Other business processes part 1
Point-of-sale (POS) systems enable the capture of data at the time and place that sales transactions occur.
Availability of funds or adequacy of credit limits should be verified before funds are transferred.
At the application processing level, the IS auditor should review the interface between the EFT system and the application systems that process the accounts from which funds are transferred.
An EFT switch involved in the network is also an IS audit concern. The switch is the facility that provides the communication linkage for all equipment in the network.
If a third-party audit of the switch has not been performed, the IS auditor should consider visiting the switch location.
Security in an EFT environment ensures that:
• Regulatory requirements for enforceability of electronic data transmitted and received are explicitly stated.
• Standards for unintelligible transmissions are set.
• Data encryption standards are set.
• On receipt of data, the receiving party will immediately transmit an acknowledgment or notification to communicate to the sender that a successful transmission occurred.
• There are guidelines set for the receipt of data and to ensure that the receipt date and time for data transmitted are the date and time the data have been received.
• Each party uses security procedures that are reasonably sufficient for effecting the authorized transmission of data and for protecting business records and data from improper access.
• All the equipment and communication linkages are tested to effectively and reliably transmit and receive data.
In an EFT environment, access security and authorization of processing are important controls.
Individual consumer access to an EFT system may be controlled by a plastic card and a PIN or by other means that bypass the need for a card.
The IS auditor should review the physical security of unissued plastic cards, the procedures used to generate PINs, the procedures used to issue cards and PINs, and the conditions under which the consumer uses the access devices.
Risk Management Controls for Ebanking
• Legal and reputational risk management:
Compliance with banking sector directives (e.g., Basel Accords)
Incident response planning
Capacity, business continuity and contingency planning to ensure availability of ebanking systems and services
Privacy of customer information
Appropriate disclosures for ebanking services
Confidentiality of key bank information
Establishment of clear audit trails for ebanking transactions
Data integrity of ebanking transactions, records and information
Proper authorization controls within ebanking systems, databases and applications
Appropriate measures to ensure segregation of duties (SoD)
Nonrepudiation and accountability for ebanking transactions
Authentication of ebanking customers
• Board and management oversight:
Comprehensive due diligence and management oversight process for outsourcing relationships and other third-party dependencies
Establishment of a comprehensive security control process
Effective management oversight of ebanking activities
Risk Management Challenges
The Internet significantly magnifies the importance of customer authentication techniques, audit trail procedures and customer privacy standards.
The bank's growing dependence on information technology increases the technical complexity of many operational and security issues, including those arising from outsourcing arrangements with third parties such as Internet service providers, telecommunication companies and other technology firms.
Straight-through processing of ebanking websites and the associated retail and wholesale business applications, integrated as much as possible with legacy computer systems (old software and hardware still used throughout the organization, most often in the case of customized software), increases dependence on sound system design and architecture as well as on system interoperability and operational scalability.
The speed of change relating to technological and service innovation in ebanking makes it a challenge to ensure that adequate strategic assessment, risk analysis and security reviews are conducted prior to implementing new ebanking applications.
The IS auditor is most concerned with strategic, operational and reputational risk, because these risk areas are directly related to threats to reliable data flow.