As your trusted financial partner, Maps Credit Union is committed to helping you assess and manage risks associated with your business online banking. We recommend that you do a periodic risk assessment to ensure that you have the necessary controls in place for your processes, systems, and personnel. This risk assessment tool can help you assess your systems and make any needed changes.

Physical Security

1. What level of security have you employed for your critical systems, including those used to access online banking?
   a. They are behind a locked door.
   b. They are in a restricted area.
   c. All computer systems are in a public area.

2. Are your employees trained to lock their workstations before leaving them?
   a. No.
   b. Yes, but locking is only done manually.
   c. Yes, and each workstation auto-locks after a period of inactivity.

3. Are employees set as Administrator level on their workstations?
   a. Yes, if it is necessary for their work.
   b. Yes.
   c. No.

4. How are passwords stored?
   a. Employees remember them or keep a log on their computer or in a locked desk drawer.
   b. They are written on sticky notes or paper placed by the computer.

Computer Security

5. Does your network employ a firewall?
   a. Yes.
   b. No.

6. Do you use Internet content filtering?
   a. Yes. We have an Internet content filter in place.
   b. No.
   c. Yes. Internet traffic on the system(s) used for online banking activities is completely restricted only to sites needed for necessary business functions.

7. Do you filter SPAM email?
   a. No.
   b. Yes.

8. Do you employ an intrusion detection or prevention system (IDS/IPS) for network traffic?
   a. Yes.
   b. No.

9. Is your anti-virus software up-to-date on workstations and servers?
   a. Yes, on critical systems.
   b. Yes, on all systems.
   c. No.

10. How do you handle software and operating system updates?
   a. We have no formal process.
   b. Staff chooses when to install updates and patches with little or no guidance from IT staff or management.
   c. We have a formal process that ensures all updates and patches are installed at least monthly.

11. Is wireless technology used on the same network as the system used to access online banking?
   a. Yes, and wireless traffic uses WEP encryption.
   b. Yes, and wireless technology uses industry-approved encryption (e.g., WPA).
   c. Yes.
   d. No.

Personnel Security

12. Do your employees sign an Acceptable Use Policy?
   a. On hire.
   b. At least once a year.
   c. No.

13. Do you screen employees before hire?
   a. No.
   b. Yes. We background screen employees in specific positions.
   c. Yes. We run full background checks on all employees.

14. Does your management team stay abreast of potential information security threats and the steps that can be taken to mitigate them?
   a. Yes.
   b. No.

15. Do you require security awareness training of the employees who use business online banking?
   a. No.
   b. Once a year or more.
   c. On hire.

16. Are duties related to online banking and financial management segregated?
   a. One individual has access to all portions of online banking, though other employees are cross-trained to cover vacations or staff changes.
   b. Yes, this is an important component of our fraud prevention plan.
   c. No.

Scoring and Explanation

1. a: 1, b: 2, c: 5
   The more you restrict access to systems that can access your online banking, the more secure it will remain.

2. a: 5, b: 2, c: 1
   Locking workstations, even in areas that are physically secure or restricted, is critical to maintaining their security. Each user should lock their computer when they get up, even for a short time, and your IT team should set them to auto-lock after a specific period of inactivity.

3. a: 3, b: 5, c: 1
   Administrators have special levels of access to install software and use devices, so it is best to restrict that level of access as much as possible.

4. a: 1, b: 10
   Instruct employees to store passwords in a secure location, not out on their desk or stuck on their monitor.

5. a: 1, b: 15
   Make sure you have a firewall installed and that you keep it up-to-date.

6. a: 2, b: 5, c: 1
   Content filters can provide another line of defense on critical systems by blocking non-mission-critical types of Internet content.

7. a: 5, b: 1
   Filtering SPAM emails before they make it to employee inboxes helps mitigate risk by ensuring that employees have fewer opportunities to click links that download Trojans, worms, or viruses.

8. a: 1, b: 3
   An IDS/IPS is a smart choice to monitor Internet traffic for potential problems.

9. a: 3, b: 1, c: 5
   Keeping anti-virus software up-to-date on all systems is crucial to protecting your systems. If keeping it updated on all systems isn't feasible, then make sure updates are installed on critical systems and servers. Automating full system scans and updates helps ensure that the process happens on an ongoing basis; try scheduling full system scans overnight or during off-hours to minimize slowing down employee work.

10. a: 5, b: 3, c: 1
   Software and operating system manufacturers continually release security patches that can prevent unauthorized intrusions into your critical and non-critical computer systems. A formal process to ensure that these patches and software updates are installed regularly will help protect your network and systems. Try automating the update process when your software supports it.

11. a: 2, b: 1, c: 15, d: 1
   Wireless traffic can open security holes in your network, so be careful about the types of devices you allow to access your systems over wireless networks. Either lock your network down to wired traffic only or ensure that wireless devices use higher-level security encryption, such as WPA. Ensure that your IT staff have customized the configuration of your wireless access points to make it harder for unauthorized individuals to find and use them.

12. a: 2, b: 1, c: 5
   An AUP provides users with concrete guidelines for what they can and cannot do on your computer systems and network. You should review your policy annually or more often to ensure that you make changes if there are new technologies or situations that need to be covered. Also ask your employees to review the policy, even if there are no changes, so that it remains fresh in their minds.

13. a: 5, b: 2, c: 1
   Background screening is an important part of an overall hiring strategy that mitigates risk for your organization. Consider screening all employees before hire.

14. a: 1, b: 5
   Management should stay up-to-date on new developments in online and computer security, as well as credible threats.

15. a: 5, b: 1, c: 2
   Security awareness training should be part of your annual or semi-annual requirements for all employees who have access to your business online banking. Topics covered should include computer and network security policies, password guidelines, ways to recognize and avoid social engineering, and so on.

16. a: 4, b: 1, c: 5
   One of the best ways to prevent internal fraud is to ensure that multiple employees have access to financial information and that financial duties are spread among employees. For example, one employee could enter AP data and cut checks, and a second employee could audit printed checks monthly through online statements or printed statements. This ensures that discrepancies are caught early and can prove a deterrent.

Add your total score to see whether your risk rating falls in a category you can tolerate.

Cumulative Risk Rating

   Low:      0-15
   Medium:   16-25
   High:     26-35
   Critical: 35+

If you fall into the High or Critical categories, consider enacting some of the recommended strategies above.