Internet banking has become one of the fastest and easiest ways of banking. Information security is the most important issue in using the Internet, and it becomes even more crucial when the Internet is deployed in the banking sector. This research revealed many risks and threats to the security of online banking information, and they are increasing day by day. The demand for high security in banking & financial services creates both challenges and new business opportunities.
Information security is the process by which an organization protects and secures its systems, media, and facilities that process and maintain information vital to its operations. Financial institutions and banks protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks.
RISK CONCERN AREAS
Information security in finance and banking can be strengthened by striving for certain objectives: availability, integrity, confidentiality, accountability and assurance. These objectives are achieved through an information security risk assessment, a strategy, controls implementation, monitoring, and process updating. Monitoring and updating make the process continuous instead of a one-time event. Security risk variables include threats, vulnerabilities, attack techniques, the financial institution’s operations and technology, and the financial institution’s defensive posture.
Such standards provide a systematic management approach to adopt best-practice controls, quantify the level of acceptable risk and implement the appropriate measures that protect the confidentiality, integrity and availability (CIA) of information. Technical controls improve security through identity and authentication management, access control technology, firewall technology and encryption technology (key technology). Internal controls reduce the harm caused by the moral hazard of internal personnel, risks to system resources, and computer viruses.
CONTROLS MECHANISM IN IT ENVIRONMENT
Every bank and FI should identify the events and circumstances whose occurrence could result in a loss to the organisation. These are called exposures. Controls are the acts the organisation implements to minimize those exposures. In addition to knowing the cause(s) of exposure that a particular control is intended to act upon, it is useful to know the type of role the control is intended to perform. There are basically four categories of control:
Deterrent: These controls are designed to deter people (internal as well as external to the organisation) from undesirable behaviour. For example, written policies that deter people from undesired activities.
Preventive: These controls prevent the cause of exposure from occurring, or at least minimize the possibility. For example, security controls at various levels: hardware, system software, application software, database, network, etc.
Detective: When a cause of exposure has occurred, detective controls report its existence in an effort to minimize the extent of the damage. Certain fire precautions (such as heat detectors and smoke detectors) fall into this category. The audit function can often also be treated as a detective control.
Corrective: These controls are necessary to recover from a loss situation. For example, without corrective controls in place (in the form of a disaster recovery management system), the bank risks loss of business and other losses (which could even result in the bank going out of business) due to its inability to recover essential IT-based services, information and other resources after a disaster strikes.
INFORMATION SECURITY POLICIES
Information Security Policies are the cornerstone of information security effectiveness. The Security Policy is intended to define what is expected from an organization with respect to security of Information Systems. The overall objective is to control or guide human behavior to reduce the risk to information assets by accidental or deliberate actions. Information security policies underpin the security and wellbeing of information resources. They are the foundation, the bottom line, of information security within an organization.
We all practice elements of data security. At home, for example, we make sure that deeds and insurance documents are kept safely so that they are available when we need them. All office information deserves to be treated in the same way. In an office, having the right information at the right time can make the difference between success and failure. Data Security will help the user to control and secure information from inadvertent or malicious changes and deletions or unauthorized disclosure. There are three aspects of data security:
Confidentiality: Protecting information from unauthorized disclosure, whether to the press, through improper disposal techniques, or to those who are not entitled to have it.
Integrity: Protecting information from unauthorized modification, and ensuring that information, such as a beneficiary list, can be relied upon and is accurate and complete.
Availability: Ensuring information is available when it is required.
Data can be held in many different areas, some of which are:
- Network Servers;
- Personal Computers and Workstations;
- Laptop and Handheld PCs;
- Removable Storage Media (Floppy Disks, CD-ROMS, Zip Disks, Flash Drive etc.);
- Data Backup Media (Tapes and Optical Disks).
Data Loss Prevention: Leading Causes of Data Loss:
- Natural Disasters
- Human Errors
- Software Malfunction
- Hardware & System Malfunction
Computers are more relied upon now than ever, or, more to the point, the data that is contained on them. In nearly every instance the system itself can be easily repaired or replaced, but data once lost may not be recoverable. That is why regular system backups and the implementation of preventive measures are always stressed.
Natural Disasters: While the least probable cause of data loss, a natural disaster can have a devastating effect on the physical drive. In instances of severe housing damage, such as scored platters from fire, water immersion due to flood, or broken or crushed platters, the drive may become unrecoverable.
The best way to prevent data loss from a natural disaster is an off-site backup. Since it is nearly impossible to predict the arrival of such an event, more than one copy of the system backup should be kept, one onsite and one off-site. The type of backup media will depend on the system, the software, and the required backup frequency. Also verify the backups to be certain that the data has actually been backed up.
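One way to act on the advice above, that both the onsite and the off-site copy must be verified and not merely taken, is to record a hash manifest of the live data at backup time and compare each copy against it later. This is an added example, not part of the original text; the directory layout, file names and contents are constructed sample data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative POSIX path: SHA-256 hex digest} for every regular file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(manifest, backup_root):
    """Compare a backup copy against the manifest recorded when the backup was taken.

    Reports files missing from the copy, files whose contents differ (silent
    corruption or an incomplete write), and files present only in the copy.
    """
    found = build_manifest(backup_root)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "corrupted": sorted(p for p in manifest if p in found and found[p] != manifest[p]),
        "extra": sorted(set(found) - set(manifest)),
    }


def demo():
    """Constructed sample: a live data set, a clean off-site copy and a damaged onsite copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        live.mkdir()
        (live / "accounts.csv").write_text("id,balance\n1,100\n")
        (live / "beneficiaries.txt").write_text("alice\nbob\n")
        manifest = build_manifest(live)  # taken at backup time; store it with both copies

        offsite = Path(tmp, "offsite")
        shutil.copytree(live, offsite)  # clean copy

        onsite = Path(tmp, "onsite")
        shutil.copytree(live, onsite)
        (onsite / "accounts.csv").write_text("id,balance\n1,100\n1,200\n")  # corrupted record
        (onsite / "beneficiaries.txt").unlink()  # file never made it into the copy

        return {"offsite": verify_backup(manifest, offsite), "onsite": verify_backup(manifest, onsite)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if not any(result.values()) else "FAILED", result)
```

A real deployment would store the manifest alongside each copy and run the check on a schedule, so a copy that silently rotted or missed files is found before a restore is needed.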
Viruses: Viral infection grows at a rate of nearly 200-300 new Trojans, exploits and viruses every month. With those numbers growing every day, systems are at an ever-increasing risk of infection.
There are several ways to protect against a viral threat:
- Install a firewall on the system to prevent unauthorized access to the user’s data.
- Install an anti-virus program on the system and use it regularly to scan for and remove viruses if the system has been infected. Many viruses lie dormant or perform many minor alterations that can cumulatively disrupt system operation. Be sure to check for updates to the anti-virus program on a regular basis.
- Back up, and be sure to scan backups for infection as well. There is no use in restoring a virus-infected backup.
- Beware of any email containing an attachment. If it comes from an anonymous sender, or you do not know where it came from or what it is, do not open it; delete it and block the sender.
Human Errors: Even in today’s era of highly trained, certified, and computer-literate staff, accidents still happen. A few precautions should be followed:
- Be aware. It sounds simple enough to say, but it is not so easy to perform. When transferring data, be sure it is going to the intended destination. If asked “Would you like to replace the existing file?”, be certain before clicking “yes”.
- In case of uncertainty about a task, make sure there is a copy of the data to restore from.
- Take extra care when using any software that manipulates the drive’s storage layout, such as partition mergers, format changes, or even disk checkers.
- Before upgrading to a new operating system, back up the most important files or directories in case there is a problem during the installation. Keep in mind that a secondary (slave) data drive can be formatted as well.
- Never shut the system down while programs are running. The open files will, more likely than not, become truncated and unusable.
Software Malfunction: Software malfunction is a necessary evil when using a computer. Even the world’s top programmers cannot anticipate every error that may occur in a given program. There are still a few things that can lessen the risk:
- Be sure the software is used ONLY for its intended purpose. Misusing a program may cause it to malfunction.
- Using pirated copies of a program may cause the software to malfunction, resulting in corruption of data files.
- Be sure that the proper amount of memory is installed when running multiple programs simultaneously. If a program shuts down or hangs, data may be lost or corrupted.
- Backing up is a tedious task, but it is very useful if the software becomes corrupted.
Hardware Malfunction: The most common cause of data loss, hardware malfunction or hard drive failure, is another necessary evil inherent to computing. There is usually no warning that a hard drive will fail, but some steps can be taken to minimize the need for data recovery after a hard drive failure:
- Do not stack drives on top of each other; leave space for ventilation. An overheated drive is likely to fail. Be sure to keep the computer away from heat sources and make sure it is well ventilated.
- Use a UPS (Uninterruptible Power Supply) to lessen malfunctions caused by power surges.
- NEVER open the casing of a hard drive. Even the smallest grain of dust settling on the platters inside the drive can cause it to fail.
- If the system runs a disk scan on every reboot, it is at high risk of future data loss. Back it up while it is still running.
- If the system makes irregular noises, such as clicking or ticking from the drive, shut the system down and call a hardware engineer.
A virus is a form of malicious code and, as such, it is potentially disruptive. It may also be transferred unknowingly from one computer to another. The term virus includes all sorts of variations on a theme, including the nastier variants of macro viruses, Trojans, and worms, but, for convenience, all such programs are classed simply as ‘virus’.
Viruses tend to fall into three groups:
Dangerous: Such as ‘Resume’ and ‘Love letter’, which do real, sometimes irrevocable, damage to a computer’s system files and to the programs and data held on the computer’s storage media, as well as attempting to steal and transmit user ID and password information.
Childish: Such as ‘Yeke’, ‘Hitchcock’, ‘Flip’, and ‘Diamond’, which do not, generally, corrupt or destroy data, programs, or boot records, but restrict themselves to irritating activities such as displaying childish messages, playing sounds, flipping the screen upside down, or displaying animated graphics.
Ineffective: Those, such as ‘Bleah’, which appear to do nothing at all except reproduce themselves or attach themselves to files in the system, thereby clogging up the storage media with unnecessary clutter. Some of these viruses are ineffective because of badly written code: they should do something, but the virus writer didn’t get it quite right.
Within all types there are some which operate on the basis of a ‘triggered event’, usually a date such as April 1st or October 31st, or a time, such as 15:10 each day, when the ‘Tea Time’ virus activates.
Protection of computer from virus infection:
- Make regular backups of important data.
- Install antivirus software on computer and use it daily.
- Update the antivirus software with the latest signature files on a weekly or fortnightly basis. Antivirus software does no good unless it is frequently updated to protect against the most recent viruses.
- Upgrade the antivirus software when new releases are provided.
Never open or execute a file or e-mail attachment from an unidentified source. If the user is unsure of the source, delete it. Recent viruses have been written so that they arrive from friends and colleagues, so be cautious with attachments even from trusted sources.
Even if an attachment was sent knowingly, it could still contain a virus. Saving it as a file and scanning it with the virus scanner will catch any virus the scanner has been set up to find, which is most of them.
INFORMATION SYSTEMS AUDIT (IS AUDIT)
‘The Working Group on Information Systems Security for the Banking and Financial Sector’ constituted by the Reserve Bank of India stated that each bank in the country should adopt an ‘Information Systems Audit Policy’. Accordingly, the Information Systems Audit and Security cell prepares the Information Systems Audit Policy. The fundamental principle is that risks and controls are continuously evaluated by their owners, where necessary with the assistance of the IS Audit function.
Business operations in the banking and financial sector have become increasingly dependent on computerized information systems over the years. It has now become impossible to separate information technology from the business of the banks. Focused attention is needed on the issues of corporate governance of information systems in a computerized environment and on the security controls that safeguard information and information systems. The developments in information technology have a tremendous impact on auditing. A well-planned and structured audit is essential for risk management and for monitoring and controlling information systems in any organization.
Safeguarding IS Assets: The information systems assets of the organization must be protected by a system of internal controls. This includes protection of hardware, software, facilities, people, data, technology, system documentation and supplies, because hardware can be damaged maliciously, software and data files may be stolen, deleted or altered, and supplies of negotiable forms can be used for unauthorized purposes. The IS auditor is required to review the physical security over the facilities, the security over the systems software and the adequacy of the internal controls. The IT facilities must be protected against all hazards, whether accidental or intentional.
Maintenance of Data Integrity: Data integrity includes safeguarding information against unauthorized addition, deletion, modification or alteration. The desired features of the data are described below:
- Accuracy: Data should be accurate. Inaccurate data may lead to wrong decisions and thereby hindering the business development process.
- Confidentiality: Information should not lose its confidentiality. It should be protected from being read or copied by anyone who is not authorized to do so.
- Completeness: Data should be complete.
- Reliability: Data should be reliable because all business decisions are taken on the basis of the current database.
- Efficiency: The ratio of output to input is known as efficiency. If output is greater with the same or less input, system efficiency is achieved; otherwise the system is inefficient. If computerization results in degraded efficiency, the effort of automating the process stands defeated. IS auditors are responsible for examining how efficient the application is in relation to its users and workload.
This paper summarizes the elements that influence the introduction of information technology in the financial and banking industries and analyzes the relationships among information technology risk factors. It explores why information security should be a priority for businesses and how a security expert can model potential losses for their organization. It also provides guidelines for professionals to make well-informed decisions.