MISUSED, YOU OR YOUR BANK? • SOUTH AFRICA - TOTAL VALUE OF ONLINE TRANSACTIONS – USD $285 MILLION • SOUTH AFRICA - 2009 TOTAL LOSSES TO BANKING INDUSTRY DUE TO LOST AND STOLEN CARDS – USD 13MILLION – PERSONAL FINANCE
ATM/DEBIT/CREDIT CARD – RISKS • CARD INFORMATION HELD IN MAGNETIC STRIPE INCLUDING PRIMARY ACCOUNT NUMBER, EXPIRY DATE, • CARD CAN BE CLONED, IF DETAILS ON MAGNETIC STRIPE CAN BE COPIED USING SKIMMING DEVICES • CARD CAN BE STOLEN/LOST • USED FOR ‘CARDHOLDER NOT PRESENT’ TRANSACTIONS – OVER PHONE OR ONLINE • PIN CAN BE OBTAINED USING HIDDEN CAMERAS IN ATM LOCATION OR CCTV CAMERAS IN VIEW OF THE KEYPAD!
CARD SKIMMING • INVOLVES THE USE OF DEVICES THAT READ CARD DETAILS CONTAINED IN THE MAGNETIC STRIP OF THE CARD • CAB BE PLACED IN THE ATM CARD SLOT • OR CAN BE HAND HELD (POCKET) • RESTAURANTS HIGH RISK! • BEGAN TO OBSERVE COMPLAINTS IN UGANDA • DISCUSSION AT BANKERS ASSOSCIATION FRAUD AND FORGERIES SUB-COMMITTEE • CASES OF FRAUD REPORTED BY MEMBER BANKS • CUSTOMERS USUALLY HAD TRAVELLED ABROAD AT SOME POINT IN TIME • SOUTH AFRICA – MENTIONED AS A DESINATION VISITED IN SOME CASES
CARD SKIMMING • ABSA 177 ARRESTS, 26 SKIMMING DEVICES CAPTURED IN 2011 - PERSONAL FINANCE • COST TO THE US - $60 MILLION PER YEAR! – CSO ONLINE
ATM RISK MITIGANTS • CHIP AND PIN BASED CARDS. • AWARENESS TRAINING FOR CUSTOMERS!! • PHYSICAL SECURITY • CAUTION AT ATM SITES – WATCH OUT FOR CAMERA’S, SKIMMING DEVICES • SHIELD ENTRY OF PIN AT ATM WITH HAND/WALLET • REGULAR CHECKING OF CARD BALANCES • MERCHANT TRAINING
INTERNAL ACCOUNT TRANSFERS • INCRESINGLY COMMON FRAUD IN INDUSTRY • INVOLVES UNAUTHORISED ‘CREATION’ OF DEPOSITS • DEBIT ‘OVERCROWDED’ ACCOUNT WITH SEVERAL ITEMS DIFFICULT TO TRACE E.G SUSPENSE ACCOUNT • CREDIT IS MADE TO CUSTOMER ACCOUNT • FUNDS ARE WITHDRAWN!
