Systems auditability and control in an EFTS environment
by RUSSELL DEWEY
SRI International, Menlo Park, California
Proceedings of the National Computer Conference, 1978, pp. 185-188

INTRODUCTION

Losses from accidental and intentional acts involving computers and data communications in financial institutions are growing. The current estimate of losses from credit card fraud alone is $500 million, and it has been projected to rise to $6 billion to $10 billion. Of greater concern than this problem is the growing potential for single instances of massive loss as EFTS grows and participants become highly dependent on continuously available computer services in which most of their assets are stored in electronic form.

There is obviously a need to apply the principles of secure systems to the emerging development of EFTS, and much work has already been completed and published (see References 1 through 9). Most of this work has focused on the technology of security: personal identification numbers, plastic card security, cryptography, physical security, and operating system integrity. On the other hand, there is also a growing awareness that EFTS security is a "people" problem. The risks, threats, and vulnerabilities of EDP systems derive primarily from the activities of individuals, whether accidental or deliberate [7, 10]. In the EFTS environment those individuals may be employees of the financial institutions, merchants, the telephone company, hardware and software vendors, maintenance personnel, computer service bureaus, security personnel, and auditors. Between the two orientations, technology and occupation, a body of information is emerging on audit techniques and application controls that, if implemented, could help reduce the potential for significant loss [5]. The purpose of this paper is to review and summarize the state of that art within the context of the EFTS environment.

THE EFTS ENVIRONMENT

The number of financial terminals being installed in remote locations to automate all or part of the transfer of credits and debits is increasing. By 1980 there may be over 100,000 terminals providing a variety of EFTS services, including:

- Deposits
- Withdrawals
- Transfers of balances between accounts
- Direct debits for purchases
- Balance inquiries
- Check authorization and guarantee
- Credit card authorization and data capture
- Corporate cash management
- Funds concentration
- Corporate-to-corporate wire transfers

During the last few years, components of EFTS technology have begun to be implemented in a variety of configurations, including shared access networks. A shared access network is one that allows an EFTS transaction to be switched to more than one possible destination, regardless of ownership considerations. Since this environment is more complex than a single institution dedicated to EFTS, this paper focuses on shared access networks. The likely evolution of such networks may be described by their principal components:

1. Remote Terminal: The terminal may be operated entirely by one person, as with an Automated Teller Machine (ATM), check guarantee terminal, or cash management terminal. It may also be operated by an intermediary, such as a financial institution teller or a merchant's sales person.

2. Communications: The terminal may be connected to a computer located at a merchant, a corporation, or potentially a government facility. In this case the originating computer must be connected to the destination computer through intermediate computers and telephone communications facilities. Depending on the complexity of the local environment, the number of institutions participating, and economic considerations, the terminal may instead be connected directly to a local financial institution, directly to a joint-venture shared EFTS switch, or through common carrier facilities directly to the destination.

3. Files: EFTS files take several forms and may be found in several discrete locations:
- At the remote operator (merchant, corporation, government agency) there may be audit trails of EFTS transactions passing through, or decision parameters to control the processing of transactions when the remainder of the network is down. There are likely no balances, account data, or financial institution programs.
- At the acquiring financial institution there may be audit trails, but also balances and account data for its merchants and corporate customers and for transactions that do not need to be switched, such as an "on-us" debit. The acquiring financial institution may also have decision parameters to control the processing of "not-on-us" transactions when the remainder of the network is down.
- At the EFTS switch there may be audit trails and decision parameters for any destination facility that may be down. There are likely no financial files other than reconciliation totals and settlement amounts between institutions.
- At the destination financial institution there may be audit trails, memo-post master file balances, transaction files with backup, and off-line master files with backup.

4. Communication Equipment: Each computer site will have specialized hardware to interface the EDP system to the external communication lines.

5. EFTS Software (Program Logic): Each computer that is expected to participate in such an EFTS network must have specialized programs developed.
These include:

- Terminal protocols
- Message format conversions
- Switching and routing logic
- Interface logic/protocol to other computers
- Interface to existing financial software, such as:
  - Demand deposit accounting
  - Savings account accounting
  - Customer information data bases
  - New account processing
- Specialized audit techniques and application controls

EFTS APPLICATION AUDIT TOOLS AND TECHNIQUES

The transition from traditional financial institution recordkeeping to today's EFTS application systems, characterized by large on-line master files, lack of manual intervention, and remote terminal entry, has brought with it design concepts that cannot rely on traditional manual control procedures. The accuracy and reliability of EFTS application processing is becoming more dependent on the incorporation of automated application controls (discussed in the next section). The purpose of the EFTS audit tools and techniques is to evaluate those controls and to verify processing accuracy and continued compliance with processing procedures. Some of the key audit tools and techniques that apply to the EFTS environment and verify the correctness of processing logic and controls include the following:

Base Case System Evaluation: Execute application programs against test transaction data, entered through a "test mode" EFTS terminal, and compare the results against predetermined test results.

Parallel Operations: Execute new or revised application programs alongside the existing application programs and compare the results.

Integrated Test Facility (ITF): Enter test transaction data through live terminals, commingled with live transaction data.

Parallel Simulation: Live transactions are copied and processed against auditor programs that simulate the processing logic. The simulation results are then compared with the live results.

Transaction Selection: Systematically screen and select samples of the transactions entered through EFTS terminals for subsequent manual verification.

Embedded Audit Data Collection (sometimes known as System Control Audit Review File, SCARF): Audit subroutines are embedded in the application programs to screen and select the internally generated messages between EFTS logic modules that result from the original terminal transaction.

Terminal Audit Software: Direct access to inspect live files during actual operation of the EFTS. The auditor will want to examine terminal polling lists, routing tables, merchant codes, floor limits, and default authorization tables.

Snapshot and Trace: Secure documentary evidence of the logic paths, control conditions, and processing sequence of a specific transaction. This is done by continuously recording the status of a selected transaction as it passes through the system.

Job Accounting Data Analysis: Select, extract, and display job accounting data to monitor access to sensitive data files and on-line libraries.

Code Comparison: Use of an off-line program to compare two versions of an application program to identify differences in coding.

EFTS APPLICATION SYSTEM CONTROLS

The purpose of the EFTS application system controls is to assure the accuracy and completeness of the processing results, the security of the environment in which the EFTS transaction is effected, and the effectiveness of the overall computer design and operations.
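The parallel simulation technique listed above is easiest to see in code. The following is an added example, not code from the paper or from SRI: an auditor's independent simulation of an acquirer's authorization rules (negative file, PIN result, issuer reachability, and the per-merchant floor limits from the default authorization tables that terminal audit software would inspect), run over a copy of live requests and compared with the live decisions. The rules, field names, merchant and issuer identifiers, and the sample traffic are all constructed for the example.

```python
"""Parallel simulation of EFTS authorization logic (added example).

The auditor copies live authorization requests together with the live
system's decisions, re-runs them through an independent simulation of
the documented decision rules, and reports every transaction on which
the two disagree. Rules, field names and sample data are constructed
for this example and are not from the paper.
"""
from dataclasses import dataclass

# Decision parameters an auditor would pull independently from the
# acquirer's tables (constructed values).
FLOOR_LIMITS = {"M100": 50.00, "M200": 25.00}    # per-merchant default floor limit
NEGATIVE_FILE = {"4111000000000002"}             # hot-carded account numbers
ISSUER_ONLINE = {"ISS-A": True, "ISS-B": False}  # issuer reachability at the time


@dataclass(frozen=True)
class AuthRequest:
    txn_id: str
    merchant: str
    pan: str
    issuer: str
    amount: float
    pin_ok: bool


def simulate_decision(req: AuthRequest) -> str:
    """Auditor's simulation of the documented rules.

    1. A card on the negative file is always declined.
    2. A failed PIN check is always declined.
    3. If the issuer is reachable, the request is switched to it
       ("SWITCH"); the issuer's own answer is outside this simulation.
    4. If the issuer is down, the acquirer may approve in default only
       up to the merchant's floor limit (the paper's "default option").
    """
    if req.pan in NEGATIVE_FILE:
        return "DECLINE:NEGATIVE_FILE"
    if not req.pin_ok:
        return "DECLINE:PIN"
    if ISSUER_ONLINE.get(req.issuer, False):
        return "SWITCH"
    if req.amount <= FLOOR_LIMITS.get(req.merchant, 0.0):
        return "APPROVE:DEFAULT"
    return "DECLINE:ISSUER_DOWN"


def compare_with_live(requests, live_decisions):
    """Return (txn_id, live decision, simulated decision) for each disagreement."""
    findings = []
    for req in requests:
        sim = simulate_decision(req)
        live = live_decisions.get(req.txn_id, "<no live record>")
        if live != sim:
            findings.append((req.txn_id, live, sim))
    return findings


# Constructed sample: copies of live requests and the live decisions.
SAMPLE_REQUESTS = [
    AuthRequest("T1", "M100", "4111000000000010", "ISS-A", 120.00, True),
    AuthRequest("T2", "M200", "4111000000000002", "ISS-A", 10.00, True),   # hot card
    AuthRequest("T3", "M100", "4111000000000028", "ISS-B", 40.00, True),   # issuer down, under floor
    AuthRequest("T4", "M200", "4111000000000036", "ISS-B", 40.00, True),   # issuer down, over floor
    AuthRequest("T5", "M100", "4111000000000044", "ISS-A", 15.00, False),  # bad PIN
]
LIVE_DECISIONS = {
    "T1": "SWITCH",
    "T2": "APPROVE:DEFAULT",   # live system approved a hot card: the planted discrepancy
    "T3": "APPROVE:DEFAULT",
    "T4": "DECLINE:ISSUER_DOWN",
    "T5": "DECLINE:PIN",
}


def run_audit():
    return compare_with_live(SAMPLE_REQUESTS, LIVE_DECISIONS)


if __name__ == "__main__":
    for txn_id, live, sim in run_audit():
        print(f"{txn_id}: live={live} simulated={sim}")
```

Running it reports the one disagreement in the constructed data: the live system approved transaction T2 in default although the card is on the negative file, which is the kind of logic divergence parallel simulation exists to surface. In practice the requests are taken from a copy of the live transaction file and the decision tables are obtained independently of the production copies, so that a tampered production table shows up as a disagreement rather than being reproduced by the simulation.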
The controls described in the following sections are some of those likely to be beneficial in the remote terminal EFTS environment. They are grouped according to five phases:

- Transaction Origination and Data Entry
- Data Communications
- Computer Processing
- Data Storage and Retrieval
- Output Processing

TRANSACTION ORIGINATION AND DATA ENTRY CONTROLS

Special-Purpose Forms: At merchant-operated or teller-operated terminal locations, proper form design encourages completeness and accuracy of data. In the cardholder-operated terminal environment, video display units (VDUs) may be used for pre-formatted and/or interactive input.

Transaction Identification Cross-Reference and Source Document Numbers: This control calls for sequentially assigned source document numbers (or sequential screen numbers) which are transmitted to the EFT processor as part of the transaction identification.

Sequence Log: An internal log of which sequence numbers have been assigned to which merchant/teller locations or cardholder-operated terminal locations.

Signatures: In the EFTS environment this control consists of appending a series of endorsements to each transaction as an audit trail of each node that handles it. It also serves as a "return destination" for undeliverable messages. The first endorsement is the terminal ID.

User Identification: A unique identification by class of user (cardholder, merchant, teller, bank supervisor), used to restrict the transactions that may be processed as well as the files that may be accessed.

Batch Serial Numbers: Batches are identified by serial number to provide accountability for data and to assist in isolating errors when an EFTS terminal cannot successfully reconcile at end of day (or other cut-off time).

Limit the Number of Transactions in a Batch: This is done to simplify the reconciliation process.

Turn-Around Documents: The source documents contain pre-recorded data in machine-readable format. This simplifies processing in the event that the on-line system is down and paper documents are used as back-up.

Retention Dates on All Transaction Logs: Based on legal requirements and management policy.

Source Documents Maintained at Origin: In the EFTS interchange environment this means two things: (1) the paper documents (credit card vouchers, debit card vouchers, deposit slips, withdrawal slips) are kept as close as possible to the acquiring bank, to avoid unnecessary risk of loss in transport, and (2) the electronic version of the EFTS transaction is also kept at the acquiring facility until balanced at the end of the day. Subsequent settlement between banks, and the actual movement of value data for posting, can then occur in batch mode at lower cost and higher reliability.

Error Logging: Maintained by the acquiring facility to record and monitor the types of errors occurring at the terminal. Suspicious patterns of such errors could indicate an attempt by an outsider to breach system security.

Verification of Re-Entered Data: The data fields on resubmitted transactions are subjected to the same verification procedures as the original transaction.

Security of EFTS Terminals: EFTS data entry terminals should be physically secured by placement in a lockable room, by a key lock on the terminal itself, or by a lockable cover over the terminal device when it is not in use.

Terminal Logs: Journals in the terminals that record all transactions.

Terminal Control Logs: Journals in the terminal controllers, used to identify imposter terminals on the network (the controller's total of transactions should equal the sum of the totals of the legitimate terminals).

Built-In Terminal and Terminal Controller IDs: These devices are provided with electronic identification that can be queried by the computer and used to validate proper terminal authorization.

Editing and Validating Routines: These may be partially performed in the terminal itself, given anticipated hardware capabilities.
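The terminal control log, sequence log and error logging controls above can be run as end-of-day checks over the journals. The code below is an added example, not code from the paper: it reconciles a constructed terminal controller log against the journals of the authorized terminals, checks each terminal's sequence numbers for gaps and repeats, and flags a terminal whose error count reaches a threshold. Terminal identifiers, record layouts and the threshold are constructed for the example.

```python
"""Terminal-level origination controls over constructed journals (added example).

Three checks from the paper's list, run over constructed sample data:
  * Terminal control log: the controller must have heard only from
    terminals on the authorized list, and its total must equal the sum
    of the legitimate terminal journals. A surplus points at an
    imposter terminal on the line.
  * Sequence log: each terminal's source-document numbers must be
    contiguous; a gap means a lost or suppressed transaction, a repeat
    means a replay or a duplicate entry.
  * Error logging: a terminal whose error count reaches a threshold is
    flagged for security follow-up.
Record layouts, IDs and the threshold are constructed for this example.
"""
from collections import Counter, defaultdict

AUTHORIZED_TERMINALS = {"ATM-01", "ATM-02", "POS-07"}
ERROR_THRESHOLD = 3   # constructed: error count per terminal that triggers review

# Constructed terminal journals: (terminal_id, sequence_no, amount_cents, status)
TERMINAL_JOURNALS = [
    ("ATM-01", 1001, 5000, "OK"),
    ("ATM-01", 1002, 2000, "OK"),
    ("ATM-01", 1004, 7500, "OK"),          # 1003 is missing: gap
    ("ATM-02", 2001, 10000, "OK"),
    ("ATM-02", 2001, 10000, "OK"),         # repeated sequence number
    ("POS-07", 3001, 1250, "ERR:BAD_PIN"),
    ("POS-07", 3002, 1250, "ERR:BAD_PIN"),
    ("POS-07", 3003, 1250, "ERR:BAD_PIN"),
    ("POS-07", 3004, 1250, "OK"),
]

# Constructed controller log: per-terminal message counts the controller
# actually saw on the line, keyed by the terminal ID each message claimed.
CONTROLLER_LOG = [
    ("ATM-01", 3), ("ATM-02", 2), ("POS-07", 4),
    ("ATM-09", 2),                          # not on the authorized list: imposter
]


def check_controller_totals(journals, controller_log, authorized):
    findings = []
    journal_counts = Counter(t for t, *_ in journals)
    controller_counts = dict(controller_log)
    for term, seen in controller_counts.items():
        if term not in authorized:
            findings.append(f"imposter terminal {term}: {seen} messages on the line")
        elif seen != journal_counts.get(term, 0):
            findings.append(f"{term}: controller saw {seen}, journal has {journal_counts.get(term, 0)}")
    # The headline control: controller total must equal the sum of legal journals.
    legal_total = sum(journal_counts[t] for t in authorized)
    controller_total = sum(controller_counts.values())
    if controller_total != legal_total:
        findings.append(f"controller total {controller_total} != legal journal total {legal_total}")
    return findings


def check_sequence_log(journals):
    findings = []
    by_term = defaultdict(list)
    for term, seq, *_ in journals:
        by_term[term].append(seq)
    for term, seqs in by_term.items():
        seen = Counter(seqs)
        for seq, n in sorted(seen.items()):
            if n > 1:
                findings.append(f"{term}: sequence {seq} appears {n} times")
        ordered = sorted(seen)
        for prev, cur in zip(ordered, ordered[1:]):
            if cur != prev + 1:
                findings.append(f"{term}: gap between {prev} and {cur}")
    return findings


def check_error_log(journals, threshold=ERROR_THRESHOLD):
    errors = Counter(t for t, _, _, status in journals if status.startswith("ERR:"))
    return [f"{term}: {n} errors, review for tampering"
            for term, n in errors.items() if n >= threshold]


def run_origination_controls():
    return (check_controller_totals(TERMINAL_JOURNALS, CONTROLLER_LOG, AUTHORIZED_TERMINALS)
            + check_sequence_log(TERMINAL_JOURNALS)
            + check_error_log(TERMINAL_JOURNALS))


if __name__ == "__main__":
    for line in run_origination_controls():
        print(line)
```

The controller check is deliberately two-sided: the per-terminal comparison names the imposter, while the total comparison still fires if an imposter spoofs the ID of a legitimate terminal, because the controller then sees more messages for that ID than the terminal's own journal holds.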
Passwords: Used to verify that the input is being received from an authorized source. This is likely to be the Personal Identification Number (PIN), although other techniques are being actively explored.

Unauthorized Access Attempts: An immediate report is produced of unauthorized attempts to access the system. After a threshold of repeated attempts, the system shuts down the terminal in question and allows access from that terminal only after intervention by security personnel.

DATA COMMUNICATION CONTROLS

Secure Phone Equipment Rooms: Locks and alarms are used to control access.

Network Configuration Polling Table: No open addresses through which unauthorized terminals could gain access.

Communication System Control Log: To detect any unauthorized changes to the network made through network supervisor terminals.

Communication Line Routing: Data communication lines are not routed through public switchboards (PBX).

Local Loop Security: Between the terminal, terminal controller, or computer and the telephone company branch office.

Encryption Techniques: Such as the National Bureau of Standards (NBS) algorithm, the Data Encryption Standard (DES). For an excellent discussion of encryption techniques, see Kaufman and Auerbach [1].

Forward Error Correction (FEC) and Automatic Request for Retransmission (ARQ): Common types of link control, used to control transmission errors on each segment of a transaction's path through the EFTS network to the cardholder data base and back to the terminal.

Message Sequence Number: Each transaction at an EFTS terminal may generate several messages (terminal to acquiring CPU, acquiring CPU to switch, switch to cardholder CPU, etc.). Sequence numbers provide a traceable log with which to match an inquiry with its response, detect lost messages, or detect imposter messages.

COMPUTER PROCESSING CONTROLS

Monitoring of Internally Generated Messages: Internally generated messages (such as an authorization request to the issuer on an interchange withdrawal transaction) should be uniquely identified and cross-referenced to the external transaction that spawned them.

Control Totals: Reasonableness checks and internal control totals between program modules.

Default Option: Each level in the system hierarchy may need to make decisions by default when the rest of the system is down, or when it is uneconomical to do otherwise (e.g., the merchant bank may authorize a $3.00 transaction against a negative file instead of requesting authorization from the issuer).

Dual Fields: All entries should be carried as a credit against one account and a corresponding debit against another, throughout the life of the transaction.

Arithmetic Accuracy: Techniques such as double arithmetic and arithmetic overflow checks are placed at critical points in the application.

Destructive Update: Debit and credit entries are used to correct error conditions, not delete or erase commands.
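The Message Sequence Number control and the Monitoring of Internally Generated Messages control above come together in one reconciliation pass over the message log. The code below is an added example, not code from the paper: each hop carries its own sequence number and the identifier of the terminal transaction that spawned it, and the pass pairs requests with responses per link to report lost messages, responses that match no outstanding request or repeat an already answered one, and internal messages that carry no cross-reference. The message layout, link names and sample traffic are constructed for the example.

```python
"""Message sequence numbers and request/response reconciliation (added example).

One terminal transaction spawns a chain of messages: terminal to acquirer,
acquirer to switch, switch to issuer, and the responses back. Each
message carries the sequence number of its link and the identifier of
the originating terminal transaction. Message layout and sample traffic
are constructed for this example.
"""
from collections import namedtuple

# link: hop the message travelled (T2A terminal-acquirer, A2S acquirer-switch,
# S2I switch-issuer); seq: sequence number on that link; kind: REQ or RSP;
# origin_txn: the terminal transaction the message was spawned by.
Msg = namedtuple("Msg", "link seq kind origin_txn")


def reconcile(messages):
    """Pair requests with responses per (link, seq); return a list of findings."""
    outstanding = {}   # (link, seq) -> request still awaiting its response
    answered = set()   # (link, seq) already matched with a response
    findings = []
    for m in messages:
        key = (m.link, m.seq)
        if m.kind == "REQ":
            # Internal (non-terminal) requests must be cross-referenced to
            # the external transaction that spawned them.
            if m.link != "T2A" and not m.origin_txn:
                findings.append(f"{key}: internal request not cross-referenced to a terminal transaction")
            if key in outstanding or key in answered:
                findings.append(f"{key}: duplicate request sequence number")
            outstanding[key] = m
        elif m.kind == "RSP":
            if key in answered:
                findings.append(f"{key}: second response to an answered request (imposter or replay)")
            elif key not in outstanding:
                findings.append(f"{key}: response with no matching request (imposter)")
            else:
                req = outstanding.pop(key)
                answered.add(key)
                if req.origin_txn != m.origin_txn:
                    findings.append(f"{key}: response references {m.origin_txn}, request was {req.origin_txn}")
    # Anything still outstanding at cut-off never got its response.
    for key, req in outstanding.items():
        findings.append(f"{key}: request for {req.origin_txn} never answered (lost message)")
    return findings


# Constructed sample traffic for two terminal transactions plus noise.
SAMPLE_TRAFFIC = [
    Msg("T2A", 501, "REQ", "T1"),
    Msg("A2S", 9001, "REQ", "T1"),
    Msg("S2I", 77, "REQ", "T1"),
    Msg("S2I", 77, "RSP", "T1"),
    Msg("A2S", 9001, "RSP", "T1"),
    Msg("T2A", 501, "RSP", "T1"),        # T1 fully answered on every link
    Msg("T2A", 502, "REQ", "T2"),
    Msg("A2S", 9002, "REQ", "T2"),       # never answered: lost at the switch
    Msg("T2A", 503, "RSP", "T3"),        # no request with seq 503: imposter
    Msg("A2S", 9003, "REQ", ""),         # internal message without cross-reference
    Msg("A2S", 9003, "RSP", ""),
    Msg("T2A", 501, "RSP", "T1"),        # replayed response to an answered request
]


def run_reconciliation():
    return reconcile(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    for line in run_reconciliation():
        print(line)
```

Keying on (link, sequence number) rather than on the sequence number alone matters because each hop numbers its own messages; the cross-reference field is what ties the three hops of one transaction together for the auditor's trace.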
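The Dual Fields, Arithmetic Accuracy and Destructive Update controls above describe a posting engine that never carries an unbalanced entry and never erases one. The ledger below is an added example, not code from the paper: it rejects an entry that does not balance or whose amount lies outside a bounded integer range, recomputes its control totals from the journal after every posting, and corrects a mis-keyed entry only by posting a mirror-image reversal that references the original. Account names, the field bound and the sample sequence are constructed for the example.

```python
"""Posting engine with the paper's computer-processing controls (added example).

  * Dual fields: every entry is a debit on one account and an equal credit
    on another; the ledger refuses anything that does not balance.
  * No destructive update: an error is corrected by posting a reversing
    entry that references the original, never by deleting it.
  * Arithmetic accuracy: amounts are integers in cents, every amount is
    bounded, and the control totals are recomputed from the journal after
    each posting and compared with the running figures.
Account names, the bound and the sample sequence are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_CENTS = 2**31 - 1   # constructed field bound: the largest amount a 32-bit field could hold


@dataclass(frozen=True)
class Entry:
    entry_id: str
    debit: str
    credit: str
    cents: int
    reverses: Optional[str] = None   # entry_id of the entry this one corrects


@dataclass
class Ledger:
    # Signed balances: the sum over all accounts is always zero.
    balances: Dict[str, int] = field(default_factory=dict)
    journal: List[Entry] = field(default_factory=list)
    running_total: int = 0           # sum of all posted amounts (control total)

    def post(self, e: Entry) -> None:
        # Dual-field check: two different accounts, positive bounded integer amount.
        if e.debit == e.credit:
            raise ValueError(f"{e.entry_id}: debit and credit on the same account")
        if not isinstance(e.cents, int) or e.cents <= 0 or e.cents > MAX_CENTS:
            raise ValueError(f"{e.entry_id}: amount {e.cents} out of range")
        if e.reverses is not None:
            orig = next((j for j in self.journal if j.entry_id == e.reverses), None)
            if orig is None:
                raise ValueError(f"{e.entry_id}: reverses unknown entry {e.reverses}")
            if (orig.debit, orig.credit, orig.cents) != (e.credit, e.debit, e.cents):
                raise ValueError(f"{e.entry_id}: reversal does not mirror {e.reverses}")
        for acct in (e.debit, e.credit):
            self.balances.setdefault(acct, 0)
        self.balances[e.debit] -= e.cents
        self.balances[e.credit] += e.cents
        self.journal.append(e)
        self.running_total += e.cents
        self._control_totals_ok()

    def _control_totals_ok(self) -> None:
        # Double arithmetic: recompute from the journal and compare with
        # the running figures maintained during posting.
        if sum(j.cents for j in self.journal) != self.running_total:
            raise RuntimeError("control total mismatch")
        if sum(self.balances.values()) != 0:
            raise RuntimeError("ledger does not balance")

    def correct(self, entry_id: str, correction_id: str) -> Entry:
        """Correct a posted entry with a mirror-image reversal; nothing is deleted."""
        orig = next(j for j in self.journal if j.entry_id == entry_id)
        rev = Entry(correction_id, debit=orig.credit, credit=orig.debit,
                    cents=orig.cents, reverses=entry_id)
        self.post(rev)
        return rev


def is_rejected(ledger: Ledger, entry: Entry) -> bool:
    """True if the ledger refuses the entry under the dual-field/arithmetic checks."""
    try:
        ledger.post(entry)
    except ValueError:
        return True
    return False


def demo() -> Ledger:
    """Constructed sequence: a withdrawal, a mis-keyed amount, and its reversal."""
    lg = Ledger()
    lg.post(Entry("E1", debit="DDA:1001", credit="CASH:ATM-01", cents=5000))   # $50 withdrawal
    lg.post(Entry("E2", debit="DDA:1001", credit="CASH:ATM-01", cents=50000))  # keyed $500 in error
    lg.correct("E2", "E3")                                                    # reversal, not delete
    lg.post(Entry("E4", debit="DDA:1001", credit="CASH:ATM-01", cents=5000))   # re-entered correctly
    return lg


if __name__ == "__main__":
    lg = demo()
    for e in lg.journal:
        print(e)
    print(lg.balances)
```

After the demo the journal still holds all four entries, including the erroneous E2 and its reversal E3, so an auditor tracing the account sees the error and its correction rather than a silently rewritten history.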
DATA STORAGE AND RETRIEVAL CONTROLS

File Classification: Each file is classified by security level, and access is restricted by level.

Data Base Control Table: No data base access is allowed unless it comes from an authorized program module.

Program Linkage Control Table: These tables control the authorized module linkages between programs.

Dormant Files/Accounts: The system reports on dormant files/accounts that suddenly show activity. Many attempts at EFTS fraud try to make use of dormant accounts.

Excessive Activity: The system reports on records and data fields whose activity exceeds a certain threshold. It could mean that a lost or stolen card is being used.

OUTPUT PROCESSING CONTROLS

Reconciliation: The response to an EFTS request is matched up and reconciled with the original request before the transaction is completed.

Transaction Log: The central transaction log is periodically matched against the journal tape in the EFTS terminal. These totals are also verified against individual application control totals.

Output Activity Review: Real-time statistics such as the number of terminals on-line, transaction quantities, and circuit traffic are reviewed by the appropriate management. System-generated subjective judgments, such as default authorizations, are reviewed by user departments.

Device Verification: EFTS devices whose actions, such as imprinting a card or dispensing cash, are controlled by the application programs send a status report back to the host computer to verify completion of the requested mechanical operation.

CONCLUSION

Any remote terminal-based interactive system will face a variety of threats. EFTS in particular, because of the electronic movement of funds and value, will be particularly vulnerable. Fortunately, a number of system audit techniques and application controls are available to the system designer, and more are under development.
Depending on the particular system design, careful implementation of these audit techniques and application controls is likely to diminish the vulnerability to those threats.

REFERENCES

1. Kaufman, D. and K. Auerbach, "A Secure National System for Electronic Funds Transfer," Proceedings 1976 NCC.
2. Mazzetti, Joseph P., "Design Considerations for Electronic Funds Transfer Switch System Development," Proceedings 1976 NCC.
3. Backman, Frank, "Are Computers Ready for the Checkless Society?," Proceedings 1976 NCC.
4. "The Analysis of Certain Threats to EFT System Sanctity," Kranzley & Co., Cherry Hill, N.J. A study done for the Electronic Industries Foundation, January.
5. "Systems Auditability and Control Study," SRI International, January. (Available from the Institute of Internal Auditors, Orlando, Florida.)
6. "Introduction to EFT Security," prepared by the Division of Management Systems and Economic Analysis, FDIC, Washington, D.C., August.
7. Parker, Donn, Crime by Computer, Charles Scribner's Sons, New York.
8. Martin, James, Security, Accuracy and Privacy in Computer Systems, Prentice-Hall, Englewood Cliffs, New Jersey.
9. Hoffman, Lance J., Security and Privacy in Computer Systems, Melville Publishing Company, Los Angeles.
10. "A Guide to EDP and EFTS Security Based on Occupations," a report prepared for the FDIC by SRI International, Menlo Park, California, 1977.
More informationInformation Technology Risks & Controls for Financial Systems PEM-PAL Treasury CoP Workshop 2011 Kristin Lado Tufan
Information Technology Risks & Controls for Financial Systems PEM-PAL Treasury CoP Workshop 2011 Kristin Lado Tufan 1 Introduction IT Risk and Compliance Officer in Information Management and Technology
More informationFRAUD-RELATED INTERNAL CONTROLS
GLOBAL HEADQUARTERS THE GREGOR BUILDING 716 WEST AVE AUSTIN, TX 78701-2727 USA TABLE OF CONTENTS I. THE NEED FOR INTERNAL CONTROLS Example... 1 Threats to an Organization s Internal Control Environment...
More information9/11/ FALL CONFERENCE & TRAINING SEMINAR 2014 FALL CONFERENCE & TRAINING SEMINAR
1 2 1 Agenda: Types of Fraud Things you can do internally Things that companies can do Services Provided by the Bank 3 Because that is where the money is. 4 2 Checks Credit Cards ACH (Debits / Credits)
More informationInternational Standard on Auditing (Ireland) 505 External Confirmations
International Standard on Auditing (Ireland) 505 External Confirmations MISSION To contribute to Ireland having a strong regulatory environment in which to do business by supervising and promoting high
More informationPART 5: INFORMATION TECHNOLOGY RECORDS
PART 5: INFORMATION TECHNOLOGY RECORDS SECTION 5 1: RECORDS OF AUTOMATED APPLICATIONS GR5800 01 AUDIT TRAIL RECORDS Files needed for electronic data audits such as files or reports showing transactions
More informationChapter 2 Introduction to Transaction Processing
Chapter 2 Introduction to Transaction Processing TRUE/FALSE 1. Processing more transactions at a lower unit cost makes batch processing more efficient than real-time systems. T 2. The process of acquiring
More informationSparta Systems TrackWise Digital Solution
Systems TrackWise Digital Solution 21 CFR Part 11 and Annex 11 Assessment February 2018 Systems TrackWise Digital Solution Introduction The purpose of this document is to outline the roles and responsibilities
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationThe BUSINESS of Fraud. Don t let it put you out of business. AFFILIATE LOGO
The BUSINESS of Fraud. Don t let it put you out of business. Veenindra J. Singh, First Vice President, Treasury Management Consultant California Bank & Trust 300 Lakeside Drive, Suite 800 Oakland, Ca 94612
More informationProjectplace: A Secure Project Collaboration Solution
Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the
More informationBest Practices Guide to Electronic Banking
Best Practices Guide to Electronic Banking City Bank & Trust Company offers a variety of services to our customers. As these services have evolved over time, a much higher percentage of customers have
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationPayment Authorization A Journey to Continuous Availability A Gravic, Inc. Case Study
Payment Authorization A Journey to Continuous Availability A Executive Summary A major provider of merchant services to over four million small to medium-sized businesses throughout the world provides
More informationDCB PREPAID CARD TERMS AND CONDITIONS
DCB PREPAID CARD TERMS AND CONDITIONS These Terms and Conditions are for DCB Prepaid Cards issued to DCB Prepaid Cardholders by DCB Bank Limited, a Banking Company incorporated under the Companies Act,
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) 1. Domain 1 The Process of Auditing Information Systems Provide audit services in accordance with IT audit standards to assist the organization in protecting
More information4.2 Electronic Mail Policy
Policy Statement E-mail is an accepted, efficient communications tool for supporting departmental business. As provided in the Government Records Act, e-mail messages are included in the definition of
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationSmart Cards and Authentication. Jose Diaz Director, Technical and Strategic Business Development Thales Information Systems Security
Smart Cards and Authentication Jose Diaz Director, Technical and Strategic Business Development Thales Information Systems Security Payment Landscape Contactless payment technology being deployed Speeds
More informationRecords Management and Retention
Records Management and Retention Category: Governance Number: Audience: University employees and Board members Last Revised: January 29, 2017 Owner: Secretary to the Board Approved by: Board of Governors
More informationBusiness Online Banking & Bill Pay Guide to Getting Started
Business Online Banking & Bill Pay Guide to Getting Started What s Inside Contents Security at Vectra Bank... 4 Getting Started Online... 5 Welcome to Vectra Bank Business Online Banking. Whether you re
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationFrequently Asked Question Regarding 201 CMR 17.00
Frequently Asked Question Regarding 201 CMR 17.00 What are the differences between this version of 201 CMR 17.00 and the version issued in February of 2009? There are some important differences in the
More informationTarget Breach Overview
Target Breach Overview Q: Media reports are stating that Target experienced a data breach. Can you provide more specifics? A: Yes, Target has confirmed that it experienced unauthorized access to its systems
More informationQuestion 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:
Cybercrime Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1: Organizations can prevent cybercrime from occurring through the proper use of personnel, resources,
More informationPRIVACY AND ONLINE DATA: CAN WE HAVE BOTH?
PAPER PRIVACY AND ONLINE DATA: CAN WE HAVE BOTH? By Peter Varhol www.actian.com ignificant change has arrived in how computing and storage consumes data concerning individuals. Merchants, data collection
More informationHORIZON ACH, EFT and integrated Card Management
HORIZON ACH, EFT and integrated Card Management Managing Payment Innovation Heather Womack, Business Systems Analyst Patricia Herrera, Business Systems Analyst May 23, 2017 HORIZON Automated Clearing House
More informationSparta Systems TrackWise Solution
Systems Solution 21 CFR Part 11 and Annex 11 Assessment October 2017 Systems Solution Introduction The purpose of this document is to outline the roles and responsibilities for compliance with the FDA
More informationIT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager
IT Audit and Risk Trends for Credit Union Internal Auditors Blair Bautista, Director Bob Grill, Manager David Dyk, Manager 1 AGENDA Internet Banking Authentication ATM Security and PIN Compliance Social
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationGM Information Security Controls
: Table of Contents 2... 2-1 2.1 Responsibility to Maintain... 2-2 2.2 GM s Right to Monitor... 2-2 2.3 Personal Privacy... 2-3 2.4 Comply with Applicable Laws and Site Specific Restrictions... 2-3 2.5
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationControl-M and Payment Card Industry Data Security Standard (PCI DSS)
Control-M and Payment Card Industry Data Security Standard (PCI DSS) White paper PAGE 1 OF 16 Copyright BMC Software, Inc. 2016 Contents Introduction...3 The Need...3 PCI DSS Related to Control-M...4 Control-M
More informationINFORMATION SECURITY FOR MANAGERS
INFORMATION SECURITY FOR MANAGERS INFORMATION SECURITY FOR MANAGERS William Caelli Dennis Longley Michael Shain M stockton press Macmillan Publishers Ltd, 1989 Softcover reprint of the hardcover 1st edition
More informationBackground Search & People Search Data
Ultimate Background Search & People Search Data The Finest Due Diligence & Investigative Data Solutions Available! - Find People - Verify Identities - Prevent Fraud FOR A NO RISK TRIAL Call Trent Martin
More informationTotal Security Management PCI DSS Compliance Guide
Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to
More informationProcessing a Deposit via ipayments
Processing a Deposit via ipayments Several items must be considered prior to engaging in the sale of goods or services. Does the department have written cash handling procedures? Are the persons accepting
More informationsecurity FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.
security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name. Security for Your Business Mitigating risk is a daily reality for business owners, but you don t have
More informationEmployee Security Awareness Training
Employee Security Awareness Training September 2016 Purpose Employees have access to sensitive data through the work they perform for York. Examples of sensitive data include social security numbers, medical
More informationBeam Technologies Inc. Privacy Policy
Beam Technologies Inc. Privacy Policy Introduction Beam Technologies Inc., Beam Dental Insurance Services LLC, Beam Insurance Administrators LLC, Beam Perks LLC, and Beam Insurance Services LLC, (collectively,
More informationStopping Insider Threats Before They Start: Using Leading Techniques and Predictive Analysis to Presage Your Environment
Stopping Insider Threats Before They Start: Using Leading Techniques and Predictive Analysis to Presage Your Environment 1 Attachmate Corporation. All rights reserved. Results show that it can take more
More informationMobile Banking: Boldly Go WNOHGB
Mobile Banking: Boldly Go WNOHGB Regional & Community Bankers Conference October 16, 2008 Mike Stewart, Assistant Vice President Business Development & Customer Services 1 Discussion Topics Some Definitions
More informationAltitude Software. Data Protection Heading 2018
Altitude Software Data Protection Heading 2018 How to prevent our Contact Centers from Data Leaks? Why is this a priority for Altitude? How does it affect the Contact Center environment? How does this
More informationATM Frauds Telecom Frauds
ATM Frauds Telecom Frauds V Rajendran venkrajen@yahoo.com Evolution of banking Nationalisation Post nationalisation era Privatisation and Globalisation Private sector banks New Generation Banks Evolution
More informationPolicy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4
Policy Sensitive Information Version 3.4 Table of Contents Sensitive Information Policy -... 2 Overview... 2 Policy... 2 PCI... 3 HIPAA... 3 Gramm-Leach-Bliley (Financial Services Modernization Act of
More informationInternational Standard on Auditing (UK) 505
Standard Audit and Assurance Financial Reporting Council July 2017 International Standard on Auditing (UK) 505 External Confi rmations The FRC s mission is to promote transparency and integrity in business.
More informationACH Audit Guide for Third-Party Senders Step-by-Step Guidance and Interactive Form For Internal ACH Audits Audit Year 2017
Publications ACH Audit Guide for Third-Party Senders Step-by-Step Guidance and Interactive Form For Internal ACH Audits Audit Year 2017 Price: $250 Member Price: $125 (Publication #505-17) A new approach
More informationInformation Lifecycle Management for Business Data. An Oracle White Paper September 2005
Information Lifecycle Management for Business Data An Oracle White Paper September 2005 Information Lifecycle Management for Business Data Introduction... 3 Regulatory Requirements... 3 What is ILM?...
More information