IS SECURITY PERSPECTIVES FROM THE BANKING INDUSTRY AGUMA MPAIRWE CISA,CIA,FCCA,B.A(HONS). DEFINITIONS INFORMATION SECURITY - ‘THE PROCESS BY WHICH AN ORGANISATION PROTECTS AND SECURES ITS SYSTEMS, MEDIA AND FACILITIES THAT PROCESS AND MAINTAIN INFORMATION VITAL TO ITS OPERATIONS’ – FFIEC BANKING – ‘THE BUSINESS ACTIVITY OF ACCEPTING AND SAFEGUARDING THE MONEY OWNED BY OTHER INDIVIDUALS AND ENTITIES THEN LENDING OUT THIS MONEY IN ORDER TO EARN A PROFIT’ INVESTORWORDS IT SECURITY AND AUDIT BEST PRACTICES - BANKS FEDERAL FINANCIAL INSTITUTIONS EXAMINATIONS COUNCIL (FFIEC). FFIEC IT EXAMINATION BOOKLETS FFIEC – US BASED ORGANISATION THAT BRINGS TOGETHER ALL REGULATORS OF THE US FINANCIAL SYSTEM BANKING ACTIVITIES GENERAL RECEIPT OF DEPOSITS (CASH,CHEQUE OR ELECTRONIC) SAFEGUARDING OF DEPOSITS LENDING OF DEPOSITS TO OTHER PARTIES INVESTMENT AND TREASURY ACTIVITIES – PLACEMENT OF FUNDS, FOREX TRADING, DERIVATIVES TRADING AVAILING FUNDS TO THOSE THAT WISH TO WITHDRAW THEM GENERAL MANAGEMENT, ACCOUNTING AND ADMINISTRATION ALL THE ABOVE WILL INVOLVE THE USE OF SOME FORM OF IT SYSTEM OR OTHER ALL THE PROCESSES ABOVE PRESENT RISKS THAT CAN BE EXPLOITED FOR PURPOSES OF FRAUD IT SECURITY IS PARAMOUNT BANKING ACTIVITIES BANKS IN THE ‘TRUST’ BUSINESS LEGAL, PROFESSIONAL AND ETHICAL OBLIGATION TO KEEP CUSTOMER INFORMATION AND AFFAIRS CONFIDENTIAL – ‘A FINANCIAL INSTITUTION’S EARNINGS, AND CAPITAL CAN BE ADVERSELY AFFECTED IF INFORMATION BECOMES KNOWN TO UNAUTHORISED PARTIES, IS ALTERED, OR IS NOT AVAILABLE WHEN IT IS NEEDED’ – FFIEC ADVERSE PUBLICITY CAN LEAD TO REPUTATIONAL RISK AND IN THE WORST CASE A RUN ON A BANK. THE ‘C.I.A’ - CONFIDENTIALITY, INTEGRITY AND AVAILABILITY OF INFORMATION PARAMOUNT IT SECURITY OBJECTIVES CONFIDENTIALITY INTEGRITY AVAILABILITY ACCOUNTABILITY ASSURANCE NOTE - ACCOUNTABILITY AND INTEGRITY REPRESENT ‘NON REPUDIATION’ - FFIEC CHANGING BANK FRAUD AND FRAUSTER PROFILE UGANDA IN THE EARLY 2000’s AND BEFORE KEY FRAUDS WERE CHEQUE FRAUD, FORGED, ALTERED, COUNTERFEIT. DEPOSIT SLIP FRAUD TYPICAL FRAUDSTER – MALE, 35 YEAR OLD, LIMITED EDUCATION. CHANGING BANK FRAUD AND FRAUSTER PROFILE UGANDA MID- 2005 TO DATE ELECTRONIC FRAUD ATM FRAUD IN HOUSE BANK FRAUD – BY BANK EMPLOYEES EITHER ALONE OR IN COLLUSION WITH OUTSIDERS TYPICAL FRAUDSTER – MALE OR FEMALE, BANK EMPLOYEE, TRUSTED INSIDER, EDUCATED, UNIVERSITY GRADUATE, IT LITERATE (NOT NECESSARILY EXPERT!), ONLINE FRAUD IMPLICATIONS 71% MORE CAUTIOUS WHEN SHOPPING ONLINE 67% MORE ATTENTIVE WHEN PROVIDING FINANCIAL AND PERSONAL INFORMATION TO WEBSITES 28% ABANDON A PURCHANSE IF REDIRECTED TO ANOTHER