POSSIBLE SOLUTIONS • COMBINATION OF ROLE BASED ACCESS AND LEAST PRIVILEDGE RESTRICTIONS CAN BE ENFORCED • RESTRICT TELLER OR OPERATIONS STAFF ABILITY TO POST TRANSACTIONS TO ADMINISTRATIVE ACCOUNTS E.G FIXED ASSET ACCCOUNTS • RESTRIC FINANCE DEPARTMENT STAFF ABILITY TO POST TRANSACTIONS DIRECTLY TO CUSTOMER ACCOUNTS • G.L AUDIT REVIEW –PERIODIC • CLEAR TIMELINES FOR CLEARING OFF ITEMS IN SUSPENSE, TRANSIT AND CLEARING ACCOUNTS
IT PROJECT MANAGEMENT RISKS • INADEQUATE SECURITY FEATURES ENFORCED DURING IMPLEMENTATION OF IT APPLICATION SYSTEMS • OBSERVED IN BANKING INDUSTRY IN THE PAST • MUST PROVIDE FOR: • GENERAL ACCESS CONTROLS • IDENTIFICATION AND AUTHENTICATION CONTROLS • AUDIT TRAIL • COMMUNICATION CONTROLS – KELLY KIM 2008 • DATA MIGRATION CONTROLS – IMPORTANT • TAKE ACCOUNT OF FACT THAT BANK SYSTEMS MAY NEED TO BE ONLINE 24/7/365
PROJECT MANAGEMENT • PROJECT MANAGEMENT – • BASELINE CONTROLS IMPLEMENTED • IS AUDIT INVOLVEMENT • POST IMPLEMENTATION REVIEW • REGULATORY CERTIFICATION PRE - IMPLEMENTATION
TREASURY • HIGH RISK AREA • BANK IS INVESTING OR TRADING • MONEY MARKET PRODUCTS • FOREIGN CURRENCY (FX) • DERIVATIVES • TRANSACTION SIZES MAY BE VERY LARGE • POTENTIAL FOR PROFIT/LOSSES MAY BE VERY LARGE DEPENDING ON MARKET CONDITIONS
TREASURY RISK • APPROVAL TO COMMIT THE BANK GIVEN TO TRADERS BEFORE TRANSACTION THROUGH THE USE OF VARIOUS LIMITS • MONITORING OF COMPLIANCE WITH LIMITS IS CRITICAL TO RISK MANAGEMENT IN TRASURY • SEGREGATION OF DUTIES IS ALSO CRITICAL ( FRONT OFFICE, MIDDLE OFFICE, BACK OFFICE) • TRADERS MUST NO HAVE ACCESS TO RATE REVALUATION SYSTEMS – COULD HIDE LOSSES • TRADERS SHOULD NOT HAVE ACCESS TO CONFIRMATION AND SETTLEMENT SYSTEMS – COULD HIDE TRADES AND LOSSES • IT SECURITY DESIGN IMPORTANT TO DEAL WITH THESE ISSUES
TREASURY –KEY BANK LOSSES/FRAUDS • 2002 TRADER JOHN RUSNACK - £485 MILLION LOSS TO ALLIED IRISH BANK – TAMPERED WITH REUTERS RATES FEED • 2008 TRADER JEROME KERVIEL – $ 7 BILLION LOSS – HAD PREVIOUSLY WORKED IN BACK OFFICE, HID TRANSACTIONS (TRADES), FALSIFIED E-MAIL, - FVTER • 1995 – trader NICK LEESON – HID £865M LOSSES, BROUGHT DOWN BARINGS BANK…..INTEGRATED IT SYSTEMS COULD HAVE PREVENTED BANK COLLAPSE - COMPUTERWEEKLY
IT GOVERNANCE • ‘FINANCIAL INSTITUTIONS SHOULD IMPLEMENT AN ONGOING SECURITY PROCESS AND INSTITUTE APPROPRIATE GOVERNANCE FOR THE SECURITY FUNCTION, ASSIGNING CLEAR AND APPROPRIATE ROLES AND RESPONSIBILITIES TO THE BOARD OF DIRECTORS, MANAGEMENT AND EMPLOYEES’ - FFIEC
IS SECURITY STRATEGY • FINANCIAL INSTITUTIONS SHOULD DEVELOP A STRATEGY THAT DEFINES CONTROL OBJECTIVES AND ESTABLISHES AN IMPLEMENTATION PLAN. THE SECURITY STRATEGY SHOULD INCLUDE • APPROPRIATE CONSIDERATION OF PREVENTION, DETECTION, AND RESPONSE MECHANISMS, • IMPLEMENTATION OF THE LEAST PERMISSIONS AND LEAST PRIVILEGES CONCEPTS, • LAYERED CONTROLS THAT ESTABLISH MULTIPLE CONTROL POINTS BETWEEN THREATS AND ORGANIZATION ASSETS, AND • POLICIES THAT GUIDE OFFICERS AND EMPLOYEES IN IMPLEMENTING THE SECURITY PROGRAM. -FFIEC
