The processes by which information resources are used and disseminated within the bank determine the nature of the potential risks that the bank may face.
In the continual effort to maintain the bank’s position and preserve customer loyalty, the bank employs fortified external defence mechanisms: firewalls, intrusion detection systems, access control instruments and security awareness programmes. These, to a large extent, protect the bank from external malicious attacks.
Security breaches can occur, particularly in change management scenarios or the introduction of new products and services. The change management processes relating to this introduction and how to integrate legacy systems into new processes must be carefully thought out during the roll out.
Breaches of this kind often compromise confidentiality, availability and, in some cases, the integrity of information assets. It is particularly important to ensure that third party access to critical applications is restricted during the introductory phase of new technology-related products.
Ensuring systems integrity
The process of ensuring a safe, sound and secure information system can be complemented with a structured approach to auditing the internal control systems in the information technology space. Information technology audit is critical in evaluating internal controls over the integrity, confidentiality, and availability of data maintained in information systems.
The IT Auditor must be competent and ethically inclined. The auditor must conduct independent reviews and examinations of records and activities to assess the adequacy of system controls, as a means of ensuring compliance with established policies and operational procedures. As part of these core responsibilities, the IT Auditor must recommend changes in controls, policies or procedures to maintain the continual integrity of the systems.
The product factor in information risk management
The complexity of the product range offered by the bank exposes it to different degrees of risk. Individual products have inherent risks embedded in them. Software installed on a customer’s premises to let the customer interface with the bank, for instance, poses more security challenges than the simple use of ATMs.
Security challenges may emanate from unauthorized use of systems by the customer’s employees or the interception or manipulation of information through any point in the communication channel that is employed to relay messages to and from the bank.
Even more importantly, risk still prevails at the point where customer instructions are received in the bank. A member of bank staff may manipulate the information before it is acted upon by the appropriate personnel. This risk is especially endemic in payroll systems and instructions for claims settlement. Encryption technologies may be helpful in this regard.
E-mail usage and text messaging
Banks are increasingly under pressure to ensure that all records, including communications such as e-mail and text messaging systems, are secure and safe from malicious users both within and outside the organisation. While these two products have seen widespread usage and have become competitive advantages in customer satisfaction, they have also become “killer” applications for many banks in view of the exposure to phishing and other e-mail related scams.
The bank is particularly exposed to third party providers of the related telecommunication systems considering the deepened collaboration with the telecommunication companies. This has resulted in the integration of external systems into the bank’s mainstream operational processes to permit customers to make inter account transfers, among others.
Though a competitive imperative, such inevitable collaboration exposes the bank to a new wave of risks outside its sphere of control, with service level agreements as the only comfort, and these may easily be breached by staff of the external agency.
Some banks deliberately block access to certain internet sites, especially social networking sites like Facebook, Viadeo and Twitter, and pornographic sites. The USB ports on staff computers may also be blocked to prevent the introduction of contaminated devices that may infect the network with viruses.
The external factor in information security
Government regulations usually force companies, including banks, to take security and control more seriously by mandating the protection of data from abuse, exposure and unauthorized access.
In many jurisdictions there are also legal obligations regarding electronic records management, document retention and privacy requirements. Data may be required to be stored on a secure medium and held for defined periods. Failure to comply may expose the bank to penalties. Special security measures may also be expected to be enforced to protect such data on specific media during transmission.
The other key external factor to consider in information risk management is the relationship with outsourcing agents. Where the bank considers it appropriate to use the services of external parties to minimize cost, new risk issues emerge.
Control factors necessary to mitigate these risks include effective due diligence in the selection of new service providers. Evaluation must cover the financial condition, experience, expertise, technical compatibility and customer satisfaction of the outsourcing agency. Written contracts with specific provisions to protect the privacy and security of the bank’s data, ownership of data, the right to audit security controls, the ability to monitor quality of service and termination of contract must be core conditions in the selection process of third party agents.
Information risk assessment
A proper assessment of information risk starts with an understanding of the potential sources of threats to the information system. A threat is the potential for a particular vulnerability to be exercised so as to compromise the confidentiality, integrity or availability of the bank’s information systems.
Key threats to an information system could be summed up as follows:
- Natural threats arising from flood, earthquakes and hurricanes
- Human threats (including deliberate or inadvertent data entry errors), such as:
  - Accidental disclosure
  - Deliberate alteration of software
  - Malicious use of communications
  - Intentional alteration, deletion or insertion of spurious data to aid fraud perpetration
- Environmental threats, including:
  - Electrical interference or disruption which may result in a denial of service
  - System configuration error during initial installation or upgrade of hardware, software or telecommunication equipment
  - Telecommunication malfunction or interruption affecting the transfer of data between computer terminals, remote or distributed processors and the host facility
  - Pollution and water damage
Knowledge of the possible sources of threats enables management to determine the likelihood and impact of each risk. Vulnerabilities can be assessed through various methods. These exercises are usually qualitative in nature since it is not easy to measure quantitative risks in information systems.
Quantitative measures do not lend themselves to precise measurement in information systems in view of:
- the difficulties in identifying and assigning values to assets, and
- the lack of statistical information to enable management to determine frequency of occurrences. Reliance is therefore placed on the best available information, which may itself not be well grounded in documented past experiences.
Vendor websites and public vulnerability archives such as Common Vulnerabilities and
Previous audit reports are invaluable reference points in assessing the likelihood and impact of information risk events. The findings also help in rating the impact of risk events, e.g. low, medium or high.
Establishing a security policy
Following a risk assessment which basically identifies what security threats face the bank in terms of information security, the board must establish a policy for protecting the bank’s information assets.
Key among the issues would be an Acceptable Use Policy (AUP). This would define what the bank considers to be acceptable uses of its information resources. Coverage includes all computing equipment, laptops, wireless devices, and acceptable use of the internet.
A relevant security policy would cover critical issues like authorization processes. It would also define who would have access to what information resource and establish a hierarchy of controls on the use of all information resources. For instance, in some banks, the emoluments and accounts of key staff are kept outside the purview of unauthorized staff.
The Bank’s Information Security Policy Manual must identify ‘sensitive areas’. Sensitive areas are locations that house components that are key points of failure and as such could be exploited to disrupt the Bank’s IT systems or gain access to its electronic files.
Access to sensitive areas should be restricted to personnel who have a legitimate business need. In high risk situations this should be recorded.
A formal role for audit in ensuring compliance with laid-down rules would be a key ingredient in establishing an information security policy. Audit inspections must cover critical areas to ensure that:
- Server rooms have air conditioners and that they are in good working order.
- Server rooms have entry controls and access to them is strictly on a need-to-use basis.
- Server rooms are equipped with temperature controls.
Banks shall put in place physical protection against damage from fire, flood, explosion and other forms of natural or man-made disasters. Audit inspections must also cover emergency/fire exits with visible signage, fire extinguishers, smoke detectors and alarm systems, and risk transfer/sharing mechanisms like insurance coverage.
Disaster recovery planning, within the totality of the bank’s business continuity management systems, must be integrated into the security systems.
A key characteristic of information systems is that change is inevitable to ensure adaptation to new developments in the technological space. It is critical to follow a systematic change management process when a database is extensively corrupted by a software bug and requires direct data editing to resolve the problem.
Change management also occurs during the introduction of SMS transaction alerts and Internet Banking services, where modifications have to be made to the software that operates the ATMs, transaction alerts and Internet Banking services, in an era where these have become basic enhancements to customer service.
Similarly, a conscious process must be in place when further ATM terminals are connected to the network, requiring it to be extended and its capacity scaled up, and when system changes are made by maintenance personnel who were not members of the original system development team and are thus less familiar with its original design.
The complexity of modern interconnected systems is such that a change to one component can easily result in unanticipated consequences elsewhere.
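The direct data edit described above is the change that most often escapes control, because it bypasses the application. The following is an added example for this article, not a bank’s own procedure: a one-record correction that runs inside a transaction, is tied to a change ticket, refuses to apply if the current value no longer matches the before-image the fix was approved against, verifies the result, and writes a before/after audit record. The schema, the placeholder ticket reference and the sample ledger rows are constructed for the example.

```python
"""Controlled direct data correction under a change management process.
Added example: the schema, ticket id and sample data are assumptions."""
import sqlite3
from datetime import datetime, timezone


def setup_db():
    """Constructed sample ledger with one corrupted row (a negative balance)."""
    # isolation_level=None: we manage BEGIN/COMMIT/ROLLBACK explicitly.
    con = sqlite3.connect(":memory:", isolation_level=None)
    con.executescript("""
        CREATE TABLE accounts(acct_no TEXT PRIMARY KEY, balance INTEGER NOT NULL);
        CREATE TABLE data_fix_audit(
            id INTEGER PRIMARY KEY, ticket TEXT NOT NULL, applied_by TEXT NOT NULL,
            applied_at TEXT NOT NULL, table_name TEXT, key TEXT,
            before_image TEXT, after_image TEXT);
        INSERT INTO accounts VALUES ('1001', 250000), ('1002', -999999), ('1003', 1200);
    """)
    return con


def apply_data_fix(con, ticket, operator, acct_no, expected_before, new_balance):
    """Correct one account balance.  Preconditions: a ticket reference is present
    and the current value equals the before-image the fix was approved against
    (guards against applying a stale or duplicated fix).  Returns the audit row
    id; raises and rolls back on any failed check."""
    if not ticket:
        raise ValueError("a change ticket reference is required")
    try:
        con.execute("BEGIN")
        row = con.execute("SELECT balance FROM accounts WHERE acct_no=?",
                          (acct_no,)).fetchone()
        if row is None:
            raise LookupError(f"account {acct_no} not found")
        if row[0] != expected_before:
            raise ValueError(f"current value {row[0]} differs from approved "
                             f"before-image {expected_before}")
        con.execute("UPDATE accounts SET balance=? WHERE acct_no=?",
                    (new_balance, acct_no))
        # Post-condition: the corrected value is what is now stored.
        (after,) = con.execute("SELECT balance FROM accounts WHERE acct_no=?",
                               (acct_no,)).fetchone()
        if after != new_balance:
            raise RuntimeError("post-update verification failed")
        cur = con.execute(
            "INSERT INTO data_fix_audit(ticket, applied_by, applied_at, table_name,"
            " key, before_image, after_image) VALUES (?,?,?,?,?,?,?)",
            (ticket, operator, datetime.now(timezone.utc).isoformat(),
             "accounts", acct_no, str(expected_before), str(new_balance)))
        con.execute("COMMIT")
        return cur.lastrowid
    except Exception:
        con.execute("ROLLBACK")   # nothing partial survives a failed check
        raise


def run_demo():
    """Apply the fix once, then show that re-running the same approved fix is
    refused because the before-image no longer matches."""
    con = setup_db()
    ticket = "CHG-0000 (placeholder ticket id)"
    audit_id = apply_data_fix(con, ticket, "dba1", "1002", -999999, 4500)
    try:
        apply_data_fix(con, ticket, "dba2", "1002", -999999, 4500)
        refused = False
    except ValueError:
        refused = True
    balance = con.execute("SELECT balance FROM accounts WHERE acct_no='1002'").fetchone()[0]
    audit_rows = con.execute("SELECT COUNT(*) FROM data_fix_audit").fetchone()[0]
    return {"audit_id": audit_id, "balance": balance,
            "refused": refused, "audit_rows": audit_rows}


if __name__ == "__main__":
    print(run_demo())
```

The before-image check is what turns an ad hoc UPDATE into a controlled change: the approved fix applies exactly once, and the audit table gives the auditor the ticket, the operator and both images to review afterwards.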
TOOLS FOR MANAGING INFORMATION SECURITY
Various tools and technologies are available to secure information systems from identified security threats.
Access controls include policies and procedures a bank may use to prevent unauthorized access to information resources. This could come by way of access control software which authenticates whoever uses any part of the system, usually through passwords, tokens or smart card/chip-based technologies.
Included in this is biometric authentication, which reads and interprets a user’s fingerprints, face, eye or voice and denies access to anyone whose data has not previously been authorized and stored for the purpose of identification.
Firewalls come in the form of hardware and software technologies. These seek to protect the information system from external penetration.
A comprehensive review of operational and management controls could be established, either by comparing the current documentation to best practices or by comparing actual practices against current documented processes. ISO 17799 is an invaluable reference point in this regard.
Vulnerability scanners are software tools used to examine an operating system, network application or code for known weaknesses by comparing the system against a database of signatures of known flaws.
Intrusion detection systems are software monitoring tools placed at the most vulnerable points of the organisation’s networks to detect and deter intruders continually. The systems are usually designed to raise an alarm where any suspicious activity occurs, for example where a criminal repeatedly uses false passwords to enter a system or attempts to delete or modify data or files.
Anti-virus and anti-spyware software are available as tools to check computer systems and drives for the presence of computer viruses. They are usually designed to flush out viruses criminally introduced into the network. They must be continually updated to keep pace with emerging viruses and with the bank’s scale and complexity of operations.
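The repeated-false-password case mentioned for intrusion detection is the simplest rule such a system raises an alarm on. As an added example for this article, not any product’s own logic, the code below runs that rule over a handful of constructed authentication log lines: it counts failed logins per source and user within a sliding time window, raises one alert when the count reaches a threshold, and marks whether a later successful login from the same source followed, which is the alert an analyst should look at first. The log format and the sample lines are assumptions.

```python
"""Threshold-based detection of repeated failed logins over authentication
logs.  Added example: the log format and sample lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system), in time order.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth source=10.0.5.17 user=jdoe result=FAIL
2024-03-01T09:00:03 auth source=10.0.5.17 user=jdoe result=FAIL
2024-03-01T09:00:04 auth source=10.0.5.17 user=jdoe result=FAIL
2024-03-01T09:00:06 auth source=10.0.5.17 user=jdoe result=FAIL
2024-03-01T09:00:07 auth source=10.0.5.17 user=jdoe result=FAIL
2024-03-01T09:00:09 auth source=10.0.5.17 user=jdoe result=OK
2024-03-01T09:01:00 auth source=10.0.9.2 user=asmith result=FAIL
2024-03-01T09:20:00 auth source=10.0.9.2 user=asmith result=FAIL
2024-03-01T09:40:00 auth source=10.0.9.2 user=asmith result=OK
2024-03-01T10:00:00 file action=DELETE path=/data/ledger.db user=jdoe result=DENIED
"""

# Only authentication lines are parsed; other event types are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth source=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_auth_events(text):
    """Yield (timestamp, source, user, result) for each auth line in the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]


def detect_repeated_failures(text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per (source, user) whose failed logins within the sliding
    window reach the threshold.  Each alert records the failure count, the span
    of the burst, and whether a later successful login from the same source
    followed.  Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerted = {}                  # (src, user) -> alert dict
    for ts, src, user, result in parse_auth_events(text):
        key = (src, user)
        if result == "FAIL":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted[key] = {"source": src, "user": user, "failures": len(q),
                                "first": q[0], "last": ts,
                                "followed_by_success": False}
        elif result == "OK" and key in alerted:
            # A success after a burst of failures is the case to triage first.
            alerted[key]["followed_by_success"] = True
    return list(alerted.values())


if __name__ == "__main__":
    for alert in detect_repeated_failures(SAMPLE_LOG):
        print(alert)
```

With the defaults, the five failures for jdoe within six seconds produce one alert, flagged because the success at 09:00:09 followed; the two asmith failures nineteen minutes apart never fall inside the same window, so a slow, spread-out pattern is not alerted on by this rule, which is exactly the kind of gap a tuning review should note.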