SITE TO PROVIDE PAYMENT INFORMATION 15% STOPPED SHOPPING ALTOGETHER AS A RESULT OF ONLINE FRAUD CONCERNS – USA SURVEY INFORMATION WEBSITES POTENTIAL LIABILITY AND CONSUMER VIOLATIONS FOR INACCURATE OR INCOMPLETE INFORMATION ABOUT PRODUCTS, SERVICES, AND PRICING PRESENTED ON THE WEBSITE; POTENTIAL ACCESS TO CONFIDENTIAL FINANCIAL INSTITUTION OR CUSTOMER INFORMATION IF THE WEBSITE IS NOT PROPERLY ISOLATED FROM THE FINANCIAL INSTITUTION'S INTERNAL NETWORK; POTENTIAL LIABILITY FOR SPREADING VIRUSES AND OTHER MALICIOUS CODE TO COMPUTERS COMMUNICATING WITH THE INSTITUTION'S WEBSITE; AND NEGATIVE PUBLIC PERCEPTION IF THE INSTITUTION'S ON-LINE SERVICES ARE DISRUPTED OR IF ITS WEBSITE IS DEFACED OR OTHERWISE PRESENTS INAPPROPRIATE OR OFFENSIVE MATERIAL. -FFIEC TRANSACTIONAL WEBSITES SECURITY CONTROLS FOR SAFEGUARDING CUSTOMER INFORMATION; AUTHENTICATION PROCESSES -VERIFY THE IDENTITY OF NEW CUSTOMERS AND AUTHENTICATE EXISTING CUSTOMERS WHO ACCESS E-BANKING SERVICES; LIABILITY FOR UNAUTHORIZED TRANSACTIONS; LOSSES FROM FRAUD IF THE INSTITUTION FAILS TO VERIFY THE IDENTITY OF INDIVIDUALS OR BUSINESSES APPLYING FOR NEW ACCOUNTS OR CREDIT ON-LINE - FFIEC RETAIL SERVICES WHOLESALE SERVICES ACCOUNT MANAGEMENT ACCOUNT MANAGEMENT BILL PAYMENT AND PRESENTMENT CASH MANAGEMENT . NEW ACCOUNT OPENING CONSUMER WIRE TRANSFERS INVESTMENT/BROKERAGE SERVICES SMALL BUSINESS LOAN APPLICATIONS, APPROVALS, OR ADVANCES COMMERCIAL WIRE TRANSFERS LOAN APPLICATION AND BUSINESS-TO-BUSINESS PAYMENTS APPROVAL ACCOUNT AGGREGATION EMPLOYEE BENEFITS/PENSION ADMINISTRATION TRANSACTIONAL WEBSITES POSSIBLE VIOLATIONS OF LAWS OR REGULATIONS PERTAINING TO CONSUMER PRIVACY, ANTI-MONEY LAUNDERING, ANTITERRORISM, OR THE CONTENT, TIMING, OR DELIVERY OF REQUIRED CONSUMER DISCLOSURES; AND NEGATIVE PUBLIC PERCEPTION, CUSTOMER DISSATISFACTION, AND POTENTIAL LIABILITY RESULTING FROM FAILURE TO PROCESS THIRD-PARTY PAYMENTS AS DIRECTED OR WITHIN SPECIFIED TIME FRAMES, LACK OF AVAILABILITY OF ON-LINE SERVICES, OR UNAUTHORIZED ACCESS TO CONFIDENTIAL CUSTOMER INFORMATION DURING TRANSMISSION OR STORAGE. - FFIEC SOURCE :FFIEC ATM/CARD- FRAUD WHO PICKS UP THE COST IF YOUR CARD IS MISUSED, YOU OR YOUR BANK? SOUTH AFRICA - TOTAL VALUE OF ONLINE TRANSACTIONS – USD $285 MILLION SOUTH AFRICA - 2009 TOTAL LOSSES TO BANKING INDUSTRY DUE TO LOST AND STOLEN CARDS – USD 13MILLION – PERSONAL FINANCE ATM/DEBIT/CREDIT CARD – RISKS CARD INFORMATION HELD IN MAGNETIC STRIPE INCLUDING PRIMARY ACCOUNT NUMBER, EXPIRY DATE, CARD CAN BE CLONED, IF DETAILS ON MAGNETIC STRIPE CAN BE COPIED USING SKIMMING DEVICES CARD CAN BE STOLEN/LOST