IT RISK ASSESSMENT • GATHERS DATA REGARDING THE INFORMATION AND TECHNOLOGY ASSETS OF THE ORGANIZATION, THREATS TO THOSE ASSETS, VULNERABILITIES, EXISTING SECURITY CONTROLS AND PROCESSES, AND THE CURRENT SECURITY STANDARDS AND REQUIREMENTS; • ANALYZES THE PROBABILITY AND IMPACT ASSOCIATED WITH THE KNOWN THREATS AND VULNERABILITIES TO THEIR ASSETS; AND • PRIORITIZES THE RISKS PRESENT DUE TO THREATS AND VULNERABILITIES TO DETERMINE THE APPROPRIATE LEVEL OF TRAINING, CONTROLS, AND ASSURANCE NECESSARY FOR EFFECTIVE MITIGATION. - FFIEC
IT RISK ASSESSMENT • BOTH TECHNICAL AND NON-TECHNICAL INFORMATION SHOULD BE GATHERED. • TECHNICAL INFORMATION – • NETWORK MAPS DETAILING INTERNAL AND EXTERNAL CONNECTIVITY; • HARDWARE AND SOFTWARE INVENTORIES; • DATABASES AND FILES THAT CONTAIN CRITICAL AND/OR CONFIDENTIAL INFORMATION; • PROCESSING ARRANGEMENTS AND INTERFACES WITH EXTERNAL ENTITIES; • HARDWARE AND SOFTWARE CONFIGURATIONS; • POLICIES, STANDARDS, AND PROCEDURES FOR THE OPERATION, MAINTENANCE, UPGRADING, AND MONITORING OF TECHNICAL SYSTEMS.- FFIEC
IT RISK ASSESSMENT • NON-TECHNICAL INFORMATION • POLICIES, STANDARDS, AND PROCEDURES ADDRESSING PHYSICAL SECURITY (INCLUDING FACILITIES AS WELL AS INFORMATION ASSETS THAT INCLUDE LOAN DOCUMENTATION, DEPOSIT RECORDS AND SIGNATURE CARDS, AND KEY AND ACCESS CODE LISTS), • PERSONNEL SECURITY (INCLUDING HIRING BACKGROUND CHECKS AND BEHAVIOUR MONITORING), • VENDOR CONTRACTS, PERSONNEL SECURITY TRAINING AND EXPERTISE, AND • INSURANCE COVERAGE. • ADDITIONALLY, INFORMATION REGARDING CONTROL EFFECTIVENESS SHOULD BE GATHERED. TYPICALLY, THAT INFORMATION COMES FROM SECURITY MONITORING, INCLUDING SELF-ASSESSMENTS, METRICS, AND INDEPENDENT TESTS. FFIEC
IT SYSTEMS ASSESSMENT • ‘SOME SYSTEMS AND DATA STORES MAY NOT BE READILY APPARENT. FOR EXAMPLE, BACKUP TAPES, PORTABLE COMPUTERS, PERSONAL DIGITAL ASSISTANTS, MEDIA SUCH AS COMPACT DISKS, MICRO DRIVES, AND DISKETTES, AND MEDIA USED IN SOFTWARE DEVELOPMENT AND TESTING SHOULD BE CONSIDERED’. - FFIEC
IT THREATS AND VULNERABILITIES • THREATS -EVENTS THAT COULD CAUSE HARM TO THE CONFIDENTIALITY, INTEGRITY, OR AVAILABILITY OF INFORMATION OR INFORMATION SYSTEMS. • EXPLOITING A VULNERABILITY TO CAUSE HARM THROUGH THE UNAUTHORIZED DISCLOSURE, MISUSE, ALTERATION, OR DESTRUCTION OF INFORMATION OR INFORMATION SYSTEMS. • INTERNAL (MALICIOUS OR INCOMPETENT EMPLOYEES, CONTRACTORS, SERVICE PROVIDERS, AND FORMER INSIDERS) • EXTERNAL (CRIMINALS, RECREATIONAL HACKERS, COMPETITORS, AND TERRORISTS). - FFIEC
