FFIEC Guidance: Mobile Financial Services
Written by: Jon Waldman, CISA, CRISC
Partner and Senior Information Security Consultant
Secure Banking Solutions, LLC

FFIEC Updates IT Examination Handbook to include Mobile Financial Services

Recently, the FFIEC released an expected and overdue update to its IT Examination Handbook. Retail Payment Systems Booklet Appendix E: Mobile Financial Services was written to encompass the often-used mobile banking product and service line for financial institutions, which had not been explicitly recognized in the IT Exam Handbook until now. According to the guidance, Appendix E: Mobile Financial Services (MFS) focuses on risks associated with MFS and emphasizes an enterprise-wide risk management approach to the effective management and mitigation of those risks. Appendix E: MFS discusses the different types of mobile financial services that institutions are currently implementing and provides an updated work program to help examiners review and provide recommendations regarding MFS.

Mobile Financial Services Technologies

Appendix E: MFS identifies four (4) current MFS technologies being employed by financial institutions:

1. Short Message Service (SMS) mobile banking (text banking)
2. Mobile-enabled Web sites and browsers
3. Mobile Applications
4. Wireless (mobile) payment technologies

SMS Mobile Banking

SMS mobile banking utilizes text messaging to allow a customer to provide financial transaction instructions to their financial institution. Typical SMS mobile banking transactions include information gathering (balance checking), transfer of funds between accounts, account alerts or updates, or one-time passwords for website authentication.

Mobile-enabled Web Sites/Browsers

Mobile-enabled Web sites and browsers allow a customer to access the same Internet banking products and services offered by the financial institution to a desktop computer user, only the website or the browser is optimized for a mobile device (tablet, laptop, or smartphone). Mobile-enabled Web sites or browsers aim to enhance the customer experience by ensuring Internet banking products and services are in the best format for viewing on a mobile device.

Mobile Applications

Mobile applications are downloadable software applications developed specifically for use on mobile devices. Mobile banking applications are typically customized for a specific financial institution (branding, products, services, look-and-feel) and allow a customer to perform the same services (information gathering, initiating transfers, paying bills, etc.) as offered via traditional Internet banking. Mobile applications offer a faster, more user-friendly interface than SMS-based or Web-based mobile banking.

Wireless (Mobile) Payment Technologies

Wireless Payment Technologies (Mobile Payments) come in a variety of applications, including wireless payments at Point-of-Sale (POS) terminals (Apple Pay, Android Pay, or Samsung Pay), Peer-to-Peer Payments (Fiserv Popmoney, PayPal, Venmo), or other types of wireless payments (mobile wallets). Most Mobile Payment technologies allow the user to make a payment without the need for a physical card (or check) during the transaction. Four (4) different types of Mobile Payment technologies are identified in Appendix E: MFS:

o Near field communication (NFC). NFC is a wireless protocol that allows for the exchange of payment credentials (or other information) stored on the mobile device only while the payment terminal and the device are within direct proximity of one another (tapping a device on an NFC terminal is often used to initiate the transaction).
o Image-based. Coded images similar to barcodes (called quick-response or QR codes) are used to initiate payments. Credentials may be encoded within a QR code image or stored in the cloud. For example, specific retailers might use quick response (QR) codes to identify customers in a closed-loop mobile payment system.
o Carrier-based. Carrier-based transactions are billed directly to a customer's mobile carrier (cellular) invoice. Merchants are paid directly by the mobile carrier, bypassing traditional payment networks. For example, a carrier-based payment may occur when mobile users donate money to charity through SMS messages or purchase an add-on in a mobile gaming application.
o Mobile P2P. Peer-to-Peer Payments (P2P) are most often initiated on a mobile device using the recipient's mobile phone number, e-mail address, or another identifier. Payment is through established retail payment technologies. P2P Payments may be made via text message (SMS) or mobile application (Fiserv Popmoney). P2P allows a customer to send money via their mobile device to other users enrolled in the institution's system.

While MFS continues to gain market share, as far as payment platforms are concerned, established retail payment channels (ACH, credit/debit card networks, EFT, etc.) are still the backbone of transferring money between financial institutions. The traditional retail payment channels allow financial institutions to leverage existing banking relationships to verify identities, satisfy federal anti-money laundering requirements, and fund accounts despite the new technologies and risks regarding mobile-based transactions.

What are the Risks associated with MFS?

The institution's risk management process should incorporate the risk of using Mobile Financial Services. The risk of using MFS depends on the types of functionality offered by the institution, the type of information being stored, transmitted, and processed through the MFS, and the rate of adoption. Appendix E: MFS identifies four (4) types of risk associated with Mobile Financial Services:

Strategic Risk: The institution must determine if utilizing MFS aligns with the existing strategic vision, goals, and risk appetite. If implementing MFS does not align with these strategic planning items, strategic risk increases.

Operational Risk: Operational risks of MFS include the risks around transaction initiation, authentication and authorization, and the MFS hardware and software itself. Specific MFS operational risks identified in this guidance include:

o Rogue Malicious Applications: applications that impersonate mobile financial services applications, or that compromise the code of an MFS app and inject malicious software into the app
o SMS Phishing/Spoofing: impersonating a text message (SMS) to obtain customer information. Similar to standard phishing emails, except via text messages. Also called smishing.
o SMS Eavesdropping: intercepting and stealing information from text messages
o Mobile-Enabled Web Application Vulnerabilities: mobile-enabled websites are subject to the same vulnerabilities as a standard website, including Cross-site Scripting, SQL injection, malicious software, and URL redirects
o Unauthorized Mobile Applications: mobile applications that are not authorized by the manufacturer or listed in a mobile application store pose higher risk to the institution
o Device Rooting/Jailbreaking: removing or bypassing manufacturer controls to gain root access to the device, providing additional access to the device's operating system and files, which increases risk
o Plain-text Data Storage: storing data on the mobile device (including usernames, passwords, account numbers, purchases, location information, etc.) in plaintext, i.e. without utilizing encryption
o Insecure Application Development: since mobile applications reside on or operate over numerous layers of cellular carriers, networks, operating systems, device types, and app stores, this decentralized mobile ecosystem can lead to different vulnerabilities that require patches and updates at different levels, increasing risk to the institution and the user
o Lost/Stolen Device: a mobile device is much easier to lose or have stolen than a desktop (or even a laptop)
o Unauthorized Payments/Transfers: theft or unauthorized access can lead to payments or transactions being performed by unauthorized individuals
o Wireless Eavesdropping: mobile payment information may be intercepted between the device and the Point-of-Sale terminal if proper encryption is not implemented
o Identity Theft: unauthorized access to MFS may expose customer or transaction information, which may, in turn, lead to identity theft
o Fake Accounts: using stolen identity information to create fake accounts on stolen devices using MFS

Compliance Risk: Compliance risks to the institution include not being in compliance with consumer laws, regulations, and supervisory guidance, as well as failure to perform proper due diligence and ongoing management of MFS vendors.

Reputation Risk: the risk of the financial institution's reputation being harmed as a result of information stored, transmitted, and processed through the MFS becoming compromised or interrupted for a period of time.

The answer to preventing these attacks from affecting your institution and customers is layered security. Layered security includes implementing proper technical controls to help prevent phishing emails from reaching inboxes, building procedural controls such as proper backups and restricted user access controls to ensure proper implementation of technical controls, and, most importantly, educating and testing employees and customers.

Risk Measurement

As with all new technologies that a financial institution is looking to implement, everything should start with the risk assessment. The risk assessment should identify the importance of the technology to be implemented, as well as the risks associated with the new technology. The institution should then make decisions regarding which controls to implement to mitigate new organizational risk. Mobile Financial Services require the interaction of numerous entities, including the institution, mobile network operators, application developers, device manufacturers, and other third parties, to ensure the secure transmission and processing of customer transactions. Below is a list of controls that financial institutions should consider implementing when rolling out MFS.

Strategic Risk: The institution must evaluate all new technologies during the strategic planning process. Considerations include the products and services to be offered, types of transactions allowed, transaction limits, mobile architecture design, supported mobile devices, customer needs, and the use of third parties.

Operational Risk: Controls around operational risk should follow the layered-security approach at different levels, including vendor controls, bank controls, application controls, and customer controls.
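The bank-controls layer can be made concrete with a small monitor. The following Python block is an added example, not code from the guidance or from Secure Banking Solutions; it applies three of the operational controls the guidance names (transaction limits, transaction monitoring, and geolocation transaction anomaly detection) to a constructed sequence of mobile transactions and reports which controls each one trips. The limit values, the speed and distance thresholds, and the Transaction and TransactionMonitor names are assumptions chosen for illustration.

```python
"""Layered transaction controls for a mobile banking back end.

Constructed example: a monitor that applies a per-transaction limit, a
daily limit, and an "impossible travel" geolocation check to each incoming
mobile transaction and returns the names of the controls it tripped.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

# Hypothetical policy values; an institution derives these from its own risk assessment.
PER_TRANSACTION_LIMIT = 2_500.00   # largest single mobile transfer, USD
DAILY_LIMIT = 5_000.00             # total accepted transfers per calendar day, USD
MAX_PLAUSIBLE_SPEED_KMH = 900.0    # roughly airliner speed; faster implies two places at once
MIN_DISTANCE_KM = 50.0             # ignore GPS jitter and moves within one metro area


@dataclass
class Transaction:
    customer_id: str
    timestamp: int      # seconds since the Unix epoch
    amount: float       # USD
    lat: float          # device-reported location, decimal degrees
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


@dataclass
class TransactionMonitor:
    # Accepted transactions per customer, oldest first. Declined ones are kept out so
    # that a blocked transfer neither consumes the daily limit nor anchors travel checks.
    accepted: dict = field(default_factory=dict)

    def evaluate(self, tx: Transaction) -> list:
        """Return the names of the controls tx trips; an empty list means accept."""
        findings = []
        history = self.accepted.get(tx.customer_id, [])

        # Control 1: per-transaction limit.
        if tx.amount > PER_TRANSACTION_LIMIT:
            findings.append("per_transaction_limit")

        # Control 2: daily limit over the same UTC calendar day, counting accepted transfers.
        day = tx.timestamp // 86400
        spent_today = sum(h.amount for h in history if h.timestamp // 86400 == day)
        if spent_today + tx.amount > DAILY_LIMIT:
            findings.append("daily_limit")

        # Control 3: geolocation anomaly, i.e. implausible travel since the last accepted transaction.
        if history:
            last = history[-1]
            km = haversine_km(last.lat, last.lon, tx.lat, tx.lon)
            hours = (tx.timestamp - last.timestamp) / 3600.0
            if km > MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
                findings.append("geolocation_anomaly")

        if not findings:
            self.accepted.setdefault(tx.customer_id, []).append(tx)
        return findings


def run_demo() -> list:
    """Run a constructed transaction sequence through the monitor; returns findings per transaction."""
    monitor = TransactionMonitor()
    sample = [  # constructed sample data
        Transaction("alice", 0, 400.00, 43.55, -96.73),      # Sioux Falls, SD: accepted
        Transaction("alice", 1800, 3000.00, 43.55, -96.73),  # over the per-transaction limit
        Transaction("alice", 3600, 100.00, 51.51, -0.13),    # London one hour later: impossible travel
        Transaction("bob", 0, 2000.00, 39.74, -104.99),      # Denver, CO: accepted
        Transaction("bob", 600, 2000.00, 39.74, -104.99),    # accepted, day total now 4,000
        Transaction("bob", 1200, 2000.00, 39.74, -104.99),   # would push the day to 6,000: daily limit
    ]
    return [monitor.evaluate(tx) for tx in sample]


if __name__ == "__main__":
    for n, findings in enumerate(run_demo(), start=1):
        print(f"transaction {n}: {'accepted' if not findings else ', '.join(findings)}")
```

The monitor returns the tripped control names rather than raising, so the calling service can route each finding to the other controls in the list that follows: a hard decline, out-of-band or multifactor re-authentication of the customer, or rapid incident notification with the event written to the application log.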
Controls to be evaluated include:

o Third Party Selection, Management, and Contract Review
o Transaction Limits
o Transaction Monitoring
o Geolocation Transaction Anomaly Detection
o Rapid Incident Notification
o Strong Authentication
o Encryption
o Customer Social Engineering Education
o Employee Social Engineering Education
o Customer Mobile Security Education
o Customer Mobile Risk Awareness
o Customer Enrollment Process
o Multifactor Authentication
o Out-of-band Authentication
o Formal SDLC Process
o Annual Secure Source Code Audit
o Annual Application Vulnerability Assessment & Penetration Testing
o Re-Authentication Per Login
o Session Timeout
o Application Logging
o Anomalous Activity Monitoring

Controls for specific MFS application types include the following:

o SMS Mobile Banking
  - Redacted Customer Information
  - Limited Customer Access
  - Pre-registration
  - Security Tokens
  - PIN Authentication
  - PIN Regularly Changed
  - SMS Phishing Awareness Campaigns
o Mobile-Enabled Website/Browser
  - Customer Education/Awareness for Compromised Sites
  - Secure SDLC Process
  - OWASP Web Application Compliance
  - OWASP Mobile Application Compliance
  - Customer Awareness of Baseline Mobile Controls
  - Detection of Unsupported Web Browsers
  - Detection of Unsupported Mobile Operating Systems
  - Detection of Anti-XSS Software
  - URL Whitelisting
  - Avoid Redirects/Forwards
  - URL Redirect Notification
  - Website Application Assessment
  - Hard-coded URL
o Mobile Applications
  - Device Policy Enforcement (allowing MFS only after requirements are met)
  - Customer Education/Awareness
  - Secure Application Download/Install
  - Security Testing in SDLC
  - Deactivating Older Application Versions
  - Customer Education (Rooted/Jailbroken Devices)
  - Application Review
  - Storage of Customer Data
  - Device or Application Encryption
  - Application Development with Minimal Data Collection/App Permissions
  - Detection of Unsupported Mobile Operating Systems
  - Third Party Management
  - Secure Back-end Servers
  - Application Sandbox
  - Vulnerability Awareness (US-CERT/FS-ISAC)
  - Periodic Functionality Testing
o Mobile Payments
  - Traffic Filtering
  - DDoS Protection
  - Trusted Platform Modules
  - SSL/TLS
  - Tokenization
  - Transmission Encryption
  - Anti-malware Software
  - Storage Encryption

Compliance Risk: Management should reassess mobile service offerings regularly and ensure MFS offerings are in compliance with all current laws, regulations, and consumer protection guidance. Applicable disclosure requirements must be accessible on mobile devices. All policies and procedures must be updated to include current MFS offerings. The financial institution must train employees to handle MFS compliance issues.

Reputation Risk: To ensure the financial institution's reputation is protected and monitored, management should ensure proper controls are in place around the MFS provider(s) that are storing, transmitting, and processing the institution's confidential customer information. Controls to prevent the unauthorized disclosure of customer information and fraudulent transactions must be in place.

Monitoring and Reporting

Financial institution management should ensure that proper monitoring and reporting are in place to confirm that MFS products are meeting operational expectations. Such reporting should include the following:

o The acceptable levels of risk the financial institution is willing to assume
o Specific performance objectives and criteria, including quantitative methods for evaluating performance
o A comparison of actual performance to projections and benchmarks to identify trends
o Modified expectations and strategic plans based on the performance of the MFS product, including an exit strategy if the product does not meet expectations or projections

Conclusions

Mobile Financial Services are not only here to stay, but they have also become a staple of modern banking practices. This guidance helps to break down the different types of MFS, including very specific threats and risk-mitigating controls applicable to each type of MFS. If your financial institution has not yet reviewed this guidance and updated its risk assessments accordingly, this update to the FFIEC Retail Payments booklet, Appendix E - Mobile Financial Services, is a great place to start.

What can SBS do to help?

Secure Banking Solutions has a team of auditors and consultants that can assist you in updating your IT Risk Assessments and ensuring your Information Security Program adequately reflects the risk-mitigating controls around MFS. Additionally, SBS is a leading provider of online risk management solutions designed to be your security expert. The TRAC information security suite of products includes our flagship module, IT Risk Assessment. TRAC's IT Risk Assessment module is designed to provide pre-defined, financial institution-specific data that saves you the time of researching all of the applicable threats and controls for a specific IT asset. This pre-defined data acts as your security expert and helps to ensure your risk assessment is comprehensive and correct. No more guessing whether or not a threat or a control applies to your Mobile Banking application; it's already included. Contact SBS by calling to speak with one of our Help Desk representatives about our services. If you have any additional questions, comments, or concerns, please let us know; we are always happy to help. For more information, please visit SBS at:
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationCybersecurity and the Role of Mobile Financial Transactions. Jackie McCarthy Director, Regulatory Affairs NCSL Capitol Forum December 5, 2016
Cybersecurity and the Role of Mobile Financial Transactions Jackie McCarthy Director, Regulatory Affairs NCSL Capitol Forum December 5, 2016 Outline About CTIA and wireless s role in payments Mobile Payments
More informationMobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing
Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More informationSECURITY TRENDS & VULNERABILITIES REVIEW FINANCIAL SYSTEMS
SECURITY TRENDS & VULNERABILITIES REVIEW FINANCIAL SYSTEMS 2017 CONTENTS Introduction...3 Executive summary...3 1. Research data...5 2. Protection flaws...6 2.1. Overall statistics...6 2.2. Comparison
More informationW H IT E P A P E R. Salesforce Security for the IT Executive
W HITEPAPER Salesforce Security for the IT Executive Contents Contents...1 Introduction...1 Background...1 Settings Related to Security and Compliance...1 Password Settings... 1 Session Settings... 2 Login
More informationA Measurement Companion to the CIS Critical Security Controls (Version 6) October
A Measurement Companion to the CIS Critical Security Controls (Version 6) October 2015 1 A Measurement Companion to the CIS Critical Security Controls (Version 6) Introduction... 3 Description... 4 CIS
More informationGuidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17
GUIDELINES ON SECURITY MEASURES FOR OPERATIONAL AND SECURITY RISKS UNDER EBA/GL/2017/17 12/01/2018 Guidelines on the security measures for operational and security risks of payment services under Directive
More informationPCI DSS Compliance. White Paper Parallels Remote Application Server
PCI DSS Compliance White Paper Parallels Remote Application Server Table of Contents Introduction... 3 What Is PCI DSS?... 3 Why Businesses Need to Be PCI DSS Compliant... 3 What Is Parallels RAS?... 3
More informationFrequently Asked Questions (FAQ)
Your personal information and account security is important to us. This product employs a Secure Sign On process that includes layers of protection at time of product log in to mitigate risk, and thwart
More informationCybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank
Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank NJ Bankers Association Annual Convention May 19, 2017 Presented by: Jeremy Burris, Principal, S.R. Snodgrass,
More informationOverview Bank IT examination perspective Background information Elements of a sound plan Customer notifications
Gramm-Leach Bliley Act Section 501(b) and Customer Notification Roger Pittman Director of Operations Risk Federal Reserve Bank of Atlanta Overview Bank IT examination perspective Background information
More informationInternet of Things Toolkit for Small and Medium Businesses
Your Guide #IoTatWork to IoT Security #IoTatWork Internet of Things Toolkit for Small and Medium Businesses Table of Contents Introduction 1 The Internet of Things (IoT) 2 Presence of IoT in Business Sectors
More informationSneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security
Sneak Peak at CIS Critical Security Controls V 7 Release Date: March 2018 2017 Presented by Kelli Tarala Principal Consultant Enclave Security 2 Standards and Frameworks 3 Information Assurance Frameworks
More informationFFIEC CONSUMER GUIDANCE
FFIEC CONSUMER GUIDANCE Important Facts About Your Account Authentication Online Banking & Multi-factor authentication and layered security are helping assure safe Internet transactions for banks and their
More information2017 IT Examination Preparedness. Iowa Bankers 2017 Technology Conference October 24, 2017
2017 IT Examination Preparedness Iowa Bankers 2017 Technology Conference October 24, 2017 1 Disclaimer Materials designed to give general information on the specific subjects covered and are educational
More informationHow do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?
Cybersecurity Due Diligence Checklist Control # Control Name Risks Questions for IT 1 Make an Benign Case: Employees Inventory of using unapproved Authorized devices without Devices appropriate security
More informationDHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1
Addressing the Evolving Cybersecurity Tom Tollerton, CISSP, CISA, PCI QSA Manager Cybersecurity Advisory Services DHG presenter Tom Tollerton, Manager DHG IT Advisory 704.367.7061 tom.tollerton@dhgllp.com
More informationIntegrated Access Management Solutions. Access Televentures
Integrated Access Management Solutions Access Televentures Table of Contents OVERCOMING THE AUTHENTICATION CHALLENGE... 2 1 EXECUTIVE SUMMARY... 2 2 Challenges to Providing Users Secure Access... 2 2.1
More information10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS
10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND
More informationFirst aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018
First aid toolkit for the management of data breaches Mary Deligianni Senior Associate 15 February 2018 What is a personal data breach? Breach of security which leads to the accidental or unlawful destruction,
More informationGLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications
GLOBALPROTECT Prevent Breaches and Secure the Mobile Workforce GlobalProtect extends the protection of Palo Alto Networks Next-Generation Security Platform to the members of your mobile workforce, no matter
More informationClient Computing Security Standard (CCSS)
Client Computing Security Standard (CCSS) 1. Background The purpose of the Client Computing Security Standard (CCSS) is to (a) help protect each user s device from harm, (b) to protect other users devices
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationMay 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations
May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose
More informationQuickBooks Online Security White Paper July 2017
QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a
More informationthe SWIFT Customer Security
TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This
More informationProtecting Against Modern Attacks. Protection Against Modern Attack Vectors
Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches
More informationKaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity
Kaspersky Enterprise Cybersecurity Kaspersky Security Assessment Services www.kaspersky.com #truecybersecurity Security Assessment Services Security Assessment Services from Kaspersky Lab. the services
More informationREGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results.
REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES Dynamic Solutions. Superior Results. PERSONALIZED HELP THAT RELIEVES THE BURDEN OF MANAGING COMPLIANCE The burden of managing risk and compliance is
More informationWell north of your expectations. TM. NSB Mobile MOBILE BANKING USER GUIDE
NSB Mobile Well north of your expectations. TM MOBILE BANKING USER GUIDE TABLE OF CONTENTS Mobile Banking Overview SMS Text Messaging Service 1 Mobile Browser Service 1 Downloadable Application 1 Frequently
More informationHow NOT To Get Hacked
How NOT To Get Hacked The right things to do so the bad guys can t do the wrong ones Mark Burnette Partner, LBMC -Risk Services October 25, 2016 Today s Agenda Protecting Against A Hack How should I start?
More informationOffice 365 Buyers Guide: Best Practices for Securing Office 365
Office 365 Buyers Guide: Best Practices for Securing Office 365 Microsoft Office 365 has become the standard productivity platform for the majority of organizations, large and small, around the world.
More informationPerforming a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH
Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH 1 Speaker Bio Katie McIntosh, CISM, CRISC, CISA, CIA, CRMA, is the Cyber Security Specialist for Central Hudson Gas &
More informationSession 2: Understanding the payment ecosystem and the issues Visa Europe
Session 2: Understanding the payment ecosystem and the issues Visa Europe Agnes Revel Martineau VP, Head of Product Specifications, Standards and Industry Liaison ETSI 01st, July, 2014 Agenda You said
More informationMaaS360 Secure Productivity Suite
MaaS360 Secure Productivity Suite Frequently Asked Questions (FAQs) What is MaaS360 Secure Productivity Suite? MaaS360 Secure Productivity Suite integrates a set of comprehensive mobile security and productivity
More information