USED FOR ‘CARDHOLDER NOT PRESENT’ TRANSACTIONS – OVER PHONE OR ONLINE PIN CAN BE OBTAINED USING HIDDEN CAMERAS IN ATM LOCATION OR CCTV CAMERAS IN VIEW OF THE KEYPAD! CARD SKIMMING INVOLVES THE USE OF DEVICES THAT READ CARD DETAILS CONTAINED IN THE MAGNETIC STRIP OF THE CARD CAB BE PLACED IN THE ATM CARD SLOT OR CAN BE HAND HELD (POCKET) RESTAURANTS HIGH RISK! BEGAN TO OBSERVE COMPLAINTS IN UGANDA DISCUSSION AT BANKERS ASSOSCIATION FRAUD AND FORGERIES SUB-COMMITTEE CASES OF FRAUD REPORTED BY MEMBER BANKS CUSTOMERS USUALLY HAD TRAVELLED ABROAD AT SOME POINT IN TIME SOUTH AFRICA – MENTIONED AS A DESINATION VISITED IN SOME CASES CARD SKIMMING ABSA 177 ARRESTS, 26 SKIMMING DEVICES CAPTURED IN 2011 - PERSONAL FINANCE COST TO THE US - $60 MILLION PER YEAR! – CSO ONLINE ATM RISK MITIGANTS CHIP AND PIN BASED CARDS. AWARENESS TRAINING FOR CUSTOMERS!! PHYSICAL SECURITY CAUTION AT ATM SITES – WATCH OUT FOR CAMERA’S, SKIMMING DEVICES SHIELD ENTRY OF PIN AT ATM WITH HAND/WALLET REGULAR CHECKING OF CARD BALANCES MERCHANT TRAINING INTERNAL ACCOUNT TRANSFERS INCRESINGLY COMMON FRAUD IN INDUSTRY INVOLVES UNAUTHORISED ‘CREATION’ OF DEPOSITS DEBIT ‘OVERCROWDED’ ACCOUNT WITH SEVERAL ITEMS DIFFICULT TO TRACE E.G SUSPENSE ACCOUNT CREDIT IS MADE TO CUSTOMER ACCOUNT FUNDS ARE WITHDRAWN! POSSIBLE SOLUTIONS COMBINATION OF ROLE BASED ACCESS AND LEAST PRIVILEDGE RESTRICTIONS CAN BE ENFORCED RESTRICT TELLER OR OPERATIONS STAFF ABILITY TO POST TRANSACTIONS TO ADMINISTRATIVE ACCOUNTS E.G FIXED ASSET ACCCOUNTS RESTRIC FINANCE DEPARTMENT STAFF ABILITY TO POST TRANSACTIONS DIRECTLY TO CUSTOMER ACCOUNTS G.L AUDIT REVIEW –PERIODIC CLEAR TIMELINES FOR CLEARING OFF ITEMS IN SUSPENSE, TRANSIT AND CLEARING ACCOUNTS IT PROJECT MANAGEMENT RISKS INADEQUATE SECURITY FEATURES ENFORCED DURING IMPLEMENTATION OF IT APPLICATION SYSTEMS OBSERVED IN BANKING INDUSTRY IN THE PAST MUST PROVIDE FOR: GENERAL ACCESS CONTROLS IDENTIFICATION AND AUTHENTICATION CONTROLS AUDIT TRAIL COMMUNICATION CONTROLS – KELLY KIM 2008 DATA MIGRATION CONTROLS – IMPORTANT TAKE ACCOUNT OF FACT THAT BANK SYSTEMS MAY NEED TO BE ONLINE 24/7/365 PROJECT MANAGEMENT PROJECT MANAGEMENT – BASELINE CONTROLS IMPLEMENTED IS AUDIT INVOLVEMENT POST IMPLEMENTATION REVIEW REGULATORY CERTIFICATION PRE IMPLEMENTATION TREASURY HIGH RISK AREA BANK IS INVESTING OR TRADING MONEY MARKET PRODUCTS FOREIGN CURRENCY (FX) DERIVATIVES TRANSACTION SIZES MAY BE VERY LARGE POTENTIAL FOR PROFIT/LOSSES MAY BE VERY LARGE DEPENDING ON MARKET CONDITIONS TREASURY RISK APPROVAL TO COMMIT THE BANK GIVEN TO TRADERS BEFORE TRANSACTION THROUGH THE USE OF VARIOUS LIMITS