IT THREATS AND VULNERABILITIES • VULNERABILITIES - WEAKNESSES IN A SYSTEM, OR CONTROL GAPS THAT, IF EXPLOITED, COULD RESULT IN THE UNAUTHORIZED DISCLOSURE, MISUSE, ALTERATION, OR DESTRUCTION OF INFORMATION OR INFORMATION SYSTEMS. • VULNERABILITIES ARE GENERALLY GROUPED INTO TWO TYPES: KNOWN AND EXPECTED. - FFIEC
VULNERABILITIES • KNOWN VULNERABILITIES - DISCOVERED BY TESTING OR OTHER REVIEWS OF THE ENVIRONMENT, KNOWLEDGE OF POLICY WEAKNESSES, KNOWLEDGE OF INADEQUATE IMPLEMENTATIONS, AND KNOWLEDGE OF PERSONNEL ISSUES. . • EXPECTED VULNERABILITIES - THOSE THAT CAN REASONABLY BE ANTICIPATED TO ARISE IN THE FUTURE. EXAMPLES • UNPATCHED SOFTWARE, • NEW AND UNIQUE ATTACK METHODOLOGIES THAT BYPASS CURRENT CONTROLS, • EMPLOYEE AND CONTRACTOR FAILURES TO PERFORM SECURITY DUTIES SATISFACTORILY, • PERSONNEL TURNOVER - FFIEC
IT SECURITY POLICY • KEY ACTIONS THAT CONTRIBUTE TO THE SUCCESS OF A SECURITY POLICY ARE • IMPLEMENTING THROUGH ORDINARY MEANS, SUCH AS SYSTEM ADMINISTRATION PROCEDURES AND ACCEPTABLE-USE POLICIES; • ENFORCING POLICY THROUGH SECURITY TOOLS AND SANCTIONS; • DELINEATING THE AREAS OF RESPONSIBILITY FOR USERS, ADMINISTRATORS, AND MANAGERS; • COMMUNICATING IN A CLEAR, UNDERSTANDABLE MANNER TO ALL CONCERNED; • OBTAINING EMPLOYEE CERTIFICATION THAT THEY HAVE READ AND UNDERSTOOD THE POLICY; • PROVIDING FLEXIBILITY TO ADDRESS CHANGES IN THE ENVIRONMENT; AND • CONDUCTING ANNUALLY A REVIEW AND APPROVAL BY THE BOARD OF DIRECTORS. - FFIEC
SECURITY DOMAINS • A SECURITY DOMAIN IS A PART OF THE SYSTEM WITH ITS OWN POLICIES AND CONTROL MECHANISMS. • SECURITY DOMAINS FOR A NETWORK ARE TYPICALLY CONSTRUCTED FROM ROUTING CONTROLS AND DIRECTORIES. • DOMAINS CONSTRUCTED FROM ROUTING CONTROLS MAY BE BOUNDED BY NETWORK PERIMETERS WITH PERIMETER CONTROLS. • THE PERIMETERS SEPARATE WHAT IS NOT TRUSTED FROM WHAT MAY BE TRUSTWORTHY. THE PERIMETERS SERVE AS WELL-DEFINED TRANSITION POINTS BETWEEN TRUST AREAS WHERE POLICY ENFORCEMENT AND MONITORING TAKES PLACE. • AN EXAMPLE OF SUCH A DOMAIN IS A DEMILITARIZED ZONE (DMZ), BOUNDED BY A PERIMETER THAT CONTROLS ACCESS FROM OUTSIDE AND INSIDE THE INSTITUTION. • DOMAINS CONSTRUCTED FROM DIRECTORIES MAY LIMIT ACCESS TO NETWORK RESOURCES AND APPLICATIONS BASED ON ROLE OR FUNCTION. - FFIEC
DEFENSE IN DEPTH • FINANCIAL INSTITUTIONS SHOULD DESIGN MULTIPLE LAYERS OF SECURITY CONTROLS • ESTABLISH SEVERAL LINES OF DEFENSE BETWEEN THE ATTACKER AND THE ASSET BEING ATTACKED. • AN INTERNET SECURITY - A PACKET FILTERING ROUTER WITH STRICT ACCESS CONTROL RULES, IN FRONT OF • AN APPLICATION LEVEL FIREWALL, IN FRONT OF • WEB SERVERS, IN FRONT OF • A TRANSACTIONAL SERVER, IN FRONT OF • A DATABASE SERVER, WITH INTRUSION DETECTION SYSTEMS LOCATED AT VARIOUS POINTS BETWEEN THE SERVERS AND ON CERTAIN HOSTS. • THE LAYERS SHOULD BE AT MULTIPLE CONTROL POINTS THROUGHOUT THE COMMUNICATION AND TRANSACTIONAL FLOW AND SHOULD INCLUDE BOTH SYSTEMS AND MANUAL PROCESSES. TO SUCCESSFULLY ATTACK AN ASSET, EACH LAYER MUST BE PENETRATED. WITH EACH PENETRATION, THE PROBABILITY OF DETECTING THE ATTACKER INCREASES. - FFIEC
