Other business processes part 1
Electronic Banking
The IS auditor is most concerned with strategic, operational and reputational risk, because these risk areas are directly related to threats to reliable data flow.
Risk Management Challenges
• The speed of change relating to technological and service innovation in ebanking makes it a challenge to ensure that adequate strategic assessment, risk analysis and security reviews are conducted prior to implementing new ebanking applications.
• Straight-through processing of electronic transactions: ebanking websites and associated retail and wholesale business applications are integrated as much as possible with legacy computer systems (old software/hardware used throughout the organization, most often in the case of customized software). This increases dependence on sound system design and architecture as well as system interoperability and operational scalability.
• The bank's dependence on information technology increases the technical complexity of many operational and security issues, including outsourcing arrangements with third parties such as Internet service providers, telecommunication companies and other technology firms.
• The Internet significantly magnifies the importance of security controls, customer authentication techniques, data protection, audit trail procedures and customer privacy standards.
Risk Management Controls for Ebanking
• Board and management oversight:
1. Effective management oversight of ebanking activities
2. Establishment of a comprehensive security control process
3. Comprehensive due diligence and management oversight process for outsourcing relationships and other third-party dependencies
• Security controls:
1. Authentication of ebanking customers
2. Nonrepudiation and accountability for ebanking transactions
3. Appropriate measures to ensure segregation of duties (SoD)
4. Proper authorization controls within ebanking systems, databases and applications
5. Data integrity of ebanking transactions, records and information
6. Establishment of clear audit trails for ebanking transactions
7. Confidentiality of key bank information
• Legal and reputational risk management:
1. Appropriate disclosures for ebanking services
2. Privacy of customer information
3. Capacity, business continuity and contingency planning to ensure availability of ebanking systems and services
4. Incident response planning
5. Compliance with banking sector directives (e.g., Basel Accords)
EFT
Access security and authorization of processing are important controls.
Individual consumer access to an EFT system may be controlled by a plastic card and a PIN, or by other means that bypass the need for a card. The auditor should review:
• the physical security of unissued plastic cards,
• the procedures used to generate PINs,
• the procedures used to issue cards and PINs, and
• the conditions under which the consumer uses the access devices.
Security in an EFT environment ensures that:
• All the equipment and communication linkages are tested to effectively and reliably transmit and receive data.
• Each party uses security procedures that are reasonably sufficient for affecting the AUTHORIZED TRANSMISSION of data and for PROTECTING business records and data from IMPROPER ACCESS.
• There are GUIDELINES set for the receipt of data and to ensure that the receipt date and time for data transmitted EQUALS the date and time the data have been received.
• On receipt of data, the receiving party will immediately transmit an acknowledgment or notification to communicate to the sender that a successful transmission occurred.
• Data encryption standards are set.
• Standards for unintelligible transmissions are set.
• REGULATORY REQUIREMENTS for enforceability of electronic data transmitted and received are explicitly stated.
An EFT switch involved in the network is also an IS audit concern. The switch is the facility that provides the communication linkage for all equipment in the network. If a third-party audit has not been performed, the IS auditor should consider visiting the switch location.
At the application processing level, the IS auditor should review the interface between the EFT system and the application systems that process the accounts from which funds are transferred. Availability of funds or adequacy of credit limits should be verified before funds are transferred.
Point-of-sale Systems
Point-of-sale (POS) systems enable the capture of data at the time and place that sales transactions occur. Payment instruments include credit and debit cards.
POS terminals may have attached peripheral equipment, such as optical scanners to read bar codes, magnetic card readers for credit or debit cards, or electronic readers for smart cards, to improve the efficiency and accuracy of the transaction recording process.
It is most important for an IS auditor to determine whether any cardholder data, such as primary account numbers (PANs) or personal identification numbers (PINs), are stored on the local POS system. Any such information, if stored on the POS system, should be encrypted using strong encryption methods. Certain data, such as card verification value (CVV) numbers, can never be stored on these devices.
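As an added example (not part of the original study notes), a small Python check an auditor could run over a POS terminal's local data store to flag the two violations described above: a PAN retained in the clear (recognised as a Luhn-valid run of 13 to 19 digits) and any stored CVV value. The sample store, its field names and its card numbers are constructed for the demonstration.

```python
import re

# Constructed sample of a POS terminal's local transaction store (not real data).
# Line 1 shows the acceptable pattern: masked PAN, token reference, no CVV.
# Line 2 keeps a full PAN in the clear; line 3 stores a CVV, which is never allowed.
# Line 4 holds a 16-digit run that fails the Luhn check, so it is not reported.
SAMPLE_POS_STORE = """\
txn=1001 pan=************4242 token=tok_7f3a amount=19.99
txn=1002 pan=4111111111111111 amount=42.00
txn=1003 pan=************0005 cvv=123 amount=7.50
txn=1004 pan=1234567812345678 amount=3.00
"""

DIGIT_RUN = re.compile(r"\b\d{13,19}\b")
CVV_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used to separate real PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_pos_store(text: str) -> list[tuple[int, str]]:
    """Return (line_number, finding) pairs for cardholder-data retention violations."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for run in DIGIT_RUN.findall(line):
            if luhn_valid(run):
                findings.append((lineno, f"cleartext PAN ending {run[-4:]}"))
        if CVV_FIELD.search(line):
            findings.append((lineno, "CVV stored (must never be retained)"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_pos_store(SAMPLE_POS_STORE):
        print(f"line {lineno}: {finding}")
```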
EMAIL
At the most basic level, the email process can be divided into two principal components:
• Mail servers—Hosts that deliver, forward and store mail
• Clients—Interface with users, allowing users to read, compose, send and store email messages
SEND PROCESS
When a user sends an email message, it is first broken up by the Transmission Control Protocol (TCP) into Internet Protocol (IP) packets. The packets are then sent to an internal router. If the mail is meant for an internal client, the mail is delivered to that client. If the mail is to be delivered outside the network, it may pass through a firewall, which will determine if it can be sent or received.
AFTER SENDING PROCESS
Once out on the Internet, the message is sent to an INTERNET ROUTER, which examines the address and determines where the message should be sent. A GATEWAY at the receiving network receives the email message; it uses TCP to reconstruct the IP packets into a full message and translates the message into the protocol the target network uses. The message may also be required to pass through a firewall on the receiving network. The receiving network examines the email address and sends the message to a specific mailbox.
Gateways IN EMAIL PROCESSING
Outside a closed network, an email has to travel through a series of networks before it reaches the recipient. These networks might use different email formats. Gateways perform the job of translating email formats from one network to another, so the messages can make their way through all the networks.