MONITORING OF COMPLIANCE WITH LIMITS IS CRITICAL TO RISK MANAGEMENT IN TRASURY SEGREGATION OF DUTIES IS ALSO CRITICAL ( FRONT OFFICE, MIDDLE OFFICE, BACK OFFICE) TRADERS MUST NO HAVE ACCESS TO RATE REVALUATION SYSTEMS – COULD HIDE LOSSES TRADERS SHOULD NOT HAVE ACCESS TO CONFIRMATION AND SETTLEMENT SYSTEMS – COULD HIDE TRADES AND LOSSES IT SECURITY DESIGN IMPORTANT TO DEAL WITH THESE ISSUES TREASURY –KEY BANK LOSSES/FRAUDS 2002 TRADER JOHN RUSNACK - £485 MILLION LOSS TO ALLIED IRISH BANK – TAMPERED WITH REUTERS RATES FEED 2008 TRADER JEROME KERVIEL – $ 7 BILLION LOSS – HAD PREVIOUSLY WORKED IN BACK OFFICE, HID TRANSACTIONS (TRADES), FALSIFIED E-MAIL, - FVTER 1995 – trader NICK LEESON – HID £865M LOSSES, BROUGHT DOWN BARINGS BANK…..INTEGRATED IT SYSTEMS COULD HAVE PREVENTED BANK COLLAPSE - COMPUTERWEEKLY COSO –CONTROL MODEL MONITORING INFORMATION AND COMMUNICATION CONTROL PROCEDURES RISK ASSESSMENT CONTROL ENVIRONMENT IT GOVERNANCE ‘FINANCIAL INSTITUTIONS SHOULD IMPLEMENT AN ONGOING SECURITY PROCESS AND INSTITUTE APPROPRIATE GOVERNANCE FOR THE SECURITY FUNCTION, ASSIGNING CLEAR AND APPROPRIATE ROLES AND RESPONSIBILITIES TO THE BOARD OF DIRECTORS, MANAGEMENT AND EMPLOYEES’ - FFIEC IS SECURITY STRATEGY FINANCIAL INSTITUTIONS SHOULD DEVELOP A STRATEGY THAT DEFINES CONTROL OBJECTIVES AND ESTABLISHES AN IMPLEMENTATION PLAN. THE SECURITY STRATEGY SHOULD INCLUDE APPROPRIATE CONSIDERATION OF PREVENTION, DETECTION, AND RESPONSE MECHANISMS, IMPLEMENTATION OF THE LEAST PERMISSIONS AND LEAST PRIVILEGES CONCEPTS, LAYERED CONTROLS THAT ESTABLISH MULTIPLE CONTROL POINTS BETWEEN THREATS AND ORGANIZATION ASSETS, AND POLICIES THAT GUIDE OFFICERS AND EMPLOYEES IN IMPLEMENTING THE SECURITY PROGRAM. -FFIEC IT RISK ASSESSMENT GATHERS DATA REGARDING THE INFORMATION AND TECHNOLOGY ASSETS OF THE ORGANIZATION, THREATS TO THOSE ASSETS, VULNERABILITIES, EXISTING SECURITY CONTROLS AND PROCESSES, AND THE CURRENT SECURITY STANDARDS AND REQUIREMENTS; ANALYZES THE PROBABILITY AND IMPACT ASSOCIATED WITH THE KNOWN THREATS AND VULNERABILITIES TO THEIR ASSETS; AND PRIORITIZES THE RISKS PRESENT DUE TO THREATS AND VULNERABILITIES TO DETERMINE THE APPROPRIATE LEVEL OF TRAINING, CONTROLS, AND ASSURANCE NECESSARY FOR EFFECTIVE MITIGATION. - FFIEC IT RISK ASSESSMENT BOTH TECHNICAL AND NON-TECHNICAL INFORMATION SHOULD BE GATHERED. TECHNICAL INFORMATION – NETWORK MAPS DETAILING INTERNAL AND EXTERNAL CONNECTIVITY; HARDWARE AND SOFTWARE INVENTORIES; DATABASES AND FILES THAT CONTAIN CRITICAL AND/OR CONFIDENTIAL INFORMATION; PROCESSING ARRANGEMENTS AND INTERFACES WITH EXTERNAL ENTITIES; HARDWARE AND