Critical Security And Compliance Issues In Internet Banking

Presented By: Thomas A. Donofrio Director of Technology Audit and Consulting Services CRITICAL SECURITY AND COMPLIANCE ISSUES IN INTERNET BANKING

Regulatory Guidelines and Suggested Practices - Electronic Banking Environment FFIEC, OCC, FRB, FDIC and OTS have issued joint and separate guidance such as: ,[object Object],[object Object],[object Object],[object Object]

Regulatory Guidelines and Suggested Practices - Electronic Banking Environment “ Living” risk-based management plan and enterprise-wide security program. ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],4. Compliance risks Regulatory Guidelines and Suggested Practices - Electronic Banking Environment

[object Object],Due diligence in selection of vendor Risk assessment of application and services is critical Ongoing evidence of vendor oversight Regulatory Guidelines and Suggested Practices - Electronic Banking Environment

Regulatory Guidelines and Suggested Practices - Electronic Banking Environment ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines Enterprise-wide technology universe ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

[object Object],[object Object],[object Object],Three essential elements for planned new technologies Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Risk assessment document ,[object Object],[object Object],[object Object],[object Object],[object Object],Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Risk assessment document that addresses evidence of: ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

[object Object],[object Object],[object Object],[object Object],[object Object],Privacy and Information Security Policy Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Privacy and Information Security Policy suggested additional guidelines (in addition to those already addressed prior to GLBA) ,[object Object],[object Object],[object Object],[object Object],Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Privacy and Information Security Policy suggested additional guidelines (in addition to those already addressed prior to GLBA) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

Privacy and Information Security Policy suggested additional guidelines (in addition to those already addressed prior to GLBA) ,[object Object],[object Object],[object Object],[object Object],[object Object],Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines 8. Effective February 28, 2001, contracts with third party service providers must contain appropriate language

[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Responsibility for services provided by third party vendors ,[object Object],Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

New E-customer verification, if not face to face, requires: Positive verification Logical verification with customer of general information Use of digital certificates Authentication of E-customers Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Authentication of E-customers Technology Risk Management: Components of an E-Banking Risk Assessment Model and Security Guidelines

[object Object],[object Object],[object Object],[object Object],[object Object],Network and Web-based Security and System Monitoring Network and web site security maintenance

[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Other control initiatives include: Network and Web-based Security and System Monitoring

[object Object],[object Object],[object Object],Penetration/Intrusion Testing Tests electronic environments ,[object Object],[object Object],Zero-knowledge attacks versus full-knowledge attacks

[object Object],[object Object],[object Object],Penetration/Intrusion Testing Typical goals of testing: Insider attacks Remote access exploits (telnet, pc anywhere, secure shell) E-mail exploits Back doors Frontal assaults Evidence and monitoring destruction

Penetration/Intrusion Testing Typical goals of testing: ,[object Object],[object Object],[object Object],[object Object]

Penetration/Intrusion Testing Testing limitations ,[object Object],[object Object]

Network versus E-Commerce intrusion Outsourced web hosting and applications Skill set to exploit the vulnerabilities Penetration/Intrusion Testing Choose a service provider wisely ,[object Object],[object Object],[object Object],[object Object],[object Object]

Security Issues with Other Web Site Initiatives Weblinking/Portals ,[object Object],content compliance customer confusion security policies compliance (e.g., RESPA and Privacy) ,[object Object]

Security Issues with Other Web Site Initiatives Weblinking/Portals ,[object Object],[object Object]

Security Issues with Other Web Site Initiatives Aggregation - web-based consolidation of customer information ,[object Object],Erroneous data gathered Concentration of data increases risk of intrusion Reliance on third party security over information Liability for disputed transactions ,[object Object]

Security Issues with Other Web Site Initiatives Aggregation - web-based consolidation of customer information ,[object Object],Wireless Banking

Needs Assessment - E-Insurance Analysis of your current commercial coverage Determine if new e-insurance offerings duplicate Customer privacy violations, specific business interruptions or denial of access may have limited coverage or no coverage at all

Does current business coverage meet needs if modified? If new coverage is needed, how does it work and how are losses valued? When will coverage in proposal be available? Needs Assessment - E-Insurance Coverage questions to assist in determining e-insurance needs Require outsourcing partners e-insurance as part of contract SLA

Critical Security And Compliance Issues In Internet Banking

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (20)

Semelhante a Critical Security And Compliance Issues In Internet Banking

Semelhante a Critical Security And Compliance Issues In Internet Banking (20)

Último

Último (20)

Critical Security And Compliance Issues In Internet Banking