Information Security Controls
Security threats can affect a financial institution through numerous vulnerabilities. No single control or security device can adequately protect a system connected to a public network. Effective information security comes only from establishing layers of various control, monitoring, and testing methods. While the details of any control and the effectiveness of risk mitigation depend on many factors, in general, each financial institution with external connectivity should ensure the following controls exist internally or at their TSP.
- Ongoing knowledge of attack sources, scenarios, and techniques. Financial institutions should maintain an ongoing awareness of attack threats through membership in information-sharing entities such as the Financial Services - Information Sharing and Analysis Center (FS-ISAC), Infragard, the CERT Coordination Center, private mailing lists, and other security information sources. All defensive measures are based on knowledge of the attacker's capabilities and goals, as well as the probability of attack.
- Up-to-date equipment inventories, and network maps. Financial institutions should have inventories of machines and software sufficient to support timely security updating and audits of authorized equipment and software. In addition, institutions should understand and document the connectivity between various network components including remote users, internal databases, and gateway servers to third parties. Inventories of hardware and the software on each system can accelerate the institution's response to newly discovered vulnerabilities and support the proactive identification of unauthorized devices or software.
- Rapid response capability to react to newly discovered vulnerabilities. Financial institutions should have a reliable process to become aware of new vulnerabilities and to react as necessary to mitigate the risks posed by newly discovered vulnerabilities. Software is seldom flawless. Some of those flaws may represent security vulnerabilities, and the financial institution may need to correct the software code using temporary fixes, sometimes called a "patch." In some cases, management may mitigate the risk by reconfiguring other computing devices. Frequently, the financial institution must respond rapidly, because a widely known vulnerability is subject to an increasing number of attacks.
- Network access controls over external connections. Financial institutions should carefully control external access through all channels including remote dial-up, virtual private network connections, gateway servers, or wireless access points. Typically, firewalls are used to enforce an institution's policy over traffic entering the institution's network. Firewalls are also used to create a logical buffer, called a "demilitarized zone," or DMZ, where servers are placed that receive external traffic. The DMZ is situated between the outside and the internal network and prevents direct access between the two. Financial institutions should use firewalls to enforce policies regarding acceptable traffic and to screen the internal network from directly receiving external traffic.
- System hardening. Financial institutions should "harden" their systems prior to placing them in a production environment. Computer equipment and software are frequently shipped from the manufacturer with default configurations and passwords that are not sufficiently secure for a financial institution environment. System "hardening" is the process of removing or disabling unnecessary or insecure services and files. A number of organizations have current efforts under way to develop security benchmarks for various vendor systems. Financial institutions should assess their systems against these standards when available.
- Controls to prevent malicious code. Financial institutions should reduce the risks posed by malicious code by, among other things, educating employees in safe computing practices, installing anti-virus software on servers and desktops, maintaining up-to-date virus definition files, and configuring their systems to protect against the automatic execution of malicious code. Malicious code can deny or degrade the availability of computing services; steal, alter, or insert information; and destroy any potential evidence for criminal prosecution. Various types of malicious code exist including viruses, worms, and scripts using active content.
- Rapid intrusion detection and response procedures. Financial institutions should have mechanisms in place to reduce the risk of undetected system intrusions. Computing systems are never perfectly secure. When a security failure occurs and an attacker is "in" the institution's system, only rapid detection and reaction can minimize any damage that might occur. Techniques used to identify intrusions include intrusion detection systems (IDS) for the network and individual servers (i.e., host computer), automated log correlation and analysis, and the identification and analysis of operational anomalies.
- Physical security of computing devices. Financial institutions should mitigate the risk posed by unauthorized physical access to computer equipment through such techniques as placing servers and network devices in areas that are available only to specifically authorized personnel and restricting administrative access to machines in those limited access areas. An attacker's physical access to computers and network devices can compromise all other security controls. Computers used by vendors and employees for remote access to the institution's systems are also subject to compromise. Financial institutions should ensure these computers meet security and configuration requirements regardless of the controls governing remote access.
- User enrollment, change, and termination procedures. Financial institutions should have a strong policy and well-administered procedures to positively identify authorized users when given initial system access (enrollment) and, thereafter, to limit the extent of their access to that required for business purposes, to promptly increase or decrease the degree of access to mirror changing job responsibilities, and to terminate access in a timely manner when access is no longer needed.
- Authorized use policy. Each financial institution should have a policy that addresses the systems various users can access, the activities they are authorized to perform, prohibitions against malicious activities and unsafe computing practices, and consequences for noncompliance. All internal system users and contractors should be trained in, and acknowledge that they will abide by, rules that govern their use of the institution's system.
- Training. Financial institutions should have processes to identify, monitor, and address training needs. Each financial institution should train their personnel in the technologies they use and the institution's rules governing the use of that technology. Technical training is particularly important for those who oversee the key technology controls such as firewalls, intrusion detection, and device configuration. Security awareness training is important for all users, including the institution's e-banking customers.
- Independent testing. Financial institutions should have a testing plan that identifies control objectives; schedules tests of the controls used to meet those objectives; ensures prompt corrective action where deficiencies are identified; and provides independent assurance for compliance with security policies. Security tests are necessary to identify control deficiencies. An effective testing plan identifies the key controls, then tests those controls at a frequency based on the risk that the control is not functioning. Security testing should include independent tests conducted by personnel without direct responsibility for security administration. Adverse test results indicate a control is not functioning and cannot be relied upon. Follow-up can include correction of the specific control, as well as a search for, and correction of, a root cause. Types of tests include audits, security assessments, vulnerability scans, and penetration tests.
Authenticating E-Banking Customers