SOFTWARE CONFIGURATIONS; POLICIES, STANDARDS, AND PROCEDURES FOR THE OPERATION, MAINTENANCE, UPGRADING, AND MONITORING OF TECHNICAL SYSTEMS.FFIEC IT RISK ASSESSMENT NON-TECHNICAL INFORMATION POLICIES, STANDARDS, AND PROCEDURES ADDRESSING PHYSICAL SECURITY (INCLUDING FACILITIES AS WELL AS INFORMATION ASSETS THAT INCLUDE LOAN DOCUMENTATION, DEPOSIT RECORDS AND SIGNATURE CARDS, AND KEY AND ACCESS CODE LISTS), PERSONNEL SECURITY (INCLUDING HIRING BACKGROUND CHECKS AND BEHAVIOUR MONITORING), VENDOR CONTRACTS, PERSONNEL SECURITY TRAINING AND EXPERTISE, AND INSURANCE COVERAGE. ADDITIONALLY, INFORMATION REGARDING CONTROL EFFECTIVENESS SHOULD BE GATHERED. TYPICALLY, THAT INFORMATION COMES FROM SECURITY MONITORING, INCLUDING SELF-ASSESSMENTS, METRICS, AND INDEPENDENT TESTS. FFIEC IT SYSTEMS ASSESSMENT ‘SOME SYSTEMS AND DATA STORES MAY NOT BE READILY APPARENT. FOR EXAMPLE, BACKUP TAPES, PORTABLE COMPUTERS, PERSONAL DIGITAL ASSISTANTS, MEDIA SUCH AS COMPACT DISKS, MICRO DRIVES, AND DISKETTES, AND MEDIA USED IN SOFTWARE DEVELOPMENT AND TESTING SHOULD BE CONSIDERED’. - FFIEC IT THREATS AND VULNERABILITIES THREATS -EVENTS THAT COULD CAUSE HARM TO THE CONFIDENTIALITY, INTEGRITY, OR AVAILABILITY OF INFORMATION OR INFORMATION SYSTEMS. EXPLOITING A VULNERABILITY TO CAUSE HARM THROUGH THE UNAUTHORIZED DISCLOSURE, MISUSE, ALTERATION, OR DESTRUCTION OF INFORMATION OR INFORMATION SYSTEMS. INTERNAL (MALICIOUS OR INCOMPETENT EMPLOYEES, CONTRACTORS, SERVICE PROVIDERS, AND FORMER INSIDERS) EXTERNAL (CRIMINALS, RECREATIONAL HACKERS, COMPETITORS, AND TERRORISTS). FFIEC IT THREATS AND VULNERABILITIES VULNERABILITIES - WEAKNESSES IN A SYSTEM, OR CONTROL GAPS THAT, IF EXPLOITED, COULD RESULT IN THE UNAUTHORIZED DISCLOSURE, MISUSE, ALTERATION, OR DESTRUCTION OF INFORMATION OR INFORMATION SYSTEMS. VULNERABILITIES ARE GENERALLY GROUPED INTO TWO TYPES: KNOWN AND EXPECTED. - FFIEC VULNERABILITIES KNOWN VULNERABILITIES - DISCOVERED BY TESTING OR OTHER REVIEWS OF THE ENVIRONMENT, KNOWLEDGE OF POLICY WEAKNESSES, KNOWLEDGE OF INADEQUATE IMPLEMENTATIONS, AND KNOWLEDGE OF PERSONNEL ISSUES. . EXPECTED VULNERABILITIES - THOSE THAT CAN REASONABLY BE ANTICIPATED TO ARISE IN THE FUTURE. EXAMPLES UNPATCHED SOFTWARE, NEW AND UNIQUE ATTACK METHODOLOGIES THAT BYPASS CURRENT CONTROLS, EMPLOYEE AND CONTRACTOR FAILURES TO PERFORM SECURITY DUTIES SATISFACTORILY, PERSONNEL TURNOVER - FFIEC IT SECURITY POLICY KEY ACTIONS THAT CONTRIBUTE TO THE SUCCESS OF A SECURITY POLICY ARE IMPLEMENTING THROUGH ORDINARY MEANS, SUCH AS SYSTEM ADMINISTRATION PROCEDURES AND ACCEPTABLE-USE POLICIES; ENFORCING POLICY THROUGH