NETWORK SECURITY • FINANCIAL INSTITUTIONS SHOULD SECURE ACCESS TO THEIR COMPUTER NETWORKS THROUGH MULTIPLE LAYERS OF ACCESS CONTROLS TO PROTECT AGAINST UNAUTHORIZED ACCESS. INSTITUTIONS SHOULD • GROUP NETWORK SERVERS, APPLICATIONS, DATA, AND USERS INTO SECURITY DOMAINS (E.G., UNTRUSTED EXTERNAL NETWORKS, EXTERNAL SERVICE PROVIDERS, OR VARIOUS INTERNAL USER SYSTEMS); • ESTABLISH APPROPRIATE ACCESS REQUIREMENTS WITHIN AND BETWEEN EACH SECURITY DOMAIN; • IMPLEMENT APPROPRIATE TECHNOLOGICAL CONTROLS TO MEET THOSE ACCESS REQUIREMENTS CONSISTENTLY; AND • MONITOR CROSS-DOMAIN ACCESS FOR SECURITY POLICY VIOLATIONS AND ANOMALOUS ACTIVITY. - FFIEC
OPERATING SYSTEM SECURITY • FINANCIAL INSTITUTIONS SHOULD SECURE ACCESS TO THE OPERATING SYSTEMS OF ALL SYSTEM COMPONENTS BY • SECURING ACCESS TO SYSTEM UTILITIES, • RESTRICTING AND MONITORING PRIVILEGED ACCESS, • LOGGING AND MONITORING USER OR PROGRAM ACCESS TO SENSITIVE RESOURCES AND ALERTING ON SECURITY EVENTS, • UPDATING THE OPERATING SYSTEMS WITH SECURITY PATCHES, AND • SECURING THE DEVICES THAT CAN ACCESS THE OPERATING SYSTEM THROUGH PHYSICAL AND LOGICAL MEANS. -FFIEC
APPLICATION SECURITY • FINANCIAL INSTITUTIONS SHOULD CONTROL ACCESS TO APPLICATIONS BY • USING AUTHENTICATION AND AUTHORIZATION CONTROLS APPROPRIATELY ROBUST FOR THE RISK OF THE APPLICATION, • MONITORING ACCESS RIGHTS TO ENSURE THEY ARE THE MINIMUM REQUIRED FOR THE USER'S CURRENT BUSINESS NEEDS, • USING TIME-OF-DAY LIMITATIONS ON ACCESS AS APPROPRIATE, • LOGGING ACCESS AND SECURITY EVENTS, AND • USING SOFTWARE THAT ENABLES RAPID ANALYSIS OF USER ACTIVITIES. - FFIEC
REMOTE ACCESS -CONTROLS • FINANCIAL INSTITUTIONS SHOULD SECURE REMOTE ACCESS TO AND FROM THEIR SYSTEMS BY • DISABLING REMOTE COMMUNICATIONS IF NO BUSINESS NEED EXISTS, • TIGHTLY CONTROLLING ACCESS THROUGH MANAGEMENT APPROVALS AND SUBSEQUENT AUDITS, • IMPLEMENTING ROBUST CONTROLS OVER CONFIGURATIONS AT BOTH ENDS OF THE REMOTE CONNECTION TO PREVENT POTENTIAL MALICIOUS USE, • LOGGING AND MONITORING ALL REMOTE ACCESS COMMUNICATIONS, • SECURING REMOTE ACCESS DEVICES, AND • USING STRONG AUTHENTICATION AND ENCRYPTION TO SECURE COMMUNICATIONS - FFIEC
PHYSICAL ACCESS - CONTROLS • FINANCIAL INSTITUTIONS SHOULD DEFINE PHYSICAL SECURITY ZONES AND IMPLEMENT APPROPRIATE PREVENTATIVE AND DETECTIVE CONTROLS IN EACH ZONE TO PROTECT AGAINST THE RISKS OF • PHYSICAL PENETRATION BY MALICIOUS OR UNAUTHORIZED PEOPLE, • DAMAGE FROM ENVIRONMENTAL CONTAMINANTS, AND • ELECTRONIC PENETRATION THROUGH ACTIVE OR PASSIVE ELECTRONIC EMISSIONS. - FFIEC
