TOP IT Security Issues: An Examiner’s Perspective Matthew Biliouris, Information Systems Officer – E&I April 2005
TRADITIONAL EFS EFS Products & Services • ATM • WIRE TRANSFER • ACH • Automated Telephone Response Systems
TYPICAL INTERNET-BASED EFS EFS Products & Services • A/C History Review • Account Transfers • Applications • Withdrawal Requests
NEWER ON-LINE EFS EFS Products & Services • Bill Payment / Presentment • Account Aggregation • Statement & Disclosure Delivery • Check Imaging • Credit Card Statement Access • Downloads to Financial Software
Account Aggregation (diagram: the aggregator draws on data from each of the following) • Travel • Brokerage • 401K • CUs/Banks • Taxes • Credit Cards • E-Mail • Bills • Shopping • Airline Miles
Types of Web Sites • Informational Sites • Marketing Info • Interactive Sites • Secure Messaging • Loan Applications • Account Inquiry • Fully Transactional Sites • Financial Transactions (transfer funds, pay bills, etc.)
2004 CSI/FBI Survey: Security Trends 2004 Computer Security Institute & FBI Survey • 494 security practitioner responses • 19% of respondents from the financial services industry
Key Findings • Unauthorized use and financial losses declined • Virus and denial of service top cost • Law enforcement reporting declined • Security audits used • Security outsourcing low • Sarbanes-Oxley impact • Security training needed
Percentage of IT Budget Spent on Security 2004: 481 Respondents/97%
NCUA Strategic Plan 2003-2008 Goal #2: Facilitate the ability of credit unions to safely integrate financial services and emerging technology in order to meet the changing expectations of their members.
Frequent Question Does NCUA expect all credit unions to develop and implement e-Commerce services? NO! NCUA encourages credit unions to consider offering e-Commerce services.
Risk Assessment Process 1. Identify Risks 2. Understand Risks 3. Prioritize Risks 4. Develop & Implement Action Plans 5. Monitor
Electronic Financial Services Areas of Risk • Transaction/Operational • Compliance • Reputation • Strategic
IS&T Exam Procedures Before implementing a product/service: • Seek education as to the benefits & risks. • Determine if risks are acceptable. • Determine regulatory compliance requirements. • Ensure a legal review of contracts. • Assess the adequacy of staff expertise (technical, managerial, member service).
IS&T Exam Procedures Before implementing a product/service (cont’d): • Determine the best in-house/outsourcing solution. • Evaluate necessary security measures. • Research available bond coverage. • Seek expert assistance when necessary.
IS&T Exam Procedures Before implementing a product/service (cont’d): • Complete due diligence of vendors. • Involve all interested operational & audit functions in planning & implementation. • Develop audit & performance mechanisms. • Create or revise related policies and procedures.
Security Programs • Gramm-Leach-Bliley Act – Section 501(b) • Outlines specific objectives • Requires NCUA to establish standards for safeguarding member records
Security Programs • Credit Unions Must Have Process in Place to: • Ensure Security & Confidentiality of Member Records • Protect Against Anticipated Threats or Hazards • Protect Against Unauthorized Access • Specifically Stated in §748.0(b)(2)
Security Programs • Appendix A – Guidelines for Safeguarding Member Information • Involvement of Board of Directors • Assess Risk • Manage & Control Risk • Oversee Service Providers • Adjust the Program • Report to the Board
Security Programs • Response Program Guidance • Increasing number of security events • Congressional inquiries • GLBA interpretation • FFIEC working group • Revise Part 748 to add a new Appendix B
Security Programs • Credit Unions Must Have Process in Place to: • Ensure Security & Confidentiality of Member Records • Protect Against Anticipated Threats or Hazards • Protect Against Unauthorized Access • Respond to Incidents of Unauthorized Access to Member Information
Security Programs • Appendix B – Guidance on Response Programs • Components of a Response Program • Assessing Incident • Notifying NCUA/SSA • Notifying Law Enforcement Agencies • Containing/Controlling Incident • Notifying Affected Members
Security Programs • Appendix B – Guidance on Response Programs • Content of Member Notice • Account/Statement Review • Fraud Alerts • Credit Reports • FTC Guidance
PART 748 APPENDIX B • Conflict with State Law – e.g., California Notice of Security Breach statute • Requires notice to California residents when unencrypted member information is or may have been acquired by unauthorized person • Gramm Leach Bliley Preemption Standards: no intent to preempt where state law provides greater consumer protections
NCUA Expectations • Potential Questionnaire: • Incorporated into Overall Security Program • Escalation Process / Incident Response • Review of Notices – Attorney Review? • Enterprise Wide Approach • Reporting to Senior Management • Member Outreach / Awareness Programs • Employee Training Programs
Quotes • “…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…” Arthur Levitt Former Chairman of the SEC
Quotes “Bogus e-mails that try to trick customers into giving out personal information are the hottest, and most troubling, new scam on the Internet.” Jana Monroe Assistant Director Cyber Division of FBI
Phishing 101 • Phishing uses e-mail to lure recipients to bogus websites designed to fool them into divulging personal data.
Phishing 101 • E-mail • Spoofed address • Convincing • Sense of urgency • Embedded link (but not always)
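The four traits the slide lists (spoofed sender, convincing branding, sense of urgency, embedded link) can be turned into simple mail-filtering heuristics. The following is an added example, not part of the original presentation; the credit union name, the `examplecu.example` domain, the urgency word list and the sample messages are all constructed for illustration.

```python
"""Heuristic phishing indicators for a raw e-mail message.

Added example (not from the presentation). Flags the traits the
"Phishing 101" slide lists: a spoofed sender address, brand name used
to look convincing, urgency language, and an embedded link whose
visible text does not match where it really points.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed word list; a real filter would tune this against observed mail.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "verify your account", "failure to")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def registrable_domain(host):
    """Crude registrable domain: IP literals as-is, else the last two labels.
    Assumption: no two-level public suffixes such as co.uk in the input."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def addr_domain(header_value):
    """Registrable domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value)
    return registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def body_text(msg):
    """Concatenate all text/* parts (works for single-part mail too)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_email, brand, brand_domain):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = message_from_string(raw_email)
    findings = []

    # Spoofed / convincing sender: brand name in the display name, address elsewhere.
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = addr_domain(msg.get("From", ""))
    if brand.lower() in display_name.lower() and from_dom != brand_domain:
        findings.append(f"display name claims {brand} but address domain is {from_dom}")

    # Reply-To routed to a different domain than the apparent sender.
    reply_dom = addr_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Sense of urgency in subject or body.
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # Embedded link: visible text names the brand domain, href goes elsewhere.
    for href, anchor in LINK_RE.findall(body_text(msg)):
        shown = TAG_RE.sub("", anchor).strip().lower()
        real_dom = registrable_domain(urlparse(href).hostname or "")
        if brand_domain in shown and real_dom != brand_domain:
            findings.append(f"link text shows {shown} but points to {real_dom}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Example Credit Union Security" <alerts@examplecu-alerts.example>
Reply-To: recovery@mailbox-verify.example
To: member@example.com
Subject: URGENT: your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear member, unusual activity was detected. Your account has been
suspended. You must verify your account immediately, within 24 hours.</p>
<p>Log in here: <a href="http://203.0.113.7/ecu/login">https://online.examplecu.example/login</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Credit Union" <alerts@examplecu.example>
To: member@example.com
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready in online banking:
<a href="https://online.examplecu.example/statements">https://online.examplecu.example/statements</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample, "Example Credit Union", "examplecu.example"))
```

The checks are deliberately independent so a message that trips only one (for example a genuine but urgent-sounding notice) scores low, while a message like the constructed sample trips all four. None of them replaces authenticated e-mail or member education; they illustrate the pattern the slide describes.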
Phishing Trends Anti-Phishing Working Group: industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. APWG Members • Over 400 members • Over 250 companies • 8 of the top 10 US banks • 4 of the top 5 US ISPs • Over 100 technology vendors • Law enforcement from Australia, CA, UK, USA
Phishing Trends Source: Anti-Phishing Working Group Phishing Attack Trends Reports, March 2004 & May 2004
Phishing Trends Source: Anti-Phishing Working Group Phishing Attack Trends Report, May 2004
Examples (June 2004) Source: Anti-Phishing Working Group Phishing Archive