
infotex Managing Technology Risk my.infotex.com (800) 466-9939

Confidentiality Notice: The enclosed information is proprietary and confidential, and should not be disclosed to third parties without prior consent of infotex, with the exception of disclosure in the name of audits, regulations, and/or litigation. Copyright © 2003 - 2011 infotex. All rights reserved with the only exception being those listed above.

Goin’ Mobile, Not Nuts!

Presented by: Dan Hadaway, CRISC March 27th, 2012

Goin' Mobile, Not Nuts! 3/27/2013

Mobile Security and the FFIEC!

Dan Hadaway, CRISC, Managing Partner, Infotex

“Goin’ Mobile, not Nuts!”

The Branchless Bank

infotex map of the FFIEC Requirements for an IT Governance Program (diagram):

IT Governance
• Policy
• Access Management
• Incident Response
• Asset Management
• Business Continuity
• Vendor Management
• Technical Security
• Standards
• Awareness
• Risk Management

IT Governance map (diagram), extended with two more program areas:
• Policy
• Access Management
• Incident Response
• Asset Management
• Business Continuity
• Vendor Management
• Technical Security
• Standards
• Awareness
• Risk Management
• Electronic Record Retention
• Branchless Banking

Asset Management (diagram; called for in most other programs)
• Branchless Banking Policy
• Standards and Tools
• Network Diagram Procedure
• License Management Procedure
• Branchless Banking Management Procedure
• Electronic Record Retention Procedure
• Standards and Tools

Electronic Record Retention

Branchless Banking
• Customer Facing
• Internal Facing

Portable Devices

Branchless Banking (diagram)
• Business Banking
• Internet Banking
• Mobile Banking
• ATMs
• Telephone Banking

Remote Access

Branchless Banking (diagram)
• Business Banking
  – Remote Capture
  – ACH / Wire Origination
  – Business Billpay
  – Social Media
• Internet Banking
  – Online Applications
    o Secure Messaging Portal
    o Consumer Loan Applications
    o Mortgage Applications
  – Online Banking
    o eStatements
    o Billpay
    o Mobile Web
• Mobile Banking
  – SMS Banking
  – Mobile Payments
  – Mobile Apps
    o Future
    o Android
    o iPhone
  – Consumer Capture
• ATMs
• Telephone Banking

Branchless Banking (same diagram as the previous slide, split by audience)
• Customer Facing
• Internal Facing

Branchless Banking, Portable Devices, Remote Access (diagram)
• Policy (Procedure)
• Configuration Standards
• Enforcement Standards

Branchless Banking, Portable Devices, Remote Access (diagram)
• Policy (Procedure)
• Configuration Standards
• Enforcement Standards

The same three layers placed against the IT Governance map (Policy, Access Management, Incident Response, Asset Management, Business Continuity, Vendor Management, Technical Security, Standards, Awareness, Risk Management, Electronic Record Retention, Branchless Banking).

Today’s Agenda
• The Branchless Bank
• Workshop and the Workbook
• Mobile Risk
• FFIEC Requirements (related to Mobile Security)
• Drill-down Risk Assessments
• BYOD
• Pulling it all together!

In this next section
• We will learn how Dan hopes to control the time in this workshop!
• We will help Dan customize the workshop to why we’re here!
• We will review the Workshop Workbook.

How We’ll Do It!
• First we’ll learn each other’s name!

Chalk Talk
• What are you doing?
• What do you think?
• Who are you using?

We’ll Play a Trivia Game
Dan will ask a question.
A. Yell out the answer!
B. Help Dan guess who got the right answer first!
C. Figure there’s a reason the question is being asked!
D. All of the above!

We’ll be doing some

Mini-Quizzes are intended to ensure understanding. ASK QUESTIONS!

Handout: Action Plan
• What MIGHT you add to your action plan based on the previous material?
• Give it a name.
• Write it in the top section of your Action Plan sheet.

Vulnerabilities and Horror Stories

There’ll be some work
• Mini-quizzes
• Boilerplates

And some homework . . .
• Electronic copies of pertinent policies, procedures, and tools will be available on our “workshop portal.”

The Workshop Portal
• Resources
• Boilerplates

Wireless Banking Kit
• Wireless Banking Risk Assessment
• Wireless Banking Vendor Due Diligence Kit
• SSAE-16 Review Checklist
• Public Presence Content Checklist
• Mobile Banking Tips and Trends

BYOD Policy Kit

And a customer awareness kit . . .

Goin’ Mobile Policy Set
• Let’s see the directory structure!

Who’s Here?
• Name
• Title (or role)
• Your Bank
• Your Town
• Size of your Bank
• Who has ‘em!

Our Credentials
• Information Security
  – CRISC (a risk management certification)
  – CISAs, CISMs, CISSPs
  – Conducted first risk assessment in 1989
  – Updating our “process” annually
• Though BSA, OFAC, FACTA cross over into GLBA, we don’t see ourselves as experts.

A Note About Nomenclature
• Everybody has their own terminology.
• What is important is the concept.
• Be on the lookout for terminology that your examiners are currently using.

The Workbook

Action Plan
• Read your action plan:
  – Tonight
  – Tomorrow
  – Next Week
  – Next Month
  – Next Year

Today’s Agenda (repeated from the earlier slide)

In this next section
• We will talk about two different asset categories:
  – Wireless Banking (Mobile Banking)
  – Portable Devices (BYOD)
• We will work off a “drill-down” agenda . . .

Today’s Agenda
• Mobile Risk
  – The Assets
  – The Threats
  – The Vulnerabilities
  – The Controls!

A Trio of Questions
• What’s different about branchless banking versus regular banking?
• What’s different about mobile information assets versus regular information assets?
• How do we define “mobile?”

What are “portable devices?”
• Cellphones
• Laptops
• Smart Phones
• Tablet PCs (iPads, Android Tablets, etc.)

What about my flash drive?

What’s the same?
• They are computers.
• With the same vulnerabilities and attack vectors.

What’s different?
• They leave the branch.
• They connect to several wireless networks including WiFi, WiDi, 3G & 4G, GPS, Bluetooth, Cellular, SMS
• And anything else coming down the road.

The Asset: High Level
• Small Form Factor
• At least one wireless network
• Local data storage (rather than network)
• New and Multiple Operating Systems
• Applications available through multiple channels
• Synchronization of Data

The Asset: Networking
• Wi-Fi, Wi-Di, 3G, LTE, 4G, SMS
• Personal Area Networks (Bluetooth, NFC, Hotspot Capabilities)
• Voice Communications (cellular, but also Skype, Facetime, etc.)
• Location: GPS Capabilities

The Asset: Input / Output
• Camera (and Scanner)
• Video Camera
• Microphone
• Speaker
• Sound Jack
• LED Flash Capabilities
• Input Accessories: keyboards, card readers (like Square)

The Asset: Data Storage
• Synchronization to remote storage
• Local Storage
• Support for removable media devices.
• Ability to become a removable media device.

The Asset: Applications
• Evolving Operating Systems
• Application Markets
• Built-in Web Browsing Capabilities
• Strong Search Capabilities

Today’s Agenda
• Mobile Risk
  – The Assets
  – The Threats
  – The Vulnerabilities
  – The Controls!

Inherent Threats
• Lack of Physical Security Controls
• Potential Lack of Control (BYOD)
• Use of Untrusted Networks
• Use of Unknown Applications

Inherent Threats
• Interaction with Other Systems
• Use of Untrusted Content
• Use of Location Services
• Always on, on steroids
  – Always on
  – Always have them.

Who are they?
Let’s see Dan use the flip-board!

Strategic Risk

Tepid Adoption
The Risk of Losing Reputation and Market Share after spending a lot of money, but not as much as everybody else.

2. Tepid Adoption

Six Primary Questions
1. What is the value proposition for mobile banking?
2. What will motivate consumers to adopt mobile banking?
3. How are consumers utilizing mobile banking currently? (who is the existing market and what are they doing in it?)
4. Who are the key vendors of wireless banking solutions?
5. What are the key success factors in creating a wireless banking solution?
6. What are financial institutions offering now in mobile banking?

Question 1: Value Proposition
• Financial Institution’s customers are on average 46% more profitable when they actively use a suite of mobile banking products.
Source: Intuit Financial Services advertising when you try to go to the americanbanker.com website.

Question 1: Value Proposition
• Which investment offers the most obvious return?
  – New Branch
  – Wireless Banking

2. Motivating Consumer Adoption
• Smart Phone Growth
• Peers
• Anytime, anywhere
• Convenience
The customers are already motivated. How long will they wait for YOU to be motivated?

3. How are users currently using mobile banking?

Question 4: Key Vendors
• Start with your core and your on-line banking provider.
• Don’t end there.
• A list of key wireless banking providers is in the Vendor Due Diligence Kit on our portal.

5. Success Factors
• Access (no longer as impactful)
  – AT&T or Verizon or Both
• Integration
• Security and Risk Management
• Features (and quality of app)

6. Features (Bird’s Eye View)
• Channels
• Platforms
• Core App Functionality (Front end + wallet)
• Non-traditional Features

Channels
• Mobile Web (browser based)
• Text banking
• Smart Phone Applications

Mobile Web Features
• Browser Based
• Reformats for the small screen size
• Subset of your existing on-line banking features.
• Sometimes will downplay navigation features that go to risky transactions.

Traditional On-line Banking Feature Categories used in Mobile Web
Non-transactional
o Viewing recent transactions
o Checking Account Balances
o Checking for deposits and when checks clear.
o Reading Secure Messages
o Payments to Third Parties (already set up)
o Funds Transfers (internal)

Traditional On-line Banking Feature Categories not used in Mobile Web
Transactional
o Setting Up Payments to third parties
o Downloading Bank Statements (multiple formats: PDF, QIF, CSV)
o Viewing images of checks
o Applications (loans, accounts, etc.)
o Investment purchase or sale

SMS Features
• Checking your Balance
• Find an ATM or Branch
• One-way Account Alerts
  – Balances, Transactions, Stock Prices
  – Recurring Deposits
• OTP Authentication

Smart-phone Application Features (boring)
• Check balances
• Pay Bills
• Transfer Funds
• Trade Stocks

Smart-phone Application Features (still boring)
• Status of credit requests
• Complaint submission
• Branch and ATM Locations

Smart-phone Application Features (cool)
• Customization
  – Preferred Language
  – Date / Time format
  – Amount format
  – Monitoring Parameters (for SMS Alerts)

Smart-phone Application Features (way)
• Front End of Existing Accounts
  o Transact off existing Bank Account
  o Starbucks, Subway, Amazon.
  o Mobile Web and Smart-phone Apps
• Self-Contained Wallet
  – The money is actually ON the mobile device

Smart-phone Application Features (way)
• Wallet Capabilities
  – Scan and Pay
  – Wave and Go (Europe)
  – Peer to Peer (P2P) Payments
  – Gift Cards
• Consumer Capture

Consumer Capture (slide image)

Walk, not Crawl, Before you Run
• Offer all three distribution channels but:
  – Have a tactical plan to stagger platform release.
  – Update your Incident Response Process

Walk, not Crawl, Before you Run
• Limit high risk transactions
  – Changing Authentication Credentials
  – Transfers to outside accounts
  – Volume of transactions
  – Size of transactions

Compliance Versus Convenience
• Registration of New Users
  – Drive to make this as lightweight as possible
  – Real AML and CTF implications
  – KYC (Know-your-customer) usually complicates registration, leaving the “data set” with some holes until the customer can use other channels to fill them.

Registration of New Users
• Mitigating Controls
  – Only load limited funds into the wallet AFTER all CIP fields are complete.
  – No other transfer of funds.
  – Only allow purchase of goods and services until all CIP data fields are completed.
  – Limit size of transactions
  – Enforce funds to be loaded or unloaded to one specific bank account
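One way to turn the registration controls above, together with the "limit high risk transactions" list from the "Walk, not Crawl" slide, into a single policy check (added example, not part of the workshop material; the transaction kinds, field names and limit values are assumptions):

```python
"""Mobile-channel transaction policy check (added example).

Encodes the slide's controls for new-user registration (purchases only
until CIP is complete, limited wallet loads afterwards, one linked
funding account, per-transaction size limit) plus the "limit high risk
transactions" list (credential changes, transfers to outside accounts,
transaction volume and size). Field names and limit values are assumed.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional

# Transaction kinds a mobile wallet / mobile banking channel might see (assumed names).
PURCHASE = "purchase"                  # goods and services paid from the wallet
LOAD = "load"                          # bank account -> wallet
UNLOAD = "unload"                      # wallet -> bank account
TRANSFER_OUT = "transfer_out"          # transfer to an account outside the bank
CHANGE_CREDENTIALS = "change_credentials"


@dataclass
class Customer:
    customer_id: str
    cip_complete: bool        # all Customer Identification Program fields filled
    linked_account: str       # the one bank account allowed for load/unload


@dataclass
class Transaction:
    kind: str
    amount: Decimal
    counterparty: Optional[str] = None   # account for load/unload/transfer_out


@dataclass
class MobilePolicy:
    max_txn_amount: Decimal = Decimal("250.00")    # size of transactions (assumed)
    max_wallet_load: Decimal = Decimal("100.00")   # "limited funds" per load (assumed)
    max_daily_txn_count: int = 10                  # volume of transactions (assumed)


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(customer: Customer, txn: Transaction,
              todays_history: List[Transaction],
              policy: Optional[MobilePolicy] = None) -> Decision:
    """Apply the mobile-channel controls in order; the first failing rule wins."""
    policy = policy or MobilePolicy()
    # High-risk transactions are kept off the mobile channel entirely.
    if txn.kind == CHANGE_CREDENTIALS:
        return Decision(False, "credential changes not permitted on mobile channel")
    if txn.kind == TRANSFER_OUT:
        return Decision(False, "transfers to outside accounts not permitted on mobile channel")
    if txn.amount <= 0:
        return Decision(False, "amount must be positive")
    # Volume limit: count transactions already authorised today.
    if len(todays_history) >= policy.max_daily_txn_count:
        return Decision(False, "daily transaction volume limit reached")
    # Size limit applies to every transaction kind.
    if txn.amount > policy.max_txn_amount:
        return Decision(False, "transaction exceeds size limit")
    # Until CIP is complete, only purchases of goods and services are allowed.
    if not customer.cip_complete:
        if txn.kind == PURCHASE:
            return Decision(True, "purchase allowed; CIP incomplete")
        return Decision(False, "only purchases allowed until CIP fields are complete")
    # After CIP completion: limited loads, and load/unload only via the linked account.
    if txn.kind in (LOAD, UNLOAD):
        if txn.counterparty != customer.linked_account:
            return Decision(False, "funds may only move to/from the linked bank account")
        if txn.kind == LOAD and txn.amount > policy.max_wallet_load:
            return Decision(False, "wallet load exceeds limited-funds cap")
        return Decision(True, f"{txn.kind} allowed")
    if txn.kind == PURCHASE:
        return Decision(True, "purchase allowed")
    return Decision(False, f"unknown transaction kind {txn.kind!r}")


def demo() -> List[Decision]:
    """Constructed scenarios (not real customer data) that exercise each rule."""
    new_user = Customer("c-001", cip_complete=False, linked_account="ACCT-1111")
    verified = Customer("c-002", cip_complete=True, linked_account="ACCT-2222")
    none: List[Transaction] = []
    return [
        authorize(new_user, Transaction(PURCHASE, Decimal("12.50")), none),            # allowed
        authorize(new_user, Transaction(LOAD, Decimal("50.00"), "ACCT-1111"), none),   # CIP incomplete
        authorize(verified, Transaction(LOAD, Decimal("50.00"), "ACCT-2222"), none),   # allowed
        authorize(verified, Transaction(LOAD, Decimal("150.00"), "ACCT-2222"), none),  # over load cap
        authorize(verified, Transaction(UNLOAD, Decimal("20.00"), "ACCT-9999"), none), # wrong account
        authorize(verified, Transaction(TRANSFER_OUT, Decimal("20.00"), "EXT-1"), none),
        authorize(verified, Transaction(CHANGE_CREDENTIALS, Decimal("0")), none),
        authorize(verified, Transaction(PURCHASE, Decimal("300.00")), none),           # over size cap
        authorize(verified, Transaction(PURCHASE, Decimal("5.00")),
                  [Transaction(PURCHASE, Decimal("1"))] * 10),                         # volume cap
    ]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW " if d.allowed else "DENY  ", d.reason)
```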

More on Mobile Payments
• Retailers observe an increase in average transaction value when cash is replaced by a mobile payment method.
Juniper Research, November 2011

Tepid Adoption
• Offer only one of the wireless delivery channels (SMS, Mobile Web, Applications)

What do you risk?
• Generation Y Customers.
• Reputation with Gen X and Baby Boomer Customers

Today’s Agenda
• The Branchless Bank
• Workshop and the Workbook
• Mobile Risk
  – The Assets
  – The Threats
  – The Vulnerabilities
  – The Controls!
• FFIEC Requirements (related to Mobile Security)
• Drill-down Risk Assessments
• BYOD
• Pulling it all together!

Primary Vulnerabilities
• We can lose them.
• We can lose them.
• We can lose them.

Application Vulnerabilities
• Plain text credentials (in password files, XML files)
• Other sensitive data unencrypted
• Poor session handling (no inactivity log out)
• Uncompiled code

Application Vulnerabilities
• Check out OWASP Mobile Security Project
  https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks.
  m.infotex.com/owaspm

OWASP Mobile Top Ten
• M1: Insecure Data Storage
• M2: Weak Server Side Controls
• M3: Insufficient Transport Layer Protection
• M4: Client Side Injection
• M5: Poor Authorization and Authentication
• M6: Improper Session Handling
• M7: Security Decisions Via Untrusted Inputs
• M8: Side Channel Data Leakage
• M9: Broken Cryptography
• M10: Sensitive Information Disclosure

Fraudulent Apps

Malware: Zitmo (diagram: Online Banking Provider; High Risk Transactions; ACH Origination, “Enter mTAN here!”; mTANs)

Dumb User Mistakes
Non-malicious (dumb user) mistakes
• Lost and stolen mobile devices
• Retired mobile devices
• SMS ends up in at least three places: your phone, the receiver’s phone, and at least one server somewhere in the middle.

Smishing and Vishing
Phishing: when a bad guy sends an e-mail message with a link to a drive-by attack site or a fake site that asks for sensitive information.
Smishing: a phishing attack via text messaging.
Vishing: a phishing attack via voice mail.

Other potential customer vulnerabilities
• Untrained Help Desk Staff
• Bad application reviews
• Customer Reviews
• Smishing, phishing, vishing

Man in the Middle
Especially WiFi

Unintended Consequences
• Slow Networks
  – Video, music, apps, app updates
• Lost Customers
  – Employees give out cell number
  – Customers call the cell, not the bank.

Deployment Vulnerabilities
• Unintended policy violations (such as “no wireless networking”).
• Inconsistent introduction of new procedures (e.g. test group doesn’t adopt lessons from first post-mortem evaluation).

Deployment Vulnerabilities
• Did we think through the printing and other output processes?
  – Will we need to print from portable devices?
  – How do we share information between devices?

Deployment Vulnerabilities
• Data integrity and other conversion issues
  – Screen scraping versus integration.
  – MICR checks for consumer capture.
  – (Not seeing anything with mobile deployment.)

Deployment Vulnerabilities
• Data entry and other input vulnerabilities
  – Employees input data inconsistently.
  – Mobile Banking: do consumers really need to set up new payees on their phones/tablets?
  – E-mailing and Texting issues (misspellings, typos, etc.)
• Vulnerabilities related to unforeseen attack vectors
  – (e.g. kids getting hit by buses while texting).
  – What attack vectors are we missing?
• Version control, licensing vulnerabilities, early adoption vulnerabilities
  – (Timing: A new version of software is released before mobile banking is fully deployed).
  – How do we ensure employees are updating their phones/tablets/laptops?

Deployment Vulnerabilities
• Connectivity, access, and other availability issues (Not all remote users have broadband).
• Setup, configuration, and training issues
  – BYOD: What are we going to support?
  – Adjustment to standard settings not documented.
• Unforeseen confidentiality disclosures and/or other security/compliance vulnerabilities
  – Loan officers advertising new mortgage pricing via social media.

Today’s Agenda (repeated from the earlier slide)

Primary Controls
• Screen lock.
• E-mail Restrictions (3 days)
• Remote Wipe
  – Requires agreement and warnings for BYOD.
• Application Control
• AVS (at least for non-Apple devices)

MDM Applications
• AirWatch
• Good Technologies
• MobileIron
• Sophos
• ZenPrise

App Stores
Most Mobile Device Management (MDM) applications will allow you to distribute approved applications.

Mobile Device Management
• Exchange ActiveSync (EAS) comes free with Exchange and offers the four basic controls.
• Mobile Device Management solutions offer total control of the device with functions ranging from AVS to Application Control to Remote Wiping.
• You can prohibit apps from being installed, shut down SMS messaging, disable web traffic or media.
• This offers a huge amount of control.
• You will eventually want MDM.
• We will very briefly run down five solutions to help us all get on the same page about MDM Controls.

Mobile Device Management
• What are you doing?

Page 46: Goin’ Mobile, Not Nuts! · Mobile Web Features •Browser Based • Reformats for the small screen size • Subset of your existing on-line banking features. • Sometimes will

Goin' Mobile, Not Nuts! 3/27/2013

infotexinfotex

Four Risk Factors

Threats

Vulnerabilities

Impact Severity

Likelihood

infotexinfotex

Integration

Customer Awareness Training (CAT) must integrate with User Awareness Training (UAT) and Management Awareness Training (MAT).

Awareness Training Must Integrate with all aspects of the IT Governance Program.

infotex

Customer Awareness Tools

• What are you doing?


Customer Awareness Kit

• Let’s see the directory structure!


Important CAT Function

• Incident Response
– Entirely different workshop
– Still, the overlap compels us to consider Incident Response when we consider CAT.


Confucius

• “The reputation of a 1000 years can be ruined in a few minutes.”


Incident Response

• CAT: Ruthless Integration
• Broadcast Awareness: Involve Customers and Media
• Media Relations: Broadcast Awareness


Wireless Banking Controls

• Customer Awareness Training
• Know your assets
• Feature-based Risk Assessment
• Vendor Due Diligence
• On-going Vendor Due Diligence
• Strategic Planning


Most important control

• Common Sense


Most important control

• Applied in real time.


4. Compliance Risk

The bad news

• Wireless banking involves every bank regulation you can think of.


What the FFIEC says . . .

• GLBA
• AML
• CTF (Anti-Terrorism)
• CIP (KYC)
• OFAC
• E-sign Act
• EFT Act
• “And other regulations”

FFIEC E-banking Handbook, Appendix E


What the FFIEC left out:

• There are 18 regulations affected by Mobile Banking.

• That’s 11 more than the FFIEC predicted with Appendix E in 2003.


The Good News

• Vendor due diligence is the key control for Compliance Risk.


Vendor Due Diligence Kit

• Let’s see the spreadsheet!


A Word About Template Protocols

• Red: Insert applicable name, title, policy, procedure, etc. in this spot.

• Blue: Instructions (to be deleted)
• Green: Examples
• Brown: Consider leaving in

Handout: Action Plan

• What MIGHT you add to your action plan based on the previous material?

• Give it a name.

• Write it in the top section of your Action Plan sheet.


Today’s Agenda

• The Branchless Bank
• Workshop and the Workbook
• Mobile Risk
• FFIEC Requirements (related to Mobile Security)
• Drill-down Risk Assessments
• BYOD
• Pulling it all together!


Today’s Agenda

• The Branchless Bank
• Workshop and the Workbook
• Mobile Risk
• FFIEC Requirements (related to Mobile Security)
– Okay, we’re done!
– What they do have
– Branchless Banking Policy
– Branchless Banking Management Procedure


In this next section


• We will hear about Dan’s attempts to find out what we’re really supposed to do about compliance as it pertains to mobility.

• We will try to predict the (hopefully near) future!


The FFIEC

• Federal Reserve System (FRB)
• Federal Deposit Insurance Corporation (FDIC)
• National Credit Union Administration (NCUA)
• Office of the Comptroller of the Currency (OCC)


The Search for Guidance

• Vendors are now putting FFIEC in titles of white papers for SEO purposes. (It worked.)
– One vendor had a white paper on how their MDM app would help you comply with the authentication guidance.


The Search for Guidance

• Appendix E of the FFIEC Handbook does address wireless banking. It was updated in 2003.


How do we prioritize?

• Vendor Risk
– Due Diligence
– Strategic Risk Mitigation
• Wireless Banking Risk
– Three Channels
– Customers
– Response
• Mobile Payments Risk


Adoption Categories

• Innovators
• Early adopters
• Early majority
• Late majority
• Laggards

Everett M. Rogers' Diffusion of Innovations


Innovators in banking

• Usually a big-bank thing.
• Rare for community-based banks.
• I have clients who have partnered with local universities:
– 2FA on ATMs (thumbprint scanners)
– Biopassword
– Event Log Management

Everett M. Rogers' Diffusion of Innovations

Security Technologies


Early Adopters in Banking

• Physical Security
• Information Security

Dan’s Interpretation of Everett M. Rogers' Diffusion of Innovations


Early Majority in Banking

• Third Party Assurance (audit)
• E-commerce

Dan’s Interpretation of Everett M. Rogers' Diffusion of Innovations


Late Majority / Laggard

• Virtualization
• Cloud Computing
• Social Media
• Telecommuting

Dan’s Interpretation of Everett M. Rogers' Diffusion of Innovations

Softwareforcloudcomputing.com


Stages of Innovation

• Knowledge
• Persuasion
• Decision
• Implementation
• Confirmation

Risk Assessment?

Security Controls

Everett M. Rogers' Diffusion of Innovations


Risk/Benefit Evolution Curve

[Chart: Risk/Benefit Evolution Curve. Axes: Value (vertical) against Time (horizontal). Curves: Features, Sophistication; Price, Problems.]


Risk/Benefit Evolution Curve

[Chart: Risk/Benefit Evolution Curve. Axes: Value (vertical) against Time (horizontal). Curves: Features, Sophistication; Price, Problems. Adopter segments marked along the time axis: Innovator, Early Adopter, Early Majority, Late Majority, Laggards.]


Mobile Payments

• NFC
• FDIC Supervisory Insight
• Risk Assessment Coming


The Workbook


FDIC Supervisory Insights on Mobile Payments


An IBA Preferred Service Provider. CISSPs, CISAs, CISMs, CRISCs

FDIC Supervisory Insight on Mobile Payments. my.infotex.com, www.emergingthreats.net

infotex. Managing Technology Risk. my.infotex.com, (800) 466-9939

Mobile Payments: An Evolving Landscape

As a relatively new financial service, mobile payments have the potential to significantly change how consumers pay for goods and services. Generally, mobile payments1 are defined as the use of a mobile device—commonly, but not exclusively, a smartphone or tablet computer—to initiate a transfer of funds to people or businesses. The widespread adoption of mobile payments raises critical issues, including the extent to which financial institutions may lose payments-system market share; the adequacy of legal protections and disclosures received by consumers; and, more generally, how banks can ensure compliance with existing laws and regulations. Although the potential benefits of mobile payments have received considerable attention in the media and trade publications, less scrutiny has been given to understanding the unique risks and supervisory issues raised by this technology. This article describes mobile payments technologies, identifies the risks associated with mobile payments, and discusses the existing regulatory framework that applies to the use of these technologies.

Market Characteristics

The mobile payments marketplace is continuing to expand. More than 87 percent of the U.S. population now has a mobile phone,2 and more than half of those mobile phones are smartphones.3 Nearly one-third of mobile phone users in 2012 have reported using mobile devices to make a purchase. Consumers spent over $20 billion using a mobile browser or application during the year,4 and this number is likely to grow as smartphone ownership increases and mobile payments platforms become more widespread. Mobile payments can be made at the point-of-sale (POS) or to facilitate person-to-person payments. In either case, mobile payments are facilitated by the increasing popularity of smartphones, the availability of POS terminals that are equipped to process transactions using near-field communications (NFC),5 and the growth of alternative cloud-based mobile payment solutions. At least six NFC-equipped cell phones are for sale in the United States,6 and 50 percent of smartphones could be NFC-equipped by 2014.7 Projections for U.S. smartphone and global NFC-ready POS market penetration are shown in Chart 1.

The four major credit card brands (MasterCard, Visa, Discover, and American Express) offer contactless payment technology at the POS, and at least six major merchants accept contactless payments in their stores.8 In partnership with MasterCard and Visa, Google introduced a mobile wallet in 2011.9 A mobile wallet allows users to load payment account information on their smartphones, enabling them to choose the payment option. Depending on the underlying technology, users may wave their smartphones near the POS terminal or communicate their payment credentials through a bar code or other cloud-based solution to make a payment. ISIS (a consortium of three mobile telecommunications providers) is conducting NFC mobile wallet pilot projects in Austin, Texas and Salt Lake City, Utah. According to a 2012 study conducted by Cellular News, 60 to 80 percent of U.S. consumers would use a mobile wallet from one of the major brands, such as Google, PayPal, or Apple, if available.10

Mobile Payments Technologies

Mobile payments can be initiated using different core technologies, either individually or in combination. As the mobile payments marketplace continues to evolve, it is unlikely that any one technology will become dominant in the near term. Retail merchants do not know which mobile payments technologies consumers will find preferable, creating little immediate incentive for investment in new POS terminals that can accept mobile payments. Similarly, consumers have little interest in acquiring the capability to make mobile payments until merchants accept them, or additional incentives are offered making it worthwhile for consumers to try a new form of payment. The mobile payments technologies increasing in popularity are identified in Table 1.


Table 1: Mobile Payments Technologies

Near Field Communications: Wireless protocol that allows for encrypted exchange of payment credentials and other data at close range.

Cloud Based: Leverages mobile connection to the Internet to obtain credentials not stored on the mobile device.

Image Based: Coded images similar to barcodes used to initiate payments. Credentials may be encrypted within image or stored in cloud.

Carrier Based: Payments billed directly to mobile phone account. Merchants paid directly by mobile carrier, bypassing traditional payment networks.

Proximity Based: Geolocation used to initiate payments. Merchant will identify active users within range and verify identity. Credential exchange is cloud-based.

Mobile P2P: Payment initiated on mobile device using recipient’s email address, mobile phone number, or other identifier. Payment is via ACH, card networks, or intra-account transfer.

Although the emerging technologies identified in Table 1 can facilitate mobile payments, established retail payments channels (automated clearing house (ACH), credit/debit networks, electronic funds transfers (EFT), and intra-account transfers) remain the principal ways mobile payments accounts are funded and transactions settled. The only notable exception is mobile carrier-based payments models, which currently have only limited adoption in the United States. Mobile payments typically require users to provide verifiable bank account information or a prepaid card to establish and fund an account. This allows mobile payments companies to leverage existing banking relationships to verify identities, satisfy federal anti-money laundering (AML) requirements, and fund accounts. Thus, with regard to the transfer of funds, the risks associated with mobile payments should be familiar to financial institutions and their regulators, and the corresponding risk controls are well established.11

Understanding and Managing Mobile Payments Risk

Mobile payments present the same types of risks to financial institutions associated with many traditional banking-related products, including Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) compliance, fraud, credit/liquidity, operations/IT, reputation, and vendor management. As is the case with any new product offering, a financial institution should have a review and approval process sufficiently broad to ensure compliance with internal policies and applicable laws and regulations. However, unlike most banking products that allow institutions to control much of the interaction, mobile payments require the coordinated and secure exchange of payment information among several unrelated entities. Making matters more challenging is that much of the innovation in the mobile payments marketplace is driven by entrepreneurial companies that may not be familiar with supervisory expectations that apply to banks and their service providers. Depending on the type of mobile payment, financial institutions may find that the effective management of risks involves partnering with application developers, mobile network operators, handset manufacturers, specialized security firms, and others.

Financial institutions should be particularly conscious of the potential and perceived risk of fraud in mobile payments. Customers are more likely to adopt mobile payments if they are confident that the provider, often their bank, has taken appropriate steps to make this service secure by protecting the customer’s funds and confidential account information. Encrypting sensitive information stored on the mobile device and providing the ability to disable or wipe the device clean if it is lost or stolen are examples of effective controls that should be carefully considered as part of any mobile payments service. Table 2 identifies the risks posed by mobile payments and briefly describes the challenges in mitigating those risks.

Table 2: Mobile Payments Risks

Category: BSA/AML
Risk: Failure to satisfy recordkeeping, screening and reporting requirements intended to detect financial crimes, deter illicit cross-border payments, and prevent terrorist financing.
Challenge: Ensuring emerging mobile payments models developed (and sometimes managed) by third-party service providers satisfy BSA/AML/OFAC requirements.

Category: Fraud
Risk: Failure to prevent or deter unauthorized transactions, the interception of confidential information, or other fraudulent activity.
Challenge: Ensuring adequate security of account data and other sensitive information and providing methods of “turning off” access to mobile accounts in the event of loss or theft of the mobile device. Educating consumers regarding the need to password-protect and otherwise secure their mobile devices.

Category: Compliance
Risk: Failure to comply with applicable consumer protection laws, disclosure requirements, and supervisory guidance.
Challenge: Developing ways to translate disclosure and response requirements to the mobile environment.

Category: Credit/Liquidity
Risk: Possible loss from a failure to collect on a credit obligation or otherwise meet a payments-related contractual commitment.
Challenge: Managing mobile payments credit risk linked to the underlying payment type (e.g., credit/debit card, ACH credits/debits, prepaid, EFT).

Category: Operations/IT
Risk: Failure to protect confidential financial information or applications.
Challenge: Ensuring mobile payments solutions satisfy requirements to safeguard customer information (e.g., Gramm-Leach-Bliley Act) and that such products are developed/configured in a secure manner.

Category: Reputation
Risk: Negative consumer experience may reflect poorly on the bank or discourage the use of mobile payments.
Challenge: Selecting and actively managing mobile payments technology partners and ensuring customer satisfaction with new products.

Category: Vendor Management
Risk: Third party may fail to meet expectations, perform poorly, or suffer bankruptcy.
Challenge: Ongoing due diligence of partner relationships with entrepreneurial companies that may be unfamiliar with operating in a regulated environment.

The regulatory expectations for managing mobile payments are generally consistent with those associated with other financial services delivered through more traditional channels. No safe harbors or carve-outs from coverage for mobile payments exist. Thus, mobile payments providers must determine how to comply with existing legal requirements when the application to mobile payments may not be readily apparent. For example, creative solutions may be required to display disclosures on a mobile device’s small screen. As not all mobile payments give rise to the same rights, consumers could become confused about which consumer protections apply, or whether they apply at all, resulting in reputation risk. Consumers also may not understand which regulators supervise the parties providing the mobile payments service. Some mobile payments products may provide contractual rights similar to those contained in certain consumer protection statutes; however, these contractual provisions do not have the force of law as described below.

Legal and Supervisory Framework

To date, no federal laws or regulations specifically govern mobile payments. However, to the extent a mobile payment uses an existing payment method, such as ACH or EFT, the laws and regulations that apply to that method also apply to the mobile payment. For example, a mobile payment funded by the user’s credit card will be covered by the laws and regulations governing traditional credit card payments. Table 3 provides an overview of selected federal laws and regulations with applicability to mobile payments transactions.

Table 3: Laws and Regulations That Apply to Mobile Payments Transactions

Law or Regulation / Description: Electronic Fund Transfer Act (EFTA) / Regulation E12

Establishes rules for electronic fund transfers (EFTs) involving consumers.

Coverage: Generally includes any “transaction initiated through an electronic terminal, telephone, computer, or magnetic tape that instructs a financial institution either to credit or debit a consumer’s account.” This includes transactions such as debit card transactions, direct deposits and withdrawals, and automated teller machine (ATM) transactions. The regulation generally applies to financial institutions, but certain provisions apply to “any person.”

Applicability to Mobile Payments: Applies when the underlying payment is made from a consumer’s account via an EFT.

Key Obligations / Other Information: The rule establishes consumer rights to a number of disclosures and error resolution procedures for unauthorized or otherwise erroneous transactions. The disclosures include upfront disclosures regarding, among other things, the terms and conditions of the EFT service and how error resolution procedures will work.

Law or Regulation / Description: Truth in Lending Act (TILA) / Regulation Z13

Establishes rules regarding consumer credit; intended to help consumers understand the cost of credit and compare credit options.

Coverage: Generally applies to “creditors” that offer or extend credit to consumers and includes both open-end and closed-end credit products, including credit cards.

Applicability to Mobile Payments: Applies when the underlying source of payment is a credit card (or other credit account covered by TILA and Regulation Z).

Key Obligations / Other Information: Creditors are required to provide disclosures to consumers describing costs, including interest rate, billing rights, and dispute procedures.

Law or Regulation / Description: Truth-in-Billing14

Requires wireless carriers to provide certain billing information to customers.

Coverage: Applies to wireless carriers.

Applicability to Mobile Payments: Applies when a mobile payment results in charges to the mobile phone bill.

Key Obligations / Other Information: Wireless carriers must provide clear, correct, and detailed billing information to customers. This includes a description of services provided and charges made.


Law or Regulation / Description: Unfair, Deceptive, or Abusive Acts or Practices (UDAP) under the Federal Trade Commission (FTC) Act /Unfair, Deceptive or Abusive Acts or Practices (UDAAP) under the Consumer Financial Protection Act of 201015

Prohibits “unfair or deceptive acts or practices in or affecting commerce.”

Coverage: Applicable to any person or entity engaged in commerce. Made applicable to banks pursuant to Section 8 of the Federal Deposit Insurance Act.16

Applicability to Mobile Payments: Applies to all mobile payments regardless of underlying payment source.

Key Obligations / Other Information: Prohibits “unfair or deceptive acts or practices in or affecting commerce.” The Dodd-Frank Act also added the concept of “abusive” practices to “unfair” or “deceptive” ones, and gave the Consumer Financial Protection Bureau (CFPB) authority to further define abusiveness.

Law or Regulation / Description: Gramm-Leach-Bliley Act (GLBA) Privacy and Data Security Provisions17

Establishes rules regarding consumer privacy and customer data security.

Coverage: The privacy rules and data security guidelines issued under GLBA apply to “financial institutions,” which include depository institutions as well as nonbanks engaged in financial activities.

Applicability to Mobile Payments: Applies when a financial institution handles information of a “consumer” or “customer.”

Key Obligations / Other Information: Financial institutions are required to provide consumers with certain notices regarding the privacy of nonpublic personal information and allow them to opt out of certain types of information sharing. The GLBA data security provisions give guidance on the appropriate safeguarding of customer information.

Law or Regulation / Description: Federal Deposit Insurance18 or NCUA Share Insurance19

Protects funds of depositors in insured depository institutions and of members of insured credit unions in the event of failure of the institution.

Coverage: Applies to “deposits” and “accounts” as defined in laws and regulations of the FDIC and National Credit Union Administration. These include savings accounts and checking accounts at banks and share accounts and share draft accounts at credit unions.

Applicability to Mobile Payments: If the funds underlying a mobile payment are deposited in an account covered by deposit insurance or share insurance, the owner of the funds will receive deposit or share insurance coverage for those funds up to the applicable limit.

Key Obligations / Other Information: Deposit insurance or share insurance does not guarantee that a consumer’s funds will be protected in the event of a bankruptcy or insolvency of a nonbank entity in the mobile payment chain.

Note: This table is not exhaustive, and other laws, regulations, and policies may apply.

Mobile payments technologies that do not use the existing payments infrastructure would not be subject to laws and regulations that currently cover such payments. In addition, certain mobile payments providers may be subject to the jurisdiction of one or more federal or state regulators (e.g., federal bank regulators, the Federal Communications Commission, and the Federal Trade Commission).20

Looking Forward

In the payments business, banks have traditionally served a variety of intermediary roles between merchants and consumers to facilitate non-cash payments. Banks issue payment cards for customers, process payments for merchants, manage credit/settlement risk for pending transactions, and provide a key link to the payments networks. In the near term, the majority of mobile payments in the U.S. marketplace will be funded by the customer’s bank account, and financial institutions will continue to play a key role in facilitating mobile payments. However, as mobile payments evolve, non-bank mobile payments providers may start to capture greater market share from financial institutions and alter bank/customer relationships. Financial institutions should not assume their place in the new mobile payments marketplace is assured because they are an integral part of the existing payments infrastructure. Non-bank mobile payments providers are devising ways to streamline the current payments system and reduce transaction costs by limiting the role banks play in mobile payments or eliminating them from segments of the payments process altogether.

In economic terms, the elimination of an intermediary in a transaction between two parties is known as “disintermediation.” Banks could increasingly find themselves displaced by non-banks in the mobile payments marketplace. This evolution could result in the gradual disintermediation of banks as the primary provider of mobile payments. This disintermediation could take several forms. One possible scenario may be a consolidation of the intermediary roles served by banks in the payments process. Nowhere is this more evident than in the payment card acquiring business where it is not unusual to have five or more banks involved in a single card payment.21 In an alternative payments model such as PayPal, the non-bank mobile payments provider assumes at least three of these bank roles (that of issuing, acquiring, and sponsoring banks), thereby removing those banks from the payments process and reducing their business opportunities.

Another potential result of bank disintermediation is a loss of access to key customer data. This can occur as customers provide account credentials to an alternative payments provider to fund an account that will be used to pay for all, or a portion of, a transaction. In this scenario, the alternative payments provider and the merchant control the actual exchange of payment transaction data. Banks may never see the total value of the transaction or even know the true identity of the entity receiving the payment. Thus, detailed transaction data used to identify potential anomalous transactions or provide customized content and product offers may no longer be available to the banks in some alternative mobile payments models. It is the value of this direct connection to the customer and transaction information that is driving these new products and partnerships, as banks consider the implications of ceding this important nexus to non-bank mobile payments providers.

Conclusion

Mobile payments are poised to become an important part of the payments landscape. However, it is unclear when they will achieve popular acceptance and what forms they will take. The majority of industry observers predict a three-to-five year timeframe, and that a limited number of mobile payments models will exist in the marketplace. Both predictions appear well-founded.

The fundamentals of payments risk management should remain constant and, as emphasized in this article, banks offering mobile payments need to ensure compliance with existing laws and regulations. This is particularly important when banks are working with non-bank third-party providers that may not be knowledgeable about the regulatory environment in which financial institutions operate. As a result, banks’ oversight of third-party relationships will become increasingly important as mobile payments evolve.


Robert C. Drozdowski, Senior Technology Specialist, Division of Risk Management Supervision
Matthew W. Homer, Policy Analyst, Division of Depositor and Consumer Protection
Elizabeth A. Khalil, Senior Policy Analyst, Division of Depositor and Consumer Protection
Jeffrey M. Kopchik, Senior Policy Analyst, Division of Risk Management Supervision

1. For purposes of this article, mobile payments do not include payments made using financial institution-sponsored online bill payment services. For a discussion of mobile banking, see Jeffrey M. Kopchik, “Mobile Banking Rewards and Risks,” Supervisory Insights, Winter 2011.
2. Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services,” March 2012, at http://www.federalreserve.gov/econresdata/mobile-device-report-201203.pdf.
3. Javelin Strategy & Research, “Mobile Payments Hits $20 billion in 2012,” September 2012 (private study available for a fee; also on file with authors).
4. Ibid.
5. NFC is a short-range wireless communication using an NFC-enabled payment card or smartphone.
6. Robin Sidel and Amir Efrati, “What’s in Your Mobile Wallet? Not Much,” Wall Street Journal, September 26, 2012, at http://online.wsj.com/article/SB10000872396390444180004578016383395015570.html.
7. Mercator Advisory Group, “Too Early to Call: Five Mobile Giants,” May 2012 (private study available for a fee; also on file with authors).
8. See Mercator, supra n. 7 at 32 and 13.
9. Pew Research Center, “The Future of Money: Smartphone Swiping in the Mobile Age,” April 17, 2012, at http://www.pewinternet.org/Reports/2012/Future-of-Money/Overview.aspx.
10. “If PayPal Offered a Mobile Wallet, 8 in 10 Consumers Would Use It,” Cellular News, June 2012, at http://www.cellular-news.com/story/54726.php.
11. Michele Braun, James McAndrews, William Roberds, and Richard Sullivan, “Understanding Risk Management in Emerging Retail Payments,” Federal Reserve Bank of New York Economic Policy Review, September 2008, at www.newyorkfed.org/research/epr/08v14n2/0809brau.pdf.
12. 15 USC § 1693 et seq., 12 CFR 1005.
13. 15 USC § 1601 et seq., 12 CFR 1026.
14. 47 CFR 64.2401.
15. 15 USC § 45(a); 12 USC § 5536(a)(1)(B).
16. 12 USC § 1818.
17. 15 USC § 6801 et seq.; 12 CFR 332 (FDIC privacy rule); 12 CFR 364 App. B (Interagency Guidelines Establishing Information Security Standards, as published in FDIC’s rules).
18. See 12 CFR 330.
19. See 12 CFR 745.
20. The FDIC, Office of the Comptroller of the Currency, Federal Reserve Board, and National Credit Union Administration supervise depository institutions and examine them for compliance with applicable laws and regulations. The Consumer Financial Protection Bureau (CFPB) has consumer protection, examination and enforcement jurisdiction over certain nonbank institutions that offer consumer financial products and services and over depository institutions with more than $10 billion in consolidated assets. The CFPB has sole rulemaking authority for most financial consumer protection laws, including the EFTA and TILA and, as such, is instrumental in the regulation of mobile payments, whether through direct supervision or rulemaking authority. The Federal Communications Commission (FCC) has jurisdiction over wireless carriers and is responsible for the Truth-in-Billing rule. Mobile payments products that include wireless bill charges as a payment method may be subject to the FCC’s authority. The Federal Trade Commission (FTC) has authority to investigate and take enforcement actions under the FTC Act against almost any entity engaged in commerce, with the exception of entities carved out from FTC jurisdiction, for example, depository institutions and common carriers such as wireless providers. The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, is the administrator of the Bank Secrecy Act.
21. In the U.S. marketplace, there are at least five distinct roles served by banks involved in processing a single credit/debit card transaction: (1) an issuing bank that holds the customer relationship and authorizes payment; (2) an acquiring bank responsible for providing access to the payment networks; (3) a merchant business bank that holds the funds collected on payments; (4) a settlement bank that moves money among the issuing/acquiring banks; and in some cases (5) a payment card sponsoring bank used to manage bank payment card programs.

Adoption Philosophy

• What are you doing?

iPads for Board Meetings

Where would you say you are in your bank? A. Knowledge; B. Persuasion; C. Decision; D. Implementation; E. Confirmation

iPads for Paperless Meetings

Where would you say you are in your bank? A. Knowledge; B. Persuasion; C. Decision; D. Implementation; E. Confirmation

Issued Devices

Where would you say you are in your bank? A. Knowledge; B. Persuasion; C. Decision; D. Implementation; E. Confirmation

BYOD

Where would you say you are in your bank? A. Knowledge; B. Persuasion; C. Decision; D. Implementation; E. Confirmation

Mobile Banking

Where would you say you are in your bank? A. Knowledge; B. Persuasion; C. Decision; D. Implementation; E. Confirmation

Social Media

Where would you say you are in your bank? A. Knowledge; B. Persuasion; C. Decision; D. Implementation; E. Confirmation

Secure Messaging

Where would you say you are in your bank? A. Knowledge; B. Persuasion; C. Decision; D. Implementation; E. Confirmation

Today’s Agenda

• The Branchless Bank
• Workshop and the Workbook
• Mobile Risk
• FFIEC Requirements (related to Mobile Security)
  – Okay, we’re done!
  – What they do have
  – Branchless Banking Policy
  – Branchless Banking Management Procedure

Anything else?

• NIST Special Publication 800-124, Revision 1
• The vendor who used FFIEC Authentication Guidance for search terms was right.
  – One of the primary controls from that guidance is Customer Awareness!

Anybody else?

• What are your examiners telling you?

The Workbook

FFIEC Resources: Awareness Training


An IBA Preferred Service Provider CISSPs, CISAs, CISMs, CRISCs

FFIEC Resources my.infotex.com


Resources Concerning Awareness Training

Supplement to Authentication in an Internet Banking Environment – June 2011 [excerpt]

A financial institution’s customer awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include the following elements:

An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access;

An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials;

A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;

A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found; and,

A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security-related events.

FFIEC Information Security Booklet – July 2006

Page 4: Financial institutions should implement an ongoing security process and institute appropriate governance for the security function, assigning clear and appropriate roles and responsibilities to the board of directors, management, and employees. The security process is the method an organization uses to implement and achieve its security objectives. The process is designed to identify, measure, manage, and control the risks to system and data availability, integrity, and confidentiality, and to ensure accountability for system actions. The process includes five areas that serve as the framework for this booklet: [excerpt]

Information Security Strategy - A plan to mitigate risk that integrates technology, policies, procedures, and training. The plan should be reviewed and approved by the board of directors.

Page 7: Employees should know, understand, and be held accountable for fulfilling their security responsibilities. Institutions should define these responsibilities in their security policy. Job descriptions or contracts should specify any additional security responsibilities beyond the general policies. Financial institutions can achieve effective employee awareness and understanding through security training and ongoing security-related communications, employee certifications of compliance, self-assessments, audits, and monitoring.

Page 17: The selection of controls is typically grounded in a cost comparison of different strategic approaches to risk mitigation. The cost comparison typically contrasts the costs of various approaches with the potential gains a financial institution could realize in terms of increased confidentiality, availability, or integrity of systems and data. Those gains could include reduced financial losses, increased customer confidence, positive audit findings, and regulatory compliance. Any particular approach should consider: (1) policies, standards, and procedures; (2) technology design; (3) resource dedication; (4) training; and (5) testing.


Page 19: Primary considerations in a network security architecture are the policies, standards, and procedures employed as a part of the governance structure and the technology design. Other considerations are the necessary resources, personnel training, and testing.

Page 24: The access rights process also constrains user activities through an acceptable-use policy (AUP). Users who can access internal systems typically are required to agree to an AUP before using a system. An AUP details the permitted system uses and user activities and the consequences of noncompliance. AUPs can be created for all categories of system users, from internal programmers to customers. An AUP is a key control for user awareness and administrative policing of system activities. Examples of AUP elements for internal network and stand-alone users include:

• The specific access devices that can be used to access the network;
• Hardware and software changes the user can make to their access device;
• The purpose and scope of network activity;
• Network services that can be used and those that cannot be used;
• Information that is allowable and not allowable for transmission using each allowable service;
• Bans on attempting to break into accounts, crack passwords, or disrupt service;
• Responsibilities for secure operation; and
• Consequences of noncompliance.

Page 25: Depending on the risk associated with the access, authorized internal users should generally receive a copy of the policy and appropriate training, and signify their understanding and agreement with the policy before management grants access to the system.

Page 28: [excerpt]

Password guessing attacks also exist. These attacks generally consist of an attacker gaining knowledge about the account holder and password policies and using that knowledge to guess the password.

Controls include training in and enforcement of password policies that make passwords difficult to guess. Such policies address the secrecy, length of the password, character set, prohibition against using well-known user identifiers, and length of time before the password must be changed. Users with greater authorization or privileges, such as root users or administrators, should have longer, more complex passwords than other users.

Users’ inadvertent or unthinking actions can compromise passwords. For instance, when a password is too complex to readily memorize, the user could write the password down but not secure the paper. Frequently, written-down passwords are readily accessible to an attacker under mouse pads or in other places close to the user’s machines. Additionally, attackers frequently are successful in obtaining passwords by using social engineering and tricking the user into giving up their password.

Controls include user training, heuristic intrusion detection, and simpler passwords combined with another authentication mechanism.
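The password-policy elements the booklet lists (secrecy, length, character set, a ban on well-known user identifiers, a maximum age, and stricter requirements for privileged accounts) are easier to enforce consistently in code than in a training slide. The following Python function is an added illustration, not part of the FFIEC booklet or the infotex workbook; the two policy tiers, the list of well-known identifiers, the user names and the dates are constructed assumptions chosen for the example.

```python
import re
from datetime import date

# Constructed policy tiers (assumptions for this example, not FFIEC values).
# The booklet only requires that a policy address length, character set,
# maximum age and secrecy, and that privileged users get longer, more
# complex passwords than ordinary users.
POLICY = {
    "user":  {"min_length": 12, "min_classes": 3, "max_age_days": 90},
    "admin": {"min_length": 16, "min_classes": 4, "max_age_days": 60},
}

# Well-known identifiers that must never appear inside a password
# (constructed list; an institution would maintain its own).
WELL_KNOWN_IDENTIFIERS = ("admin", "administrator", "root", "password")

# One regex per character class: lower, upper, digit, everything else.
CHAR_CLASSES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
)


def check_password(password, username, role, last_changed, today):
    """Return the list of policy violations; an empty list means compliant.

    last_changed and today are ISO dates ("YYYY-MM-DD") so the check can be
    run against an inventory export without any clock dependency.
    """
    rules = POLICY[role]
    problems = []

    # Length requirement differs by privilege level.
    if len(password) < rules["min_length"]:
        problems.append(f"shorter than {rules['min_length']} characters")

    # Character-set requirement: count how many classes are present.
    classes = sum(1 for pattern in CHAR_CLASSES if pattern.search(password))
    if classes < rules["min_classes"]:
        problems.append(
            f"uses {classes} of {rules['min_classes']} required character classes")

    # Prohibition against well-known identifiers, including the user's own name.
    lowered = password.lower()
    for ident in (username.lower(),) + WELL_KNOWN_IDENTIFIERS:
        if ident and ident in lowered:
            problems.append(f"contains well-known identifier '{ident}'")

    # Maximum age before the password must be changed.
    age_days = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    if age_days > rules["max_age_days"]:
        problems.append(
            f"{age_days} days old, exceeds the {rules['max_age_days']}-day maximum")

    return problems


if __name__ == "__main__":
    # Constructed sample records; "2013-03-27" is the reference date.
    print(check_password("Correct-Horse-Batt3ry", "jsmith", "user", "2013-03-01", "2013-03-27"))
    print(check_password("jsmith2013", "jsmith", "admin", "2012-12-01", "2013-03-27"))
```

Run against an export of account records, the function gives an auditor a per-account list of violations rather than a pass/fail, which is what an awareness-training follow-up or an access review actually needs.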

Page 35: Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset or as a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.

Page 70: Financial institutions should mitigate the risks posed by internal users by:

• Performing appropriate background checks and screening of new employees;
• Obtaining agreements covering confidentiality, nondisclosure, and authorized use;
• Using job descriptions, employment agreements and training to increase accountability for security; and
• Providing training to support awareness and policy compliance.

Page 72: Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and strengthen compliance with security policies, standards, and procedures. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management. Training materials for desktop and workstation users would typically review the acceptable-use policy and include issues like desktop security, log-on requirements, password administration guidelines, etc. Training should also address social engineering and the policies and procedures that protect against social engineering attacks. Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses.

FFIEC Management Booklet – June 2004

Page 27: Financial institutions should use job descriptions, employment agreements (usually higher level positions), training, and awareness programs to promote understanding and increase individual accountability.

Information security awareness and training programs help support these and other management policies.


Branchless Banking Kit

• Let’s see the directory structure!

Management Talking Points


Branchless Banking Policy

• Meant to replace the “E-banking Policy” at most banks.

• Establishes Branchless Banking as a function of the overall strategic plan.

• Establishes a “Branchless Banking Committee.”


Branchless Banking Policy

• Calls for Management Awareness Training (if you don’t already have an awareness training procedure).

• Defines “branchless banking” and establishes “three broad categories” of branchless banking assets.

Three Broad Categories

• Delivery Systems
• Electronic Payment Processing
• Authentication Controls

Policy Statements

• Asset Inventory
• Compliance
• Authentication


Policy Statements

• Annual Authentication Risk Assessment

• Drill-down risk assessment for new branchless banking technologies, products, services . . . thoughts!

Other Policy Statements

• Privacy Disclosures
• Electronic Record Retention
• Insurance
• Vendor Management
• Remote Access

Remote Access

Um, do you let yer employees work from home?


Other Policy Statements

• Portable Devices
• Require Business Customers to use Business Accounts
• Required Content
• Disaster Recovery

Other Policy Statements

• Audit Requirements
• Monitoring
• Adoption of new technologies
• Privacy Policy Training


The Workbook


Branchless Banking Policy


Information Security Policies Effective: xx/xx/xx Created/Revised: yy/yy/yy Branchless Banking Policy Owner: Title Here

Insert Financial Institution Name / Logo

Branchless Banking Policy (Approved During DD/MM/YY Board Meeting)

Classified: Internal Use Information Contact if found: Name, Title

Name of Financial Institution City, State


Policy Scope

This policy applies to all Name of Financial Institution’s directors, management team, employees, temporary workers, contractors, and consultants. The Information Security Officer is responsible for overseeing the development, implementation, and maintenance of this policy. It should be reviewed at least annually to ensure relevant information is appropriately considered. Senior Management is responsible for enforcing this policy. For questions concerning this policy, see Senior Management.

Introduction

Studies show that on average more than 70% of bank transactions are now initiated “outside the branch.” Branchless banking has become the corporate vehicle for a wide range of products, services, marketing activities, and management techniques. This policy intends to ensure branchless banking operations remain safe, secure, accurate, compliant, and aligned with the bank’s overall business mission. The policy encompasses all “branchless banking assets,” meaning that it oversees all functions of electronic banking, including internet banking, remote deposit capture, online bill payment, online cash management, telephone banking, mobile banking, ATMs, debit cards, etc. The Board of Directors and Senior Management recognize the need to establish and implement policies and procedures with respect to branchless banking activities. While there are inherent risks with any type of banking activity, the benefit of diversifying banking channels offers our customers more flexibility in traditional bank transactions such as accessing funds, making deposits, requesting information for products, or applying for loans. Likewise, with the right approach, branchless banking can streamline customer services, helping customers manage liquidity or handle other banking transactions, potentially reducing exposures to security and fraud risks, and thus generating more income for the institution.

Objective

The objective of this policy is to establish guidelines and objectives for Name of Financial Institution’s involvement in branchless banking systems, which are emerging and increasingly important banking activities because of increasing competition, growing demand for more efficient and convenient capabilities offered by “wireless communications,” and accelerating cost-differentials between internet capabilities and traditional delivery channels. Thus, this policy requires the establishment of branchless banking as a function of the overall strategic plan of Name of Financial Institution, so that the objectives of branchless banking remain consistent with the overall business objectives of the institution. A second objective of this policy is to require that management appropriately manage risks in compliance with industry standards, vendor recommendations and applicable laws and regulations. This policy will define what the institution means by branchless banking, and address how electronic payment processing fits into the branchless banking environment. Finally, this policy will provide a framework for management to use when addressing new banking technologies as they arise.


Authority

The board appoints the Information Security Officer as the person authorized to maintain and enforce this policy, as well as propose amendments to this policy and associated procedures. The board authorizes the [Chief Information Officer / Branchless Banking Committee / E-commerce Committee] to manage the implementation of new branchless banking technologies as well as the maintenance of existing technologies. This policy identifies the members of the [Branchless Banking Committee / E-commerce Committee]. Changes to this policy will require approval by the Board of Directors. Changes in operating procedures, standards, guidelines and technologies, provided they are consistent with this policy, may be authorized by the Information Security Officer. The Information Security Officer is required to report all critical and high risks associated with branchless banking as part of the institution’s normal information technology risk management practices. The Compliance Officer is authorized to ensure appropriate compliance with all regulations that cover branchless banking assets.

Management Team Awareness

It is the responsibility of the [Chief Information Officer / Branchless Banking Committee / E-commerce Committee] to ensure that:

1. [Senior Management / Management], as defined in the User Awareness Training Procedure, develops and maintains an understanding and working knowledge of branchless banking activities, and the need to involve the Information Security Officer in the deployment of new assets.

2. [Senior Management / Management], as defined in the User Awareness Training Procedure, understands that Vendor Management, Compliance, and Information Security must be involved organically in the deployment and maintenance of all branchless banking assets.

3. All personnel possess a general awareness of our branchless banking programs. All management teams and related functional departments must understand and be prepared to manage those risks that are inherent in branchless banking and functional areas related to banking activities.

[Branchless Banking / E-commerce] Committee

Note: Many banks use existing committees as the Branchless Banking Committee. If this is the case, it should be documented in this section.

[Through this policy, the Board of Directors appoints] or [Each year in the annual appointment meeting, the [Board of Directors / Information Security Officer / Chief Information Officer / President] will appoint] a [Branchless Banking Committee / E-commerce Committee] to govern and administer branchless banking assets. It is anticipated that these committee members will have an understanding and working knowledge of the elements of electronic banking including related electronic funds transfer issues,


managing the development of new e-commerce products, implementing new products and services, and monitoring those same processes. These Committee members will have the authority to work closely with Senior Management to communicate and implement necessary actions across product and departmental lines. Finally, committee members will work closely with the Information Security Officer to measure and report risk related to branchless banking as per policy. This policy requires that the [VP of Compliance / Compliance Officer / Internal Auditor] as well as the Information Security Officer and the [Fraud Prevention Manager / Security Officer] be formal members of the [Branchless Banking Committee / E-commerce Committee].

Note: the following is optional, and can be left to the Branchless Banking Management Procedure, though we believe that in some institutions, listing the members to sit on this committee may be more feasible if a board-level policy states the requirement.

The following positions will be required to hold membership on the [Branchless Banking Committee / E-commerce Committee].

Note: We recommend that this committee be chaired by somebody other than the Information Security Officer or Compliance Officer, such as the person most likely to “be in the loop” on new technology deployments.

• Chief Information Officer / IT Manager
• Branchless Banking Manager / VP of E-banking (Chair)
• Information Security Officer
• Compliance Officer
• Fraud Manager / Security Officer
• Vendor Management
• IS Steering Committee / Technology Committee / EDP Committee

[Branchless Banking / E-commerce] Committee Responsibilities

The [Branchless Banking / E-commerce] Committee is responsible for the implementation of branchless banking assets, management of branchless banking risk, and enforcement of branchless banking standards and controls. The Information Security Officer will document committee responsibilities in the Branchless Banking Management Procedure.


Definitions

Definition of Branchless Banking: For the purpose of this policy Branchless Banking includes all information assets used to conduct bank business outside of the branch. Such business includes communication from, to, and with customers; retrieval of information hosted by bank-owned systems; initiation and/or processing of electronic payments; marketing of bank services; etc. It also refers to the processing and transmission of digitized data, including text, signals, sound, visual images, and unique file formats. There are three broad categories of Branchless Banking Assets: Delivery Systems, Payment Processes, and Authentication Controls. Electronic payment processing includes both “traditional forms” such as ACH and Wire Transfer, as well as “mobile payment processing.”

Definition of Electronic Payment Processing: Any electronic process which transacts the movement of funds from one account to another account, either internally or externally, is considered to be electronic payment processing. There are two types of payment processing covered by this policy:

Traditional Payment Processes

• Electronic Funds Transfer
  o Electronic Wire Transfer
  o ACH Transactions
• Billpay
  o Consumer Bill Pay
  o Business Bill Pay
• Remote Deposit Capture
  o Remote Capture Deposit

Mobile Payment Processes

• P2P
• Scan and Pay
• Zashcash, Square
• Paypal
• Consumer Capture

Though we distinguish mobile from traditional payment processing, the provisions of this policy cover both forms equally. Future forms of payment processing, as they arise, will also be covered by this policy.

Note: remove any references to assets which are not in place at the institution at this time, and then delete this text box!


Definition of Delivery Systems: The hardware/software combined to create a “system” used to conduct branchless banking is considered to be a “delivery system.” Examples of delivery systems currently owned by the institution are as follows:

• ATMs
• Kiosks
• Telephone Banking
• Web Presence
  o Marketing Website
  o On-line Banking
  o Commercial On-line Banking
  o Wireless Banking
  o Social Media Presence (Facebook, Twitter, LinkedIn, Google+)
• Remote Access
  o Secure Messaging
  o Virtual Private Networks
  o Remote Desktop Control
  o Extranet (portal, Sharepoint)
  o Outlook Web Access
• Mobile Devices
  o Bank-owned
  o BYOD (Employee-owned devices hosting bank-owned information)

Note: remove any references to assets which are not in place at the institution at this time, and then delete this text box!


Definition of Authentication Controls: The physical and digital tools used to confirm the identity and authority of a user to conduct a certain transaction are considered to be “authentication controls.” There are three “factors” of authentication controls:

• What you know authentication.
• What you have authentication.
• Who you are authentication.
• Where you are authentication.

Examples of “what you know” authentication controls are as follows:

• Login Credentials (user name, password)
• Challenge Questions
• Out-of-pocket Questions
• Power-on authentication (for mobile devices)

Examples of “what you have” authentication controls include:

• ATM cards
• Credit cards
• Debit cards
• IP Address, MAC Address
• Tokens (Hard and Soft)
• Cell or Smart Phone

Examples of “who you are” authentication controls include:

• Thumbprint scanners
• Retinal Scanners
• Handprint Scanners

Examples of “where you are” authentication controls include:

• GPS Position
• IP Address

Authentication controls will be applied to assets according to risk. However, the Board of Directors recognizes that the institution is in most cases reliant upon our vendor to make controls available. Meanwhile, controls vary in cost. Thus, authentication controls will be applied according to risk, availability, and return on investment. The Board of Directors understands that at times the institution will elect to accept risk for which there are controls available but at a cost that does not warrant the level of risk mitigation such controls would produce. In these cases, the accepted risk will be presented to the Board of Directors as a result of the Annual Authentication Risk Assessment described below.


Policy Statements

Inventory of Assets: The Information Security Officer will keep an inventory of all branchless banking assets. For each asset, the Information Security Officer will track criticality and risk, privacy policy disclosure requirements, and applicable laws and regulations. The Information Security Officer will also document strategic issues with each asset. This documentation will be updated annually, as well as when new assets are deployed or major changes are made to existing assets or existing strategies for the branchless banking assets.

Legal and Regulatory Risk: This policy requires the institution to comply with all federal and state electronic commerce laws. Uncertainty related to how branchless banking can be impacted by laws, regulations, and jurisdiction issues creates a high level of legal and regulatory risk. To mitigate this risk, a multidisciplinary team, which includes the Compliance Officer / Legal Counsel, must be involved in the deployment of any new branchless banking assets. The Information Security Officer will create a Branchless Banking Management Procedure which tracks the laws and regulations impacting branchless banking assets.

Authentication: Given the nature of branchless banking, “authentication” as a security control increases in importance. Authentication is the act of confirming the identity and authority of a user to access specific information assets. The Information Security Officer will work with the [Chief Information Officer / Branchless Banking Committee / E-commerce Committee] to maintain an inventory of authentication controls and ensure that appropriate controls are applied to the most critical of assets in accordance with regulations, risk, availability, and return on investment.

Annual Authentication Risk Assessment: This policy requires an Annual Authentication Risk Assessment to inventory and determine criticality of all assets requiring authentication based on the risk factors articulated in the 2005 FFIEC Authentication Guidance. The Information Security Officer will create a Branchless Banking Management Procedure that articulates how the [Chief Information Officer / Branchless Banking Committee / E-commerce Committee] will inventory authentication controls, calculate residual risk after the application of those controls, and report accepted risk to the Board of Directors annually.

Drill-down Risk Assessments: Whenever a new branchless banking technology is investigated, Management will be trained to involve the Information Security Officer so that a “drill-down risk assessment” can be performed on the new technology, as per our IT Governance Policy.

Privacy Disclosure: Statement of On-line Privacy Practices: The issue of privacy of electronic information encompasses individual transactions as well as the commercial information transactions that support general financial activities such as financial settlement arrangements, electronic fund movement, data exchanges, and financial information related to national and/or global economic elements that affect commerce. The Branchless Banking Management Procedure will explain how the Information Security Officer intends to track assets requiring privacy disclosure. Whenever possible, at the time a customer enrolls in a branchless banking service, which encompasses the use of electronic banking channels, the online privacy policy notice will be provided.

Electronic Records Retention: Working with the [Chief Information Officer / Branchless Banking

infotex 82

Page 84: Goin’ Mobile, Not Nuts! · Mobile Web Features •Browser Based • Reformats for the small screen size • Subset of your existing on-line banking features. • Sometimes will

Information Security Policies Effective: xx/xx/xx Created/Revised: yy/yy/yy Branchless Banking Policy Owner: Title Here

Committee / E-commerce Committee], the Information Security Officer will create and maintain procedures that ensure proper record retention for all branchless banking assets. These procedures [may be documented in the Electronic Records Retention Procedure. / may be documented within existing record retention procedures.] Training: The Information Security Officer, working with the [Chief Information Officer / Branchless Banking Committee / E-commerce Committee] and Management, will ensure that training is appropriately provided at all levels of the organization. High likelihood vulnerabilities, policies, procedures, controls, and top risks will be incorporated into existing awareness programs for the Board of Directors, Management Team, Technical Staff, E-commerce Team, Users, Vendors, and Customers. Insurance: In conjunction with the risk management process, after debriefing, Management will review insurance requirements with the goal of transferring high and critical residual risk where impact is high. The [bank’s / credit union’s] annual insurance assessment review should evaluate the bank’s branchless banking functions along with all information system processing. The level of insurance coverage and types of coverage will be evaluated no less often than annually. Vendor Management: Branchless banking assets usually involve engagement with third parties that will either access or host non-public customer information. Because of this, all vendors of branchless banking assets must undergo the threshold analysis as per the Vendor Management Policy prior to engagement. The Management Team will be trained to involve the Information Security Officer whenever a new vendor is considered. Remote Access: The institution approves the provision of remote access functionality to various users using various technologies. 
The Information Security Officer will inventory the types of remote access provided to each user type, along with the risk created by such access, as well as the controls in place to mitigate such risk. Such risk will be documented in the Annual Authentication Risk Assessment. The Branchless Banking Management Procedure will declare controls that must be in place (by the institution and remote users) prior to granting remote access, as well as the approval process for granting such access. This policy requires documentation of such approval in the form of an agreement to comply with institution policies and procedures. Portable Devices: The Information Security Officer, working with the [Chief Information Officer / Branchless Banking Committee / E-commerce Committee] and Management, will document procedures, actions, controls, and guidelines for securing information that may find its way onto portable devices, also known as mobile devices (such as laptops, cell phones, iPads, etc.) both owned by the institution as well as portable devices owned by employees. All employees issued a portable device owned by Name of Financial Institution must review and sign off on a Portable Devices Security Procedure that is written and maintained by the Information Security Officer. This procedure will define what we mean by “portable devices.” All employees allowed to store sensitive information owned by Name of Financial Institution on portable devices must also sign off on that procedure. Business Customers Required to Use Business Account: If your institution requires sole proprietors and personal businesses to use business accounts for business transactions, you should refer to it here. If you do not have a policy such as this, you should consider it (for legal and fraud risk mitigation purposes at the least). This document may not the appropriate place for such a policy, but should refer to it if it exists. 
Or, if you prefer to include this language in this policy, consider the following:

The Retail and Business application platforms differ, with stronger security features built into the Business application than into the Retail application. Thus, it is Name of Financial Institution’s policy to require that sole proprietors and businesses use a business checking account instead of a personal checking account. This will be enforced by [CSRs and Tellers] upon noticing a regular stream of deposits that look business-related. The teller will inform a [CSR], who will contact the customer to explain the risk mitigation benefits of the business account, and then require the customer to establish a new account.

Required Content: Various branchless banking assets must present specific content in order to be in compliance with various laws and regulations. For example, weblinking relationships (where the bank links to websites outside of the bank’s control) must be accompanied by a warning prior to sending the user to the third-party website. The Information Security Officer will maintain a required content checklist for all branchless banking assets to ensure that as assets are improved, modified, updated, and maintained, the required content does not get dropped.

Disaster Recovery: All branchless banking assets will be considered in the institution’s disaster recovery program. Assets managed by third parties will require disaster recovery scrutiny as per the institution’s Vendor Management Program.

Audit Requirements: This policy requires that appropriate and timely tests, audits, and evaluations be conducted of the bank’s branchless banking resources to determine compliance with policies and with our regulatory, legal, fiduciary, and contractual obligations. The use of self-assessment and peer reviews as a cost-effective mode of examination is supported, but these should be used to supplement, not replace, formal reviews by third parties, either internal or external.

Monitoring: All branchless banking assets (which include transactions as inventoried in the Annual Authentication Risk Assessment) will be monitored, using techniques determined by the [Branchless Banking / E-commerce] Committee, for unusual and/or fraudulent activity. The extent of monitoring will be determined based upon risk and regulations.

Adoption of New Branchless Banking Technologies: [Executive Management / Senior Management / The Management Team], with the guidance of the [Chief Information Officer / Information Security Officer / Branchless Banking Committee / IS Steering Committee / EDP Committee / Technology Committee], will determine where the institution stands on the adoption of new technologies in general, and specifically for each new branchless banking technology as the opportunity to adopt presents itself.

Privacy Policy Training: Management and staff will receive in-depth ongoing training pertaining to Name of Financial Institution’s [Privacy Policy / Privacy Statement / On-line Customer Privacy Policy]. The Information Security Officer will ensure this training is integrated with normal User Awareness Training. Periodically, this training will be provided as a refresher to all management and staff. It is critical that all new hires receive this training before having access to any customer information. Training schedules will be established and monitored by the [Information Security Officer / Training Coordinator / HR Manager].


Concluding Sections

The following sections may or may not apply to your institution, depending upon your own policy/procedure development protocols. However, we do strongly urge you to include the distribution list, policy owner, and policy reviewers sections for your convenience and to ensure appropriate review and training. Please remove this section.

Reporting to the Board

The Internal Auditor will report to the Board on an annual basis that all policies listed above have been reviewed for completion, enforcement, and training. Specifically, this report will indicate that all policies listed above have been updated. The report will list deficiencies related to enforcement of the policies and procedures above, as well as indicate the level of training provided to members of the various teams affected by the policies and procedures listed above. The Board of Directors will also receive summary reports of examinations, audits, and other assessments of the risk inherent in information security as they are required.

Storage of Policies and Procedures

The Information Security Officer is responsible for maintaining current copies of all information security related policies and procedures. These will be stored [state method and location] and an electronic copy will be stored off-site [state location]. The electronic copy will be updated annually (in December) as well as on an as-needed basis any time there is a major revision of a particular policy or procedure.

Status Reporting

The Information Security Officer must report to the Board of Directors on an annual basis the status and enforcement of the Risk Management Policy, Information Security Strategy, and other Board-level policies.

Contribution to Control Objectives for Information Technology

Enforcement of this procedure contributes to the achievement of CobiT:

PO1: Define a strategic IT plan.
PO2: Define the information architecture.
PO3: Determine technological direction.
PO5: Manage the IT investment.


Noncompliance

Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of Name of Financial Institution’s Information Resources access privileges, and civil and/or criminal prosecution.

Distribution List

The following positions will receive this policy and any changes to this policy:

• Board of Directors
• [EDP / IT Steering / Technology Steering] Committee
• Branchless Banking Committee

List those individuals. Consider establishing an e-mail alias corresponding to the individuals.

Storage of Policy

The active copy of this policy will be stored in the [list location of policy].

Note: We recommend that the Financial Institution develop a method of off-site, on-line, secure storage of policies and procedures, such as in a portal, mirrored intranet site, etc.

Policy Owner

Title Here

(Note: If you document the policy owner in the header, this section would be redundant.)

Policy Reviewers

• [EDP / IT Steering / Technology Steering] Committee
• Branchless Banking Committee


Related Policies / Procedures / Tools

• Asset Management Program At-large
  o Branchless Banking Sub-program
    – Branchless Banking Policy
    – Branchless Banking Management Procedure
    – Mobile Devices Security Procedure
    – Remote Access Procedure
    – Public Presence Elements Checklist
    – Standards for Branchless Banking Regulations
    – Branchless Banking Risk Assessment Guidelines
    – Branchless Banking Monitoring Guidelines
    – Remote Access Authorization Agreement
    – Authentication Risk Assessment
      · Branchless Banking Asset Inventory
      · Authentication Controls Inventory
      · Asset Criticality Analysis
  o License Management Procedure
  o Network Diagram and System Documentation Procedure
  o System Inventory / Asset Inventory

• Other Programs
  o Customer Awareness Training Strategy
  o Drill-down Risk Assessments
    – Wireless Banking
    – Social Media
    – Mobile Devices
    – On-line Banking
    – Remote Deposit Capture
    – Remote Access


Today’s Agenda

• The Branchless Bank
• Workshop and the Workbook
• Mobile Risk
• FFIEC Requirements (related to Mobile Security)
  – Okay, we’re done!
  – What they do have
  – Branchless Banking Policy
  – Branchless Banking Management Procedure


Management Procedure

• Enforces the Branchless Banking Policy.

• Anything that was not a policy statement but was still documented was put into this document.


Management Procedure

• Establishes the requirement to analyze asset categories.

• Inventories the regulations which impact categories.


Management Procedure

• Calls for three guideline documents:
  – Standards for Branchless Banking Regulations
  – Branchless Banking Risk Assessment Guidelines
  – Branchless Banking Monitoring Standards


Should we take a break?


The Workbook


Branchless Banking Management Procedure


Asset Management Program: Branchless Banking Subprogram Effective: xx/xx/xx Created/Revised: yy/yy/yy Branchless Banking Management Procedure Owner: Title Here

Insert Financial Institution Name / Logo

Branchless Banking Management Procedure (Approved During DD/MM/YY [EDP / Branchless Banking / IT Steering / Technology] Committee Meeting)

Classified: Internal Use Contact if found: Name, Title

Name of Financial Institution City, State


Procedure Scope

This procedure applies to all Name of Financial Institution’s directors, management team, employees, temporary workers, contractors, and consultants. The Information Security Officer is responsible for overseeing the development, implementation, and maintenance of this procedure. It should be reviewed at least annually to ensure relevant information is appropriately considered. Senior Management is responsible for enforcing this procedure. For questions concerning this procedure, see Senior Management.

Introduction

Studies show that on average more than 70% of bank transactions are now initiated “outside the branch.” Branchless banking has become the corporate vehicle for a wide range of products, services, marketing activities, and management techniques. This procedure intends to ensure branchless banking operations remain safe, secure, accurate, compliant, and aligned with the bank’s overall business mission. The procedure encompasses all “branchless banking assets,” meaning that it oversees all functions of electronic banking, including internet banking, online bill payment, online cash management, telephone banking, mobile banking, ATMs, debit cards, etc.

The Board of Directors and Senior Management recognize the need to establish and implement policies and procedures with respect to branchless banking activities. While there are inherent risks with any type of banking activity, the benefit of diversifying banking channels offers our customers more flexibility in traditional bank transactions such as accessing funds, making deposits, requesting information for products, or applying for loans. Likewise, with the right approach, branchless banking can streamline customer services, helping customers manage liquidity or handle other banking transactions, potentially reducing exposure to security and fraud risks, and thus generating more income for the institution.

Objective

The objective of this procedure is to enforce the Branchless Banking Policy, which is a board-level policy. This procedure will establish guidelines for Name of Financial Institution’s involvement in branchless banking systems, which are emerging and increasingly important banking activities because of increasing competition, growing demand for the more efficient and convenient capabilities offered by “wireless communications,” and accelerating cost differentials between internet capabilities and traditional delivery channels.

The Branchless Banking Policy requires the establishment of branchless banking as a function of the overall strategic plan of Name of Financial Institution, so that the objectives of branchless banking remain consistent with the overall business objectives of the institution. The policy also requires that management appropriately manage risks in compliance with industry standards, vendor recommendations, and applicable laws and regulations. The policy defines what the institution means by branchless banking, and addresses how electronic payment processing fits into the branchless banking environment. Finally, the policy provides a framework for management to use when addressing new banking technologies as they arise.


Authority

In the Branchless Banking Policy, the board appointed the Information Security Officer as the person authorized to maintain and enforce the policy, as well as to propose amendments to the policy and associated procedures. The board required the Information Security Officer to create and maintain this procedure. The board also [authorized / appointed] the [Chief Information Officer / Branchless Banking Committee / E-commerce Committee] as the person authorized to manage the implementation of new branchless banking technologies as well as the maintenance of existing technologies, consistent with the policy. The Branchless Banking Policy also requires the Information Security Officer to report all critical and high risks associated with branchless banking as part of the institution’s normal information technology risk management practices. The policy authorizes the Compliance Officer to ensure appropriate compliance with all regulations that cover branchless banking assets.

Definitions

Definition of Branchless Banking: For the purpose of this procedure, Branchless Banking includes all information assets used to conduct bank business outside of the branch. Such business includes communication from, to, and with customers; retrieval of information hosted by bank-owned systems; initiation and/or processing of electronic payments; marketing of bank services; etc. There are three broad categories of assets: Delivery Systems, Payment Processes, and Authentication Controls. Electronic payment processing includes both traditional forms as well as “mobile payment processing.”

Definition of Electronic Payment Processing: Any electronic process which transacts the movement of funds from one account to another account, either internally or externally, is considered to be electronic payment processing. There are two types of payment processing covered by this procedure:

Traditional Payment Processes
• Electronic Funds Transfer
• Electronic Wire Transfer
• ACH Transactions
• Billpay / Consumer Bill Pay
• Business Bill Pay
• Remote Deposit Capture
• Remote Capture Deposit

Mobile Payment Processes
• P2P
• Scan and Pay
• Zashcash
• Square
• Paypal
• Consumer Capture

Note: remove any references to assets which are not in place at the institution at this time, and then delete this text box!


Though we distinguish mobile from traditional payment processing, the provisions of this procedure cover both forms equally. Future forms of payment processing, as they arise, will also be covered by this procedure.

Note: The board recognizes that for the next few years, branchless banking assets are going to be dynamic and deployed on a much more frequent basis than the required annual update to this policy. Since the board will be kept informed of new assets through escalation of risk and other reporting requirements, this policy does not need to be updated each time new payment processes are deployed.

Definition of Delivery Systems: The hardware/software combined to create a “system” used to conduct branchless banking is considered to be a “delivery system.” Examples of delivery systems currently owned by the institution are as follows:

• ATMs
• Smart ATMs
• Kiosks (assets accessed by customers)
• Telephone Banking
• Web Presence
  o Marketing Website
  o On-line Banking / Retail Banking
  o [Business / Commercial] On-line Banking
  o Mobile Banking / Wireless Banking
  o Bank-owned Social Media Presence
    – Facebook
    – Twitter
    – LinkedIn
    – Google+ / etc.
• Remote Access
  o Secure Messaging
  o Virtual Private Networks
  o Remote Desktop Control
  o Extranet (portal, Sharepoint)
  o Outlook Web Access (OWA)
• Mobile Devices
  o Bank-owned (Issued Devices)
  o Authorized Devices or employee-owned devices hosting bank-owned information (sometimes referred to as Bring Your Own Devices or BYOD)

Note: The board recognizes that for the next few years, branchless banking assets are going to be dynamic and deployed on a much more frequent basis than the required annual update to this policy. Since the board will be kept informed of new assets through escalation of risk and other reporting requirements, this policy does not need to be updated each time new delivery systems are deployed.

Note: remove any references to assets which are not in place at the institution at this time, and then delete this text box!

Note: Consider adding assets that you know will be deployed in the next year, with (to be implemented in the future) after the asset name. Then delete this text box!


Definition of Authentication Controls: The physical and digital tools used to confirm the identity and authority of a user to conduct a certain transaction are considered to be “authentication controls.” There are four “factors” of authentication controls:

• What you know authentication.
• What you have authentication.
• Who you are authentication.
• Where you are authentication.

Examples of “what you know” authentication controls include:

• Login Credentials (user name, password)
• Challenge Questions
• Out-of-pocket Questions
• Power-on authentication or Screen Lock (for mobile devices)

Examples of “what you have” authentication controls include:

• ATM cards
• Credit cards
• Debit cards
• IP Address, MAC Address
• Tokens (Hard and Soft)
• Cell or Smart Phone

Examples of “who you are” authentication controls include:

• Thumbprint scanners
• Retinal Scanners
• Handprint Scanners

Examples of “where you are” authentication controls include:

• GPS Position
• IP Address

Hardware Identification authentication:

• Machine identification, processor, memory
• IP address
• OS Version
• Browser Version

Authentication controls will be applied to assets according to risk. However, the Board of Directors recognizes that the institution is in most cases reliant upon our vendor to make controls available. Meanwhile, controls vary in cost. Thus, authentication controls will be applied according to risk, availability, and return on investment. The Board of Directors understands that at times the institution will elect to accept risk for which there are controls available, but at a cost that does not warrant the level of risk mitigation such controls would produce. In these cases, the accepted risk will be presented to the Board of Directors as a result of the Annual Authentication Risk Assessment described below.

Note: The board recognizes that for the next few years, branchless banking assets are going to be dynamic and deployed on a much more frequent basis than the required annual update to this policy. Since the board will be kept informed of new assets through escalation of risk and other reporting requirements, this policy does not need to be updated each time new authentication controls are deployed.

Management Team Awareness

It is the responsibility of the [Chief Information Officer / Branchless Banking Committee / E-commerce Committee] to ensure that:

1. Senior Management develops and maintains an understanding and working knowledge of branchless banking activities, and the need to involve the Information Security Officer in the deployment of new assets.

2. Senior Management understands that Vendor Management, Compliance, and Information Security must be involved in the deployment and maintenance of all branchless banking assets.

3. All personnel possess a general awareness of our branchless banking programs. All management teams and related functional departments must understand and be prepared to manage those risks that are inherent in branchless banking and functional areas related to banking activities.

[Branchless Banking / E-commerce] Committee

Note: Many banks use existing committees as the Branchless Banking Committee. If this is the case, it should be documented in this section.

The [Board of Directors / Information Security Officer / Chief Information Officer / President] has appointed a [Branchless Banking Committee / E-commerce Committee] to govern and administer branchless banking assets. It is anticipated that these committee members will have an understanding and working knowledge of the elements of electronic banking, including related electronic funds transfer issues, managing the development of new e-commerce products, implementing new products and services, and monitoring those same processes. These Branchless Banking Committee members will have the authority to work closely with Senior Management to communicate and implement necessary actions across product and departmental lines and to the Board of Directors (as resources and risk acceptance decisions are necessary). Additionally, the Branchless Banking Committee will be responsible for carefully considering the impact of any policy or procedural change in current products and services. Finally, committee members will work closely with the Information Security Officer to measure and report risk related to branchless banking as per policy. The Branchless Banking Policy also requires that the [Internal Auditor / Compliance Officer] as well as the Information Security Officer and the [Fraud Prevention Officer / Security Officer] be formal members of the [Branchless Banking Committee / E-commerce Committee]. For 2012, committee members are as follows:


List the members of the E-commerce committee here, and be sure it is congruent with any statements in your policy. Position titles, rather than names, are suggested, and we’ve suggested membership below:

VP of Operations / Chief Operations Officer VP of E-commerce / E-commerce Administrator Chief Information Officer / IT Manager / MIS Director / Director of IT Information Security Officer / Vendor Management Compliance Officer

[Branchless Banking / E-commerce] Committee Responsibilities The [Branchless Banking / E-commerce] Committee is responsible for the implementation of branchless banking assets, management of branchless banking risk, and enforcement of branchless banking standards and controls. The Information Security Officer will document committee responsibilities in the Branchless Banking Management Procedure. Responsibilities include:

1. Being prepared to attend [monthly meetings / meetings as-needed] by reviewing the meeting agenda published in advance by the [Chief Information Officer / Information Security Officer / Compliance Officer / IT Manager], contributing to the meeting, and reviewing minutes of the meeting prepared by the [Chief Information Officer / Information Security Officer / Compliance Officer / IT Manager] as necessary.

2. Developing branchless banking programs with business strategy alignment, customer convenience, return-on-investment, and risk management as primary priorities.

3. Development of risk management controls, including physical protection safeguards to protect branchless banking resources and facilities; procedural safeguards for information; access management safeguards, and other safeguards as required by other IT Governance policies, procedures, standards and guidelines.

4. Developing business resumption plans to ensure continued processing, storage and protection of information in the event of a man-made or natural disaster.

5. Establishing, maintaining, preparing, promoting, enforcing, and measuring the effectiveness of the Branchless Banking Policy and Procedure and their related standards, guidelines, and tools. Ensuring branchless banking asset deployments comply with existing IT Governance Policies and Procedures. Supporting the activities of the Information Security Officer to ensure adherence to documented policies, procedures, guidelines and standards.

6. Participating in a drill-down risk assessment for new branchless banking assets.

7. Performing periodic assessments of branchless banking related controls, which may include:

a) Input and output controls; verification and data validation controls; reconciliation controls;

b) Authentication controls;

c) Physical security controls;

d) Systems internal controls; data transmission controls;

e) Personnel controls; and

f) Data storage and destruction controls, including reviewing access permissions for users as per the existing [Access Management Procedure.]

8. Ensure compliance with all federal and state regulations.


9. Developing and maintaining knowledge on the requirements, resources, applicable protection technology, industry “best practices” and administrative procedures pertaining to branchless banking technologies.

10. Establishing and maintaining a corporate strategy and architecture for all branchless assets.

11. Providing assistance, support and guidance to those individuals responsible for developing and implementing specific branchless banking technologies.

12. Maintaining a detailed list of regulations or laws impacting branchless banking programs, and ensuring compliance with all federal and state banking laws and regulations.

Risk Management

The [Branchless Banking / E-commerce] Committee is required to work with the Information Security Officer to manage technology and information risks arising from branchless banking assets. These responsibilities include addressing the following issues:

Inventory of Assets: The Information Security Officer will keep an inventory of all branchless banking assets. For each asset, the Information Security Officer will track criticality and risk, privacy policy disclosure requirements, and applicable laws and regulations. The Information Security Officer will also document strategic issues with each asset. This documentation will be updated annually, as new assets are deployed, and as major changes are made to existing assets or to existing strategies for the branchless banking assets. This documentation is currently kept in the Authentication Risk Assessment.

Authentication: Authentication is the act of confirming the identity and authority of a user to access specific information assets. Given the nature of branchless banking, “authentication” as a security control increases in importance.

The Information Security Officer will work with the [Chief Information Officer / Branchless Banking Committee / E-commerce Committee] to maintain an inventory of authentication controls and ensure that the most robust controls are applied to the most critical of assets in accordance with regulations. The inventory of authentication controls, including inherent and residual risk rankings, by branchless banking asset, is included in the Authentication Risk Assessment.

Annual Authentication Risk Assessment: The Branchless Banking Policy requires an Annual Authentication Risk Assessment to determine criticality of all assets requiring authentication based on the risk factors articulated in the 2005 FFIEC Authentication Guidance. The Information Security Officer will create a Branchless Banking Management Procedure that articulates how the [Chief Information Officer / Branchless Banking Committee / E-commerce Committee] will inventory authentication controls, calculate residual risk after the application of those controls, and report accepted risk to the Board of Directors annually. Prior to deploying new branchless banking assets, the Information Security Officer will update the Authentication Risk Assessment.

Updated risk assessments should consider, but not be limited to, the following factors: changes in the internal and external threat environment, including those discussed in the Appendix to the June 2011 Supplement; changes in the customer base adopting electronic banking; changes in the customer functionality offered through electronic banking; and actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry.


Drill-down Risk Assessments: Whenever a new branchless banking technology is investigated, the Information Security Officer will lead the [Branchless Banking / E-commerce] Committee through a “drill-down risk assessment” process PRIOR TO IMPLEMENTATION so that new controls can be planned and installed on a timely basis. (Note: some banks will not put the three words “prior to implementation” in all-caps, and may even choose to use the language “whenever possible” or “prior to implementation whenever possible.” Other banks, who feel there are too many “rogue technology acquisitions,” will choose to use all-caps.) The Branchless Banking Policy requires that Management be trained to involve the Information Security Officer on any and all new branchless banking technology deployments.

Insurance: In conjunction with the risk management process, after debriefing, Management will review insurance requirements with the goal of transferring high and critical residual risk where impact is high. The [Information Security Officer / Risk Management Officer / President / Internal Auditor / Compliance Officer] will report to the [Branchless Banking / E-commerce] Committee how insurance is being used to transfer risk on an annual basis.

Vendor Management: Branchless banking assets usually involve engagement with third parties that will either access or host non-public customer information. Such engagement exposes the institution to risk based on the practices of the vendors we engage with. Because of this, all vendors of branchless banking assets must undergo the threshold analysis as per the Vendor Management Policy prior to engagement. The Management Team will be trained to involve the Information Security Officer anytime a new vendor is considered. Vendors of all branchless banking assets are documented in the Authentication Risk Assessment.
Legal and Regulatory Risk: The Branchless Banking Policy requires the institution to comply with all federal and state electronic commerce laws. Uncertainty related to how branchless banking can be impacted by laws, regulations, and jurisdiction issues creates a high level of legal and regulatory risk. To mitigate this risk, a multidisciplinary team, which includes the Compliance Officer / Legal Counsel, must be involved in the deployment of any new branchless banking assets. The Information Security Officer will document which laws apply to assets in the Authentication Risk Assessment. The following is a list of laws and regulations that could impact the implementation of branchless banking assets.

Applicable Laws

• BSA / AML
• Children’s On-line Privacy Protection Act (COPPA)
• CTF
• ADA
• EFT Act (see Reg E below)
• E-Sign Act
• FACTA (and the Red Flags Rule)
• GLBA
• OFAC
• UCC Article 4A
• US Patriot Act (CIP and KYC)


Applicable Regulations

• Regulation B, Equal Credit Opportunity
• Regulation CC, Availability of Funds and Collection of Checks
• Regulation DD, Truth in Savings
• Regulation E, Electronic Fund Transfers
• Regulation M, Consumer Leasing
• Regulation Z, Truth in Lending
• 2005 FFIEC Guidance on Authentication (and the 2011 Supplement)

The Information Security Officer will track which branchless banking assets are impacted by which regulations in the Authentication Risk Assessment. The E-commerce Committee, led by the [Information Security Officer / Compliance Manager], will maintain a Standards for Branchless Banking Regulations document.

Monitoring: The FFIEC’s June 2011 Supplement to the 2005 Authentication Guidance clearly establishes objectives and standards for monitoring branchless banking assets to detect and respond to potential fraudulent activity. The E-commerce Committee will comply with this supplement. Assets with residual risk that is critical or high will be monitored closely for unusual and/or fraudulent activity. Monitoring techniques will be determined by the [Branchless Banking / E-commerce] Committee. Activities and plans for monitoring are documented in the Monitoring Standards document maintained by the Information Security Officer.

Privacy Disclosure: Statement of On-line Privacy Practices

Note: If your Privacy Policy already has a component meant for the bank, consider removing this section. See suggested replacement language at the bottom of this section.

The issue of privacy of electronic information encompasses individual transactions as well as the commercial information transactions that support general financial activities such as financial settlement arrangements, electronic fund movement, data exchanges, and financial information related to national and/or global economic elements that affect commerce. To assist each Name of Financial Institution customer (existing or potential) in understanding electronic banking and online privacy issues, to detail specific customer rights and choices, plus to provide each customer the option to access his or her own information, a [Privacy Policy / Privacy Statement / Online Customer Privacy Notice] will be provided to the customer. This statement reflects Name of Financial Institution’s online privacy principles, and the statement addresses these basic privacy principles:

• Recognition of a customer’s expectation of privacy.
• Notice detailing information practices before any personal information is collected.
• Use, collection, and retention of customer information.
• Security and accuracy of consumer information collected, protecting against unauthorized access to information, security to prevent unauthorized disclosure of information, and protection against loss of information.
• Limiting employee access to customer information.
• Restrictions on the disclosure of account information.
• Maintaining customer privacy in business relationships with third parties.
• Disclosure of privacy principles to customers.

The online privacy practices notice parallels the internal operational policies, procedures, and controls of Name of Financial Institution. Whenever possible, at the time a customer enrolls in a branchless banking service, the [Privacy Policy / Privacy Statement / Online Customer Privacy Notice] will be provided EVEN IF NOT REQUIRED BY REGULATIONS. The Authentication Risk Assessment will document which assets require privacy policy disclosures at the point of engagement.

Note: If your Privacy Policy already has a component meant for the bank, this section can merely be: Management will ensure, through all branchless banking operations, that privacy disclosure requirements as documented in the [Privacy Policy / Privacy Statement / Online Customer Privacy Notice] are met.

Communicating the Offer of and Enforcement of Customer Choice on Data Sharing: Each time the [Privacy Policy / Privacy Statement / Online Customer Privacy Notice] is delivered to a customer, the customer will be required to provide a noted acknowledgment that he or she received a copy of the [Privacy Policy / Privacy Statement / Online Customer Privacy Notice]. Failure to acknowledge receipt of the notice or an unwillingness to provide a choice of data sharing must result in our refusal to provide the customer with branchless banking services. Subsequently, Name of Financial Institution will provide periodic update awareness advisories regarding online privacy issues and our efforts to ensure that proper controls are in effect, as per our Customer Awareness Training Strategy. The [Information Security Officer / IT Steering Committee / Compliance Officer] will ensure that these notices are provided as needed.

Customer Requests to See Account Information: As provided by our [Privacy Policy / Privacy Statement / Customer Online Privacy Practice Notice], a customer will have the opportunity to access collected information and review it for potential errors in a timely, inexpensive manner.
Data accuracy is important not only for each customer, but also for reducing reputation and strategic risks arising from reporting erroneous data about customers. For each customer request to see account information pertaining to potential errors, researching lost data, and/or providing opportunities for customers to review data profiles for a specific product or service, data confidentiality and assurance of customer identity must be assured. Using procedures defined in our Acceptable Use Policy, specifically those related to “authenticating customers,” employees must ensure the identity of the individual or customer requesting account information prior to releasing any information.


Customer Complaints and Resolutions: Be sure to shop this next section to the appropriate person so that it can be accurately aligned with existing customer complaint tracking procedures. Using procedures in compliance with Regulation E, any complaint, exception, or security violation will be investigated, with appropriate documentation retained. The [Customer Service Department / Branch Manager] will use existing troubleshooting procedures to track all customer online privacy complaints.

Management Reporting Systems: To ensure proper online functionality and oversight, some examples of management reporting systems that should be instituted and maintained include:

• Description of each electronic banking activity by product or service (e.g., ATMs, Internet Banking).
• Detailed performance analysis of current period, prior period, and related benchmarks.
• Downtime due to equipment failure, maintenance, etc.
• Security infractions.
• Customer complaints.
  o Number of customer accounts opened or closed.
  o Any status memos warranted.
  o Related risk management reports.
• Outstanding control, documentation, audit, exception reports.
• Controls review reports.

The above list is a summary of minimum reports and should not be considered all-inclusive. The departments creating the reports should maintain copies of the reports.

Records Retention: Portions of or all assets contained within Branchless Banking may be subject to Name of Financial Institution’s established record retention policies and procedures as documented in our [Record Retention Procedure / E-discovery Procedure / Record Retention and E-discovery Procedures] as well as our Destruction of NPI Procedure. Any decisions regarding record retention must adhere to laws and regulations regarding the retention of various records. Working with the [Chief Information Officer / Branchless Banking Committee / E-commerce Committee], the Information Security Officer will create and maintain procedures that ensure proper record retention for all branchless banking assets. These procedures [are documented in the record retention procedure / destruction of NPI procedure / record retention policy].

Disaster Recovery: All branchless banking assets will be considered in the institution’s disaster recovery program. Assets managed by third parties will require disaster recovery scrutiny as per the institution’s Vendor Management Program.


Audit Requirements: The Branchless Banking Policy requires that appropriate and timely tests, audits and evaluations be conducted of the bank’s branchless banking resources to determine compliance with policies and our regulatory, legal, fiduciary and contractual obligations. The use of self-assessment and peer reviews as a cost-effective mode of examination is supported, but these should be used to supplement, not replace, formal reviews by third parties, either internal or external. The Branchless Banking assets will fall under one or more of the following audit processes defined by Name of Financial Institution:

• The IT Audit Program may set the timing for branchless banking audits.
• Internal Audit performs standalone audits on the various channels of branchless banking defined by the IT Audit Program.
• 3rd-party and/or regulatory audits/examinations.

Required Content: Various branchless banking assets must present specific content in order to be in compliance with various laws and regulations. For example, “weblinking relationships” (where the bank links to websites out of the bank’s control, see below) must be accompanied by a warning prior to sending the user to the third-party website. The Information Security Officer will maintain a required content checklist for all branchless banking assets to ensure that as assets are improved, modified, updated and maintained, the required content does not get dropped.

Training: The Information Security Officer, working with the [Chief Information Officer / Branchless Banking Committee / E-commerce Committee] and Management, will ensure that training is appropriately provided at all levels of the organization. High-likelihood vulnerabilities, policies, procedures, controls, and top risks will be incorporated into existing awareness programs for the Board of Directors, Management Team, Technical Staff, E-commerce Team, Users, Vendors, and Customers. The [AUP / Internet Banking Operations Manual / Awareness Training PowerPoint Presentation / User Awareness Procedure / Management Awareness Procedure] are all documents involved in the training process that must be updated as new branchless banking assets are deployed. A [Customer Awareness Strategy] is on file documenting our existing approach, along with planned approaches, to provide the required customer awareness training for customers based on the risk-level of the customer.


Issues that need to be considered during customer awareness training include:

• How to report suspicious activity
• Vulnerabilities (specific to the branchless banking asset) and potential controls to mitigate the risk of threats exploiting such vulnerabilities
• What the bank will never do (i.e., send links in e-mail, ask for account numbers, etc.)
• Authentication Controls and “Authentication Best Practices” such as the use of strong passwords, not memorizing credentials in browsers, etc.
• E-mail vulnerabilities and the use of Secure Messaging Systems (both Internet-based like [Zix / Mailguard / Mailsafe] and application-based secure messaging)
• Billpay Provisions, Electronic Funds Transfer Provisions, Commercial Account Provisions
• Fraud Coverages and Procedures (and that commercial accounts are not covered)
• E-statements
• Fees
• Privacy Disclosures (see the separate Privacy Disclosure section)
• User Responsibilities
• Disclosures (as required by law and regulation)
• Record Retention

See the [Customer Awareness Strategy] for more details.

Authenticating New Customers: We will open new accounts consistent with our Customer Identification Program as mandated by the Bank Secrecy Act (12 USC 1951, 31 USC 5311, 31 CFR Chapter X). Procedures in the program describe how we verify the identity of the customer using documents, nondocumentary methods, or a combination of both. If we choose to open accounts via branchless banking assets, the account opening process must include:

• Positive verification to ensure that material information provided by an applicant matches information available from third-party sources
• Logical verification to ensure that information provided is logically consistent
• Negative verification to ensure that information provided has not previously been associated with fraudulent activity (e.g., an address previously associated with a fraudulent application)

All questions related to new account opening during deployment of new technologies should involve the input of the BSA Officer and the Compliance Officer.


Weblinking Weblinking occurs when we link out to a third-party site from one of our own internet-based sites. For example, many institutions link out to third-party “calculators” for the purpose of loan and retirement planning. If we choose to use weblinking relationships, we will comply with the following requirements:

The [Compliance Officer / Information Security Officer] will ensure that we comply with the Interagency Guidance on Weblinking: Identifying Risks and Risk Management Techniques issued in 2003.

We will include clear and conspicuous web page disclosures to explain our limited role and responsibility with respect to products and services offered through linked third-party web sites.

Links will be designed to use an intermediate web page to notify customers they are leaving our web site.

The [Information Security Officer / E-banking Officer / Marketing Director] will monitor the activities of linked third parties as a part of our risk management strategy. Monitoring procedures should include periodic content review and testing to ensure that links function properly, and to verify that the levels of services provided by third parties are in accordance with contracts and agreements.

Note: If the institution does not offer remote access, the following language should be adopted:

Remote Access: Remote access is prohibited at [Name of Financial Institution.] In the event we decide to change this, the process of deploying remote access will be treated as a branchless banking asset and all provisions of the Branchless Banking Policy and this procedure will apply.

If the institution has a “stand-alone” Remote Access Procedure (or Remote Access Security Procedure), the following language can be used:

Remote Access: An important branchless banking asset that needs to be monitored is “Remote Access” granted to privileged users by an approval process documented in our [Remote Access Procedure / Remote Access Security Procedure / Remote Access Standards document.] The [Branchless Banking / E-commerce] Committee will monitor this procedure for compliance and ensure that Management fully understands the approval process for granting remote access, as well as the provisions of the [Remote Access Authorization Agreement] that users are required to sign.

If the institution allows remote access, but does not have a “stand-alone” Remote Access Procedure (or Remote Access Security Procedure), the following language can be used:

Remote Access: The institution approves the provision of remote access functionality to various users using various technologies. The Information Security Officer will inventory the types of remote access provided to each user type, along with the risk created by such access, as well as the controls in place to mitigate such risk. Such risk will be documented in a “drill-down risk assessment” for remote access. Authentication risk related to remote access for various user types will also be documented in the Authentication Risk Assessment. All employees by default will have account settings set to deny remote access. Only upon approval will the account settings be changed to allow remote access. Any remote access to the Home Bank network must be reviewed and approved by [a member of the bank’s senior management / the Information Security Officer / the Branchless Banking Committee / the E-commerce Committee / the Technology Committee / the IS Steering Committee]. The Branchless Banking Policy requires documentation of such approval in the form of an agreement to comply with institution policies and procedures. The approval will be documented in the Remote Access Authorization Agreement, which will be signed by the [Information Security Officer / employee’s supervisor] and the employee. The Information Security Officer will store all signed Remote Access Authorization Agreements, will keep a list of all users with approved remote access (and type), and will monitor event logs to ensure that those logging in after business hours from outside the bank are on the approved access list.

Remote Access Types: Note: You will want to edit the following to describe the types of remote access that the bank makes available. If you make certain types available for certain entities (like VPN for vendors, OWA for all management team members, etc.) you may want to document this here as well (or in the Authentication Risk Assessment). The following remote access methods, considered by this procedure to be “remote access types,” are available:

• VPN with Remote Desktop Control
• VPN using Windows Explorer
• Outlook Web Access
• IMAP E-mail Account
• Portal, SharePoint Site
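The event-log review that the Remote Access section above assigns to the Information Security Officer, as an added example that is not part of the infotex procedure template: flag successful logins after business hours from outside the bank by users who are not on the approved remote access list, or who used a remote access type they were not approved for. The log line format, the business-hours window, the internal address ranges and the approved list are all constructed assumptions.

```python
"""Added example, not part of the infotex procedure template: review remote
access event logs for the condition the procedure asks the Information
Security Officer to monitor -- successful logins after business hours from
outside the bank by users who are not on the approved remote access list
(or who used a remote access type they were not approved for).
Log format, business hours, internal networks and the approved list are
all constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed: the approved-access list (user -> approved remote access types).
# Type names follow the procedure's "remote access types" list.
APPROVED: Dict[str, Set[str]] = {
    "jdoe": {"VPN", "OWA"},
    "msmith": {"OWA"},
}

# Constructed: address ranges treated as "inside the bank".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumption: business hours are Monday-Friday, 08:00 to 18:00 local time.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


@dataclass
class LoginEvent:
    when: datetime
    user: str
    access_type: str
    src: str
    result: str


@dataclass
class Finding:
    event: LoginEvent
    reason: str


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed log line, e.g.
    '2012-03-27T22:15:03 user=jdoe type=VPN src=203.0.113.7 result=success'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return LoginEvent(datetime.fromisoformat(ts), kv["user"], kv["type"],
                      kv["src"], kv["result"])


def is_after_hours(when: datetime) -> bool:
    """Weekends, or weekdays outside BUSINESS_START..BUSINESS_END."""
    if when.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return True
    return not (BUSINESS_START <= when.time() < BUSINESS_END)


def is_external(src: str) -> bool:
    """True when the source address is not in any internal range."""
    addr = ip_address(src)
    return not any(addr in net for net in INTERNAL_NETS)


def check_event(ev: LoginEvent, approved: Dict[str, Set[str]]) -> Optional[str]:
    """Return a reason string if the event should be reported, else None."""
    if ev.result != "success":
        return None  # failed attempts belong to a different report
    if not (is_after_hours(ev.when) and is_external(ev.src)):
        return None  # in scope only: after hours AND from outside the bank
    allowed = approved.get(ev.user)
    if allowed is None:
        return "user is not on the approved remote access list"
    if ev.access_type not in allowed:
        return f"{ev.access_type} is not an approved remote access type for this user"
    return None


def review(lines: List[str], approved: Dict[str, Set[str]] = APPROVED) -> List[Finding]:
    """Run check_event over every log line and collect the findings."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        reason = check_event(ev, approved)
        if reason:
            findings.append(Finding(ev, reason))
    return findings


# Constructed sample log (27 March 2012 was a Tuesday; 31 March a Saturday).
SAMPLE_LOG = [
    "2012-03-27T22:15:03 user=jdoe type=VPN src=203.0.113.7 result=success",      # approved
    "2012-03-27T23:02:41 user=msmith type=VPN src=198.51.100.20 result=success",  # wrong type
    "2012-03-28T01:30:00 user=rlee type=OWA src=203.0.113.9 result=success",      # not approved
    "2012-03-28T14:00:00 user=rlee type=OWA src=203.0.113.9 result=success",      # business hours
    "2012-03-27T21:00:00 user=rlee type=VPN src=10.1.2.3 result=success",         # internal
    "2012-03-31T10:00:00 user=rlee type=OWA src=203.0.113.9 result=failure",      # failed login
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.event.when} {f.event.user} {f.event.access_type} "
              f"from {f.event.src}: {f.reason}")
```

Run against the constructed sample, only the msmith VPN login (type not approved) and the rlee OWA login (user not on the list) are reported; the in-hours, internal and failed logins are filtered out before the approved list is consulted.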

Required Controls: Note: You will want to edit the following to describe the types of controls necessary for each type of remote access method being offered. This will need to be aligned with your Remote Access Authorization Agreement as well. Thus, if you offer OWA and RDC over a VPN, you will have three bullet-point sets: One for OWA, one for RDC, and one for VPN. (There can still be one Remote Access Authorization Agreement.) The following controls are required for the [remote access type here] type of remote access:

• Username and Password
• RSA Token (or other type of true two-factor authentication)
• Software based tokens
• No memorizing credentials on the endpoint.
• MAC Filtering on the Endpoint.
• Network Access Control (NAC) through [vendor name].
• AntiVirus

Asset Categorization: The Annual GLBA Risk Assessment will analyze information assets and establish asset categories for the simplification of vulnerability analysis as well as to fully understand the complexity of branchless banking assets.

Portable Devices: The Branchless Banking Policy requires that the E-commerce Committee document procedures, actions, controls, and guidelines for securing information that may find its way onto mobile devices (such as laptops, cell phones, iPads, etc.), both those owned by the bank and those owned by employees. To comply with this Branchless Banking Policy, controls will be documented in both the Acceptable Use Policy and the Portable Devices Security Procedure. Because the bank must be careful to respect the privacy of our employees, controls for bank-owned assets (including devices as well as information) will be documented in the Acceptable Use Policy and the Portable Devices Security Procedure. If bank-owned information is permitted on employee-owned devices (referred to as “Bring Your Own Device Assets” or BYOD assets), the Portable Devices Security Procedure must be signed by those employees granted this permission. The Portable Devices Security Procedure will be maintained by the Information Security Officer and reviewed annually by the [E-commerce / Branchless Banking / IT Steering] Committee.

Strategic Plan for Existing Assets: The Branchless Banking Policy requires that the E-commerce Committee document a strategic plan for all existing branchless banking assets. The strategic plan will consider the following issues:

Alignment with Business Strategy: How does the asset contribute to the business strategy of the institution?

Return on Investment Considerations: How much did the asset cost compared to expectations? How much is the asset continuing to cost and how does that compare to original expectations? What actions can be taken to get the asset more in line with cost expectations? What expectations were considered as potential benefits when the asset was originally deployed and what actions still need to be taken to ensure that these expectations are being met?

Training Objectives: Who should be trained, who will be providing the training, and how will training be provided?

Competitive Analysis: What are our close competitors doing?


Adoption of New Branchless Banking Technologies: The range of branchless banking options, or scope of electronic commerce (e-commerce), is an ever-changing environment. Each year, new branchless banking options emerge, which not only represent opportunity and the ability to be more competitive, but also represent a concern in protecting a customer’s privacy and protecting confidential personal and account information. As required by the Branchless Banking Policy, the management team has determined that the institution will adopt new technologies, in general, during the [Early Adopter / Early Majority / Late Majority / Laggard] phase of adoption, using the categories of Everett Rogers’ “Diffusion of Innovations.”

Strategic Plan for New Branchless Banking Technologies: The Branchless Banking Policy requires that the E-commerce Committee document a strategic plan for all new branchless banking technologies being considered. The strategic plan will consider the following issues:

Alignment with Business Strategy: How will the new asset contribute to the business strategy of the institution?

Return on Investment Considerations: How much will the asset cost? What expectations are emerging as potential benefits if the technology is deployed, and what actions will need to be taken after deployment to ensure that these expectations are met?

Training Objectives: Who should be trained, who will be providing the training, and how will training be provided?

Competitive Analysis: What are our close competitors doing?

Adoption Strategy (Diffusion Theory): For new technologies being considered, the strategic plan should determine when the bank wants to initiate adoption of the asset. Does the institution want to be an early adopter of the technology, an early majority adopter, a late majority adopter, or a “laggard,” meaning that the institution will not adopt the technology until well after it has stabilized?

Deployment Objectives: What is the plan for deployment? What milestones must be met? When will the asset be placed “into production” and what needs to happen in order to make that happen?

Strategic Risk: Above and beyond the drill-down risk assessment required elsewhere in this procedure, what strategic risk issues should the institution monitor related to the planned technology? What can be done to mitigate this risk? What will we consider to be minimum requirements for the deployment to be a success? When will we consider the deployment to be a failure, and what actions will be taken if the asset does not prove to meet planned expectations?


Guidelines Documents: The E-commerce Committee, through the guidance and coordination of the Compliance Officer, will maintain the following guideline documents related to managing branchless banking assets:

Standards for Branchless Banking Regulations: This document will collect the institution’s current positions, actions, and tools used to maintain the most financially viable, lowest-risk position pertaining to compliance with the various regulations impacting Branchless Banking (see applicable laws and regulations in risk management above).

Branchless Banking Risk Assessment Guidelines: This document will inventory the various drill-down risk assessments related to Branchless Banking, as well as collect procedural and position statements related to the various processes, schedules, and results of such risk assessments.

Branchless Banking Monitoring Standards: This document will inventory the various fraud monitoring techniques currently in use at the institution.

The concluding sections have been left off to save paper.


Goin' Mobile, Not Nuts! 3/27/2013


Today’s Agenda

• The Branchless Bank
• Workshop and the Workbook
• Mobile Risk
• FFIEC Requirements (related to Mobile Security)
• Drill-down Risk Assessments
• BYOD
• Pulling it all together!

In this next section


• We’ll all get on the same page about what Dan calls “drill-down risk assessments.”

• We’ll have another “drill-down agenda” about “drill-down risk assessments!”

In this next section


• We’ll look at risk for three asset categories:
 – Wireless Banking
 – Portable Devices
 – Wireless Networking


Today’s Agenda

• Drill-down Risk Assessments
 – Wireless Banking (Three Channels)
 – Portable Devices
   • Laptops (issued and authorized)
   • Smartphones (issued and authorized)
   • Tablets (issued and authorized)
 – Wireless Access Points
• BYOD
• Pulling it all together!


Drill Down Process

• Define the Asset
• Brainstorm Vulnerabilities
• Brainstorm Controls
 – Existing, Anticipated
• Measure Inherent Risk
• Measure Residual Risk
• Measure Anticipated Residual Risk
• Plan New Controls


Asset Description

• Why are we doing this?
• What’s different and the same?
• The Six Primary Questions
 – Value Proposition
 – Consumer Motivation
 – Key Vendors
 – Success Factors
 – What are others offering?


Asset Description

• What data does the asset contain?
• What is the highest classification of data?
• Where does the data come from, what happens to it while we have it, and where does it go?


Asset Description

• What are the “inherent threats?”
• What makes this asset vulnerable?
• What are the “deployment vulnerabilities?”


Portable Device Asset Inventory

• Let’s see the Spreadsheet!


Four Risk Factors

• Threats
• Vulnerabilities
• Impact Severity
• Likelihood


Threats

• Terrorists
• Hackers
• Vandals
• Scammers / Con-men / Fraudsters / Thieves
• Technology Itself
• Users / Vendors
• Nosy Neighbors
• Ex-Spouses
• Dumb Customers


Vulnerabilities

• Airplanes
• Ports
• Subway System
• Buildings
• Public Places

• Access to Accounts
• Inherent Threats
• Easy to lose
• Employees
• Customers
• See Risk Assessment


Impact Severity

• Almost 3000 people
• Financial System
• Airlines
• Convenience

• Customers’ Identities
• Time
• Convenience
• Fraud Losses
• Reputation


Likelihood

• It can happen on American Soil

• Lost Device - Very High
• Smishing - High
• Corporate Account Takeover - High
• Malware - Medium
• Hacking - Medium
• Bluesnarfing - Low


“Real knowledge is to know the extent of one’s ignorance.”

- Confucius


Why Measure Risk?


Why Make Management Team Measure Risk!


Near-future Deployments?

• What are you looking at deploying in the next year?

• Do you have a risk assessment already?



Risk Metrics

• Likelihood scale of 1-8
• Impact scale of 1-5
• Overall Risk scale of 2-13 (likelihood plus impact)


Acceptable Guidelines

• Likelihood
 – Already happening means a 7 or 8.
 – Never happens could be a 1 or 2.
 – On an audit report: gonna be an 8.
• Impact
 – Aggregated NPI could be a five.
 – Individual NPI could be a four.
 – Critical Systems unavailable could be a four.
 – Non-critical Systems gone could be a three.


It’s all relative.


Wireless Banking Risk Assessment

• Risk Metrics
• Inherent, Residual, Anticipated Residual Risk
• Declaration of Controls
• Declaration of Anticipated Controls
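The scoring behind the Drill Down Process and Risk Metrics slides (likelihood 1-8 plus impact 1-5, measured three times per item: inherent, residual with existing controls, anticipated residual with planned controls) worked through as an added Python example. This is not the workbook's own spreadsheet logic. The sample rows are constructed from workbook items 6, 35 and 36: the inherent totals match the worksheet, but the likelihood/impact split and the number of scale points each control removes are assumptions, since the deck leaves that judgment to the assessment team.

```python
"""Drill-down risk scoring on the deck's scales (added illustration).

Likelihood is scored 1-8, impact 1-5, and overall risk is their sum (2-13).
Each item is measured three times: inherent (no controls counted), residual
(existing controls counted) and anticipated residual (existing plus planned
controls counted). How many scale points a given control removes is an
assumption made here for illustration; the deck leaves that judgment to the
assessment team.
"""
from dataclasses import dataclass, field

LIKELIHOOD_MIN, LIKELIHOOD_MAX = 1, 8
IMPACT_MIN, IMPACT_MAX = 1, 5


def clamp(value, low, high):
    """Keep a reduced score inside its scale; controls never push it below the floor."""
    return max(low, min(high, value))


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0  # assumed effect, in scale points
    impact_reduction: int = 0      # assumed effect, in scale points
    anticipated: bool = False      # True = planned, not yet in place


@dataclass
class RiskItem:
    item: int
    channel: str
    vulnerability: str
    likelihood: int                # 1-8, per the deck
    impact: int                    # 1-5, per the deck
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if not LIKELIHOOD_MIN <= self.likelihood <= LIKELIHOOD_MAX:
            raise ValueError(f"item {self.item}: likelihood must be 1-8")
        if not IMPACT_MIN <= self.impact <= IMPACT_MAX:
            raise ValueError(f"item {self.item}: impact must be 1-5")

    def _score(self, count_existing, count_anticipated):
        likelihood, impact = self.likelihood, self.impact
        for control in self.controls:
            counted = count_anticipated if control.anticipated else count_existing
            if counted:
                likelihood -= control.likelihood_reduction
                impact -= control.impact_reduction
        return (clamp(likelihood, LIKELIHOOD_MIN, LIKELIHOOD_MAX)
                + clamp(impact, IMPACT_MIN, IMPACT_MAX))

    def inherent(self):
        return self._score(count_existing=False, count_anticipated=False)

    def residual(self):
        return self._score(count_existing=True, count_anticipated=False)

    def anticipated_residual(self):
        return self._score(count_existing=True, count_anticipated=True)


def build_sample_register():
    """Constructed rows modelled on workbook items 6, 35 and 36. The likelihood/impact
    splits and the control effects are assumptions; only the inherent totals match."""
    return [
        RiskItem(6, "All Three", "Unencrypted data (at rest or in motion)", 7, 4, [
            Control("Vendor contract requires TLS for all app traffic", likelihood_reduction=3),
            Control("Due diligence confirms on-device data is encrypted at rest",
                    likelihood_reduction=2, anticipated=True),
        ]),
        RiskItem(35, "All Three", "Lost or stolen device", 8, 5, [
            Control("App does not cache credentials; short session timeout", impact_reduction=1),
            Control("Customer awareness: enrol in a remote-wipe service",
                    impact_reduction=2, anticipated=True),
        ]),
        RiskItem(36, "All Three", "Unpatched mobile devices", 8, 5, [
            Control("Customer awareness: keep the device OS updated",
                    likelihood_reduction=2, anticipated=True),
        ]),
    ]


def rank(register, measure="inherent"):
    """Item numbers ordered highest risk first; ties keep worksheet order."""
    scorer = {"inherent": RiskItem.inherent,
              "residual": RiskItem.residual,
              "anticipated": RiskItem.anticipated_residual}[measure]
    return [r.item for r in sorted(register, key=lambda r: (-scorer(r), r.item))]


def above_tolerance(register, tolerance):
    """Items still above the board's risk tolerance after every planned control
    is credited: these are the rows that need additional controls planned."""
    return [r.item for r in register if r.anticipated_residual() > tolerance]


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg:
        print(f"#{r.item:<3} {r.vulnerability:<42} inherent={r.inherent():>2} "
              f"residual={r.residual():>2} anticipated={r.anticipated_residual():>2}")
    print("still above tolerance 9:", above_tolerance(reg, 9))
```

The point of separating the three measurements is visible in the sample: item 36 has no existing control at all, so its residual risk equals its inherent risk, and even with the planned awareness training credited it stays above a tolerance of 9, which is exactly the row the "Plan New Controls" step should be looking at.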


Wireless Banking


ASSET DESCRIPTION


The Workbook


Wireless Banking Risk Assessment


An IBA Preferred Service Provider CISSPs, CISAs, CISMs, CRISCs, CPAs

Asset Description: Wireless Banking


1. What is the value proposition for mobile banking?
_______________________________________________________________________________

2. What will motivate consumers to adopt mobile banking?
_______________________________________________________________________________

3. Who is the existing market and what are they doing in it?
_______________________________________________________________________________

4. Who are the key vendors of wireless banking solutions?
A. ______________________________ C. ______________________________
B. ______________________________ D. ______________________________

5. What are the key success factors in creating a wireless banking solution?
A. ______________________________ D. ______________________________
B. ______________________________ E. ______________________________
C. ______________________________ F. ______________________________

6. What are institutions offering now in mobile banking? What controls are already available?
_______________________________________________________________________________


7. What similar information assets does the financial institution already own? What is similar?
_______________________________________________________________________________

8. What makes this information asset different from the other information assets?
_______________________________________________________________________________

9. What vulnerabilities and/or threats are “inherent” in this asset? What do we already know?
_______________________________________________________________________________

10. Who will have access to this asset?
_______________________________________________________________________________

11. Who will have possession of this asset?
_______________________________________________________________________________

12. What type of data will this asset store? What is the highest classification of data?
_______________________________________________________________________________

13. Discuss the volume of data. Is it high, low, or “start low, hope high”?
_______________________________________________________________________________

14. What policy or program will “govern” the deployment, maintenance, and use of this asset?
_______________________________________________________________________________


Asset Name:

Columns: Item# | Channel (SMS, Mobile Web, Mobile Apps, or All Three) | Vulnerability Name | Description | Inherent Risk (2 - 13) | Mitigating Controls / Action Plan (actions we can take in the future to reduce residual risk, proposed safeguards, or mitigating controls to institute)

Item 1 | Channel: All Three | Vulnerability: Late Majority Deployment | Inherent Risk: 13
Description: If we do not adopt wireless banking by 2013, we will be late majority adopters, which will affect our competitiveness and our reputation not only with Gen Y customers, but with older generations as well.
Controls / Action Plan: Start by confirming that existing on-line banking already offers the mobile web channel (the on-line banking site resized for the smaller screen of internet-connected “dumb phones”). Then create a strategic plan for adopting the other channels of Wireless Banking as soon as possible. Be sure to properly test the initial adoption, then train help desk and call center employees, then market that the bank has Wireless Banking available. Try to get on the path of adoption in 2011.

Item 2 | Channel: Mobile Apps | Vulnerability: Tepid Deployment | Inherent Risk: 13
Description: If we do not aggressively adopt mobile banking, and have our foot in “all three channels” soon, our reputation will be affected. This is similar to #1 but is focused more on covering all three channels than on adoption alone.
Controls / Action Plan: Create a strategic plan for adopting all three channels as soon as possible, but definitely prior to 2013. Walk instead of crawl before we run, meaning that we develop all three channels while focusing on limiting risk in each channel rather than eliminating the channel.

Item 3 | Channel: All Three | Vulnerability: Low or Moderate Quality Application | Inherent Risk: 13
Description: If the institution does not hit the ground running with a solid, high-quality solution, market share and reputation could be lost, and operational risk could also increase.
Controls / Action Plan: Don’t just go with your on-line banking provider. Look around. Send out RFPs. Now is when your vendor due diligence process can pay off!

Item 4 | Channel: All Three | Vulnerability: Business Strategy | Inherent Risk: 13
Description: If the institution’s wireless offering does not properly integrate with the overall business strategy, a cohesive “organic” approach to adoption will not be implemented, resulting in cost, operational, and morale issues.
Controls / Action Plan: The institution’s overall business strategy needs to be updated to include Wireless Banking, and the Wireless Banking strategic plan needs to consider the overall business strategy. Executive Management should understand the Wireless Strategic Plan (and how it fits into the overall Technology Plan). Debriefing of the plan should address all four corners of the bank, including retail operations, help desk operations, technology, accounting, compliance, and of course senior management and the board of directors.

Note: Risk rankings are proposed, and you will want to adjust them and the controls to fit your own unique perspective. For example, if you do not offer consumer capture, that vulnerability won’t

Copyright © 2011 infotex. All rights reserved. Page 1 of 10


Item 5 | Channel: Mobile Apps | Vulnerability: Evolving Standards | Inherent Risk: 11
Description: Because communication, authentication, and smart-phone standards are quickly evolving, we could be adopting a solution today that will be quickly outdated.
Controls / Action Plan: Vendor due diligence should include questions related to the future of Wireless Banking to ensure selected vendor(s) are positioning themselves properly. Meanwhile, management should monitor changes in wireless technology and be ready to offer wireless banking on newer platforms (especially Windows Mobile, which has the potential to be “the VHS” of mobile banking).

Item 6 | Channel: All Three | Vulnerability: Unencrypted Data (at rest or in motion) | Inherent Risk: 11
Description: If the application provider does not encrypt data as it flows to and from the smartphone, AND while it is stored on the smartphone, the data could be intercepted or stolen.
Controls / Action Plan: Vendor Due Diligence MUST address encryption: how traffic between the smartphone and the provider is protected in transit, what account data (if any) is stored on the device, and how that stored data is encrypted.

Item 7 | Channel: All Three | Vulnerability: Evolving Operating Systems | Inherent Risk: 10
Description: Because operating systems are continually evolving, we could adopt solutions today that are quickly outdated, or not be in a good position to adopt newer operating systems as they gain market share. This is similar to #X but is focused on the operating system.
Controls / Action Plan: Very similar to #1; the risk management controls are likewise vendor due diligence and change monitoring.

Item 8 | Channel: All Three | Vulnerability: Lack of SDLC Controls | Inherent Risk: 10
Description: If a mobile solutions provider does not have adequate System Development Life Cycle (SDLC) controls in place, including adequate application security testing, security vulnerabilities could arise and not be patched on a timely basis.
Controls / Action Plan: During due diligence, be sure to determine what extent of application security testing is included in the provider’s standard operating procedure. Inquire about audits to ensure application testing is performed on a periodic basis. Compare providers to determine what period is “reasonable.”

Item 9 | Channel: All Three | Vulnerability: Help Desk Risk | Inherent Risk: 12
Description: Once we deploy Mobile Banking, we need to recognize that our Help Desk employees will be taking calls from customers who do not fully understand what they have. For an outrageous example: “Why is your app not working?” could lead to “Ma’am, why are you calling me from your regular phone?” and then to “Ma’am, the mobile banking app won’t work without a cell connection.”
Controls / Action Plan: Train employees on all aspects of wireless communications, as wide a base as possible. We also need to take advantage of “for your protection” customer awareness training opportunities.


Item 10 | Channel: Mobile Apps | Vulnerability: Inexperience with Wireless Banking Fraud | Inherent Risk: 12
Description: With the wireless banking channel in its infancy, there are many unknowns when it comes to fraud attack vectors. The bad guys haven’t figured out how they’re going to attack us yet, and we don’t have answers for questions we don’t yet know to ask.
Controls / Action Plan: Our incident response team will be meeting more regularly with Wireless Banking as a top agenda item. We will also work with vendors, seek additional training on threats, and stay abreast of both emerging threats and mitigation strategies in order to best prevent fraud.

Item 11 | Channel: All Three | Vulnerability: Lack of Understanding | Inherent Risk: 10
Description: If the technical team as well as normal help-desk and back-office personnel are not familiar with the bank’s wireless offerings, this lack of understanding could increase security and reputational risk, not to mention operational issues affecting integrity and availability.
Controls / Action Plan: Know your assets. Be sure that the deployment of the mobile banking solution includes all affected personnel and that training is a high priority.

Item 12 | Channel: Mobile Apps | Vulnerability: GLBA | Inherent Risk: 10
Description: Even if we mitigate all security risks in this assessment, there may still be compliance risk if we do not make sure we update the appropriate documents. Because wireless banking touches so many different programs (asset management, electronic banking, access management, authentication, awareness training, business continuity, incident response, risk management, vendor management, technical security standards, red flags program, BSA, KYC, CIP, and others), we could be found deficient if we do not track down all documents that need to be updated.
Controls / Action Plan: We are restructuring our IT Governance Program to address Branchless Banking all in one “subprogram.” It will be a subprogram of Asset Management. Beyond that, we still need to focus on Vendor Due Diligence, the IT Audit Plan, BSA, Red Flags, CIP, KYC, etc. The Branchless Banking Management Procedure will track all regulations that impact the wireless banking asset, and how we are addressing each particular regulation.

Item 13 | Channel: Mobile Apps, SMS | Vulnerability: BSA/AML | Inherent Risk: 10
Description: Especially if we allow new user registration (thus impacting disclosure policies), we could fall out of compliance with the USA PATRIOT Act when we roll out Wireless Banking.
Controls / Action Plan: Update our BSA Policy, and be sure during Vendor Due Diligence that Wireless Banking transactions flow into the deposit monitoring processes. Consider utilizing GPS information to prioritize monitoring.


Item 14 | Channel: All Three | Vulnerability: E-Sign Act | Inherent Risk: 10
Description: Especially if we allow new user registration from the smartphone, we need to be sure we consider the E-Sign Act carefully.
Controls / Action Plan: The disclosure method already approved for existing customers will allow us to send disclosures electronically via e-mail. New user registration will require a method of approving disclosure delivery, delivery of disclosures to the smartphone, and then confirmation that the disclosures have been delivered, prior to the first transaction. Vendor Due Diligence must check for this.

Item 15 | Channel: All Three | Vulnerability: Reg E (EFT Act) | Inherent Risk: 10
Description: The fact that we are adding another delivery system needs to be reflected in our responses to Regulation E (in terms of documentation and processing).
Controls / Action Plan: Update the E-banking Policy.

Item 16 | Channel: All Three | Vulnerability: Red Flags | Inherent Risk: 10
Description: The checklists used in the Red Flags Program might not be properly processed if Wireless Banking transactions are not applied to them.
Controls / Action Plan: Update the Red Flags program description.

Item 17 | Channel: All Three | Vulnerability: Due Diligence | Inherent Risk: 10
Description: If the institution does not appear to be bending over backwards to educate its customers, its position in litigation could be weakened.
Controls / Action Plan: Update the institution’s customer awareness training program to focus on ways customers can protect themselves in smartphone usage, and include regular and consistent reminder messages in the institution’s marketing program. Consider offering flyers, creating posters, and finding other creative ways to get the messages declared as controls in this risk assessment to the customer.

Item 18 | Channel: All Three | Vulnerability: AML | Inherent Risk: 12
Description: If our BSA/AML program does not consider transactions initiated via Mobile Applications, compliance risk increases substantially.
Controls / Action Plan: Review the BSA/AML program based on the types of transactions that are allowed via the mobile application. Vendor Due Diligence should scrutinize how the application delivers data into existing monitoring systems (to ensure appropriate integration). Repeat this review each time a new channel or platform is offered.


Item 19 | Channel: All Three | Vulnerability: Non-Compliance | Inherent Risk: 11
Description: Wireless banking affects not only GLBA, but also AML, CTF, CIP (KYC), OFAC, BSA, and other regulations.
Controls / Action Plan: Vendor due diligence should push compliance concerns onto the mobile banking solution provider as much as possible. The bank will be responsible for developing and implementing procedures, but the vendor must design the application to support compliance procedures. Look for vendors who provide guidance on compliance processes.

Item 20 | Channel: All Three | Vulnerability: Red Flags | Inherent Risk: 11
Description: The Red Flags program currently does not address activities initiated from mobile applications.
Controls / Action Plan: Review the Red Flags Program based on the types of transactions allowed via the mobile application. Vendor due diligence should look into how the mobile application facilitates the Red Flags program. For example, does the app record the GPS location with each transaction so that fraud monitoring can flag transactions from anomalous locations?

Item 21 | Channel: All Three | Vulnerability: CIP and/or KYC | Inherent Risk: 11
Description: For mobile application and SMS deployments that allow user registration from the smartphone, the compliance issues related to the bank’s Know Your Customer or Customer Identification Program must be considered.
Controls / Action Plan: Review the bank’s CIP and/or KYC program with the bank’s SMS and Mobile Banking deployment selections in mind, and update this annually as the bank adds functionality to the two Wireless Banking channels.

Item 22 | Channel: All Three | Vulnerability: USA PATRIOT Act (KYC, CIP, CDD) | Inherent Risk: 11
Description: The provisions of our Know Your Customer, Customer Identification Program, or Customer Due Diligence Program must be updated to address Wireless Banking issues. Especially if we allow new user registration (thus impacting disclosure policies), we could fall out of compliance with the USA PATRIOT Act when we roll out Wireless Banking.
Controls / Action Plan: Be sure all provisions addressing the USA PATRIOT Act are properly accounted for in the processing of new user registrations.


Item 23 | Channel: All Three | Vulnerability: Policy Development | Inherent Risk: 10
Description: When we deploy Mobile Banking, if we do not update our E-banking Policy and other related policies and procedures, we will be found deficient in our audits and/or examinations.
Controls / Action Plan: Update our E-banking Policy to address the three channels of Wireless Banking.

Item 26 | Channel: Mobile Apps | Vulnerability: Incident Response | Inherent Risk: 10
Description: A fraudulent app could target the bank, and the longer it takes for the bank to become aware of this, the higher the impact would be.
Controls / Action Plan: Teach and encourage customers to report malicious or fraudulent applications to the financial institution.

Item 27 | Channel: All Three | Vulnerability: Incident Response | Inherent Risk: 10
Description: Slow response, caused by customers not knowing to report an incident, could increase the impact of the incident.
Controls / Action Plan: Teach and encourage customers to call our hotline at xxx-xxx-xxxx!

Item 28 | Channel: Mobile Apps | Vulnerability: Incident Response | Inherent Risk: 10
Description: Slow response to an incident, because nobody catches the issue, could increase the impact of the incident.
Controls / Action Plan: Teach and encourage customers to monitor their financial records regularly.

Item 29 | Channel: All Three | Vulnerability: Incident Response | Inherent Risk: 10
Description: Slow response to an incident, because the perpetrator intercepts hard-copy statements, could increase the impact of the incident.
Controls / Action Plan: Teach and encourage customers to regularly review statements via on-line banking, e-statements, and other channels. Encourage customers to use different channels.

Item 30 | Channel: All Three | Vulnerability: Incident Response | Inherent Risk: 10
Description: Slow response to an incident, because the perpetrator controls the customer’s information asset, could increase the impact of the incident.
Controls / Action Plan: Teach and encourage customers not to rely solely on one channel: use on-line banking, mobile banking (both SMS and Mobile App), and maybe even visit the branch! I mean, after all, that’s what we Community Banks want to have happen anyway, right?

Item 31 | Channel: All Three | Vulnerability: Incident Response | Inherent Risk: 10
Description: Once aware of an incident, a slow response by the bank could cause the impact of the incident to increase.
Controls / Action Plan: Revise the Incident Response Program to consider customer complaints, fraudulent apps, smishing, and other common wireless banking vulnerabilities. Be sure to include a process for dealing with lost / stolen devices.

Copyright © 2011 infotex. All rights reserved. Page 6 of 10

infotex 126

Page 128: Goin’ Mobile, Not Nuts! · Mobile Web Features •Browser Based • Reformats for the small screen size • Subset of your existing on-line banking features. • Sometimes will

Asset Name:

Columns: Item#; Channel (SMS, Mobile Web, Mobile Apps, All Three); Vulnerability Name; Description; Inherent Risk (2-13); Mitigating Controls; Action Plan - Actions we can take in the future to reduce residual risk, proposed safeguards or institute mitigating controls.

32. [Mobile Apps] Incident Response: Without strong fraud monitoring controls, the impact of a security incident could be very high.
Inherent Risk: 12. Mitigating Controls / Action Plan: The institution should update documentation of fraud monitoring tools and processes as a deliverable in the mobile banking deployment.

33. [Mobile Apps] Fraud: When somebody commits fraud on a customer's Smart Phone, ultimately the bank may be liable for the impact.
Inherent Risk: 10. Mitigating Controls / Action Plan: Update our insurance to include Wireless Banking, update fraud monitoring, and try to get vendors to integrate key fraud indicators from wireless banking activity into existing fraud monitoring applications.

34. [All Three] Lost or Stolen Device: If a malicious person gets access to a victim's smartphone, and passwords, account numbers, usernames, etc., are memorized in the smartphone's applications, the malicious person could use this information to further breach other systems or the smartphone's access to wireless banking.
Inherent Risk: 13. Mitigating Controls / Action Plan: Teach and encourage customers not to memorize authentication credentials.

35. [All Three] Lost or Stolen Device: A customer could lose their smartphone, or it could be stolen, giving malicious persons access to all information on the phone, including the bank's apps and credentials.
Inherent Risk: 13. Mitigating Controls / Action Plan: Teach and encourage customers to subscribe to remote wiping programs.

36. [All Three] Unpatched Mobile Devices: If customers do not update their phones as often as they should, operating system and application vulnerabilities could increase the risk of a breach.
Inherent Risk: 13. Mitigating Controls / Action Plan: Customer Awareness Training must encourage customers to update their devices. The training should be specific to each device channel. For example, Apple does not offer "over-the-air" updates, so this should be leveraged in the awareness training to ensure customers understand whether or not they are truly patching their phone. Droid, on the other hand, does.

37. [All Three] Lost or Stolen Device: A malicious person could quickly grab sensitive information on a victim's phone if there is no means of authentication.
Inherent Risk: 12. Mitigating Controls / Action Plan: Teach and encourage customers to use power-on authentication.

38. [All Three] Lost or Stolen Device: Since smartphone authentication is often pattern-based or PIN-based, which is much easier to guess, a malicious person may be able to quickly guess authentication credentials.
Inherent Risk: 12. Mitigating Controls / Action Plan: Teach and encourage customers to require failure lockouts on authentication.


39. [Mobile Apps] Lost or Stolen Device: If customers do not purge text messages from the financial institution on a regular basis, and the smartphone is lost or stolen, a malicious person could use information in texts to execute a wider breach of other systems, or steal the victim's identity.
Inherent Risk: 12. Mitigating Controls / Action Plan: Teach and encourage customers to purge text messages and e-mails that are no longer necessary.

40. [All Three] Lost or Stolen Device: If a smartphone is lost or stolen, and sensitive information is stored in e-mail that is considered "internal" to the user, a malicious person could leverage that information for a wider breach.
Inherent Risk: 12. Mitigating Controls / Action Plan: Teach and encourage customers to limit viewable e-mail to a day or two at the most.

41. [SMS] Smishing: Malicious persons could send spoofed texts with links that go to sites that download malicious software or provide fraudulent apps on the smartphone.
Inherent Risk: 12. Mitigating Controls / Action Plan: Continually market that the financial institution will never ask for sensitive information in text messages.

42. [All Three] Malware: Malware could be installed on the smartphone that executes fraudulent transactions or captures data through keylogging or data scraping.
Inherent Risk: 12. Mitigating Controls / Action Plan: Teach and encourage customers to use AVS (anti-virus software) on their smartphones.

43. [iPhones] Smishing: Malicious persons could send spoofed texts with links that go to sites that download malicious software or provide fraudulent apps on the smartphone.
Inherent Risk: 12. Mitigating Controls / Action Plan: Teach customers what smishing is, how it works, and how to protect themselves.

44. [All Three] Duplicate Deposits in Consumer Capture: One feature of mobile applications that provide for consumer capture (a retail version of remote deposit capture where you take a picture of the check with your phone) is "duplicate capture," and there have already been incidents where customers non-maliciously deposit checks more than once.
Inherent Risk: 11. Mitigating Controls / Action Plan: Teach customers to write "void" on captured checks. In addition, use an app that does MICR screening and checks back with the core database before processing a remote deposit.
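Item 44 calls for MICR screening against the core database before a remote deposit is processed. The following added example (not infotex's or any vendor's code) shows such a duplicate-capture screen in Python; the simplified MICR layout, the ABA check-digit test on the routing number, the in-memory stand-in for the core database and all sample values are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Assumed, simplified MICR layout for this example: routing/account/serial.
# Real MICR lines use the E-13B symbol set and vendor-specific field order.
MICR_RE = re.compile(r"^(?P<routing>\d{9})/(?P<account>\d{4,17})/(?P<serial>\d{1,6})$")


def valid_routing(routing: str) -> bool:
    """ABA routing number check digit: weights 3,7,1 repeated; sum must be divisible by 10."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


@dataclass(frozen=True)
class CheckKey:
    """The identity of a physical check as the core database would index it."""
    routing: str
    account: str
    serial: str


def parse_micr(micr: str) -> CheckKey:
    """Normalise a captured MICR line into the key the core database is queried by."""
    m = MICR_RE.match(micr.strip())
    if not m:
        raise ValueError("unreadable MICR line; re-capture the image")
    if not valid_routing(m["routing"]):
        raise ValueError("routing number fails ABA check digit; re-capture the image")
    # Drop leading zeros from the serial so "0101" and "101" resolve to the same check.
    return CheckKey(m["routing"], m["account"], m["serial"].lstrip("0") or "0")


@dataclass
class CoreDeposits:
    """Constructed stand-in for the core banking database of items already processed."""
    seen: dict = field(default_factory=dict)  # CheckKey -> amount already deposited, in cents


def screen_deposit(core: CoreDeposits, micr: str, amount_cents: int) -> tuple:
    """Decide whether a mobile capture may be processed.

    Returns (status, reason) where status is one of:
      "accepted"   first presentment of this item; it is recorded in the core
      "unreadable" MICR could not be parsed or validated; ask for a new capture
      "duplicate"  the same check was already deposited for the same amount
      "review"     the same check serial was seen with a different amount (human review)
    """
    try:
        key = parse_micr(micr)
    except ValueError as e:
        return "unreadable", str(e)
    prior = core.seen.get(key)
    if prior is not None:
        if prior == amount_cents:
            return "duplicate", "item already deposited; do not process again"
        return "review", f"serial already deposited for {prior} cents; refer to fraud review"
    core.seen[key] = amount_cents  # record the item before it goes to settlement
    return "accepted", "first presentment of this item"
```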

45. [Mobile Apps] Password Recovery: Automated password recovery systems can increase the risk of a customer's credentials being compromised.
Inherent Risk: 11. Mitigating Controls / Action Plan: Do not offer password recovery through the Wireless Channel.


46. [All Three] Bluesnarfing: Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection. Bluetooth is a short-range, high-speed wireless technology used for sharing information between devices. Devices with Bluetooth enabled by default and "always on" may present a target for exploitation and interception of data, which can be done undetected.
Inherent Risk: 11. Mitigating Controls / Action Plan: Encourage customers to keep Bluetooth turned off by default and use it only when necessary. Make sure that Bluetooth is turned off when conducting any mobile banking transactions/inquiries.

47. [All Three] Definition of a Smart Phone: Many consumers currently believe they have a "smart phone" because their older model cell phone can surf the web and does have a few applications available.
Inherent Risk: 10. Mitigating Controls / Action Plan: Be sure to offer all three channels of wireless banking (meaning that mobile web is still an important channel, because it is what the "dumb phones" are hitting). Meanwhile, train our Helpdesk staff to recognize the difference between the different types of wireless channels.

48. [Mobile Apps] Jailbreaking: Customers who jailbreak their phones could unknowingly install fraudulent apps or have their phone hijacked by malicious persons who can log in using the default password.
Inherent Risk: 10. Mitigating Controls / Action Plan: Remind customers of the dangers of jailbreaking (fraudulent apps and default root passwords).

49. [All Three] New User Registration: Malicious persons could sign up for a mobile account using somebody else's credentials and modify the victim's on-line account, thereby allowing fraudulent transactions to occur.
Inherent Risk: 10. Mitigating Controls / Action Plan: For new user registration, limit transaction size, out-of-institution transfers, and other high risk transactions (such as changing address or passwords) until all authentication fields are properly populated and verified.

50. [All Three] Lost or Stolen Device: An attempt could be made to register for mobile banking using a stolen device, gaining access to the victim's accounts via mobile banking.
Inherent Risk: 10. Mitigating Controls / Action Plan: User Registration from the Smart Phone is limited to low risk, low impact transactions. Beyond those transactions, the user must come to a branch to complete the registration. Note: The control could be: At present customers must register for mobile banking via the normal Internet Banking channel on a traditional computer, which cannot be done via a mobile device.
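Items 49 and 50 withhold high-risk transactions from a newly registered user until every authentication field is verified, and treat self-registration from the phone as needing a branch visit before full access. The added example below (not infotex's or any vendor's code) encodes that gate in Python; the action names, the dollar limit, the verification steps and the per-channel rules are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    """Where the mobile-banking registration was performed."""
    INTERNET_BANKING = "internet banking"   # traditional computer, the channel item 50 allows today
    MOBILE = "mobile"                       # self-registration from the smartphone itself


# Assumed: verification steps that must be complete before full access is granted.
# A mobile self-registration additionally requires a branch visit (item 50).
REQUIRED_VERIFICATION = {
    Channel.INTERNET_BANKING: ("identity_questions", "phone_callback"),
    Channel.MOBILE: ("identity_questions", "phone_callback", "branch_visit"),
}

# Assumed: the high-risk actions item 49 withholds until verification is complete.
HIGH_RISK_ACTIONS = {"external_transfer", "change_address", "change_password", "change_phone"}

# Assumed: per-transaction ceiling for a not-yet-verified user, in cents ($500).
NEW_USER_LIMIT_CENTS = 50_000


@dataclass
class Registration:
    user: str
    channel: Channel
    verified: set = field(default_factory=set)   # verification steps completed so far

    def missing_verification(self) -> tuple:
        """Verification steps still outstanding for this registration's channel."""
        return tuple(s for s in REQUIRED_VERIFICATION[self.channel] if s not in self.verified)


def authorize(reg: Registration, action: str, amount_cents: int = 0) -> tuple:
    """Return (allowed, reason) for `action` requested by the user behind `reg`.

    A fully verified registration passes this gate unconditionally; the bank's
    normal transaction limits and fraud monitoring still apply downstream.
    """
    missing = reg.missing_verification()
    if not missing:
        return True, "registration fully verified"
    if action in HIGH_RISK_ACTIONS:
        return False, f"{action} withheld until verification of: {', '.join(missing)}"
    if amount_cents > NEW_USER_LIMIT_CENTS:
        return False, f"amount {amount_cents} exceeds new-user limit of {NEW_USER_LIMIT_CENTS} cents"
    return True, "low-risk, low-impact action permitted for a new user"


def record_verification(reg: Registration, step: str, performed_by: str) -> None:
    """Mark a verification step complete.

    The branch visit can only be recorded by branch staff (assumed "branch:" prefix
    on the recording identity), so a stolen device cannot self-assert it.
    """
    if step == "branch_visit" and not performed_by.startswith("branch:"):
        raise PermissionError("branch_visit must be recorded by branch staff")
    reg.verified.add(step)
```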


51. [Mobile Apps] Fraudulent Apps: While "borrowing" the smartphone, a malicious person could download a fraudulent app to an unsuspecting person's smartphone.
Inherent Risk: 9. Mitigating Controls / Action Plan: Discourage customers from letting others use their mobile phones.

52. [All Three] Fraudulent Apps: Customers could sign up for mobile banking using a fraudulent app that requires authentication information that can be used on the legitimate bank's on-line banking site.
Inherent Risk: 9. Mitigating Controls / Action Plan: Make the institution's app available through the website as well as the mobile marketplace. Encourage customers to go through the Financial Institution's website to download the mobile banking app.

53. [All Three] App Reviews: We could get a bad app review from a customer in the Mobile Marketplace.
Inherent Risk: 9. Mitigating Controls / Action Plan: We should discuss this with the vendor to determine if there is a way to control this, and include this in our Incident Response Plan.

54. [All Three] What is fraud?: Some consumers believe that their Debit Card protects them from transactions that are not really fraud. For example, they purchase a product that does not work the way it was advertised, so they want the bank to credit their account. This could be compounded by mobile payments.
Inherent Risk: 11. Mitigating Controls / Action Plan: Customer Awareness Training should include definitions of fraud versus transactions that the bank can do nothing about.

Portable Devices Risk Assessment

• Let’s see the spreadsheet!
• Asset Categories
• Laptops

Laptops
ASSET DESCRIPTION

The Workbook
Laptop Risk Assessment

An IBA Preferred Service Provider CISSPs, CISAs, CISMs, CRISCs, CPAs

Asset Description: Laptops

1. What is the value proposition for using laptops in the organization?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

2. What will motivate consumers (employees?) to adopt laptops?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

3. Who is the existing market and what are they doing in it?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

4. Who are the key vendors of laptop and laptop security solutions?

A.________________________________________C.___________________________________ B.________________________________________D.___________________________________

5. What are the key success factors in creating a laptop solution?

A.________________________________________D.___________________________________ B.________________________________________E.____________________________________

C.________________________________________F.____________________________________

6. What are institutions offering now in the use of laptops? What controls are already available?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________


7. What similar information assets does the financial institution already own? What is similar?

_______________________________________________________________________________ _______________________________________________________________________________

8. What makes this information asset different than the other information assets?

_______________________________________________________________________________ _______________________________________________________________________________

9. What vulnerabilities and/or threats are “inherent” in this asset? What do we already know?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

10. Who will have access to this asset?

_______________________________________________________________________________ _______________________________________________________________________________

11. Who will have possession of this asset?

_______________________________________________________________________________

12. What type of data will this asset store? What is the highest classification of data?

_______________________________________________________________________________ _______________________________________________________________________________

13. Discuss the volume of data. Is it high, low, start-low hope high?

_______________________________________________________________________________ _______________________________________________________________________________

14. What policy or program will “govern” the deployment, maintenance, and use of this asset?

_______________________________________________________________________________ _______________________________________________________________________________

Columns: Item#; Vulnerability Name; Description; Likelihood of Occurrence (1-8); Impact Severity (1-5); Inherent Risk (2-13); Mitigating Controls; Action Plan - Actions we can take in the future to reduce residual risk, proposed safeguards or institute mitigating controls.

1. Family Use: Family members of employees who are issued laptops could want to use the laptop, thus increasing the risk of illegitimate access to sensitive information, not to mention policy violation and security risk related to downloaded malware, etc.
Likelihood: 7. Impact: 5. Inherent Risk: 12. Mitigating Controls / Action Plan: Policy prohibits users from sharing company-owned assets with non-employees. OR Policy requires a separate account to be established for non-employee use.

2. Lost or Stolen Device: A laptop with institution data on it could be lost or stolen, such as by leaving it in the library, a taxi-cab, on an airplane, etc., and the person finding the lost device could access classified information.
Likelihood: 7. Impact: 5. Inherent Risk: 12. Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. Remote Wipe applications are being investigated. We use (identify encryption methodology here) to encrypt all laptops.

3. Lost or Stolen Device: Some malicious persons could be actively looking to steal laptops, and the person stealing the device could access classified information.
Likelihood: 7. Impact: 5. Inherent Risk: 12. Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. Remote Wipe applications are being investigated. We use (identify encryption methodology here) to encrypt all laptops.

4. Policy Violation: Use of the laptops could violate our "no Wi-Fi policy."
Likelihood: 8. Impact: 3. Inherent Risk: 11. Mitigating Controls / Action Plan: Update the policy to allow Wi-Fi in the financial institution only according to published configuration standards that include MAC Filtering, WPA2 encryption, etc. OR We will disable the Wi-Fi capabilities on laptops.

5. Wireless Availability: Connectivity, access, and other availability issues (not all remote users have broadband, nor do they have Wi-Fi).
Likelihood: 6. Impact: 3. Inherent Risk: 9. Mitigating Controls / Action Plan: Connectivity is required via Wi-Fi into a broadband home Internet connection, but, as an exception approved by the Information Security Officer, we also have made 3G available to users with no broadband Internet connectivity in their area.

6. Patch Issues: Operating system updates, anti-virus signatures, etc. become out of date because users do not know about (or follow through on) the updating process.
Likelihood: 8. Impact: 5. Inherent Risk: 13. Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. Devices are audited regularly to ensure proper updating. Devices are checked in and out, and are rotated and inspected by IT to ensure proper updating. We use a NAC architecture (describe application here) so that when laptops try to connect to our network, AVS and patch controls are confirmed prior to allowing the connection.

Note: Risk rankings are proposed, and you will want to adjust them and controls to fit your own unique perspective. For example, if you do not offer consumer capture, that vulnerability would have no inherent ri


7. Lost or Stolen Device: If a malicious person gets access to a laptop, the malicious person could use sensitive information on the laptop (MAC address, authentication credentials, vulnerability reports, etc.) to further breach other systems.
Likelihood: 5. Impact: 5. Inherent Risk: 10. Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. We use Exchange ActiveSync to restore the device to factory settings upon demand. (Document MDM application here.) Remote Wipe applications are being investigated. Our MDM and policy require the use of passcodes, and require a factory reset in the event of X failed login attempts. All company data on the device is encrypted. We use (identify encryption methodology here) to encrypt all laptops.

8. Lost or Stolen Device: If users do not purge sensitive information from the laptop regularly, and it is lost or stolen, a malicious person could use information on the laptop to execute a wider breach of other systems or steal the victim's identity.
Likelihood: 7. Impact: 5. Inherent Risk: 12. Mitigating Controls / Action Plan: Devices are inspected (audited) by IT regularly. Devices are checked in and out, and rotated through IT to ensure appropriate purging of sensitive information. Security Awareness Training stresses the vulnerabilities with portable devices. Remote Wipe applications are being investigated. All company data on the device is encrypted. We use (identify encryption methodology here) to encrypt all laptops.

9. Malware: Malware could be installed on the laptop that executes fraudulent transactions or captures data through keylogging or data scraping.
Likelihood: 6. Impact: 5. Inherent Risk: 11. Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. Devices are audited regularly to ensure proper DAT updating. Devices are checked in and out, and are rotated and inspected by IT to ensure proper updating. We use a NAC architecture which checks laptops against security policies prior to allowing connection back to our network.

10. Using Cloud Computing Resources (such as iCloud): If employees use cloud backup services (such as Dropbox or Carbonite) to back up their laptops, company data could end up on third-party assets without our knowledge, increasing the risk of breach.
Likelihood: 6. Impact: 5. Inherent Risk: 11. Mitigating Controls / Action Plan: The Mobile Devices Security Procedure prohibits the use of cloud computing services (such as Dropbox or Carbonite) for issued and authorized devices.

11. BYOD Devices Are Owned by the Employee: Since authorized devices are owned by the employee, there may be reluctance on the part of the employee to implement security controls.
Likelihood: 6. Impact: 5. Inherent Risk: 11. Mitigating Controls / Action Plan: The Mobile Devices Security Procedure requires employees to sign a declaration page acknowledging that, in consideration for storing company data on their device, they agree to follow all policies and procedures as if the device were owned by the financial institution.

12. Inadequate Patching of Applications: Employees could be slow to install updates to applications, causing vulnerabilities.
Likelihood: 6. Impact: 5. Inherent Risk: 11. Mitigating Controls / Action Plan: Security Awareness Training and policy require the installation of operating system updates. The Audit Checklist includes operating system updates as one of the audit items.


13. Memorized Credentials: If a malicious person gets access to a victim's laptop, and passwords, account numbers, usernames, etc., are memorized in the device's applications, the malicious person could use this information to further breach other systems or the laptop's access to wireless banking.
Likelihood: 6. Impact: 5. Inherent Risk: 11. Mitigating Controls / Action Plan: Security Awareness Training teaches and encourages employees not to memorize credentials in their devices. Policy prohibits memorization of credentials. Meanwhile, company applications encrypt these credentials as much as possible.

14. Outdated Controls: Mobile technology is constantly changing. Even if we mitigate all security risks in this assessment, there may still be compliance risk if we do not make sure we update appropriate documents.
Likelihood: 6. Impact: 5. Inherent Risk: 11. Mitigating Controls / Action Plan: We will return to our portable devices risk assessment on an annual basis.

15. Bypassing Controls: Given the 3G and Wi-Fi capabilities of many laptops, employees could bypass existing controls such as firewall protection, content filters, policies against social media use during business hours, etc. by connecting to a wireless network or 3G while also connected to the organization's network.
Likelihood: 6. Impact: 5. Inherent Risk: 11. Mitigating Controls / Action Plan: Policy prohibits bypassing controls. Security Awareness Training establishes why this is not a good practice.

16. Streaming Audio, Video, App Updates, App Downloads: The use of portable devices in the corporate office and in the branches could cause a reduction in network speed due to users downloading videos, music, apps, and app updates.
Likelihood: 8. Impact: 3. Inherent Risk: 11. Mitigating Controls / Action Plan: Policy prohibits this type of use on corporate access, content filtering enforces this policy, and users will be reminded of this.

Today’s Agenda

• Drill-down Risk Assessments
  – Wireless Banking (Three Channels)
  – Portable Devices
    • Laptops (issued and authorized)
    • Smartphones (issued and authorized)
    • Tablets (issued and authorized)
  – Wireless Access Points
• BYOD
• Pulling it all together!

Smartphones
ASSET DESCRIPTION

The Workbook
Smartphone Risk Assessment

Asset Description: ISSUED Smart Phones

1. What is the value proposition for issued smart phones?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

2. What will motivate consumers to adopt issued smart phones?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

3. Who is the existing market and what are they doing in it?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

4. Who are the key vendors of issued smart phone solutions?

A.________________________________________C.___________________________________ B.________________________________________D.___________________________________

5. What are the key success factors in creating an issued smartphone solution?

A.________________________________________D.___________________________________ B.________________________________________E.____________________________________

C.________________________________________F.____________________________________

6. How are other institutions offering smartphones? What controls are already available?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________


7. What similar information assets does the financial institution already own? What is similar?

_______________________________________________________________________________ _______________________________________________________________________________

8. What makes this information asset different than the other information assets?

_______________________________________________________________________________ _______________________________________________________________________________

9. What vulnerabilities and/or threats are “inherent” in this asset? What do we already know?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

10. Who will have access to this asset?

_______________________________________________________________________________ _______________________________________________________________________________

11. Who will have possession of this asset?

_______________________________________________________________________________

12. What type of data will this asset store? What is the highest classification of data?

_______________________________________________________________________________ _______________________________________________________________________________

13. Discuss the volume of data. Is it high, low, start-low hope high?

_______________________________________________________________________________ _______________________________________________________________________________

14. What policy or program will “govern” the deployment, maintenance, and use of this asset?

_______________________________________________________________________________ _______________________________________________________________________________

Asset Description: AUTHORIZED Smart Phones

1. What is the value proposition for authorized smart phones?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

2. What will motivate consumers to adopt authorized smart phones?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

3. Who is the existing market and what are they doing in it?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

4. Who are the key vendors of authorized smart phone solutions?

A.________________________________________C.___________________________________ B.________________________________________D.___________________________________

5. What are the key success factors in creating an authorized smartphone solution?

A.________________________________________D.___________________________________ B.________________________________________E.____________________________________

C.________________________________________F.____________________________________

6. How are other institutions offering smartphones? What controls are already available?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________


7. What similar information assets does the financial institution already own? What is similar?

_______________________________________________________________________________ _______________________________________________________________________________

8. What makes this information asset different than the other information assets?

_______________________________________________________________________________ _______________________________________________________________________________

9. What vulnerabilities and/or threats are “inherent” in this asset? What do we already know?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

10. Who will have access to this asset?

_______________________________________________________________________________ _______________________________________________________________________________

11. Who will have possession of this asset?

_______________________________________________________________________________ _______________________________________________________________________________

12. What type of data will this asset store? What is the highest classification of data?

_______________________________________________________________________________ _______________________________________________________________________________

13. Discuss the volume of data. Is it high, low, start-low hope high?

_______________________________________________________________________________ _______________________________________________________________________________

14. What policy or program will “govern” the deployment, maintenance, and use of this asset?

_______________________________________________________________________________ _______________________________________________________________________________


Columns: Item#; Vulnerability Name; Description; Likelihood of Occurrence (1-8); Impact Severity (1-5); Inherent Risk (2-13); Mitigating Controls; Action Plan - Actions we can take in the future to reduce residual risk, proposed safeguards or institute mitigating controls.

1. Family Use (Likelihood 7 / Impact 5 / Inherent Risk 12)
Description: Family members of employees who are issued smart phones could want to use the smart phone, thus increasing risk of illegitimate access to sensitive information, not to mention policy violation and security risk related to downloaded malware, etc.
Mitigating Controls / Action Plan: Policy prohibits users from sharing company-owned assets with non-employees.

2. Lost or Stolen Device (Likelihood 7 / Impact 5 / Inherent Risk 12)
Description: A smart phone with institution data on it could be lost or stolen, such as leaving them in the library, a taxi-cab, on an airplane, etc. and the person finding the lost device could access classified information.
Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. Remote Wipe applications are being investigated. We use (identify encryption methodology here) to encrypt all smart phones.

3. Lost or Stolen Device (Likelihood 7 / Impact 5 / Inherent Risk 12)
Description: Some malicious persons could be actively looking to steal smart phones, and the person stealing the device could access classified information.
Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. Remote Wipe applications are being investigated. We use (identify encryption methodology here) to encrypt all smart phones.

4. Sloppy Deployment (Likelihood 8 / Impact 3 / Inherent Risk 11)
Description: Rolling out the smart phones could create unforeseen problems.
Mitigating Controls / Action Plan: We will develop a deployment plan including this risk assessment, and we will test deployment in an isolated manner before rolling out the full deployment.

5. Policy Violation (Likelihood 8 / Impact 3 / Inherent Risk 11)
Description: Use of the smart phones could violate our "no Wi-Fi policy."
Mitigating Controls / Action Plan: Update the policy to allow Wi-Fi in the organization only according to published configuration standards that include MAC Filtering, WPA2 encryption, etc. OR We will disable the Wi-Fi capabilities on smart phones.

6. Confused Users (Likelihood 7 / Impact 3 / Inherent Risk 10)
Description: Vulnerabilities related to the inconsistent introduction of new procedures (e.g. test group doesn't adopt lessons from first post-mortem evaluation).
Mitigating Controls / Action Plan: The deployment strategy should specifically design test groups and those in the test groups should be instructed that policies / usages / habits may require change as a result of the test.

7. Wireless Availability (Likelihood 6 / Impact 3 / Inherent Risk 9)
Description: Connectivity, access, and other availability issues (not all remote users have broadband nor do they have Wi-Fi).
Mitigating Controls / Action Plan: Connectivity is required via Wi-Fi into a broadband home Internet connection, but, as an exception approved by the Information Security Officer, we also have made 3G available to users with no broadband internet connectivity in their area.

8. Patch Issues (Likelihood 8 / Impact 5 / Inherent Risk 13)
Description: Operating system updates, antivirus signatures, etc. become out of date because users do not know (or follow-through) on the updating process.
Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. Devices are audited regularly to ensure proper updating. Devices are checked in and out, and are rotated and inspected by IT to ensure proper updating.

Note: Risk rankings are proposed, and you will want to adjust them and controls to fit your own unique perspective. For example, if you do not offer consumer capture, that vulnerability would have no inherent ri


Copyright © 2011 infotex. All rights reserved. Page 1 of 4


Columns (continued): Item#; Vulnerability Name; Description; Likelihood of Occurrence (1-8); Impact Severity (1-5); Inherent Risk (2-13); Mitigating Controls; Action Plan - Actions we can take in the future to reduce residual risk, proposed safeguards or institute mitigating controls.

9. Lost or Stolen Device (Likelihood 5 / Impact 5 / Inherent Risk 10)
Description: If a malicious person gets access to a smart phone, the malicious person could use sensitive information on the smart phone (MAC address, authentication credentials, vulnerability reports, etc.) to further breach other systems.
Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. We use Exchange ActiveSync to restore the device to factory settings upon demand. (Document MDM application here.) Remote Wipe applications are being investigated. Our MDM and policy requires the use of passcodes, and requires a factory reset in the event of X failed login attempts. All company data on the device is encrypted. We use (identify encryption methodology here) to encrypt all smart phones.

10. Lost or Stolen Device (Likelihood 7 / Impact 5 / Inherent Risk 12)
Description: If users do not purge sensitive information from the smart phone regularly, and it is lost or stolen, a malicious person could use information on the smart phone to execute a wider breach of other systems, or steal the victim's identity.
Mitigating Controls / Action Plan: Devices are inspected (audited) by IT regularly. Devices are checked in and out, and rotated through IT to ensure appropriate purging of sensitive information. Security Awareness Training stresses the vulnerabilities with portable devices. Remote Wipe applications are being investigated. All company data on the device is encrypted. We use (identify encryption methodology here) to encrypt all smart phones.

11. Fraudulent Apps (Likelihood 5 / Impact 5 / Inherent Risk 10)
Description: While "borrowing" the smart phone, a malicious person could download a fraudulent app or malware to an unsuspecting person's smart phone. Note: this is currently very unlikely with Apple devices because of the way Apple controls applications and app installation.
Mitigating Controls / Action Plan: Policy prohibits users from sharing company-owned assets with non-employees. Security Awareness Training warns of the horror stories of borrowed smart phones.

12. Malware (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Malware could be installed on the smart phone that executes fraudulent transactions such as keylogging or data scraping. Note: this is currently very unlikely with Apple devices because of the way Apple controls applications and app installation.
Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. Devices are audited regularly to ensure proper updating. Devices are checked in and out, and are rotated and inspected by IT to ensure proper updating.

13. Using Cloud Computing Resources (such as iCloud) (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: If employees use Cloud Computing (such as the iCloud) to back up their smart phones, company data could end up on third party assets without our knowledge, increasing risk of breach.
Mitigating Controls / Action Plan: The Mobile Devices Security Procedure prohibits the use of cloud computing services (such as iCloud) for issued and authorized devices.

14. BYOD devices are owned by the Employee (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Since authorized devices are owned by the employee, there may be reluctance on the part of the employee to implement security controls.
Mitigating Controls / Action Plan: The Mobile Devices Security Procedure requires employees to sign a declaration page acknowledging that in consideration for storing company data on their device, they agree to follow all policies and procedures as if the device was owned by the company.


Columns (continued): Item#; Vulnerability Name; Description; Likelihood of Occurrence (1-8); Impact Severity (1-5); Inherent Risk (2-13); Mitigating Controls; Action Plan - Actions we can take in the future to reduce residual risk, proposed safeguards or institute mitigating controls.

15. Retired Devices (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: For authorized (BYOD) devices, an employee could return the device to a provider (such as AT&T or Verizon Wireless) in exchange for an upgrade, forgetting to inform the financial institution that the device needs to be remote wiped.
Mitigating Controls / Action Plan: The remote wipe application (document here) that we use allows the device to be wiped as soon as it is turned on. All information on the device owned by the organization is encrypted.

16. Inadequate Patching of Applications (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Employees could be slow to install updates to applications, causing vulnerabilities.
Mitigating Controls / Action Plan: Security Awareness Training and policy requires the installation of operating system updates. The Audit Checklist includes operating system updates as one of the audit items.

17. Memorized Credentials (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: If a malicious person gets access to a victim's mobile device, and passwords, account numbers, usernames, etc., are memorized in the device's applications, the malicious person could use this information to further breach other systems or the smart phone's access to wireless banking.
Mitigating Controls / Action Plan: Security Awareness Training teaches and encourages employees not to memorize credentials in their devices. Policy prohibits memorization of credentials. Meanwhile, financial institution applications encrypt these credentials as much as possible.

18. Inadequate Authentication (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: A malicious person could quickly grab sensitive information on a victim's phone if there is no means of authentication.
Mitigating Controls / Action Plan: Screen-lock passcodes are required by policy and technically enforced by Exchange ActiveSync (or MDM if you use it).

19. Passcode Guessing (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Since smart phone authentication is often pattern recognition or pin-based, which is much easier to guess, a malicious person may be able to quickly guess authentication credentials.
Mitigating Controls / Action Plan: Devices are configured to return to factory settings after X failed login attempts and this is technically enforced by Exchange ActiveSync (or MDM if you use it).

20. Text Messages Containing Sensitive Information could be found on phone (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: If employees do not purge text messages from the financial institution on a regular basis, and the smart phone is lost or stolen, a malicious person could use information in texts to execute a wider breach of other systems, or steal the victim's identity.
Mitigating Controls / Action Plan: Security Awareness Training teaches and encourages employees to purge text messages and e-mails that are no longer necessary. Policy requires purging after 30 days. MDM enforces purging of text messages.

21. Smishing (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Malicious persons could send spoof texts with links that go to sites that download malicious software or provide fraudulent apps on the smart phone.
Mitigating Controls / Action Plan: Security Awareness Training warns employees of the dangers of phishing and smishing.

22. Malware (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Malware could be installed on the smart phone that executes fraudulent transactions such as keylogging or data scraping.
Mitigating Controls / Action Plan: Security Awareness Training warns employees of the dangers of fraudulent apps. Our MDM app has strong application control and we restrict applications to those we whitelist.


Columns (continued): Item#; Vulnerability Name; Description; Likelihood of Occurrence (1-8); Impact Severity (1-5); Inherent Risk (2-13); Mitigating Controls; Action Plan - Actions we can take in the future to reduce residual risk, proposed safeguards or institute mitigating controls.

23. Bluesnarfing (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection. Bluetooth is a short range high speed wireless technology used for sharing information between devices. Devices with Bluetooth enabled by default and 'always on' may present a target for exploitation and interception of data which can be done undetected.
Mitigating Controls / Action Plan: Encourage employees to keep Bluetooth turned off by default and use only when necessary. Make sure that Bluetooth is turned off while conducting sensitive transactions. All company applications encrypt data in motion.

24. Jailbreaking (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Employees who jailbreak their phones could unknowingly install fraudulent apps or have their phone hijacked by malicious persons who can log in using the default password.
Mitigating Controls / Action Plan: Policy prohibits users from using jailbroken smart phones as authorized devices or from jailbreaking issued devices.

25. Outdated Controls (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Mobile technology is constantly changing. Even if we mitigate all security risks in this assessment, there may still be compliance risk if we do not make sure we update appropriate documents.
Mitigating Controls / Action Plan: We will return to our portable devices risk assessment on an annual basis.

26. Bypassing Controls (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Portable devices could be used to bypass existing controls such as firewall protection, policies against social media use during business hours, etc.
Mitigating Controls / Action Plan: Policy prohibits bypassing controls. Security Awareness Training establishes why this is not a good practice.

27. Streaming Audio, Video, App Updates, App Downloads (Likelihood 8 / Impact 3 / Inherent Risk 11)
Description: The use of portable devices in the corporate office and in the branches could cause a reduction in network speed due to users downloading videos, music, apps, and app updates.
Mitigating Controls / Action Plan: Policy prohibits this type of use on corporate access, content filtering enforces this policy, and users will be reminded of this.

28. Ownership of Phone Number (Likelihood 8 / Impact 4 / Inherent Risk 12)
Description: If an employee leaves the bank, and customers are used to calling that employee on his/her authorized device, the bank could lose customers.
Mitigating Controls / Action Plan: Policy requires employees to agree to leave their phone number at the bank in the event their employment is terminated (and the Portable Device Agreement establishes this.)

29. Device Retirement (Likelihood 8 / Impact 5 / Inherent Risk 13)
Description: Employees could trade in their own devices without remembering to inform the organization so that the device can be remotely wiped before turned over to the phone provider's control.
Mitigating Controls / Action Plan: Policy requires employees to agree to inform the bank in advance of upgrading or trading in or otherwise retiring their device. Our MDM application will still wipe the device when the phone company turns it on.

30. (blank row)

31. (blank row)

32. (blank row)
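The register above scores each item as Likelihood of Occurrence (1-8) plus Impact Severity (1-5), giving an Inherent Risk of 2-13, and several template rows still carry placeholders such as "(identify encryption methodology here)" or "X failed login attempts". The following checker is an added example (not infotex code) that encodes that scoring rule and audits a register for arithmetic slips, off-scale scores, empty control cells and unfilled placeholders; the sample register is constructed from a few condensed rows of the table plus three deliberately faulty rows (items 30-32), and the placeholder patterns are an assumption based on the template wording.

```python
"""Checker for a risk register in the workbook format above (added example, not infotex code).
Scoring rule encoded: Likelihood of Occurrence (1-8) + Impact Severity (1-5) = Inherent Risk (2-13).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LIKELIHOOD_RANGE = (1, 8)  # Likelihood of Occurrence scale used by the workbook
IMPACT_RANGE = (1, 5)      # Impact Severity scale used by the workbook

# Template wording the institution is meant to replace before the register is final, e.g.
# "(identify encryption methodology here)", "(Document MDM application here.)" and
# "X failed login attempts". The patterns are constructed for this example.
PLACEHOLDER_PATTERNS = [
    re.compile(r"\((?:identify|document)\b[^)]*here\.?\)", re.IGNORECASE),
    re.compile(r"\bX failed login attempts\b"),
]


@dataclass
class RiskItem:
    item: int
    name: str
    description: str
    likelihood: int
    impact: int
    inherent: int    # Inherent Risk as written in the register
    controls: str    # Mitigating Controls / Action Plan cell


def inherent_risk(likelihood: int, impact: int) -> int:
    """Workbook rule: inherent risk is likelihood plus impact, after checking both scales."""
    lo, hi = LIKELIHOOD_RANGE
    if not lo <= likelihood <= hi:
        raise ValueError(f"likelihood {likelihood} outside {lo}-{hi}")
    lo, hi = IMPACT_RANGE
    if not lo <= impact <= hi:
        raise ValueError(f"impact {impact} outside {lo}-{hi}")
    return likelihood + impact


def unresolved_placeholders(text: str) -> list[str]:
    """Template placeholders still present in a controls cell."""
    return [m.group(0) for pat in PLACEHOLDER_PATTERNS for m in pat.finditer(text)]


def audit_register(items: list[RiskItem]) -> list[str]:
    """Findings as 'item N: ...' strings; an empty list means the register is clean."""
    findings: list[str] = []
    for it in items:
        try:
            expected = inherent_risk(it.likelihood, it.impact)
        except ValueError as exc:
            findings.append(f"item {it.item}: {exc}")
            continue  # the remaining checks assume valid scores
        if expected != it.inherent:
            findings.append(f"item {it.item}: written inherent risk {it.inherent} != {expected}")
        if not it.controls.strip():
            findings.append(f"item {it.item}: no mitigating control or action plan recorded")
        for ph in unresolved_placeholders(it.controls):
            findings.append(f"item {it.item}: unresolved template placeholder {ph!r}")
    return findings


def ranked_by_inherent_risk(items: list[RiskItem], threshold: int = 2) -> list[tuple[int, int]]:
    """(item, inherent risk) pairs, highest first; items with off-scale scores are skipped."""
    scored = []
    for it in items:
        try:
            score = inherent_risk(it.likelihood, it.impact)
        except ValueError:
            continue
        if score >= threshold:
            scored.append((score, it.item))
    scored.sort(key=lambda pair: (-pair[0], pair[1]))
    return [(item, score) for score, item in scored]


# Constructed sample: three rows condensed from the table above plus three deliberately
# faulty rows (30-32) so that every check fires at least once.
SAMPLE_REGISTER = [
    RiskItem(2, "Lost or Stolen Device", "Device left in a taxi, library or airplane.", 7, 5, 12,
             "Remote Wipe applications are being investigated. We use (identify encryption "
             "methodology here) to encrypt all smart phones."),
    RiskItem(8, "Patch Issues", "OS updates and AV signatures go out of date.", 8, 5, 13,
             "Devices are audited regularly to ensure proper updating."),
    RiskItem(9, "Lost or Stolen Device", "Credentials on the phone reused elsewhere.", 5, 5, 10,
             "We use Exchange ActiveSync to restore the device to factory settings upon demand. "
             "(Document MDM application here.) Our MDM and policy requires a factory reset in "
             "the event of X failed login attempts."),
    RiskItem(30, "Constructed: arithmetic slip", "Scores 6 and 3 but 11 written down.", 6, 3, 11,
             "Policy prohibits bypassing controls."),
    RiskItem(31, "Constructed: off-scale score", "Likelihood 9 is outside 1-8.", 9, 5, 14,
             "Security Awareness Training covers this."),
    RiskItem(32, "Constructed: missing control", "Nothing recorded in the controls cell.",
             6, 5, 11, ""),
]
```

Running `audit_register(SAMPLE_REGISTER)` reports six findings (one per placeholder or defect) and `ranked_by_inherent_risk(SAMPLE_REGISTER, threshold=12)` lists items 8 and 2 as the ones needing attention first.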


Today’s Agenda

• Drill-down Risk Assessments
  – Wireless Banking (Three Channels)
  – Portable Devices
    • Laptops (issued and authorized)
    • Smartphones (issued and authorized)
    • Tablets (issued and authorized)
  – Wireless Access Points
• BYOD
• Pulling it all together!

Tablets


ASSET DESCRIPTION


The Workbook


Tablet Risk Assessment


Asset Description: Tablet PCs

1. What is the value proposition for using tablets in the institution?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

2. What will motivate consumers users(?) to adopt tablets?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

3. Who is the existing market and what are they doing in it?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

4. Who are the key vendors of tablets?

A.________________________________________C.___________________________________ B.________________________________________D.___________________________________

5. What are the key success factors in creating a tablet solution?

A.________________________________________D.___________________________________ B.________________________________________E.____________________________________

C.________________________________________F.____________________________________

6. What are other institutions offering now in tablets? What controls are already available?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________


7. What similar information assets does the financial institution already own? What is similar?

_______________________________________________________________________________ _______________________________________________________________________________

8. What makes this information asset different than the other information assets?

_______________________________________________________________________________ _______________________________________________________________________________

9. What vulnerabilities and/or threats are “inherent” in this asset? What do we already know?

_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________

10. Who will have access to this asset?

_______________________________________________________________________________ _______________________________________________________________________________

11. Who will have possession of this asset?

_______________________________________________________________________________ _______________________________________________________________________________

12. What type of data will this asset store? What is the highest classification of data?

_______________________________________________________________________________ _______________________________________________________________________________

13. Discuss the volume of data. Is it high, low, start-low hope high?

_______________________________________________________________________________ _______________________________________________________________________________

14. What policy or program will “govern” the deployment, maintenance, and use of this asset?

_______________________________________________________________________________ _______________________________________________________________________________


Columns: Item#; Vulnerability Name; Description; Likelihood of Occurrence (1-8); Impact Severity (1-5); Inherent Risk (2-13); Mitigating Controls; Action Plan - Actions we can take in the future to reduce residual risk, proposed safeguards or institute mitigating controls.

1. Family Use (Likelihood 7 / Impact 5 / Inherent Risk 12)
Description: Family members of employees who are issued iPad or Android Tablets could want to use the iPad or Android Tablet, thus increasing risk of illegitimate access to sensitive information, not to mention policy violation and security risk related to downloaded malware, etc.
Mitigating Controls / Action Plan: Policy prohibits users from sharing company-owned assets with non-employees.

2. Lost or Stolen Device (Likelihood 7 / Impact 5 / Inherent Risk 12)
Description: An iPad or Android Tablet with institution data on it could be lost or stolen, such as leaving them in the library, a taxi-cab, on an airplane, etc. and the person finding the lost device could access classified information.
Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. Remote Wipe applications are being investigated. We use (identify encryption methodology here) to encrypt all iPads and/or Tablets.

3. Lost or Stolen Device (Likelihood 7 / Impact 5 / Inherent Risk 12)
Description: Some malicious persons could be actively looking to steal iPad or Android Tablets, and the person stealing the device could access classified information.
Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. Remote Wipe applications are being investigated. We use (identify encryption methodology here) to encrypt all iPads and/or Tablets.

4. Sloppy Deployment (Likelihood 8 / Impact 3 / Inherent Risk 11)
Description: Rolling out the iPad or Android Tablets could create unforeseen problems.
Mitigating Controls / Action Plan: We will develop a deployment plan including this risk assessment, and we will test deployment in an isolated manner before rolling out the full deployment.

5. Policy Violation (Likelihood 8 / Impact 3 / Inherent Risk 11)
Description: Use of the iPad or Android Tablets could violate our "no Wi-Fi policy."
Mitigating Controls / Action Plan: Update the policy to allow Wi-Fi in the organization only according to published configuration standards that include MAC Filtering, WPA2 encryption, etc. OR We will disable the Wi-Fi capabilities on iPad or Android Tablets.

6. Confused Users (Likelihood 7 / Impact 3 / Inherent Risk 10)
Description: Vulnerabilities related to the inconsistent introduction of new procedures (e.g. test group doesn't adopt lessons from first post-mortem evaluation).
Mitigating Controls / Action Plan: The deployment strategy should specifically design test groups and those in the test groups should be instructed that policies / usages / habits may require change as a result of the test.

7. Wireless Availability (Likelihood 6 / Impact 3 / Inherent Risk 9)
Description: Connectivity, access, and other availability issues (not all remote users have broadband nor do they have Wi-Fi).
Mitigating Controls / Action Plan: Connectivity is required via Wi-Fi into a broadband home Internet connection, but, as an exception approved by the Information Security Officer, we also have made 3G available to users with no broadband Internet connectivity in their area.

8. Patch Issues (Likelihood 8 / Impact 5 / Inherent Risk 13)
Description: Operating system updates, antivirus signatures, etc. become out of date because users do not know (or follow-through) on the updating process.
Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. Devices are audited regularly to ensure proper updating. Devices are checked in and out, and are rotated and inspected by IT to ensure proper updating.

Note: Risk rankings are proposed, and you will want to adjust them and controls to fit your own unique perspective. For example, if you do not offer consumer capture, that vulnerability would have no inherent ri


Columns (continued): Item#; Vulnerability Name; Description; Likelihood of Occurrence (1-8); Impact Severity (1-5); Inherent Risk (2-13); Mitigating Controls; Action Plan - Actions we can take in the future to reduce residual risk, proposed safeguards or institute mitigating controls.

9. Lost or Stolen Device (Likelihood 5 / Impact 5 / Inherent Risk 10)
Description: If a malicious person gets access to an iPad or Android Tablet, the malicious person could use sensitive information on the iPad or Android Tablet (MAC Address, Authentication Credentials, vulnerability reports, etc.) to further breach other systems.
Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. We use Exchange ActiveSync to restore the device to factory settings upon demand. (Document MDM application here.) Remote Wipe applications are being investigated. Our MDM and policy requires the use of passcodes, and requires a factory reset in the event of X failed login attempts. All company data on the device is encrypted. We use (identify encryption methodology here) to encrypt all iPads and/or Tablets.

10. Lost or Stolen Device (Likelihood 7 / Impact 5 / Inherent Risk 12)
Description: If users do not purge sensitive information from the iPad or Android Tablet regularly, and it is lost or stolen, a malicious person could use information on the iPad or Android Tablet to execute a wider breach of other systems, or steal the victim's identity.
Mitigating Controls / Action Plan: Devices are inspected (audited) by IT regularly. Devices are checked in and out, and rotated through IT to ensure appropriate purging of sensitive information. Security Awareness Training stresses the vulnerabilities with portable devices. Remote Wipe applications are being investigated. All company data on the device is encrypted. We use (identify encryption methodology here) to encrypt all iPads and/or Tablets.

11. Fraudulent Apps (Likelihood 5 / Impact 5 / Inherent Risk 10)
Description: While "borrowing" the iPad or Android Tablet, a malicious person could download a fraudulent app or malware to an unsuspecting person's iPad or Android Tablet. Note: this is currently very unlikely with Apple devices because of the way Apple controls applications and app installation.
Mitigating Controls / Action Plan: Policy prohibits users from sharing company-owned assets with non-employees.

12. Malware (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Malware could be installed on the iPad or Android Tablet that executes fraudulent transactions such as keylogging or data scraping. Note: this is currently very unlikely with Apple devices because of the way Apple controls applications and app installation.
Mitigating Controls / Action Plan: Security Awareness Training stresses the vulnerabilities with portable devices. Devices are audited regularly to ensure proper updating. Devices are checked in and out, and are rotated and inspected by IT to ensure proper updating.

13. Using Cloud Computing Resources (such as iCloud) (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: If employees use Cloud Computing (such as the iCloud) to back up their iPads, financial institution data could end up on third party assets without our knowledge, increasing risk of breach.
Mitigating Controls / Action Plan: The Mobile Devices Security Procedure prohibits the use of cloud computing services (such as iCloud) for issued and authorized devices.

14. BYOD devices are owned by the Employee (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Since authorized devices are owned by the employee, there may be reluctance on the part of the employee to implement security controls.
Mitigating Controls / Action Plan: The Mobile Devices Security Procedure requires employees to sign a declaration page acknowledging that in consideration for storing financial institution data on their device, they agree to follow all policies and procedures as if the device was owned by the organization.


Columns (continued): Item#; Vulnerability Name; Description; Likelihood of Occurrence (1-8); Impact Severity (1-5); Inherent Risk (2-13); Mitigating Controls; Action Plan - Actions we can take in the future to reduce residual risk, proposed safeguards or institute mitigating controls.

15. Retired Devices (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: For authorized (BYOD) devices, an employee could return the device to a provider (such as AT&T or Verizon Wireless) in exchange for an upgrade, forgetting to inform the company that the device needs to be remote wiped.
Mitigating Controls / Action Plan: The remote wipe application (document here) that we use allows the device to be wiped as soon as it is turned on. All information on the device owned by the financial institution is encrypted.

16. Inadequate Patching of Applications (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Employees could be slow to install updates to applications, causing vulnerabilities.
Mitigating Controls / Action Plan: Security Awareness Training and policy requires the installation of operating system updates. The Audit Checklist includes operating system updates as one of the audit items.

17. Memorized Credentials (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: If a malicious person gets access to a victim's mobile device, and passwords, account numbers, usernames, etc., are memorized in the device's applications, the malicious person could use this information to further breach other systems or the smart phone's access to wireless banking.
Mitigating Controls / Action Plan: Security Awareness Training teaches and encourages employees not to memorize credentials in their devices. Policy prohibits memorization of credentials. Meanwhile, applications encrypt these credentials as much as possible.

18. Inadequate Authentication (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: A malicious person could quickly grab sensitive information on a victim's phone if there is no means of authentication.
Mitigating Controls / Action Plan: Screen-lock passcodes are required by policy and technically enforced by Exchange ActiveSync (or MDM if you use it).

19. Passcode Guessing (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Since smart phone authentication is often pattern recognition or pin-based, which is much easier to guess, a malicious person may be able to quickly guess authentication credentials.
Mitigating Controls / Action Plan: Devices are configured to return to factory settings after X failed login attempts and this is technically enforced by Exchange ActiveSync (or MDM if you use it).

20. Text Messages Containing Sensitive Information could be found on phone (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: If customers do not purge text messages from the financial institution on a regular basis, and the smart phone is lost or stolen, a malicious person could use information in texts to execute a wider breach of other systems, or steal the victim's identity.
Mitigating Controls / Action Plan: Security Awareness Training teaches and encourages employees to purge text messages and e-mails that are no longer necessary. Policy requires purging after 30 days. MDM enforces purging of text messages.

21. Smishing (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Malicious persons could send spoof texts with links that go to sites that download malicious software or provide fraudulent apps on the smart phone.
Mitigating Controls / Action Plan: Security Awareness Training warns employees of the dangers of phishing and smishing.

22. Malware (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Malware could be installed on the iPad or Android Tablet that executes fraudulent transactions such as keylogging or data scraping.
Mitigating Controls / Action Plan: Security Awareness Training warns employees of the dangers of fraudulent apps. Our MDM app has strong application control and we restrict applications to those we whitelist.

23. Bluesnarfing (Likelihood 6 / Impact 5 / Inherent Risk 11)
Description: Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection. Bluetooth is a short range high speed wireless technology used for sharing information between devices. Devices with Bluetooth enabled by default and 'always on' may present a target for exploitation and interception of data which can be done undetected.
Mitigating Controls / Action Plan: Encourage employees to keep Bluetooth turned off by default and use only when necessary. Make sure that Bluetooth is turned off while conducting sensitive transactions. All applications encrypt data in motion.


Item# | Vulnerability Name | Description | Likelihood of Occurrence (1-8) | Impact Severity (1-5) | Inherent Risk (2-13) | Mitigating Controls | Action Plan - Actions we can take in the future to reduce residual risk, proposed safeguards or institute mitigating controls

24 Jailbreaking: Employees who jailbreak their phones could unknowingly install fraudulent apps or have their phone hijacked by malicious persons who can log in using the default password.
Likelihood 6, Impact 5, Inherent Risk 11. Mitigating Controls: Policy prohibits users from using jailbroken iPads as authorized devices or from jailbreaking issued devices.

25 Outdated Controls: Mobile technology is constantly changing. Even if we mitigate all security risks in this assessment, there may still be compliance risk if we do not make sure we update the appropriate documents.
Likelihood 6, Impact 5, Inherent Risk 11. Mitigating Controls: We will return to our portable devices risk assessment on an annual basis.

26 Bypassing Controls: Portable devices could be used to bypass existing controls such as firewall protection, policies against social media use during business hours, etc.
Likelihood 6, Impact 5, Inherent Risk 11. Mitigating Controls: Policy prohibits bypassing controls. Security Awareness Training establishes why this is not a good practice.

27 Streaming Audio, Video, App Updates, App Downloads: The use of portable devices in the corporate office and in the branches could cause a reduction in network speed due to users downloading videos, music, apps, and app updates.
Likelihood 8, Impact 3, Inherent Risk 11. Mitigating Controls: Policy prohibits this type of use on corporate access, content filtering enforces this policy, and users will be reminded of this.

28 Device Retirement: Employees could trade in their own devices without remembering to inform the organization so that the device can be remotely wiped before it is turned over to the phone provider's control.
Likelihood 8, Impact 5, Inherent Risk 13. Mitigating Controls: Policy requires employees to agree to inform the bank in advance of upgrading, trading in, or otherwise retiring their device. Our MDM application will still wipe the device when the phone company turns it on.

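The technically enforced controls in items 15 through 24 above (encrypted data, no memorized credentials, screen-lock passcode, factory reset after X failed attempts, 30-day message purge, application whitelist, no jailbreaking) are what an MDM or Exchange ActiveSync compliance report is measured against. The audit below is an added example, not part of the infotex workbook; the device records, field names, app identifiers and the value chosen for X are constructed assumptions rather than the output of any particular MDM product.

```python
"""Audit an MDM / Exchange ActiveSync device inventory against the Portable
Devices controls (items 15-24).  Added example: device records, field names,
app identifiers and the wipe threshold X are constructed assumptions."""
from dataclasses import dataclass

# Thresholds from the assessment rows.  The page leaves X (failed logins
# before factory reset) open, so 10 is an assumed value.
MAX_FAILED_ATTEMPTS_BEFORE_WIPE = 10          # item 19
MAX_MESSAGE_AGE_DAYS = 30                     # item 20: purge after 30 days
# Item 22: only whitelisted applications are allowed (identifiers constructed).
APP_WHITELIST = frozenset({"com.bank.mobile", "com.bank.mdm", "com.vendor.mail"})


@dataclass
class Device:
    name: str
    owner_type: str            # "issued" or "authorized" (BYOD)
    passcode_required: bool    # item 18: screen-lock enforced by EAS/MDM
    wipe_after_failed: int     # item 19: 0 means no failed-attempt wipe
    oldest_message_days: int   # item 20: age of the oldest retained text/e-mail
    jailbroken: bool           # item 24
    installed_apps: frozenset  # item 22
    storage_encrypted: bool    # item 15: institution data encrypted at rest
    saved_credentials: bool    # item 17: credentials memorized in apps


def audit_device(d: Device) -> list:
    """Return (item number, finding) pairs for every control the device fails.
    Order follows the item numbers so reports are stable."""
    findings = []
    if not d.storage_encrypted:
        findings.append((15, "institution data on the device is not encrypted"))
    if d.saved_credentials:
        findings.append((17, "credentials are memorized in device applications"))
    if not d.passcode_required:
        findings.append((18, "screen-lock passcode is not enforced"))
    if d.wipe_after_failed == 0 or d.wipe_after_failed > MAX_FAILED_ATTEMPTS_BEFORE_WIPE:
        findings.append((19, "factory reset after failed logins is disabled or above "
                             f"{MAX_FAILED_ATTEMPTS_BEFORE_WIPE} attempts"))
    if d.oldest_message_days > MAX_MESSAGE_AGE_DAYS:
        findings.append((20, f"messages older than {MAX_MESSAGE_AGE_DAYS} days are retained"))
    unapproved = sorted(d.installed_apps - APP_WHITELIST)
    if unapproved:
        findings.append((22, "non-whitelisted apps installed: " + ", ".join(unapproved)))
    if d.jailbroken:
        findings.append((24, "device is jailbroken/rooted"))
    return findings


def audit_inventory(devices) -> dict:
    """Map each device name to its list of findings (empty list = compliant)."""
    return {d.name: audit_device(d) for d in devices}


# Constructed sample inventory: one compliant issued tablet and one BYOD phone
# that fails most of the controls.
SAMPLE_INVENTORY = [
    Device("ipad-issued-01", "issued", True, 10, 12, False,
           frozenset({"com.bank.mobile", "com.bank.mdm"}), True, False),
    Device("android-byod-07", "authorized", False, 0, 45, True,
           frozenset({"com.bank.mdm", "com.example.game"}), True, True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "COMPLIANT" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for item, text in findings:
            print(f"  item {item}: {text}")
```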


Today’s Agenda

• Drill-down Risk Assessments
  – Wireless Banking (Three Channels)
  – Portable Devices
    • Laptops (issued and authorized)
    • Smartphones (issued and authorized)
    • Tablets (issued and authorized)
  – Wireless Access Points
• BYOD
• Pulling it all together!


Wireless Networking

• Consider three risk assessments:
  – One for your internal network.
  – One for your guest network.
  – One for your employees’ home network.


Wireless Networking

• Get your management team used to the fact that they should learn how to use their router.


Handout: Action Plan

• What MIGHT you add to your action plan based on the previous material?

• Give it a name.

• Write it in the top section of your Action Plan sheet.


Wireless Access Points


ASSET DESCRIPTION


The Workbook


Wi-Fi Risk Assessment


Asset Description: Wireless Networking


1. What is the value proposition for wireless networking?

2. What will motivate consumers to adopt wireless networking?

3. Who is the existing market and what are they doing in it?

4. Who are the key vendors of wireless networking?
A. ____ B. ____ C. ____ D. ____

5. What are the key success factors in creating a wireless networking solution?
A. ____ B. ____ C. ____ D. ____ E. ____ F. ____

6. What are institutions offering now in mobile banking? What controls are already available?


7. What similar information assets does the financial institution already own? What is similar?

8. What makes this information asset different than the other information assets?

9. What vulnerabilities and/or threats are “inherent” in this asset? What do we already know?

10. Who will have access to this asset?

11. Who will have possession of this asset?

12. What type of data will this asset store? What is the highest classification of data?

13. Discuss the volume of data. Is it high, low, or “start low, hope high”?

14. What policy or program will “govern” the deployment, maintenance, and use of this asset?


Item# | Vulnerability Name | Description | Likelihood of Occurrence (1-8) | Impact Severity (1-5) | Inherent Risk (2-13) | Mitigating Controls | Action Plan - Actions we can take in the future to reduce residual risk, proposed safeguards or institute mitigating controls

1 Insecure Configuration: The wireless access point installed in the corporate office for the purposes of creating a guest network for examiners, auditors, and other third parties could be configured in a manner that does not mitigate vulnerabilities.
Likelihood 5, Impact 5, Inherent Risk 10. Mitigating Controls: In 2013, the corporate guest wireless access point is on its own Internet connection and thus will be treated the same as a public network in a hotel is treated if, for some reason, bank employees need to connect to it. They shouldn't, however, because of our private wireless network.

2 Insecure Configuration: The wireless access point installed in the corporate office for employee use could be configured in a manner that does not mitigate vulnerabilities.
Likelihood 5, Impact 5, Inherent Risk 10. Mitigating Controls: In 2013, the configuration of the wireless access point for the corporate office's private network should include WPA2 encryption, the use of a strong password for the network key, an unbroadcasted SSID, and MAC filtering. The network administrator will be given access to the device and taught how to manage the Access Control List (for MAC filtering). The Information Security Officer will be trained to audit this and all other configuration files. The IT Audit Plan will include a review of the configuration file internal audit procedure, and the configuration of the private wireless access point (as well as randomly selected branch wireless access points).

3 Insecure Configuration: The wireless access point installed in the corporate office could be configured in a manner that does not mitigate vulnerabilities.
Likelihood 5, Impact 5, Inherent Risk 10. Mitigating Controls: In 2013, the configuration of the wireless access point for each branch should include WPA2 encryption, the use of a strong password for the network key, an unbroadcasted SSID, and MAC filtering. Branch managers will be given access to the device and taught how to manage the Access Control List (for MAC filtering). They will also be trained to save and submit the configuration file for audit purposes.

4 Insecure Configuration: The wireless access point installed in the employee's home could be configured in a manner that does not mitigate vulnerabilities.
Likelihood 7, Impact 5, Inherent Risk 12. Mitigating Controls: Require a specific configuration and train appropriate users to meet the requirements of that configuration. In 2013, the configuration should include WPA2 encryption, the use of a strong password for the network key, an unbroadcasted SSID, and MAC filtering. Users will be trained to save the WAP's configuration file in a manner that can be submitted for audit purposes. Action Plan: Do the audits.

5 Insecure Configuration: The wireless access point installed in a hotel, coffee shop, or other third-party location could be configured in a manner that does not mitigate vulnerabilities.
Likelihood 8, Impact 5, Inherent Risk 13. Mitigating Controls: Assume it is not; require that users choose "public network" upon connecting, require the OWA configuration selection to be "public network", and only use the connection (for bank purposes) through a VPN.

Note: Risk rankings are proposed, and you will want to adjust them and controls to fit your own unique perspective. For example, if you do not offer consumer capture, that vulnerability would have no inherent ri


Item# | Vulnerability Name | Description | Likelihood of Occurrence (1-8) | Impact Severity (1-5) | Inherent Risk (2-13) | Mitigating Controls | Action Plan - Actions we can take in the future to reduce residual risk, proposed safeguards or institute mitigating controls

6 Lack of Knowledge/Confidence to Configure Own Device: Employees may not know how to properly configure a wireless access point.
Likelihood 8, Impact 5, Inherent Risk 13. Mitigating Controls: Assume that they do not. Create a training program centered around common wireless access points and provide training to employees. Require employees to submit their configuration file for audit purposes. Grant use from home only with approved router equipment. Provide routers to employees. Each remote-access-approved employee must know how to configure their router to meet the specifications of the Portable Devices Configuration Standards. Home installations are randomly audited.

7 Access to Device: A malicious person could gain access to the wireless device from the employee's home.
Likelihood 4, Impact 5, Inherent Risk 9. Mitigating Controls: Require employees to report robberies, break-ins, or other suspicious activity.

8 Unwillingness to Comply with Policy: An employee could decide that the policy is over-reaching or otherwise not worth enforcing.
Likelihood 4, Impact 5, Inherent Risk 9. Mitigating Controls: Require employees to submit their configuration files for audit purposes.

9 Slow Networks: Wireless Access Points in our office could cause people to use the network to download music, apps, books, and other non-business data that will unnecessarily slow our network down.
Likelihood 8, Impact 3, Inherent Risk 11. Mitigating Controls: Content filters (or our MDM system) enforce good bandwidth practices on our guest and internal wireless networks. The Acceptable Use Policy will be updated to reflect concerns regarding the new guest network, and policy will prohibit the use of the wireless network for personal downloads during business hours. Policy will NOT prohibit using the wireless network to update systems (such as OS or application updates), as we want to encourage employees to do that, and the difference in policy just might get their attention in that respect. If examiners, auditors, and other vendors use the guest network for downloading/updating purposes, we will not control it at this time.

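Rows 2 through 4 above set one configuration standard for every private, branch and home access point (WPA2, a strong network key, an unbroadcasted SSID, MAC filtering) and rows 3, 4, 6 and 8 have users save and submit the configuration file so it can be audited. The checker below is an added example of that audit step, not part of the infotex workbook; the key=value export format and its field names are constructed, since real routers export configuration in vendor-specific formats, and the page does not quantify "strong password", so the length and character-class rule is an assumption.

```python
"""Check a submitted wireless access point configuration export against the
2013 standard: WPA2 encryption, strong network key, unbroadcasted SSID, and
MAC filtering with a populated access control list.  Added example; the
export format, field names and the strong-password rule are assumptions."""
import re

MIN_KEY_LENGTH = 14   # assumed threshold for a "Strong Password"
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_config(text: str) -> dict:
    """Parse 'key=value' lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip().lower()] = value.strip()
    return cfg


def key_is_strong(key: str) -> bool:
    """Assumed reading of 'strong': at least MIN_KEY_LENGTH characters drawn
    from at least three of the four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(key) >= MIN_KEY_LENGTH and sum(bool(re.search(c, key)) for c in classes) >= 3


def audit_wap(cfg: dict) -> list:
    """Return one finding string per requirement of the standard the export misses.
    WPA2 with a strong key is what protects the traffic; the hidden SSID and MAC
    ACL are the standard's additional layers, so all four are checked."""
    findings = []
    mode = cfg.get("security_mode", "").upper()
    if not mode.startswith("WPA2"):
        findings.append(f"encryption: WPA2 required, found {mode or 'none'}")
    if not key_is_strong(cfg.get("wpa_psk", "")):
        findings.append("network key does not meet the strong password requirement")
    if cfg.get("ssid_broadcast", "1") != "0":
        findings.append("SSID is broadcast; the standard requires an unbroadcasted SSID")
    if cfg.get("mac_filter_mode", "disabled").lower() != "allow":
        findings.append("MAC filtering is not enabled in allow-list mode")
    acl = [m.strip() for m in cfg.get("mac_filter_list", "").split(",") if m.strip()]
    if not acl:
        findings.append("MAC access control list is empty")
    bad = [m for m in acl if not MAC_RE.match(m)]
    if bad:
        findings.append("malformed ACL entries: " + ", ".join(bad))
    return findings


# Constructed example exports: a branch WAP before and after applying the standard.
WEAK_CONFIG = """
# branch WAP as submitted (constructed)
ssid=BranchWiFi
security_mode=WPA-PSK
wpa_psk=branch2013
ssid_broadcast=1
mac_filter_mode=disabled
mac_filter_list=
"""

COMPLIANT_CONFIG = """
# same WAP after remediation (constructed)
ssid=BranchWiFi
security_mode=WPA2-PSK
wpa_psk=Vq7#mL2pZ!x9rTk4
ssid_broadcast=0
mac_filter_mode=allow
mac_filter_list=00:11:22:33:44:55,66:77:88:99:aa:bb
"""

if __name__ == "__main__":
    for label, text in (("before", WEAK_CONFIG), ("after", COMPLIANT_CONFIG)):
        findings = audit_wap(parse_config(text))
        print(f"{label}: {'compliant' if not findings else ''}")
        for f in findings:
            print("  -", f)
```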


Today’s Agenda

• The Branchless Bank
• Workshop and the Workbook
• Mobile Risk
• FFIEC Requirements (related to Mobile Security)
• Drill-down Risk Assessments
• BYOD
• Pulling it all together!


Today’s Agenda

• BYOD
  – User Policy (we call it a Procedure)
  – Configuration Standards Development
  – Mobile Device Audit Practices
  – Mobile Device Management
    • Exchange ActiveSync
    • A rundown of five MDM Providers
• Pulling it all together!

In this next section

• We’ll work off yet another drill-down agenda.
• We’ll review a typical “BYOD Policy.”
• We’ll review a typical “Configuration Standard.”
• We’ll discuss enforcement methods.


[Diagram: the infotex map of the FFIEC requirements for an IT Governance Program. Boxes: IT Governance Policy; Access Management; Incident Response; Asset Management; Business Continuity; Vendor Management; Technical Security Standards; Awareness; Risk Management. Additional boxes on this slide: Branchless Banking; Record Retention; Traditional (Inventory, License, Replacement). The base map is shown a second time without the additions.]


[Diagram: the IT Governance Policy map (Access Management; Incident Response; Asset Management; Business Continuity; Vendor Management; Technical Security Standards; Awareness; Risk Management) with additional boxes: Education, Motivation, Activation; Procedures; Acceptable Use Policy; Agreements.]


Mobile Device Security Kit

• Let’s see the directory structure!

Two types (from risk view)

• Issued devices
• Authorized devices (BYOD)


Three Considerations

1. Both employee-owned (Bring Your Own Device [BYOD]) and Bank-owned devices should be addressed.

2. All devices that access Bank assets from outside the branch should be addressed.

3. The entire device lifecycle (introduction, management, retirement) should be addressed.


The Workbook


Portable Device Security Procedure


Awareness Program: User (and Branchless Banking) Effective: xx/xx/xx Created/Revised: yy/yy/yy Portable Devices Security Procedure Procedure Owner: Title Here

Acceptable Use Policy Insertion: We suggest the following be inserted into your existing Acceptable Use Policy:

Employees are prohibited from putting company-owned data on information assets without specific instructions, approvals, or policies to do so. This includes all types of devices, from portable, stationary, or electronic media to company-owned or employee-owned devices (often referred to as BYOD devices).

Some employees, based on defined business needs, may be approved to store data upon what the organization considers to be portable devices. Your supervisor will approach you if there is a need for this. The Board of Directors, by approving this Acceptable Use Policy, requires management to maintain a stringent process for approving eligible employees. The Board requires that those employees must learn and follow the Portable Devices Security Procedure. The approval to store company data on portable devices is accompanied by an agreement signed by the employee agreeing to comply with the Portable Devices Security Procedure.

IT Governance Policy Insertion: We suggest the following be inserted into your high-level IT Governance Policy (sometimes called the IT Risk Management Policy or the Information Security Program):

Mobile Security: Management will create and maintain a risk-based method to manage risk arising from mobile computing including the use of wireless portable devices including smart phones (iPhones, Android phones, BlackBerries) and Tablet PCs (iPads, Xooms, Playbooks). Management will create a stringent process for approving access to company information and/or storage of company information on any device that connects to the organization’s network outside of a branch.


Insert Financial Institution Name / Logo

Portable Devices Security [Policy / Procedure]

(Approved During xx/yy/zz [IT Steering / EDP / Branchless Banking / Technology] Committee Meeting)

Classified: Internal Use Contact if found: Name, Title

Name of Financial Institution City, State

Note: This will be the last time we use [Policy / Procedure] to indicate that some organizations may choose to make this a policy document. If you choose to elevate the status of this document from a procedure to a policy, be sure to modify all references to policy / procedure appropriately. Also, be sure to reference this document appropriately as you customize the related documents (the Portable Devices Configuration Standards, Portable Devices Audit Checklist, etc.).


Procedure Scope

All individuals issued a portable device owned by Name of Financial Institution are required to read this procedure and sign the declaration form located on the last page prior to receiving such device. All individuals given permission to store information owned by Name of Financial Institution on their own device are also required to read this procedure and sign the declaration form located on the last page prior to receiving such information.

This procedure applies to all Name of Financial Institution’s employees, temporary workers, contractors, and consultants who use company-owned and non-company-owned portable devices (such as, but not limited to, laptop computers, PDAs, BlackBerries, cell phones, smart phones, etc.) that are connected to information assets owned by Name of Financial Institution or that are allowed to store information owned by Name of Financial Institution.

The [Information Security Officer / IT Steering Committee / EDP Committee / Branchless Banking Committee / Technology Committee] is responsible for overseeing the development, implementation, and maintenance of this procedure. It should be reviewed at least annually to ensure relevant information is appropriately considered. The [IT Steering / EDP / Branchless Banking / Technology] Committee is responsible for enforcing this procedure. For questions concerning this procedure, see the Information Security Officer.

Introduction

Name of Financial Institution’s information must be protected in a manner commensurate with Name of Financial Institution’s policies. Consistent security must take place regardless of the medium used for storage, the location of the storage, the systems used for processing, or the methods used for handling the information. This means that employees must protect information in a similar manner whether they are in Name of Financial Institution’s office or a location outside of company premises.

Some devices are “portable” in nature, meaning that they are easily transported from one location to another and are “self-contained,” meaning they do not need to have consistent power from a wall electrical outlet. Portable devices such as laptops and smart phones represent an increasing amount of risk to the organization. These devices are often not even owned by the financial institution. As the Information Revolution continues, more and more portable devices will pose risk as well as opportunity for Name of Financial Institution. For example, smart phones allow us to check our calendars and e-mail while at conventions or conferences. However, if we’re not careful, these same smart phones could be lost, allowing unauthorized access to sensitive information. Therefore, this procedure has been developed to ensure that those users who are issued company-owned portable devices, or those users who are allowed to store company-owned information on their own portable devices, protect that information.


Objective

The purpose of this procedure is to establish security policies that apply to employees using portable devices that connect to Name of Financial Institution’s computer system, or that store information owned by Name of Financial Institution. The Federal Financial Institutions Examination Council (FFIEC) indicates that the financial institution should implement policies and procedures to prevent the removal of sensitive electronic information and data. These policies should address the use of laptop computers, personal digital assistants, and portable electronic storage devices. (Referenced in the FFIEC Operations Booklet.) This procedure complies with the organization’s IT Governance Policy as well as the Acceptable Use Policy.

Definition of Portable Device

Name of Financial Institution defines portable devices as “any self-contained device that can transfer and store data that has the ability to be routinely removed from the network and carried outside of the organization, whether owned by the financial institution or not.” The following is a non-inclusive list of typical portable devices:

• Laptops
• iPads or other Tablet PCs (e.g. Motorola Xoom)
• Smart Phones (e.g. iPhone, Droid, etc.)
• Regular Cell Phones with Storage Capabilities (e.g. BlackBerry, Treo, etc.)
• Digital Cameras
• iPods and/or MP3 Players

This definition does NOT intend to include “portable electronic media” such as CDs, DVDs, USB drives, or SD-flash cards, though such media may be used in portable devices. The Acceptable Use Policy governs the use of electronic media.

Additional Definitions

Authorized Device: A device that is not company-owned that has been approved to store company-owned information is, for the sake of this procedure, considered to be an “authorized device.”

Bring Your Own Device (BYOD): Industry buzzwords for what we refer to as “authorized devices.”

Company-Owned Device: Any device that is owned by the organization is considered to be a “company-owned” device. A device that is owned by an employee is not company-owned.

Company-Owned Information: Information that originates on the financial institution’s information system, or that is given to an employee by a customer of the institution, is considered to be “company-owned” information. This information is required to be protected by law and if it is given to an employee as part of the employee’s job, it is considered to be owned by the financial institution regardless of the circumstances of the transfer of information.

Issued Device: A company-owned portable device is, for the sake of this procedure, considered to be an “issued device.”

Jailbreaking (or Rooting): Some portable devices have controls in them to prevent malicious software and applications from being downloaded and installed on them. Bypassing these controls, sometimes called “jailbreaking” or “rooting,” is not allowed.

User Accountability for Issued Devices

Employees are responsible for all activity that takes place from an issued device. Likewise, by signing the declaration page of this procedure, employees agree that they are responsible for all activities originating from issued devices, even if that activity is not the business of Name of Financial Institution. If Name of Financial Institution’s security is compromised, the employee is still responsible and liable for all activity via the use of the issued portable device. Therefore, in order to receive an issued device, employees must learn and take very seriously all issues related to portable device security.

Note: If you do not prohibit the use of issued devices by non-company employees, consider the following language: For devices that can be configured to have more than one user account, users of issued devices by individuals that are not employees of the organization must be in an account that is NOT that of an employee’s account. Only employees of the financial institution are allowed to use issued devices that do not allow more than one user account to be configured. In other words, issued [iPads / Tablets] and/or smart phones must not be shared with family members. If you DO prohibit the use of issued devices by non-company employees, consider the following language: Use of issued devices by individuals that are not employees of the organization is prohibited. In other words, issued [iPads / Tablets] and/or smart phones must not be shared with family members.


User Accountability for Authorized (BYOD) Devices

Employees are responsible for all activity that takes place from an authorized device. Likewise, by signing the declaration page of this procedure, employees agree that they are responsible for all activities originating from authorized devices, even if that activity is not the business of Name of Financial Institution. If Name of Financial Institution’s security is compromised, the employee is still responsible and liable for all activity via the use of the authorized portable device, whether the compromise originated from company activity or not. In order to receive permission to store company-owned information on an employee-owned (authorized) device, employees must learn and take very seriously all issues related to portable device security. Employees should beware of attack vectors (phishing, smishing, fraudulent apps, etc.) and recognize that they are vulnerable without adequate awareness.

Note: If you do not prohibit the use of authorized devices by non-company employees, consider the following language: For devices that can be configured to have more than one user account, users of authorized devices by individuals that are not employees of the organization must be in an account that is NOT that of an employee’s account. Only company employees are allowed to use authorized devices that do not allow more than one user account to be configured. If you DO prohibit use of authorized devices by non-bank employees, consider the following language: Use of authorized devices by individuals not employed by the organization is prohibited. In other words, by signing the declaration page of this procedure, you agree that authorized [iPads / Tablets] and/or smart phones must not be shared with family members even though you own the device.

Physical Security

Given their small size and portable nature, it is more likely that these portable computing devices will fall into the wrong hands than a desktop system. Users must protect issued and authorized devices from physical threats and vulnerabilities. Physical security measures shall, at a minimum, include the following:

Portable computing devices, computer media, and removable components, such as disk drives and network cards, must be stored in a secure environment. Devices must not be left unattended without employing adequate safeguards such as cable locks, restricted access environments or lockable cabinets.

Do not allow individuals not employed by the organization to utilize issued devices. Be careful who you allow to use authorized devices.

Safeguards shall be taken to avoid unauthorized viewing of sensitive or confidential data in public or common areas.

When possible, portable computing devices, computer media, and removable components must remain under visual control while traveling. If visual control cannot be maintained, then necessary safeguards shall be employed to protect the physical device, computer media, and removable components.

When a laptop is to be left in a vehicle, it must be stowed in the trunk, and placed there before driving to the destination. If the vehicle does not have a trunk, the laptop must be secured out of sight inside the vehicle to a non-mobile structure through the use of a cable system with integral combination or key lock.

Whenever possible, portable devices should enable password- or PIN-protected screen locks, meaning that before being usable the device should require a password, PIN, or pattern entered by the user that only the company employee knows.

Configuration

Name of Financial Institution has established minimum portable computing device configuration requirements, which are documented in our Portable Devices Configuration Standards, for company-owned, privately-owned, or contractor-owned devices authorized for work use. These standards create requirements for both issued and authorized devices. These requirements include:

Applications that are unknown, or that are known to be undesirable (for reasons such as security flaws, battery use, information sharing, obscenity, etc.), should not be installed on either issued or authorized devices. The organization reserves the right to control applications installed on both issued and authorized devices.

Applications that host financial institution data must be configured so that any data stored on the portable device (including account names, passwords, and other credentials) is encrypted as per the current approach. As portable device encryption is still under development, the Portable Devices Audit Checklist will require the Network Administrator to check against the organization’s current approach and advise accordingly.

For organizations with application control capabilities that use this capability: The organization uses a control application that, upon enrollment of your portable device as an issued or authorized device, will restrict applications that can be installed on your device. A list of approved applications is published in the [Portable Devices Configuration Standards / Mobile Device Management Application / break room / state where-ever you would publish such a list]. If you wish to install an application that is not on this list, please send an e-mail request to the Information Security Officer.

All portable computing devices, whether issued or authorized, must be equipped with anti-virus software. Note: Currently some banks will add “except for Apple devices” to this language.

Mandatory system configurations, settings, and software for issued devices must not be modified without prior authorization by the Information Security Officer. At any time issued devices may be restored to the “default” configuration as per the Portable Devices Configuration Standards.

Name of Financial Institution’s applications that reside on issued and authorized devices must be installed by the [Network Administrator / IT Manager].

All portable device operating systems (issued and authorized) must be maintained with appropriate vendor security patches and updates.

All portable devices must store company-owned information “at rest” in encrypted fashion. For assistance with this, you must see the [Network Administrator / IT Manager] who will ensure your device has encryption allowed by our Portable Devices Configuration Standards. Exceptions to this must be approved by the Information Security Officer. These exceptions will be documented in the Annual GLBA Technology Risk Assessment Systems Inventory.

Note: If you have a Remote Access Procedure, you can refer to this document if possible, like this: Encryption requirements for connecting to company information assets are defined in the Remote Access Procedure.

If your remote access documentation does not adequately define encryption requirements, consider the following language: Whether sensitive data is transferred/synchronized via wire (LAN/WAN or Public Internet) or wireless connections (including to and from web sites, server databases, or e-mail servers), the data must be transmitted in an encrypted format using Name of Financial Institution’s approved method, as documented in our Portable Devices Configuration Standards. See the [Network Administrator / IT Manager] to ensure you are using this method. The approved methods include: [Document the type of approved in-motion encryption. Examples of this could include: Portal, Extranet, Secure Messaging System, SharePoint Site, etc.]

Real time access to sensitive data using internal or public wireless networks must meet the provisions of Name of Financial Institution’s Remote Access Procedure.

Passwords that grant access to Name of Financial Institution’s information assets must not be saved in browsers, e-mail clients, SSH clients, VPN clients, Terminal Services clients, and/or Remote Desktop Connection clients. [Note: This is probably a duplicate of the Acceptable Use Policy, but we recommend you repeat this for portable device users.]

Screensavers and/or screen locks on laptops and other devices that support them should be set to a timeout of 15 minutes or less, with a password prompt on resume.

For authorized devices, if anyone other than the employee uses the device, separate accounts must be configured and used for activities that are prohibited by Name of Financial Institution’s Acceptable Use Policy. For example, if games are played on the device, they must be played under a separate account from the one used to access stored company-owned information (even if the employee is the one playing). If family members use a device that cannot have more than one user profile, such as an iPad or smart phone, the device cannot be authorized under this procedure.

Note: the following is to address the fact that company-owned tablets are going to be shared with family members. You could prohibit this activity (see other provisions of this procedure) or make an exception for it. If you make an exception, it could be written as: Name of Financial Institution recognizes that family members may use company-owned iPads. If this is the case, company-owned applications, including e-mail, must require authentication if users other than the company employee are going to be using the iPad. Smart phones must have “screen-lock” authentication enabled. Though this authentication does not have to require strong passwords, it must require a password each time the device is accessed after the screen blanks.

The browser must be configured to clear all cache.

Devices accessing Outlook Web Access (OWA) will conform to existing controls and parameters for OWA.

Smart phones and other types of cell phones that have access to e-mail must be configured to store e-mails no more than three days old.


Note: Some organizations go as high as two weeks, but we recommend no more than five days. As a consulting firm, ours is set at three days and that works fine. Some organizations have selected not to govern how much e-mail is kept on the device. We would see that as an audit deficiency unless other mitigating controls were declared.

Access to company-owned e-mail systems by smart phones will require that smart phones utilize “screen-lock,” “passcode,” or some other form of power-on authentication prior to such access. This document will refer to this type of authentication as “screen-lock” from now on.

E-mail sent from portable devices using Name of Financial Institution’s e-mail system must be configured to use the appropriate e-mail signature and disclosure as per the Acceptable Use Policy, even if sent from authorized devices.

Smart phones must have remote wipe configured as per the Portable Devices Configuration Standards.

Text messages to and from company employees or customers for the purpose of company business must be purged after thirty days.

Issued devices are for employee use only. Those with authorized devices should be careful about who they let use their device.

Whenever possible, do not let applications on the device memorize (save) credentials.

Jailbreaking (or rooting) is prohibited on both issued and authorized devices.

Employees are prohibited from using cloud computing (such as iCloud) on both issued and authorized devices.
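Several of the configuration requirements above (“screen-lock” authentication, a screen-lock timeout of 15 minutes or less, encryption of company data at rest, e-mail on the phone limited to three days, remote wipe capability, and refusing devices that cannot honor the settings) can be enforced technically for phones that synchronize e-mail through Exchange ActiveSync. The following is an added example, not part of the infotex template or its appendices: an Exchange 2010 Management Shell script that creates such an ActiveSync mailbox policy and assigns it to one mailbox. The policy name, the mailbox alias jdoe, the minimum PIN length and the failed-unlock limit are assumptions to be replaced with the values in your own Portable Devices Configuration Standards.

```powershell
# Added example (not from the infotex template): enforce the Portable Devices
# Security Procedure settings through an Exchange 2010 ActiveSync mailbox policy.
# Run from the Exchange Management Shell with Organization Management rights.
# The policy name, the mailbox alias and the numeric limits are assumptions.

$policyName = "Portable Devices Security Procedure"   # assumed policy name

# Create the policy only if it does not exist yet, so the script can be re-run safely.
if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $policyName | Out-Null
}

# Each setting maps to a requirement in the procedure (comments give the mapping).
$settings = @{
    DevicePasswordEnabled           = $true        # "screen-lock" must be on before mail is reachable
    AllowSimpleDevicePassword       = $true        # procedure does not require strong phone passwords
    MinDevicePasswordLength         = 4            # assumed minimum PIN length
    MaxInactivityTimeDeviceLock     = "00:15:00"   # lock after 15 minutes of inactivity or less
    MaxDevicePasswordFailedAttempts = 10           # assumed: local wipe after 10 failed unlock attempts
    RequireDeviceEncryption         = $true        # company-owned information "at rest" is encrypted
    RequireStorageCardEncryption    = $true        # removable storage inside the phone as well
    MaxEmailAgeFilter               = "ThreeDays"  # keep no e-mail older than three days on the device
    AllowNonProvisionableDevices    = $false       # devices that cannot enforce the policy may not sync
}
Set-ActiveSyncMailboxPolicy -Identity $policyName @settings

# Assign the policy to a mailbox (assumed alias). Repeat per user or pipe from Get-CASMailbox.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy $policyName

# Check: the settings as the server will push them.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List DevicePasswordEnabled, MaxInactivityTimeDeviceLock, RequireDeviceEncryption,
                MaxEmailAgeFilter, AllowNonProvisionableDevices

# Check: whether the user's phone has actually acknowledged and applied the policy.
# Anything other than AppliedInFull is a finding for the Portable Devices Audit.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Format-Table DeviceType, DeviceModel, DevicePolicyApplied, DevicePolicyApplicationStatus -AutoSize
```

The last query is the part worth keeping in the audit checklist: the policy is only as good as the phone's ActiveSync client, and the server records what each device claims to have applied. Settings the procedure states but ActiveSync cannot observe (jailbreaking, which applications are installed, cloud backup of company data) still need the manual audit or an MDM product, which is why the template keeps those as audited user obligations.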

Wireless Encryption Standards

Note: If you offer wireless access at your branch locations, you should have a separate standards document governing that [See our template: Wireless Security Procedure.] If you already have a wireless encryption standards document you should still refer to it from this document. Meanwhile, you may address this, from a user’s perspective, in your Remote Access Procedure. If so, be sure to refer to it here. Otherwise, consider the following language:

Name of Financial Institution tightly controls wireless access points in our branches. However, portable devices can still connect to wireless access points outside our branches and thus the following standards must be met:

Real time access to sensitive data using internal or public wireless networks must meet the provisions of Name of Financial Institution’s Remote Access Security Procedure.

or

Select “do not broadcast SSID” on your home wireless router.

Home wireless routers should be configured to run through WPA/WPA2 shared-key encryption as well as MAC filtering whenever possible.


Whenever “joining a network” that is not your home network, choose “public network.”

Arrange with the Network Administrator to have a user certificate installed on your portable device.

Be sure you understand all requirements of remote access security before connecting to the organization over an unsecured wireless network. Specifically:

o You must connect through a VPN. See the [Network Administrator / IT Manager] if you do not understand this.

o You must comply with the Acceptable Use Policy while connected to the organization’s assets EVEN IF YOU OWN THE DEVICE.

o Do not save passwords for VPNs, e-mail, network login, or information assets accessed through your Internet browser.

Device Sanitizing

When portable devices are no longer used for the organization’s business, they must have all company-owned information securely removed. The [Network Administrator / IT Manager] knows how to do this.

When an issued device is removed from service, it must be sanitized to remove company-owned information. The Information Security Officer must ensure that all company data and software are recovered, deleted, and securely overwritten as appropriate from privately-owned and contractor-owned portable computing devices when the user’s employment or contract terminates, or when the portable computing device is no longer authorized for work use.

Note: the next bullet point may require legal review. It could be worded as: In the event an employee with an authorized device is terminated from employment, this procedure (and the signature page attached) gives the organization permission to remotely control and sanitize the authorized device.

Or this could be worded like: In the event an employee with an authorized device is terminated from employment, the [Network Administrator / IT Manager] must inspect the authorized device to ensure appropriate sanitization.

This procedure will remain in compliance with the organization’s Record Retention Policy[. / as well as our E-discovery Policy.]

If an issued device is lost or stolen, immediately notify the [Information Security Officer / Network Administrator / IT Manager] who will initiate a remote wipe.


Inventory and Audit

The [Information Security Officer / Network Administrator / IT Manager] will maintain an inventory of all issued and authorized portable devices. The inventory shall include the device make, model, serial number, date introduced into service (or authorized), and party responsible for the device.

Consider the following: Audits will be performed by the [Information Security Officer / Network Administrator / IT Manager] against a Portable Devices Audit Template. All issued and authorized portable devices must undergo at least one audit per [month / quarter / year / in its lifetime]. The Information Security Officer will maintain both the current Portable Device Audit Template as well as completed audit forms.

Or the above could be worded like this: Audits of both issued and authorized portable devices are conducted and documented on both a scheduled and random basis. All issued and authorized portable devices must undergo at least one audit per year. The Information Security Officer will maintain both the current Portable Device Audit Template as well as completed audit forms.

Or the above could be worded like this: Audits of both issued and authorized portable devices will be performed at the discretion of the [Information Security Officer / Information Technology Manager / CIO / Compliance Officer] to ensure compliance with this procedure. Audits will be performed by the [Network Administrator / Systems Administrator / PC Technician] and results of audits will be e-mailed to the [Information Security Officer / Information Technology Manager / CIO / Compliance Officer].

Or any combination of the above will work. We have clients who audit every time a device connects via NAC-enabled solutions. We have clients who audit devices against a manual checklist quarterly. And we have clients who have elected to audit “as-needed.”

Failed Audit

Devices that fail audits must be mitigated prior to continued use, even if the device is an authorized device. To be clear, if mitigation of an authorized device cannot be immediately performed, the owner of the authorized device may be required to surrender the device until mitigation is approved by the Information Security Officer. By signing the declaration page of this procedure, employees with authorized devices are agreeing to this provision.

Account Status

Name of Financial Institution reserves the right to recall any portable device issued to an employee at any time without warning or reason. The Information Security Officer reserves the right to rescind authorization for any authorized device at any time without warning or reason.
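Two of the procedure's operational steps, the device inventory (make, model, serial number, date introduced, responsible party) and the remote wipe that follows a lost-or-stolen report, can both be driven from the same Exchange ActiveSync partnership data for phones that synchronize e-mail. The following is an added example, not part of the infotex template: an Exchange 2010 Management Shell script that exports that inventory, flags devices that failed to apply the mailbox policy (an audit finding), and then wipes one reported-lost device and records the acknowledgement for the incident file. The output path, the mailbox alias jdoe, the DeviceID value and the notification address are assumptions.

```powershell
# Added example (not from the infotex template): build the inventory that the
# Inventory and Audit section requires from Exchange ActiveSync partnerships,
# then remotely wipe one reported-lost device and capture the acknowledgement.
# The path, mailbox alias, DeviceID and e-mail address below are assumptions.

$inventoryPath = "C:\Audit\PortableDeviceInventory.csv"   # assumed location

# One row per synchronizing device: responsible party, make/model, DeviceID
# (the serial-number equivalent), first sync (date introduced) and policy status.
$inventory = Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object {
        $mailbox = $_
        Get-ActiveSyncDeviceStatistics -Mailbox $mailbox.Identity |
            Select-Object @{ Name = "ResponsibleParty"; Expression = { $mailbox.Name } },
                          DeviceType, DeviceModel, DeviceID, DeviceOS,
                          FirstSyncTime, LastSuccessSync,
                          DevicePolicyApplied, DevicePolicyApplicationStatus, Status
    }
$inventory | Export-Csv -Path $inventoryPath -NoTypeInformation

# Audit failures: devices that never applied the policy, or applied it only partially.
$failed = $inventory | Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" }
$failed | Format-Table ResponsibleParty, DeviceType, DeviceID, DevicePolicyApplicationStatus -AutoSize

# Lost or stolen device: find the partnership by the DeviceID recorded in the inventory
# and send the wipe. The phone carries it out the next time it contacts the server.
$lostMailbox  = "jdoe"                  # assumed alias of the employee who reported the loss
$lostDeviceId = "ApplABCDEF1234567"     # assumed placeholder DeviceID copied from the inventory
$lost = Get-ActiveSyncDeviceStatistics -Mailbox $lostMailbox |
    Where-Object { $_.DeviceID -eq $lostDeviceId }

if ($lost) {
    Clear-ActiveSyncDevice -Identity $lost.Identity `
        -NotificationEmailAddresses "iso@example.invalid" -Confirm:$false   # assumed ISO mailbox

    # Evidence for the incident record: when the wipe was sent and when the device acknowledged it.
    Get-ActiveSyncDeviceStatistics -Identity $lost.Identity |
        Format-List DeviceID, Status, DeviceWipeSentTime, DeviceWipeAckTime, LastDeviceWipeRequestor
} else {
    Write-Warning "No ActiveSync partnership found for $lostMailbox with DeviceID $lostDeviceId"
}
```

Laptops and any device that does not synchronize through ActiveSync never appear in this export, so the inventory still has to be completed by hand for those. Note also that the wipe is only queued here: DeviceWipeAckTime stays empty until the phone next connects, which is why the procedure tells users to report a loss immediately and why the acknowledgement, not the request, is what the audit form should record.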


Technical Support

Note: Smaller organizations should consider taking this next section completely out.

Name of Financial Institution [does / does not] support authorized devices with the exception of ensuring sanitization, audits, and other provisions inherent in this procedure.

Consider adding a list of supported devices and/or allowed issued devices. For example:

Supported Devices:

iPhone – 4 & 4s

iPad – 1, 2, ‘new iPad’

Android versions X.X – X.Y, etc.

Not Supported:

Palm Devices

Blackberry Devices manufactured prior to 2010

Devices other than those listed above


Declaration

I have received a copy of the Portable Devices Security Procedure from Name of Financial Institution. I understand that, as an employee of Name of Financial Institution, I am to adhere to the standards as described within the procedure and any updates to this procedure. I also understand that any violation of this procedure can lead to disciplinary action, up to and including dismissal. I understand some provisions of this procedure may outlast my employment at Name of Financial Institution. In particular, I agree to the provisions of this procedure regarding configuration, device sanitization, and failed audits. I understand that not following these provisions could cause me to lose the use of my portable device. Furthermore, I understand that if I leave the organization, my portable device may be wiped, meaning that I could lose music, pictures, and apps that have not been backed up.

____________________________________________________________ ______________________

Employee Date

Many financial institutions do not have a second signature. We recommend it, and it can be any of the following positions or others:

____________________________________________________________ ______________________

[Compliance Officer / President / Human Resources Coordinator / Information Security Officer / Supervisor / Network Administrator] Date


FFIEC Resources

Operations Booklet:

Page 21: An institution should implement policies and procedures to prevent the removal of sensitive electronic information and data. These policies should address the use of laptop computers, personal digital assistants, and portable electronic storage devices. The policies and procedures should further address shredding of confidential paper documents and erasing electronic media prior to disposal. In addition, policies and procedures should delineate the circumstances under which employees’ personal property may be subject to search.

Information Security Booklet:

Page 7: Senior management should enforce its security program by clearly communicating responsibilities and holding appropriate individuals accountable for complying with these requirements. [Excerpt]

Page 7: Employees should know, understand, and be held accountable for fulfilling their security responsibilities. Institutions should define these responsibilities in their security policy. Job descriptions or contracts should specify any additional security responsibilities beyond the general policies. Financial institutions can achieve effective employee awareness and understanding through security training and ongoing security-related communications, employee certifications of compliance, self-assessments, audits, and monitoring.

Page 38: Before establishing security domains, financial institutions should map and configure the network to identify and control all access points. Network configuration considerations could include the following actions:

o Identifying the various applications and systems accessed via the network,

o Identifying all access points to the network including various telecommunications channels (e.g., wireless, Ethernet, frame relay, dedicated lines, remote dial-up access, extranets, Internet),

o Mapping the internal and external connectivity between various network segments,

o Defining minimum access requirements for network services (i.e., most often referenced as a network services access policy), and

o Determining the most appropriate network configuration to ensure adequate security and performance.

Page 74: The storage of data in portable devices, such as laptops and PDAs, poses unique problems. Those devices may be removed from the institution and not protected by any physical security arrangements. Additionally, the devices may be lost or stolen. Mitigation of those risks typically involves encryption of sensitive data, host-provided access controls, homing beacons, and remote deletion capabilities. The latter two controls can be Internet-based. Homing beacons send a message to the institution whenever they are connected to a network and enable recovery of the device. Remote deletion uses a similar communication to the institution, and also enables a communication from the institution to the device that commands certain data to be deleted.


Today’s Agenda

• BYOD
– User Policy (we call it a Procedure)
– Configuration Standards Development
– Mobile Device Audit Practices
– Mobile Device Management

• Exchange ActiveSync

• A rundown of five MDM Providers

• Pulling it all together!

The Workbook

Portable Devices Configuration Standards


Technical Security Standards (and Branchless Banking Subprogram) Effective: xx/xx/xx Created/Revised: yy/yy/yy Portable Devices and Electronic Media Configuration Standards Standards Owner: Title

Name of Financial Institution / Logo

Portable Devices and Electronic Media Configuration Standards

(Approved During xx/yy/zz [IT Steering / EDP / Branchless Banking / Technology] Committee Meeting)

Classified: Internal Use Contact if found: Name, Title

Name of Financial Institution City, State


Standards Scope

Consider the first paragraph carefully. You may want to escalate a definition of standards in your IT Governance Policy. Your Compliance Officer should approve statements like this just so that he/she can be aware that they exist. Sans-serif text is on purpose, but you can also change the text to match the normal text.

“Note: This document is a standards document, and thus is a collection of our current thoughts, guidelines, and potential plans. It is created with the knowledge that it therefore does not need to be submitted as part of an audit or examination production unless specifically requested. It is NOT a part of the formal IT Governance Program. It is merely documentation of our existing thoughts, guidelines, and potential plans on how to enforce particular policies and procedures. We do not, by documenting these thoughts and ideas, commit to enforcing them.”

Or, if you’d rather be more informal about this, you could choose to not include the above section in the IT Governance Policy, and instead include the following language in the appropriate standards documents:

Note: The following standards are meant for the [IT Manager / CIO / EDP Committee / etc.] and the [Information Security Officer] for training purposes only. These are unofficial standards, and this document is intended as a guideline, not a policy or procedure to be enforced. As such, it is an internal document and is not intended for review by examiners and/or auditors, unless, of course, this document is specifically requested.

Or, you could simply choose to not use either of the above two statements.

This document applies to all Name of Financial Institution’s technical employees, temporary workers, contractors, and consultants who use issued and/or authorized portable devices, who connect electronic media to Name of Financial Institution’s network, or who offload data from the network onto electronic media. These standards apply to all portable devices owned by Name of Financial Institution whether they would connect to the network or not. They also apply to protecting against portable devices which are NOT owned by the financial institution. They apply to mitigating the risk of electronic media.

The Information Security Officer is responsible for overseeing the development, implementation, and maintenance of this document. It should be reviewed at least annually to ensure relevant information is appropriately considered. The [Branchless Banking Committee / E-banking Committee / IS Steering Committee / The Technology Committee / Senior Management] is responsible for enforcing this document. For questions concerning these standards, see the [Information Security Officer / Network Administrator / IT Manager].


Introduction

Portable devices, such as laptops, PDAs, and cell phones, are being issued to employees and represent an increasing amount of risk to the financial institution. Meanwhile, devices such as smart cards, SD flash cards, USB drives, etc. are being used by individuals who may or may not work at the financial institution. These devices are often not owned by the financial institution. This Portable Devices and Electronic Media Configuration Standards document provides security directives to protect the financial institution against the risks associated with devices whether they are owned by the organization or not. The purpose of this document is to establish standards for administration, encryption, endpoint security, and other processes that will mitigate such risk. Other issues related to network security (incident response, password management, log monitoring, etc.) are covered in other policies, procedures and standards.

Objective

The purpose of this standards document is to establish security policies that apply to portable devices and other electronic media that connect to Name of Financial Institution’s computer system, or that store information owned by Name of Financial Institution. The Federal Financial Institutions Examination Council (FFIEC) indicates that the financial institution should implement policies and procedures to prevent the removal of sensitive electronic information and data. These policies should address the use of laptop computers, personal digital assistants, and portable electronic storage devices. (Referenced in the FFIEC Operations Booklet.) These standards comply with the organization’s IT Governance Policy as well as the Acceptable Use Policy.

Data Classifications

Be sure to equalize the following to your appropriate Data Classification document. Name of Financial Institution defines sensitive information in our Access Management Procedure. For clarity, the following data classifications have been identified:

1. Critical: Business processes and information assigned to the “Critical” classification are generally essential to Name of Financial Institution’s business, proprietary and/or trade secrets. This would include information protected by law (such as GLBA or HIPAA), as well as information that, if disclosed to unauthorized individuals, could reduce Name of Financial Institution’s competitive advantage or cause other damage to the organization.

2. Confidential: Business processes and respective information that, if lost, disclosed, misused, or modified by unauthorized persons, might result in harm to individuals causing monetary loss, criminal or civil liability, or significant damage to Name of Financial Institution’s reputation. This information is of a private nature that an individual would not want disclosed to others.


3. Internal Use: Business processes and respective information that, if lost, disclosed, misused, or modified by unauthorized persons, might result in significant monetary loss, significant productivity loss or significant damage to Name of Financial Institution’s reputation. The information is not to be shared with entities outside the organization unless it is authorized by management and in direct support of Name of Financial Institution’s business.

4. Unrestricted/Public: Business processes and respective information used to support Name of Financial Institution’s business. This is information that has been authorized to be made available to the public. Although this information can be published to the general public, copyrighting must be considered. Integrity of this information is relevant as well.

For the sake of these standards, “sensitive information” would mean any information that falls into the first [two / three] classifications. See the Access Management Procedure for a more thorough definition of data classification. Definition of Portable Device Name of Financial Institution defines portable devices as “any self-contained device that can transfer and store data which has the ability to be routinely removed from the network and carried outside of the organization, whether owned by the financial institution or not.” The following is a non-inclusive list of typical portable devices:

Laptops

iPads or other Tablet PCs (e.g. Motorola Xoom)

Smart Phones (e.g. iPhone, Droid, etc.)

Regular Cell Phones with Storage Capabilities (e.g. BlackBerry, Treo, etc.)

Digital Cameras

iPods and/or MP3 Players

Definition of Electronic Media

The definition of portable devices, and thus the user-level Portable Device Security Procedure, does NOT intend to include “portable electronic media” such as CDs, DVDs, USB drives, or SD-flash cards, though such media may be used in portable devices. The reason for this is that we address electronic media in the Acceptable Use Policy, because the use of electronic media applies to all users, whereas portable devices apply only to those issued portable devices or authorized to store data on portable devices. However, these standards DO intend to address configuration standards to mitigate risk from electronic media. Thus, we define electronic media as the following:

“Any device that can store data but cannot be used as a stand-alone device that is meant to transfer data from one stand-alone device to another.”

Thus, a flash drive is electronic media, because it can store data but it cannot be used as a stand-alone device. A printer is not considered to be electronic media because even though it can store information, and can sometimes be used as a “stand-alone device,” it is not meant to transfer data from one stand-alone device to another.

Issued Versus Authorized Devices

The Portable Devices Security Procedure distinguishes between “Issued” and “Authorized” devices. Issued devices are company-owned devices that are issued to employees, directors, and third parties. The level of control we have over these devices can be very high. Authorized devices (or BYODs), on the other hand, are employee-owned devices that Name of Financial Institution has authorized to store “sensitive data” upon.

If you are using Exchange ActiveSync (EAS) to enforce technical controls or a Mobile Device Management (MDM) solution, the following statement should be considered: Only devices compatible with [Microsoft’s Exchange ActiveSync / Name of Mobile Device Management solution] will be approved as authorized devices. Audits will confirm and document that BYOD devices are compatible with Exchange ActiveSync (EAS).

Encryption Standards

Be sure to equalize this section with your Portable Devices Security Procedure and other Encryption Standards documents. You can simply refer to those documents, but if they do not exist, consider:

At Rest Encryption: All portable devices must store company-owned information “at rest” in encrypted fashion. The [Network Administrator / IT Manager] will ensure the device has proper encryption and provide training to the user as to how to use that encryption methodology. Exceptions to this must be approved by the Information Security Officer. These exceptions will be documented in the Annual GLBA Technology Risk Assessment Systems Inventory.

In Motion Encryption: Note: If you have a Remote Access Procedure, you can refer to that document if possible, like this: Encryption requirements for connecting to the financial institution’s information assets are defined in the Remote Access Procedure.

If your remote access documentation does not adequately define encryption requirements, consider the following language: Whether sensitive data is transferred/synchronized via wire (LAN/WAN or Public Internet) or wireless connections (including to and from web sites, server databases, or email servers), the data must be transmitted in an encrypted format using Name of Financial Institution’s approved method, as documented here. [Document the type of approved in-motion encryption. Examples of this could include: Portal, Extranet, Secure Messaging System, SharePoint Site, etc.]

Auditing for Encryption: The [Network Administrator / IT Manager] will audit for current proper encryption and provide training to the user as to how to use that encryption methodology. The Portable Devices Audit Checklist will cover encryption compliance.

Current Approved Encryption Standards: At this time, the approved methodology is:

Laptops: Describe current encryption methodology used on laptops. Your description could be something like this: We currently use [publisher name] to provide hard-drive encryption on all laptops. Connections into our network are via VPN with two-factor authentication using [application name].

Smart Phones: Describe current encryption methodology used on smart phones. Your description could be something like this: We currently use [publisher name] to encrypt all [iPhones, Android phones, BlackBerries]. Note: If you use an MDM application to encrypt smart phones, then declare that here. Connections into our network via smartphones are [prohibited / via VPN with two-factor authentication using [application name].]

Tablets: Describe current encryption methodology used on tablets. Your description could be something like this: We currently use [publisher name] to encrypt all [iPads, Android tablets, BlackBerry Playbooks]. Note: If you use an MDM application to encrypt tablets, declare that here. Connections into our network via tablets are [prohibited / via VPN with two-factor authentication using [application name].]

Flash Drives: Describe current encryption methodology used on flash drives. Your description could be something like this: Certain employees are authorized to use encrypted flash drives to store sensitive information. We currently use [manufacturer name] to encrypt all [flash drives approved for sensitive data].

Wireless Encryption Standards

Note: If you offer wireless access at your branch locations, you should have a separate standards document governing that (see our boilerplate: Wireless Security Procedure). If you already have a wireless encryption standards document, you should still refer to it from this document. Meanwhile, you may address this, from a user’s perspective, in your Remote Access Procedure. If so, be sure to refer to it here. Otherwise, consider the following language: Name of Financial Institution tightly controls wireless access points in our branches. However, portable devices can still connect to wireless access points outside our branches and thus the following standards must be met: Real time access to sensitive data using internal or public wireless networks must meet the provisions of Name of Financial Institution’s Remote Access Security Procedure.

or

Home wireless routers should be configured to run through WPA/WPA2 shared-key encryption as well as MAC filtering whenever possible. The option to broadcast SSID should be turned off.

Whenever “joining a network” that is not your home network, choose “public network.”

Be sure you understand all requirements of remote access security before connecting to the organization over an unsecured wireless network. Specifically:

o You must connect through a VPN. See the [Network Administrator / IT Manager] if you do not understand this.

o You must comply with the Acceptable Use Policy while connected to the financial institution’s assets EVEN IF YOU OWN THE DEVICE.

o Do not save passwords for VPNs, e-mail, network login, or information assets accessed through your Internet browser.

Network Connections

There are three ways a device connecting to the network can affect the risk exposure of the financial institution: permanent connection, temporary connection, non-owner connection. The Access Management Procedure addresses these types of connections. Note: if you do not address this in your Access Management Procedure, consider the following language:

Permanent Connection: All devices (portable or not) connected as a matter of policy or procedure to Name of Financial Institution’s network shall be approved before connection by the Information Security Officer. The inspection shall be guided by this document.

Temporary Connection: Any device (portable or not) that needs to be temporarily connected to Name of Financial Institution’s network shall be approved before connection by the Information Security Officer, the [Network Administrator / IT Manager], or the [President / Senior Vice President / Senior Management]. List who can make such approval here and be sure to equalize this list with the Acceptable Use Policy. Those listed should be added to the Distribution List. Each person listed will be trained on this standards document and such approval needs to be communicated via e-mail to the Information Security Officer the same day such approval is granted. It will be made explicit that this approval is granted on a temporary basis. The Information Security Officer will follow up with the person granting approval to ensure standards were enforced.

Non-Owner Connection: Any portable device owned by a third party that needs to be connected to Name of Financial Institution’s network shall be approved before connection by the Information Security Officer, the [Network Administrator / IT Manager], or the [President / Senior Vice President / Senior Management]. List who can make such approval here and be sure to equalize this list with the Acceptable Use Policy. Those listed should be added to the Distribution List. Approval for this type of connection needs to be communicated via e-mail to the [Network Administrator / IT Manager], who will assist in establishing the connection. The e-mail must include contact information for the person whose device connected to the network, and the e-mail must be sent PRIOR to the connection. It will be made explicit that this approval is granted on a temporary basis. The Information Security Officer will follow up with the person granting approval to ensure standards were enforced.

Consider adding the following to your Acceptable Use Policy as well as keeping it in these standards: In the event that data needs to be shared with third parties such as auditors or examiners, the financial institution encourages that such data be shared using devices owned by the financial institution rather than the third party.

Permanent Connection Control Standards

Certain controls should be in place for any device that is connected on a permanent basis as defined above. In the event that all controls cannot be in place, the Information Security Officer must communicate such risk acceptance decision to the [Incident Response Team / Audit Committee / IS Steering Committee] [state the appropriate method of communicating risk] prior to deploying the permanent connection. Connection can be granted on a temporary status until such risk acceptance is communicated.

Authorized Personnel: The following positions are authorized to perform setup of portable devices that will be permanently deployed in the organization: SVP of Whatever, [Network Administrator / IT Manager], Information Security Officer, and the Outsourced Network Service Provider. These positions are also authorized to delegate the setup as long as such delegation is approved by the Information Security Officer.

Encryption: An appropriate level of encryption will be used on the portable devices as approved by the Information Security Officer. Such encryption will follow other encryption standards documented elsewhere. Specifically, encryption standards for existing approved portable devices are as follows:

o Laptops: Describe the encryption methodology used for laptops, whether using encryption available in operating systems or third party encryption processes. Be sure to include information regarding the management and storage of keys, shared password storage, etc.

o iPads and Tablet PCs: Describe the encryption methodology used for tablet PCs, whether using encryption available in operating systems or third party encryption processes. Be sure to include information regarding the management and storage of keys, shared password storage, etc.

o Smart Phones and PDAs: If you are allowing PDAs to be connected to the network, consider the following language: Though no encryption is used on PDAs, the mitigating control for this is that no NPI is allowed to be stored on such PDAs. The Portable Devices Security Procedure document that the user signs provides for auditing of such devices. See “Portable Device Audits” below.

o USB Drives (and Other Storage Devices): If you are allowing USB drives to be connected to the network, consider the following language: Though no encryption is used on USB drives, the mitigating control for this is that no NPI is allowed to be stored on such devices. The Portable Devices Security Procedure document that the user signs provides for auditing of such devices. See “Portable Device Audits” below.

Blocking Philosophy: As much as possible, whitelisting will be used for approved devices.

Systems will be configured to block all traffic except what we know is legitimate traffic whenever possible.

Portable Device Audits: Users with issued and authorized devices will sign a Portable Devices Security Procedure document that grants the organization the ability to audit any and all portable devices. It is essential that such audits take place on a periodic as well as random basis. All audits should be unannounced and unscheduled with the user. Note: If you choose to use a formal audit checklist, include the following language: The Information Security Officer will audit the device against the Portable Devices Audit Checklist for that type of device. Or, you could list in this standards document what should be checked for, as such: The audit should check for the following during such audit:

o Existence and storage location of nonpublic information outside of an encrypted folder.

o Installation of software that is not owned by the financial institution on issued devices (remove such installation). (Note: Authorized devices should not have company-owned software unless properly licensed, but can have employee-owned software.)

o Check that anti-virus and anti-spyware are completely up-to-date on laptops.

o History in browsers and documents is set to clear upon exit.

o Evidence of any policy violation.

o Screen lock or password-protected screensaver is enabled.

o List other areas to check here. (See our current “Portable Devices Audit Checklist” for additional items to add.)

Regardless of whether you use the checklist or not, the following language should be included: The Information Security Officer should deliver an informal report to the audited user, that user’s supervisor, and the [Incident Response Team / IS Steering Committee / Audit Committee] summarizing any deficiencies discovered in each audit. (The checklist, if used, can act as that report.)

Temporary Connection Control Standards

Definition of Temporary Connection: Though the Acceptable Use Policy prohibits the connection of portable devices such as financial institution issued cell phones or USB drives to the network, at times these devices need to be connected. The key definition of a temporary connection is that the device being connected to the network on a temporary basis is owned by the financial institution. If the device is owned by an employee or a third party, the controls listed in “non-owner connection” apply.

Controls: The following procedures must be followed by the person approving a temporary connection:

Need for Connection: The person approving the temporary connection should understand the need for the connection. Under no circumstances should a temporary connection be approved to transfer critically classified information (such as NPI) without following the procedure defined below.

Critically Classified Information: The easiest way to approve the transfer of critically classified data is to just insist that the Information Security Officer handle the approval. However, if necessary the [Network Administrator / IT Manager] or the [President / Senior Vice President / Senior Management] can still make this approval. The person approving the temporary connection must be on guard against the potential for social engineering. If the person connecting temporarily to the network wants to transfer critically classified information (for example, audit reports to give to an examiner), it is important that you confirm not only the identity of the person wanting to receive the data from the organization-owned device being connected to the network, but also that you involve the person who has authorized such person to work with the financial institution. For example, if an examiner asks the [Network Administrator / IT Manager] to download previous audit reports on behalf of the Compliance Officer, the [Network Administrator / IT Manager] should confirm with the Compliance Officer that the person is indeed an examiner and authorized to transfer such data. Then, all critically classified data being transferred should be inventoried in the e-mail that is sent to the Information Security Officer. It is okay to write out that inventory in front of the person asking for the data to be transferred. Critically classified information must also be encrypted in motion and at rest. See below.


Confirmation of Ownership: The person approving the temporary connection must confirm that the device being connected to the network is indeed owned by the financial institution.

Logging of Temporary Connection: The person approving the temporary connection must send an e-mail logging such to the Information Security Officer. The message should establish what device is being connected to the network by whom, as well as an inventory of the purpose of the connection. If critically classified data is being transferred, the e-mail should include an inventory of this data as well. The Information Security Officer should follow up on this e-mail if necessary to ensure proper controls were followed.

Communication of Temporary Connection Approval: The person approving the temporary connection should be sure to establish with the employee seeking the approval that it is only on a temporary basis. The communication should also establish that the information being transferred is NOT critically classified information, or inventory such information as described above. Unlike non-owner connections, the approving person does NOT need to witness the actual connection.

Encryption: The person approving the temporary connection must also insist upon encryption if the information being transferred is critically classified information. An appropriate level of encryption will be used on the portable devices as approved by the Information Security Officer. Such encryption will follow other encryption standards documented elsewhere. Specifically, encryption standards for existing approved portable devices are as follows:

o Laptops: Describe the encryption methodology used for laptops, whether using encryption available in operating systems or third party encryption processes. Be sure to include information regarding the management and storage of keys, shared password storage, etc.

o iPads and Tablet PCs: Describe the encryption methodology used for tablet PCs, whether using encryption available in operating systems or third party encryption processes. Be sure to include information regarding the management and storage of keys, shared password storage, etc.

o Smart Phones and PDAs: If you are allowing PDAs to be connected to the network, consider the following language: Though no encryption is used on PDAs, the mitigating control for this is that no NPI is allowed to be stored on such PDAs. The Portable Devices Security Procedure document that the user signs provides for auditing of such devices. See Portable Device Audits below.

o USB Drives (and Other Storage Devices): If you are allowing USB drives to be connected to the network, consider the following language: Though no encryption is used on USB drives, the mitigating control for this is that no NPI is allowed to be stored on such devices. The Portable Devices Security Procedure document that the user signs provides for auditing of such devices. See Portable Device Audits below.

Portable Device Audits: Users with issued and authorized devices will sign a Portable Devices Security Procedure document that grants the organization the ability to audit any and all portable devices. It is essential that such audits take place on a periodic as well as random basis. All audits should be unannounced and unscheduled with the user. Note: If you choose to use a formal audit checklist, include the following language: The Information Security Officer will audit the device against the Portable Devices Audit Checklist for that type of device. Or, you could list in this standards document what should be checked for, as such: The audit should check for the following during such audit:

o Existence and storage location of nonpublic information outside of an encrypted folder.

o Installation of software that is not owned by the financial institution on issued devices (remove such installation). (Note: Authorized devices should not have company-owned software unless properly licensed, but can have employee-owned software.)

o Check that anti-virus and anti-spyware are completely up-to-date on laptops.

o History in browsers and documents is set to clear upon exit.

o Evidence of any policy violation.

o Screen lock or password-protected screensaver is enabled.

o List other areas to check here. (See our current “Portable Devices Audit Checklist” for additional items to add.)

Regardless of whether you use the checklist or not, the following language should be included:

The Information Security Officer should deliver an informal report to the audited user, that user’s supervisor, and the [Incident Response Team / IS Steering Committee / Audit Committee] summarizing any deficiencies discovered in each audit. (The checklist, if used, can act as that report.)

Non-Owner Connection Control Standards

Definition of Non-Owner Connection: Though the Acceptable Use Policy prohibits the connection of portable devices such as laptops and/or USB drives to the network, at times these devices need to be connected to facilitate audits, examinations, and such. The Acceptable Use Policy and User Awareness Training identify who can make an exception to this policy. The Administrative section of these standards also identifies who can authorize such a connection. (Be sure to equalize all documents.) The key definition of a non-owner connection is that the device being connected to the network on a temporary basis is NOT owned by the financial institution. If the device is owned by an employee or a third party, the controls listed in “non-owner connection” apply.

Approval of Non-Owner Connection: The easiest way to approve the transfer of critically classified data is to just insist that the Information Security Officer handle the approval. However, if necessary those listed in the Administration Section above can still make this approval. (Again, be sure to equalize this with the Acceptable Use Policy.)

Need for Connection: The person approving the non-owner connection should understand the need for the connection and monitor it to ensure it is only for the purpose expressed. Under no circumstances should a non-owner connection be approved to transfer critically classified information such as NPI. Use company-owned devices to transfer this type of data.

Confirmation of Authorization (Not Just Identity): The person approving the non-owner connection must be on guard against the increased potential for social engineering. It is important that you confirm not only the identity of the person wanting to connect a device to the network, but also that you involve the person who has authorized such person to work with the organization. For example, if an auditor asks the [Network Administrator / IT Manager] to connect a laptop to the infrastructure, even if not logging onto the network, the [Network Administrator / IT Manager] should confirm that the person is indeed an auditor, with the person the auditor is claiming has authorized him to have such a connection.

Logging of Non-Owner Connection: The person approving the temporary connection must send an e-mail logging such to the Information Security Officer. This message must be sent BEFORE the person connects the device to the network. The purpose for this is to slow the process down as well as ensure the e-mail is sent on a timely basis. The message should include contact information for the person connecting to the network, as well as the person authorizing the connection, as well as an inventory of the purpose of the connection. The Information Security Officer should follow up on this e-mail if necessary to ensure proper controls were followed.

Communication of Non-owner Connection Approval: The person approving the non-owner connection should be sure to establish with the employee seeking the approval that it is only on a temporary basis. The communication should also establish that the information being transferred is NOT critically classified information.

Monitoring of Non-owner Connection: The person approving the non-owner connection should watch the interaction with the connected device from the time it is installed until the time it is removed. It is okay to explain to the person connecting the device what you are doing. You can even insist that it is YOU who actually connects the device and moves the data.

Exchange ActiveSync Mailbox Policies: All provisions of this standard document that apply to smart phones and tablet PCs, when possible, will be enforced with Microsoft Exchange’s ActiveSync Mailbox Policies: http://technet.microsoft.com/en-us/library/bb123484.aspx. 

Technical Controls

All permanent changes to Name of Financial Institution’s network devices for the sake of implementing permanent installation of portable devices will be in accordance with this standards document as well as with the Change Control Procedure. The following applications/processes are in place to ensure endpoint security:

All USB ports on the network have been disabled except in cases where a business need requires it. These exceptions should be documented by the Information Security Officer and reviewed on a quarterly basis. Note: If you are using an application to manage USB ports or endpoint security in general, you should articulate that here, who manages the application, and how it is being monitored, something like this: Name of Financial Institution uses [name of application] to manage [endpoint security / USB ports]. This application is managed by the [Information Security Officer / Network Administrator / IT Manager] and is monitored [periodically / by bringing reports into the Incident Response Team Meetings].

Laptops and tablet PCs should use a password-protected screen lock.

Laptops and tablet PCs should use current updated antivirus software.

o Antivirus on Apple Devices: As long as an Apple device is not jailbroken, it is very difficult to install applications that have not been Apple-approved and thus viruses are not an issue with Apple devices. At this time, the organization has decided NOT to require antivirus software on Apple devices.

o Antivirus on Android Devices: The organization DOES require that users utilize antivirus applications on Android devices. The [Network Administrator / IT Manager] will consult with Android device users about the current antivirus program that the organization recommends, and audit for it during the audits.

Laptops and tablet PCs should use an automated logoff or password protected screensaver that locks the device after 15 minutes of inactivity.

Laptops and tablet PCs should be integrated into the Patch Management Procedure such that security updates and patches are applied regularly.

Smart phones and PDAs should have a screen-lock enabled.

Smart phones must have remote wipe functionality configured [via Microsoft Exchange ActiveSync / as per our use of (document your MDM application here)].

All portable devices should NOT store sensitive information except in cases where a business need requires it. In those cases, the [Network Administrator / IT Manager] will ensure the device has proper encryption and provide training to the user as to how to use that encryption methodology. Exceptions to this must be approved by the Information Security Officer. The encryption method we use is [name of application for each device type, such as: “TrueCrypt on Laptops, Ironkey on USB Drives, etc.”].

Note: If you have a Remote Access Security Procedure, be sure that this section aligns with that procedure, or simply refer to that procedure. All data transmitted wirelessly to and from issued and authorized portable devices must be encrypted through the use of an accepted wireless encryption standard or the use of a VPN. Smart phones, cell phones and PDAs with wireless enabled should use appropriate encryption on all wireless connections. Name of Financial Institution currently requires wireless encryption to be at [levels specified in the Remote Access Security Procedure / WPA2 Shared Encryption Key standards at a minimum]. This applies both to the issued and authorized device and to the wireless router being used by the user.

Smart phones that have access to e-mail must be configured to store no more than 3 days of e-mail. (Be sure this is consistent with the Portable Devices Security Procedure.)

For authorized devices, if anyone other than the employee uses the device, separate accounts must be configured and used for activities that are prohibited by Name of Financial Institution’s Acceptable Use Policy. For example, if games are played on the device, a separate account must be used (even if the employee is the one playing the game) from the account used to access stored company-owned information. Only the financial institution’s employee is allowed to use devices that do not allow more than one user account to be configured.

iCloud offers remote wipe for devices connected to the organization’s iCloud account. Though the financial institution does NOT sync sensitive information to iCloud, it DOES use iCloud for remote wipe where possible/applicable.

The [Network Administrator / IT Manager] will use Apple Configurator to address several users accessing the bank-owned iOS devices.

If you augment or replace Exchange ActiveSync with a Mobile Device Management (MDM) solution, consider documenting the MDM solution you are using in this section. Mobile Device Management is a phrase for a system similar to a BlackBerry Enterprise Server for iPhone and Droid, BlackBerry’s Mobile Fusion product, or third-party applications such as Sophos Mobile Device Manager. Other providers that we have seen include Maas360, Good Technologies, Mobile Iron, Zenprise, and AirWatch. We do not endorse any of these providers, though if we had heard anything negative about them we would have removed them from this list (check the date of the boilerplate file for the last review date). Keep in mind that Microsoft’s solution relies on policies that trust the phone manufacturers to comply, whereas Mobile Device Management solutions (there are now at least 100, including those named above) purport to offer total control of the device, with functions ranging from AVS to application control to remote wiping. You can prohibit apps from being installed, shut down SMS messaging, or disable web traffic or media. This offers a huge amount of control.


Technical Security Standards (and Branchless Banking Subprogram) Effective: xx/xx/xx Created/Revised: yy/yy/yy Portable Devices and Electronic Media Configuration Standards Standards Owner: Title

Non-Technical Controls

Issued devices can only have properly licensed company-owned software installed upon them. The Portable Devices Audit Checklist requires a check for employee-owned software and an uninstall if necessary.

Unattended portable devices should be physically secured such as in a locked room, cabinet, or desk drawer. When transported in a vehicle, all portable devices except cell phones should be secured in the trunk (if possible) or at least hidden from view.

Note: Some believe that e-mail sent from a portable device such as a smart phone or iPad should NOT include the standard signature, and instead should announce that the e-mail has been sent from the smart phone or iPad so that recipients are inherently warned that the user is “on the road.” If this is the case, you might want to document this here. And, if this is the case, this bullet point should NOT be included: E-mail sent from portable devices using Name of Financial Institution’s e-mail system must be configured to use the appropriate e-mail signature and disclosure as per the Acceptable Use Policy, even if sent from authorized devices.

The [IT Manager / Network Administrator] will document for each issued device prior to delivery the “default configuration” that the device is initially set up with. In the event there are issues with the device, or it is transferred to other users, it may be restored to the default configuration. For example, this can be as simple as writing down the way an iPad is set up (or noting it in the Portable Device Audit Checklist).

Incident Reporting

All activity, whether observed through log records or other means, which has possible security aspects to it, shall be reported to the Information Security Officer. All changes to servers and network devices must conform to Name of Financial Institution’s Change Control Procedure. Changes made without following proper procedures may be considered a reportable incident if the change has security implications.


FFIEC Resources

Operations Booklet:

Page 21: An institution should implement policies and procedures to prevent the removal of sensitive electronic information and data. These policies should address the use of laptop computers, personal digital assistants, and portable electronic storage devices. The policies and procedures should further address shredding of confidential paper documents and erasing electronic media prior to disposal. In addition, policies and procedures should delineate the circumstances under which employees’ personal property may be subject to search.

Information Security Booklet:

Page 38: Before establishing security domains, financial institutions should map and configure the network to identify and control all access points. Network configuration considerations could include the following actions:

o Identifying the various applications and systems accessed via the network,

o Identifying all access points to the network including various telecommunications channels (e.g., wireless, Ethernet, frame relay, dedicated lines, remote dial-up access, extranets, Internet),

o Mapping the internal and external connectivity between various network segments,

o Defining minimum access requirements for network services (i.e., most often referenced as a network services access policy), and

o Determining the most appropriate network configuration to ensure adequate security and performance.

Page 74: The storage of data in portable devices, such as laptops and PDAs, poses unique problems. Those devices may be removed from the institution and not protected by any physical security arrangements. Additionally, the devices may be lost or stolen. Mitigation of those risks typically involves encryption of sensitive data, host-provided access controls, homing beacons, and remote deletion capabilities. The latter two controls can be Internet-based. Homing beacons send a message to the institution whenever they are connected to a network and enable recovery of the device. Remote deletion uses a similar communication to the institution, and also enables a communication from the institution to the device that commands certain data to be deleted.


Today’s Agenda

• BYOD
  – User Policy (we call it a Procedure)
  – Configuration Standards Development
  – Mobile Device Audit Practices
  – Mobile Device Management

• Exchange ActiveSync

• A rundown of five MDM Providers

• Pulling it all together!


Mobile Device Security Kit

• White Paper (for your management team)

• MDM Providers review


The Workbook


Portable Devices Audit Checklist


Portable Devices Audit Checklist: Laptops (Page 1 of 2)

Laptop Owner: ______  Make of Laptop: ______  Model: ______  Date of Audit: ______  Operating System: ______  AVS: ______
Type of Device: Authorized or Issued?  Auditor: Name, Title  Signature of Auditor: ______

Columns for each item: Item# | Element | Finding / Response / Notes | Completed (enter 1) | Likelihood of Occurrence (scale of 1 - 8) | Impact Severity (scale of 1 - 5) | Risk (scale of 1 to 13)

1. Are all operating system patches up to date? (Likelihood 7, Impact 5, Risk 12)

2. Is antivirus software installed, updated, and configured properly for real-time file system and e-mail scanning? (Likelihood 7, Impact 5, Risk 12)

3. Confirm that system passwords are NOT saved in browsers, e-mail clients, SSH clients, VPN clients, or RDP clients. (Likelihood 6, Impact 5, Risk 11)

4. Are wireless connections configured for WPA/WPA2 shared-key encryption? Be sure to ask the user which connection in the configuration is his/her home wireless connection, and investigate any other connections that show up. (Likelihood 6, Impact 5, Risk 11)

5. Confirm that the screen blank (or screensaver) is configured for a 15-minute timeout and is password prompted. (Likelihood 6, Impact 4, Risk 10)

6. Does the laptop comply with current encryption requirements? Note: If hard-drive encryption is not used, at a minimum the following question should be asked: Are all sensitive documents stored in an encrypted folder? (Please note type of encryption used.) (Likelihood 6, Impact 4, Risk 10)

7. Confirm that there are separate accounts configured if the workstation is shared between multiple users and/or used for applications prohibited by the Acceptable Use Policy (e.g. games). (Likelihood 6, Impact 4, Risk 10)

8. Confirm that the browser is configured to clear all cache and history upon exit. (Likelihood 5, Impact 4, Risk 9)

9. Confirm that company-owned software is properly installed and licensed. (Likelihood 6, Impact 4, Risk 10)


Portable Devices Audit Checklist: Laptops (Page 2 of 2)

Columns as on page 1: Item# | Element | Finding / Response / Notes | Completed (enter 1) | Likelihood of Occurrence (scale of 1 - 8) | Impact Severity (scale of 1 - 5) | Risk (scale of 1 to 13)

10. Confirm that issued devices do not have employee-owned software installed (and uninstall if necessary). (Likelihood 5, Impact 4, Risk 9)

11. Check for evidence of any policy violation and note. (Likelihood 6, Impact 4, Risk 10)

12. Is Firefox or Chrome configured as the default browser? (Likelihood 5, Impact 3, Risk 8)

Summary: Total Inherent Risk 122; Total Issues 12; # Issues Addressed 0; # Issues Not Addressed 12; % Completion 0%


Portable Devices Audit Checklist: Smart Phones and Cell Phones (Page 1 of 2)

Owner: ______  Make of Phone: ______  Model: ______  Date of Audit: ______  Operating System: ______  AVS: ______
Type of Device: Authorized or Issued?  Auditor: Name, Title  Signature of Auditor: ______

Columns for each item: Item# | Element | Finding / Response / Notes | Completed (enter 1) | Likelihood of Occurrence (scale of 1 - 8) | Impact Severity (scale of 1 - 5) | Risk (scale of 1 to 13)

1. Are all operating system patches up to date? (Likelihood 7, Impact 5, Risk 12)

2. Is antivirus software installed, updated, and configured properly for real-time file system and e-mail scanning? Note: If you do not require AVS for Apple devices (iPhones) you should note it here. (Likelihood 7, Impact 5, Risk 12)

3. Confirm that system passwords are NOT saved in browsers, e-mail clients, SSH clients, VPN clients, or RDP clients. (Likelihood 6, Impact 5, Risk 11)

4. Are wireless connections configured for WPA/WPA2 shared-key encryption? Be sure to ask the user which connection in the configuration is his/her home wireless connection, and investigate any other connections that show up. (Likelihood 6, Impact 5, Risk 11)

5. Confirm that the screen blank (or screensaver) is configured for a 15-minute timeout and is password prompted. (Likelihood 6, Impact 4, Risk 10)

6. Confirm that there is "power-on" authentication (authentication required whenever one goes to use the smart phone). (Note: this authentication can be a "weak" password.) (Likelihood 6, Impact 4, Risk 10)

7. Confirm that e-mail is configured to store a maximum of 3 days' worth of e-mail. (Likelihood 6, Impact 4, Risk 10)

8. Confirm that e-mail is configured to utilize the appropriate signature. (Likelihood 5, Impact 4, Risk 9)

9. Confirm that the appropriate remote wipe configuration is in place. (Likelihood 5, Impact 3, Risk 8)

10. Confirm that text messages from and to company employees or customers for the purpose of company business are purged after thirty days. (Likelihood 5, Impact 4, Risk 9)

11. Confirm that the device is not "jail broken." (Likelihood 5, Impact 4, Risk 9)


Portable Devices Audit Checklist: Smart Phones and Cell Phones (Page 2 of 2)

Signature of Auditor: ______

Columns as on page 1: Item# | Element | Finding / Response / Notes | Completed (enter 1) | Likelihood of Occurrence (scale of 1 - 8) | Impact Severity (scale of 1 - 5) | Risk (scale of 1 to 13)

12. If using Microsoft's Exchange ActiveSync, and if this is an authorized (BYOD) device, confirm and document that this telephone manufacturer is supported by EAS. (Likelihood 5, Impact 4, Risk 9)

13. If using a Mobile Device Management (MDM) solution, confirm and document that this device (and telephone manufacturer) is compatible with the MDM solution. (Likelihood 5, Impact 4, Risk 9)

14. Does the smartphone comply with current encryption requirements? Note: Financial institution data should not be stored on the device unless it is in encrypted form. A possible exception to this could be company e-mail. (Please note type of encryption used.) (Likelihood 5, Impact 4, Risk 9)

15. Confirm that only the organization's employee is using the device. (Likelihood 5, Impact 4, Risk 9)

Summary: Total Inherent Risk 147; Total Issues 15; # Issues Addressed 0; # Issues Not Addressed 15; % Completion 0%


Portable Devices Audit Checklist: Tablets (Page 1 of 2)

Owner: ______  Make of Tablet: ______  Model: ______  Date of Audit: ______  Operating System: ______  AVS: ______
Type of Device: Authorized or Issued?  Auditor: Name, Title  Signature of Auditor: ______

Columns for each item: Item# | Element | Finding / Response / Notes | Completed (enter 1) | Likelihood of Occurrence (scale of 1 - 8) | Impact Severity (scale of 1 - 5) | Risk (scale of 1 to 13)

1. Are all operating system patches up to date? (Likelihood 7, Impact 5, Risk 12)

2. Is antivirus software installed, updated, and configured properly for real-time file system and e-mail scanning? Note: If you do not require AVS for Apple devices (iPads) you should note it here. (Likelihood 7, Impact 5, Risk 12)

3. Confirm that system passwords are NOT saved in browsers, e-mail clients, SSH clients, VPN clients, or RDP clients. (Likelihood 6, Impact 5, Risk 11)

4. Are wireless connections configured for WPA/WPA2 shared-key encryption? Be sure to ask the user which connection in the configuration is his/her home wireless connection, and investigate any other connections that show up. (Likelihood 6, Impact 5, Risk 11)

5. Confirm that the screen blank (or screensaver) is configured for a 15-minute timeout and is password prompted. (Likelihood 6, Impact 4, Risk 10)

6. Confirm that there is "power-on" authentication (authentication required whenever one goes to use the device). (Note: this authentication can be a "weak" password.) (Likelihood 6, Impact 4, Risk 10)

7. Confirm that e-mail is configured to store a maximum of 3 days' worth of e-mail. (Likelihood 6, Impact 4, Risk 10)

8. Confirm that e-mail is configured to utilize the appropriate signature. (Likelihood 5, Impact 4, Risk 9)

9. Confirm that the appropriate remote wipe configuration is in place. (Likelihood 5, Impact 3, Risk 8)

10. Confirm that text messages from and to company employees or customers for the purpose of company business are purged after thirty days. (Likelihood 5, Impact 4, Risk 9)

11. Confirm that the device is not "jail broken." (Likelihood 5, Impact 4, Risk 9)


Portable Devices Audit Checklist: Tablets (Page 2 of 2)

Signature of Auditor: ______

Columns as on page 1: Item# | Element | Finding / Response / Notes | Completed (enter 1) | Likelihood of Occurrence (scale of 1 - 8) | Impact Severity (scale of 1 - 5) | Risk (scale of 1 to 13)

12. If using Microsoft's Exchange ActiveSync, and if this is an authorized (BYOD) device, confirm and document that the manufacturer is supported by EAS. (Likelihood 5, Impact 4, Risk 9)

13. If using a Mobile Device Management (MDM) solution, confirm and document that this device (and manufacturer) is compatible with the MDM solution. (Likelihood 5, Impact 4, Risk 9)

14. Does the device comply with current encryption requirements? Note: Financial institution data should not be stored on the device unless it is in encrypted form. A possible exception to this could be company e-mail. (Likelihood 5, Impact 4, Risk 9)

15. Confirm that only the organization's employee is using the device. (Likelihood 5, Impact 4, Risk 9)

Summary: Total Inherent Risk 147; Total Issues 15; # Issues Addressed 0; # Issues Not Addressed 15; % Completion 0%


Portable Devices Audit Checklist: Wireless Access Points (WAPs) (Page 1 of 1)

Owner: ______  Make of WAP: ______  Model: ______  Date of Audit: ______
Type of Device: Authorized or Issued?  Auditor: Name, Title  Signature of Auditor: ______

Columns for each item: Item# | Element | Finding / Response / Notes | Completed (enter 1) | Likelihood of Occurrence (scale of 1 - 8) | Impact Severity (scale of 1 - 5) | Risk (scale of 1 to 13)

1. Is the firmware on the wireless access point up to date? Answer should be Yes. (Likelihood 7, Impact 5, Risk 12)

2. Is the SSID broadcast selection DISABLED (no SSID broadcasting)? Answer should be Yes. (Likelihood 7, Impact 5, Risk 12)

3. Does the WAP share a connection with other organizations on its way to the internet, or does it connect directly to the internet? Answer should be No; list any organizations that data mixes with on its way to the internet. (Likelihood 6, Impact 5, Risk 11)

4. Are wireless connections configured for WPA/WPA2 shared-key encryption? Answer should be Yes. (Likelihood 6, Impact 5, Risk 11)

5. Is the network key a strong password? Answer should be Yes. (Likelihood 6, Impact 4, Risk 10)

6. Is MAC filtering being used? Answer should be Yes. Be sure to confirm the primary device, but also try confirming other non-organization devices. (Likelihood 6, Impact 4, Risk 10)

7. Are authorized and issued devices set up on the approved devices list? Answer should be Yes. Confirm all devices that are owned by the organization. (Likelihood 6, Impact 4, Risk 10)

Summary: Total Inherent Risk 76; Total Issues 7; # Issues Addressed 0; # Issues Not Addressed 7; % Completion 0%


Mobile Device Management

• MDM = EAS + Audit Checklist


Exchange ActiveSync (EAS)

• Only works with iOS, Android, and Microsoft devices.

• Good for basic controls.

• Very inexpensive (comes free with Exchange).


EAS Controls

• Exchange does well with:
  – Restrict E-mail and Calendar Days
  – Enforce Screen Lock
  – Enforce Timeout
  – Remote Wipe

• Blunt, non-granular.

• Returns device to factory settings.

Set Policy
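The EAS controls on this slide and the Portable Devices configuration standards earlier in the workbook (screen lock, 15-minute timeout, no more than 3 days of e-mail, encryption, remote wipe) are the same policy seen from two sides. As an added example, not code from the infotex workbook or from any vendor, here is how an Exchange 2010 Management Shell session would encode those standards as an ActiveSync mailbox policy, assign it to the mobile users, and audit which devices are actually covered; the policy name, the distribution group and the ISO address are assumptions.

```powershell
# Added example (not from the infotex workbook): encode the portable-device
# standards as an Exchange 2010 ActiveSync mailbox policy, apply it, and
# audit coverage. Run in the Exchange Management Shell.

$policyName  = 'Portable Devices Standard'   # assumed policy name
$mobileGroup = 'Mobile Users'                # assumed distribution group of BYOD / issued-device users
$isoAddress  = 'iso@example.com'             # assumed Information Security Officer mailbox

# (a) The policy. Each setting maps to one line of the configuration standards.
#     AllowNonProvisionableDevices = $false refuses devices that cannot enforce
#     the policy instead of letting them sync with no controls at all.
$policy = @{
    Name                            = $policyName
    DevicePasswordEnabled           = $true       # "power-on" authentication / screen lock
    AllowSimpleDevicePassword       = $true       # the audit checklist accepts a "weak" PIN
    MinDevicePasswordLength         = 4
    MaxInactivityTimeDeviceLock     = '00:15:00'  # lock after 15 minutes of inactivity
    MaxDevicePasswordFailedAttempts = 10          # device wipes itself after 10 bad PINs
    MaxEmailAgeFilter               = 'ThreeDays' # no more than 3 days of e-mail on the device
    MaxCalendarAgeFilter            = 'TwoWeeks'
    RequireDeviceEncryption         = $true       # data at rest must be encrypted
    AllowNonProvisionableDevices    = $false      # cannot comply = cannot sync
}
if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy @policy | Out-Null
}

# (b) Apply the policy to every member of the mobile-users group.
Get-DistributionGroupMember -Identity $mobileGroup | ForEach-Object {
    Set-CASMailbox -Identity $_.PrimarySmtpAddress.ToString() -ActiveSyncMailboxPolicy $policyName
}

# (c) Audit: one row per device partnered with a mailbox in scope. Covers
#     checklist items 9 (remote wipe in place) and 12 (device supported by EAS)
#     and flags mailboxes whose assigned policy has drifted from the standard.
function Get-PortableDeviceAudit {
    param([string]$Group = $mobileGroup, [string]$Policy = $policyName)
    foreach ($member in Get-DistributionGroupMember -Identity $Group) {
        $mailbox = $member.PrimarySmtpAddress.ToString()
        $cas     = Get-CASMailbox -Identity $mailbox
        foreach ($dev in Get-ActiveSyncDeviceStatistics -Mailbox $mailbox) {
            New-Object PSObject -Property @{
                User           = $mailbox
                DeviceType     = $dev.DeviceType
                DeviceOS       = $dev.DeviceOS
                LastSync       = $dev.LastSuccessSync
                PolicyOk       = ($cas.ActiveSyncMailboxPolicy.Name -eq $Policy)
                WipeRequested  = $dev.DeviceWipeRequestTime   # set once a wipe is issued
                WipeAcked      = $dev.DeviceWipeAckTime       # set once the device confirms it
                DeviceIdentity = $dev.Identity
            }
        }
    }
}

# Devices not on the standard policy, or that have not synced (and so have not
# received policy updates) in the last 30 days, go on the auditor's findings list.
Get-PortableDeviceAudit |
    Where-Object { -not $_.PolicyOk -or -not $_.LastSync -or $_.LastSync -lt (Get-Date).AddDays(-30) } |
    Format-Table User, DeviceType, DeviceOS, LastSync, PolicyOk -AutoSize

# Lost or stolen device: issue the remote wipe for the device identity found in
# the audit output; the ISO is notified when the device acknowledges the wipe.
# Clear-ActiveSyncDevice -Identity '<DeviceIdentity from the audit>' -NotificationEmailAddresses $isoAddress
```

Items EAS cannot observe (jailbreak status, text-message purge, the encryption level of the user's home wireless) stay on the manual checklist, which is why the workbook pairs EAS with the audit checklist.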


E-mail Restrictions

• Anybody already restricting e-mail?

• How many days?


Mobile Device Management

• Abbreviated: MDM

• Offers granular controls.
  – i.e.: can wipe bank data, but not employees’ music, apps, pictures, etc.

• Often works hand-in-hand with endpoint security.

• Will work with most phones.


The Workbook


Five MDM Providers


An IBA Preferred Service Provider CISSPs, CISAs, CISMs, CRISCs

Five MDM Providers

This list is more a starting point than a suggested list of alternatives! As IT Auditors, Infotex does not endorse third-party providers. The following providers were analyzed on behalf of a client who wanted us to find the “top five providers.” A sixth provider could be just as good as any of these five.

MobileIron http://www.mobileiron.com/en/product-tour/advanced-management/smartphone-dashboard

* Restrict device features, apps, or web browsing as well as enforce encryption
* Extensive reporting including device usage and inventory capabilities
* Ability to remote lock and wipe devices
* Supports Android, Apple, Blackberry, and Windows Phone
* Offered as on-premise service or cloud service
* Does not support containerization for corporate data and applications

AirWatch http://www.air-watch.com/solutions/mobile-device-management

* Secure distribution of documents through the content locker
* Ability to remote control screens, remote lock and wipe functions
* Restrict device features, apps, or web browsing as well as enforce encryption
* Offers deployment through cloud, on-premise service, or appliance
* Supports Android, Apple, Blackberry, and Windows Phone
* Pricing is $3.25/mo or $50/perpetual per device plus additional fees for cloud ($0.75/mo/device) or appliance ($5000/once)

Sophos http://www.sophos.com/en-us/products/mobile.aspx

* Offered as on-premise service or cloud service
* Ability to remote lock and wipe devices
* Restrict device features, apps, or web browsing as well as enforce encryption
* Integrates with Enterprise Management product
* Supports Android, Apple, Blackberry, and Windows Mobile
* Good reporting including device inventory capabilities

Good Technology http://www1.good.com/products/mobile-manager

* Manages secure mobile email as well as document access as part of a Suite
* Restrict device features, apps, or web browsing as well as enforce encryption
* Ability to remote wipe devices
* Supports Android, Apple, and Windows Phone
* Requires Enterprise Suite product for management capabilities
* Allows for multi-factor authentication and strong crypto standards

Zenprise http://www.zenprise.com/products/zenprise-mobilemanager

* Secure content container with context-aware policies for data protection
* Ability to remote lock and wipe devices
* Restrict device features, apps, or web browsing as well as enforce encryption
* Offered as on-premise service or cloud service
* Integrates with third-party NAC solutions
* Supports Android, Apple, Blackberry, and Windows Phone


MDM Providers

• Anybody using MDM?

• Who?

• Happy?

• Any additional providers besides the five listed?


Today’s Agenda

• The Branchless Bank

• Workshop and the Workbook

• Mobile Risk

• FFIEC Requirements (related to Mobile Security)

• Drill-down Risk Assessments

• BYOD

• Pulling it all together!


In this next section


• We’ll share our top action items with the rest of the group!

• We’ll discuss ways to make this workshop pay off!


Three Critical Needs

1. Development of a User-level Policy signed by BYOD or Issued Device users.

2. Documentation of technical enforcement standards.

3. Method of auditing portable devices.


What are they?

Let’s see Dan use the flip-board!


Action Plan

• Read your action plan:
  – Tonight
  – Tomorrow
  – Next Week
  – Next Month
  – Next Year


Thank you!


An IBA Preferred Service Provider CISSPs, CISAs, CISMs, CRISCs, CPAs

Workshop Portal my.infotex.com

infotex Indiana Illinois Ohio Michigan (800) 466-9939

Contents: The following kits are available on the workshop portal:

- Mobile Security Kit
- Wireless Banking Kit
- Customer Awareness Kit
- Branchless Banking Kit
- Goin’ Mobile Tools

They will be stored in one zip file. You can access this file by going to Location: http://my.infotex.com/goin-mobile-with-the-ffiec/ Simply act like you want to purchase the product, and then use the following promo code: Promo Code: Cartoons313

MARK YOUR CALENDARS: 06/06/13: Customer Awareness Workshop at the IBA Training Center!

11/19/13 and 11/20/13: IBA/CBAO IT Risk and Security Conference