SECURITY TOOLS AND SANCTIONS; DELINEATING THE AREAS OF RESPONSIBILITY FOR USERS, ADMINISTRATORS, AND MANAGERS; COMMUNICATING IN A CLEAR, UNDERSTANDABLE MANNER TO ALL CONCERNED; OBTAINING EMPLOYEE CERTIFICATION THAT THEY HAVE READ AND UNDERSTOOD THE POLICY; PROVIDING FLEXIBILITY TO ADDRESS CHANGES IN THE ENVIRONMENT; AND CONDUCTING ANNUALLY A REVIEW AND APPROVAL BY THE BOARD OF DIRECTORS. - FFIEC SECURITY DOMAINS A SECURITY DOMAIN IS A PART OF THE SYSTEM WITH ITS OWN POLICIES AND CONTROL MECHANISMS. SECURITY DOMAINS FOR A NETWORK ARE TYPICALLY CONSTRUCTED FROM ROUTING CONTROLS AND DIRECTORIES. DOMAINS CONSTRUCTED FROM ROUTING CONTROLS MAY BE BOUNDED BY NETWORK PERIMETERS WITH PERIMETER CONTROLS. THE PERIMETERS SEPARATE WHAT IS NOT TRUSTED FROM WHAT MAY BE TRUSTWORTHY. THE PERIMETERS SERVE AS WELL-DEFINED TRANSITION POINTS BETWEEN TRUST AREAS WHERE POLICY ENFORCEMENT AND MONITORING TAKES PLACE. AN EXAMPLE OF SUCH A DOMAIN IS A DEMILITARIZED ZONE (DMZ), BOUNDED BY A PERIMETER THAT CONTROLS ACCESS FROM OUTSIDE AND INSIDE THE INSTITUTION. DOMAINS CONSTRUCTED FROM DIRECTORIES MAY LIMIT ACCESS TO NETWORK RESOURCES AND APPLICATIONS BASED ON ROLE OR FUNCTION. - FFIEC DEFENSE IN DEPTH FINANCIAL INSTITUTIONS SHOULD DESIGN MULTIPLE LAYERS OF SECURITY CONTROLS ESTABLISH SEVERAL LINES OF DEFENSE BETWEEN THE ATTACKER AND THE ASSET BEING ATTACKED. AN INTERNET SECURITY - A PACKET FILTERING ROUTER WITH STRICT ACCESS CONTROL RULES, IN FRONT OF AN APPLICATION LEVEL FIREWALL, IN FRONT OF WEB SERVERS, IN FRONT OF A TRANSACTIONAL SERVER, IN FRONT OF A DATABASE SERVER, WITH INTRUSION DETECTION SYSTEMS LOCATED AT VARIOUS POINTS BETWEEN THE SERVERS AND ON CERTAIN HOSTS. THE LAYERS SHOULD BE AT MULTIPLE CONTROL POINTS THROUGHOUT THE COMMUNICATION AND TRANSACTIONAL FLOW AND SHOULD INCLUDE BOTH SYSTEMS AND MANUAL PROCESSES. TO SUCCESSFULLY ATTACK AN ASSET, EACH LAYER MUST BE PENETRATED. WITH EACH PENETRATION, THE PROBABILITY OF DETECTING THE ATTACKER INCREASES. - FFIEC NETWORK SECURITY FINANCIAL INSTITUTIONS SHOULD SECURE ACCESS TO THEIR COMPUTER NETWORKS THROUGH MULTIPLE LAYERS OF ACCESS CONTROLS TO PROTECT AGAINST UNAUTHORIZED ACCESS. INSTITUTIONS SHOULD GROUP NETWORK SERVERS, APPLICATIONS, DATA, AND USERS INTO SECURITY DOMAINS (E.G., UNTRUSTED EXTERNAL NETWORKS, EXTERNAL SERVICE PROVIDERS, OR VARIOUS INTERNAL USER SYSTEMS); ESTABLISH APPROPRIATE ACCESS REQUIREMENTS WITHIN AND BETWEEN EACH SECURITY DOMAIN; IMPLEMENT APPROPRIATE TECHNOLOGICAL CONTROLS TO MEET THOSE ACCESS REQUIREMENTS CONSISTENTLY; AND MONITOR CROSS-DOMAIN ACCESS FOR SECURITY POLICY VIOLATIONS AND ANOMALOUS