Commercial Internet Banking Risk Assessment and Controls Evaluation
by Kevin Piowaty
Purpose
The following internet banking risk assessment and controls evaluation is provided to help commercial internet banking users identify threats and measure the strength of their controls.
Risk Assessment Questions
For each question, select the answer that best represents your environment. Following the assessment, use the “Control Evaluation – Tips” to evaluate your environment.
Personnel Security:
Are employees required to sign an Acceptable Use Policy (AUP)?
Does each employee using internet banking go through security awareness training?
Do you complete background checks on employees prior to hire?
System Security:
Is a dedicated system used for internet banking activities?
Do systems have up-to-date antivirus software?
Is there a process in place to ensure software updates and patches are applied (e.g., Microsoft, web browser, Adobe products, etc.)?
Do users run as local administrators on their computer systems?
Does a firewall protect the network?
Do you have an Intrusion Detection/Prevention System (IDS/IPS) in place to monitor and protect the network?
Is internet content filtering being used?
Is email filtering being used?
Are users of the internet banking system trained to manually lock their workstations when they leave them?
Is wireless technology used on the network with the internet banking system?
Physical Security:
Are critical systems (including systems used to access internet banking) located in a secure area?
How are passwords protected?
Previous Experience:
Have you experienced fraud through internet banking in the past?
Has malware been discovered on systems used for internet banking activities in the past?
Risk Rating
LOW
MEDIUM
HIGH
EXTREME
Note: this risk rating is designed to give a general idea of your risk posture based only on the answers in this questionnaire. Additional factors could either increase or decrease the risk.
Control Evaluation – Tips
Your answers indicate you have implemented this assessment’s recommended controls.
Create an Acceptable Use Policy (AUP), if you don’t already have one, and require your employees to sign it at least annually.
An Acceptable Use Policy (AUP) details the permitted user activities and consequences of noncompliance. Examples of elements included in an AUP are: purpose and scope of network activity; devices that can be used to access the network; bans on attempting to break into accounts, crack passwords, circumvent controls or disrupt services; expected user behavior; and consequences of noncompliance.
Require each employee who uses internet banking to go through security awareness training at least annually.
Security Awareness Training (SAT) for internet banking users, at a minimum, should include a review of the acceptable use policy, desktop security, log-on requirements, password administration guidelines, social engineering tactics, etc.
Run background checks on all employees prior to hire.
Companies should have a process to verify job application information on all new employees. The sensitivity of a particular position or job function may warrant additional background and credit checks. After employment, companies should remain alert to changes in employees’ circumstances that could increase incentives for abuse or fraud.
Dedicate a system to only internet banking activities.
It is best to have a dedicated system for high-risk internet banking activities.
Ensure all computer systems have up-to-date antivirus software.
Companies should maintain active and up-to-date antivirus protection provided by a reputable vendor. Schedule regular scans of your computer in addition to real-time scanning.
Implement a process to ensure software updates and patches are applied frequently.
This includes a computer’s operating system and other installed software (e.g., web browsers, Adobe products, Microsoft Office, etc.). In many cases, it is best to automate software updates when the software supports it.
Limit local administrator privilege on computer systems where possible.
Use firewalls on your local network to add another layer of protection for all the devices that connect through the firewall (e.g., workstations, smartphones, tablets, etc.).
Implement an Intrusion Detection/Prevention System (IDS/IPS) to protect your network.
An IDS/IPS is used to monitor network/internet traffic and report or respond to potential attacks.
Restrict internet traffic on the systems used for internet banking activities.
Filter web traffic to restrict potentially harmful or unwanted internet sites from being accessed by computer systems. For “high risk” systems, it is best to limit internet sites to only business sites that are required.
Implement an email filter to help eliminate potentially harmful or unwanted email messages from making it to end users’ inboxes.
Configure workstations to time out after a period of inactivity and train users to manually lock their workstations when they leave them.
Systems should be locked (requiring a password to reconnect) when users walk away from their desks to prevent unauthorized access to the system.
Secure wireless traffic using industry-approved encryption.
Wireless networks are considered public networks because they use radio waves to communicate. Radio waves are not confined to specific areas and are easily intercepted by unauthorized individuals. Therefore, if wireless is used, security controls such as encryption, authentication, and segregation are necessary to ensure confidentiality and integrity.
Locate critical systems (including systems used to access internet banking) in a secure area.
Only allow approved employees access to the critical systems.
Ensure passwords are securely stored and kept confidential.
Passwords should never be left out where unauthorized individuals can gain access to them.
Review previous fraud experiences and implement security measures to reduce the risk of similar incidents.
Ensure the system is clean of all malware.
It is best to do this by rebuilding the system.