ENCRYPTION CONTROLS • FINANCIAL INSTITUTIONS SHOULD EMPLOY ENCRYPTION TO MITIGATE THE RISK OF DISCLOSURE OR ALTERATION OF SENSITIVE INFORMATION IN STORAGE AND TRANSIT. • ENCRYPTION IMPLEMENTATIONS SHOULD INCLUDE ENCRYPTION STRENGTH SUFFICIENT TO PROTECT THE INFORMATION FROM DISCLOSURE UNTIL SUCH TIME AS DISCLOSURE POSES NO MATERIAL RISK, • EFFECTIVE KEY MANAGEMENT PRACTICES, • ROBUST RELIABILITY, AND • APPROPRIATE PROTECTION OF THE ENCRYPTED COMMUNICATION'S ENDPOINTS - FFIEC
ENCRYPTION KEY MANAGEMENT • GENERATING KEYS FOR DIFFERENT CRYPTOGRAPHIC SYSTEMS AND DIFFERENT APPLICATIONS; • GENERATING AND OBTAINING PUBLIC KEYS; • DISTRIBUTING KEYS TO INTENDED USERS, INCLUDING HOW KEYS SHOULD BE ACTIVATED WHEN RECEIVED; • STORING KEYS, INCLUDING HOW AUTHORIZED USERS OBTAIN ACCESS TO KEYS; • CHANGING OR UPDATING KEYS, INCLUDING RULES ON WHEN KEYS SHOULD BE CHANGED AND HOW THIS WILL BE DONE; • DEALING WITH COMPROMISED KEYS; • REVOKING KEYS AND SPECIFYING HOW KEYS SHOULD BE WITHDRAWN OR DEACTIVATED; • RECOVERING KEYS THAT ARE LOST OR CORRUPTED AS PART OF BUSINESS CONTINUITY MANAGEMENT; • ARCHIVING KEYS; • DESTROYING KEYS -FFIEC
MONITORING • MONITORING NETWORK AND HOST ACTIVITY TO IDENTIFY POLICY VIOLATIONS AND ANOMALOUS BEHAVIOR; • MONITORING HOST AND NETWORK CONDITION TO IDENTIFY UNAUTHORIZED CONFIGURATION AND OTHER CONDITIONS WHICH INCREASE THE RISK OF INTRUSION OR OTHER SECURITY EVENTS; • ANALYZING THE RESULTS OF MONITORING TO ACCURATELY AND QUICKLY IDENTIFY, CLASSIFY, ESCALATE, REPORT, AND GUIDE RESPONSES TO SECURITY EVENTS; AND • RESPONDING TO INTRUSIONS AND OTHER SECURITY EVENTS AND WEAKNESSES TO APPROPRIATELY MITIGATE THE RISK TO THE INSTITUTION AND ITS CUSTOMERS, AND TO RESTORE THE INSTITUTION'S SYSTEMS. • MONITORING SHOULD, COMMENSURATE WITH THE RISK, IDENTIFY CONTROL FAILURES BEFORE A SECURITY INCIDENT OCCURS, DETECT AN INTRUSION IN SUFFICIENT TIME TO ENABLE AN EFFECTIVE AND TIMELY RESPONSE, • SUPPORT POST-EVENT FORENSICS ACTIVITIES. - FFIEC
FUTURE TRENDS/THREATS • DEPEND ON TECHNOLOGY TRENDS • TELECOMS AND BANKING CONVERGENCE • RISKS IN MOBILE MONEY INDUSTRY • CLOUD COMPUTING • MOBILE COMPUTING AND WIRELESS COMPUTING THREATS • EASE OF ACCESS TO INTERNET AND TOOLS TO COMMIT FRAUD • FASTER SPEEDS FOR INTERNET ACCESS IN EAST AFRICA • GREATER OUTSOURCING? • NEW IT SAVVY GENERATION?
SOLUTIONS • IT AWARENESS • USER AND CUSTOMER TRAINING • STAFF SCREEENING • ETHICAL EMPHASIS • EMBEDDING STRONG CONTROL AND RISK CULTURE IN BANKS • SYSTEMS CERTIFICATION BY REGULATORS BEFORE DEPLOYMENT • STRENGHTEN IT CONTROL, SECURITY, AUDIT PROFESSION AND TRAIN MORE PROFESSIONALS • INCREASE CEO AND BOARD AWARENESS
OTHER BEST PRACTICES • ISO 17799 : CODE OF PRACTIVE FOR INFORMATION SECURITY MANAGEMENT • BS 7799: SPECIFICATION FOR INFORMATION SECURITY MANAGEMENT SYSTEMS • COBIT