ACTIVITY. - FFIEC OPERATING SYSTEM SECURITY FINANCIAL INSTITUTIONS SHOULD SECURE ACCESS TO THE OPERATING SYSTEMS OF ALL SYSTEM COMPONENTS BY SECURING ACCESS TO SYSTEM UTILITIES, RESTRICTING AND MONITORING PRIVILEGED ACCESS, LOGGING AND MONITORING USER OR PROGRAM ACCESS TO SENSITIVE RESOURCES AND ALERTING ON SECURITY EVENTS, UPDATING THE OPERATING SYSTEMS WITH SECURITY PATCHES, AND SECURING THE DEVICES THAT CAN ACCESS THE OPERATING SYSTEM THROUGH PHYSICAL AND LOGICAL MEANS. -FFIEC APPLICATION SECURITY FINANCIAL INSTITUTIONS SHOULD CONTROL ACCESS TO APPLICATIONS BY USING AUTHENTICATION AND AUTHORIZATION CONTROLS APPROPRIATELY ROBUST FOR THE RISK OF THE APPLICATION, MONITORING ACCESS RIGHTS TO ENSURE THEY ARE THE MINIMUM REQUIRED FOR THE USER'S CURRENT BUSINESS NEEDS, USING TIME-OF-DAY LIMITATIONS ON ACCESS AS APPROPRIATE, LOGGING ACCESS AND SECURITY EVENTS, AND USING SOFTWARE THAT ENABLES RAPID ANALYSIS OF USER ACTIVITIES. - FFIEC REMOTE ACCESS CONTROLS FINANCIAL INSTITUTIONS SHOULD SECURE REMOTE ACCESS TO AND FROM THEIR SYSTEMS BY DISABLING REMOTE COMMUNICATIONS IF NO BUSINESS NEED EXISTS, TIGHTLY CONTROLLING ACCESS THROUGH MANAGEMENT APPROVALS AND SUBSEQUENT AUDITS, IMPLEMENTING ROBUST CONTROLS OVER CONFIGURATIONS AT BOTH ENDS OF THE REMOTE CONNECTION TO PREVENT POTENTIAL MALICIOUS USE, LOGGING AND MONITORING ALL REMOTE ACCESS COMMUNICATIONS, SECURING REMOTE ACCESS DEVICES, AND USING STRONG AUTHENTICATION AND ENCRYPTION TO SECURE COMMUNICATIONS - FFIEC PHYSICAL ACCESS CONTROLS FINANCIAL INSTITUTIONS SHOULD DEFINE PHYSICAL SECURITY ZONES AND IMPLEMENT APPROPRIATE PREVENTATIVE AND DETECTIVE CONTROLS IN EACH ZONE TO PROTECT AGAINST THE RISKS OF PHYSICAL PENETRATION BY MALICIOUS OR UNAUTHORIZED PEOPLE, DAMAGE FROM ENVIRONMENTAL CONTAMINANTS, AND ELECTRONIC PENETRATION THROUGH ACTIVE OR PASSIVE ELECTRONIC EMISSIONS. - FFIEC ENCRYPTION CONTROLS FINANCIAL INSTITUTIONS SHOULD EMPLOY ENCRYPTION TO MITIGATE THE RISK OF DISCLOSURE OR ALTERATION OF SENSITIVE INFORMATION IN STORAGE AND TRANSIT. ENCRYPTION IMPLEMENTATIONS SHOULD INCLUDE ENCRYPTION STRENGTH SUFFICIENT TO PROTECT THE INFORMATION FROM DISCLOSURE UNTIL SUCH TIME AS DISCLOSURE POSES NO MATERIAL RISK, EFFECTIVE KEY MANAGEMENT PRACTICES, ROBUST RELIABILITY, AND APPROPRIATE PROTECTION OF THE ENCRYPTED COMMUNICATION'S ENDPOINTS FFIEC ENCRYPTION KEY MANAGEMENT GENERATING KEYS FOR DIFFERENT CRYPTOGRAPHIC SYSTEMS AND DIFFERENT APPLICATIONS; GENERATING AND OBTAINING PUBLIC KEYS; DISTRIBUTING KEYS TO INTENDED USERS, INCLUDING HOW KEYS SHOULD BE ACTIVATED WHEN RECEIVED; STORING KEYS, INCLUDING HOW AUTHORIZED USERS OBTAIN