March 26, 2000
FYI - Bank, thrift, and credit union regulators issued a document discussing lessons learned from the preparation for the Year 2000 date change, and urged financial institutions to incorporate the knowledge gained from that experience into future projects and technology risk management.
FYI - A British teenager, arrested after an FBI investigation into international computer hacking, says he obtained the credit card number of Bill Gates, the head of Microsoft and the world's richest man.
INTERNET SECURITY - Last week we covered four of seven security policy components. The information is from the Information Systems Audit and Control Association's (ISACA) Certified Information Systems Auditor (CISA) Review Technical Information Manual. ISACA is a worldwide association of information systems audit and control professionals. The CISA is the organization's certification that an IS auditor is proficient in auditing computer security controls, including those for Internet-connected systems.
For security to be successfully implemented and maintained, the framework and intent of security must be clearly established and communicated to all appropriate parties. The key is a written security policy that serves to heighten security awareness throughout the organization.
The last three key components of such a policy include the following:
5) Security Awareness
All employees, including management, need to be made aware on a regular basis of the importance of security. A number of different mechanisms are available for raising security awareness including:
a) Distribution of a written security policy
c) Non-disclosure statements signed by the employee
d) Company newsletter
e) Visible enforcement of security rules
f) Periodic audits
Employee responsibilities for security include:
a) Reading the security policy
b) Keeping logon-IDs and passwords secret
c) Reporting suspected violations of security to the security administrator
d) Maintaining good physical security by keeping doors locked, safeguarding access keys, not disclosing access door lock combinations and questioning unfamiliar people
Non-employees with access to company systems also should be held accountable for security policies and responsibilities. This includes contract employees, vendors' programmers/analysts, maintenance personnel and clients.
Security awareness material should not itself disclose sensitive information. Security policies distributed to employees should not identify sensitive security details such as password file names, technical security configurations, methods to bypass electronic security or system software files.
6) Role of the Security Administrator
The security administrator, typically a member of the IS department, is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized. For proper segregation of duties, the security administrator should not be responsible for updating application data nor be an end user, application programmer, computer operator or data entry clerk. In large organizations, the security administrator is usually a full time function; in small organizations, someone may perform this function with other non-conflicting responsibilities.
7) Security Committee
Security guidelines, policies and procedures affect the entire organization and, as such, should have the support and suggestions of end users, executive management, security administration, IS personnel and legal counsel. Therefore, individuals representing the various management levels should meet as a committee to discuss these issues and establish security practices.
INTERNET COMPLIANCE - The FDIC and NCUA consider every insured depository institution's online system top-level page, or "home page", to be an advertisement. Therefore, according to these agencies' interpretation of their rules, financial institutions should display the official advertising statement on their home pages unless subject to one of the exceptions. Furthermore, each subsidiary page of an online system that contains an advertisement should display the official advertising statement unless subject to one of the exceptions. The official bank sign, official savings association sign, and NCUA official sign are currently not required to be displayed on an institution's online system.
INTERNET RISKS - According to the OCC, Internet banking creates new risk control challenges. Over the past few weeks, we covered the OCC's comments on Credit Risk, Interest Rate Risk, Liquidity Risk, Price Risk, Foreign Exchange Risk, Transactional Risk, and Compliance Risk. This week we will cover Strategic Risk.
Strategic risk is the current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. This risk is a function of the compatibility of an organization's strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals, and the quality of implementation. The resources needed to carry out business strategies are both tangible and intangible. They include communication channels, operating systems, delivery networks, and managerial capacities and capabilities. The organization's internal characteristics must be evaluated against the impact of economic, technological, competitive, regulatory, and other environmental changes.
Management must understand the risks associated with Internet banking before deciding to develop a particular class of business. In some cases, banks may offer new products and services via the Internet. It is important that management understand the risks and ramifications of these decisions. Sufficient levels of technology and MIS are necessary to support such a business venture. Because many banks will compete with financial institutions beyond their existing trade area, those engaging in Internet banking must have a strong link between the technology employed and the bank's strategic planning process.
Before introducing an Internet banking product, management should consider whether the product and technology are consistent with tangible business objectives in the bank's strategic plan. The bank also should consider whether adequate expertise and resources are available to identify, monitor, and control risk in the Internet banking business. The planning and decision-making process should focus on how a specific business need is met by the Internet banking product, rather than on the product as an independent objective. The bank's technology experts, along with its marketing and operational executives, should contribute to the decision-making and planning process. They should ensure that the plan is consistent with the overall business objectives of the bank and is within the bank's risk tolerance. New technologies, especially the Internet, could bring about rapid changes in competitive forces. Accordingly, the strategic vision should determine the way the Internet banking product line is designed, implemented, and monitored.
IN CLOSING - We provide penetration and vulnerability testing that meets the regulatory recommendations as part of an Internet security audit. Our associate is Cisco certified and can answer any of your questions regarding IS security and the Internet. If you would like more information, please send us an e-mail and our associate will call you to discuss how penetration and vulnerability testing will benefit your Internet audit and security program.