ACCESS TO KEYS; CHANGING OR UPDATING KEYS, INCLUDING RULES ON WHEN KEYS SHOULD BE CHANGED AND HOW THIS WILL BE DONE; DEALING WITH COMPROMISED KEYS; REVOKING KEYS AND SPECIFYING HOW KEYS SHOULD BE WITHDRAWN OR DEACTIVATED; RECOVERING KEYS THAT ARE LOST OR CORRUPTED AS PART OF BUSINESS CONTINUITY MANAGEMENT; ARCHIVING KEYS; DESTROYING KEYS -FFIEC MONITORING MONITORING NETWORK AND HOST ACTIVITY TO IDENTIFY POLICY VIOLATIONS AND ANOMALOUS BEHAVIOR; MONITORING HOST AND NETWORK CONDITION TO IDENTIFY UNAUTHORIZED CONFIGURATION AND OTHER CONDITIONS WHICH INCREASE THE RISK OF INTRUSION OR OTHER SECURITY EVENTS; ANALYZING THE RESULTS OF MONITORING TO ACCURATELY AND QUICKLY IDENTIFY, CLASSIFY, ESCALATE, REPORT, AND GUIDE RESPONSES TO SECURITY EVENTS; AND RESPONDING TO INTRUSIONS AND OTHER SECURITY EVENTS AND WEAKNESSES TO APPROPRIATELY MITIGATE THE RISK TO THE INSTITUTION AND ITS CUSTOMERS, AND TO RESTORE THE INSTITUTION'S SYSTEMS. MONITORING SHOULD, COMMENSURATE WITH THE RISK, IDENTIFY CONTROL FAILURES BEFORE A SECURITY INCIDENT OCCURS, DETECT AN INTRUSION IN SUFFICIENT TIME TO ENABLE AN EFFECTIVE AND TIMELY RESPONSE, SUPPORT POST-EVENT FORENSICS ACTIVITIES. - FFIEC FUTURE TRENDS/THREATS DEPEND ON TECHNOLOGY TRENDS TELECOMS AND BANKING CONVERGENCE RISKS IN MOBILE MONEY INDUSTRY CLOUD COMPUTING MOBILE COMPUTING AND WIRELESS COMPUTING THREATS EASE OF ACCESS TO INTERNET AND TOOLS TO COMMIT FRAUD FASTER SPEEDS FOR INTERNET ACCESS IN EAST AFRICA GREATER OUTSOURCING? NEW IT SAVVY GENERATION? SOLUTIONS IT AWARENESS USER AND CUSTOMER TRAINING STAFF SCREEENING ETHICAL EMPHASIS EMBEDDING STRONG CONTROL AND RISK CULTURE IN BANKS SYSTEMS CERTIFICATION BY REGULATORS BEFORE DEPLOYMENT STRENGHTEN IT CONTROL, SECURITY, AUDIT PROFESSION AND TRAIN MORE PROFESSIONALS INCREASE CEO AND BOARD AWARENESS OTHER BEST PRACTICES ISO 17799 : CODE OF PRACTIVE FOR INFORMATION SECURITY MANAGEMENT BS 7799: SPECIFICATION FOR INFORMATION SECURITY MANAGEMENT SYSTEMS COBIT . QUESTIONS? REFERENCES http://ithandbook.ffiec.gov/it-booklets.aspx http://www.securitymanagement.com/article/atm-fraud-trendseurope-006362 http://www.bizreport.com/2009/03/consumers_in_the_us_are.html# http://www.csoonline.com/article/555863/atm-skimming-how-torecognize-card-fraud http://iss.gwu.edu/merlincgi/p/downloadFile/d/21440/n/off/other/1/name/BaselineSecurityRequi rementsandControls-Techn/ http://fvter.wordpress.com/2008/01/30/kervielsociete-generaleinformation-security-insider-threat/ http://www.computerweekly.com/Articles/2009/10/27/238308/Podcastinterview-Nick-Leeson-says-Integrated-IT-could-have-preventedBarings.htm