Review of Central Bank Guideline for Electronic Banking
By Femi Oyesanya

INTRODUCTION
The Guideline for Electronic Banking is a prerequisite for this paper. A copy of the Guideline can be found at: http://www.cenbank.org/OUT/PUBLICATIONS/BSD/2003/E-BANKING.PDF
The CBN has proposed an approval process for all technological investments that exceed 10% of free funds. The 10% factor is arbitrary. Rather than proposing a 10% threshold, the CBN ought to define, in clear terms, a definitive methodology for evaluating tangible and intangible mid- to large-scale technological asset acquisitions pursued by banks. As written, an investment that stands at 9.99% of free funds is not subject to CBN approval at all. A clearer approval process might involve a methodology for assessing technological investments in terms of the tangible and intangible return on each specific investment. The entire process of technological asset acquisition might need to be re-evaluated. A 10%-of-free-funds criterion ought not to be the only criterion for triggering an approval process for key technological acquisitions.

In addition to the above suggestions, this review recommends that the core technological and security standards include the following:
1.1 Standards for Computer Networks and Internet Review

The proposed guideline addresses controls for banking data communications and specifies particular technologies, such as proxy-type firewalls, to implement security measures for data communications. It specifies controls for external devices connecting to a larger network. However, the guideline falls short on a key network security criterion: an initial assessment of each financial institution's technology environment and its risks is not required. In the opinion of this review, the CBN ought to recommend a standard that requires banks to examine the potential threats that may already exist in each institution's current network. The local intranet must not be assumed to be secure. Furthermore, each external device, whether permanently connected or connecting intermittently to the banking network, ought to be connected on a layered and trusted basis. Not all devices are equal. Each device ought to have its own access control label that admits it only to a specified layer of access.

1.2 Standards on Protocols

The CBN's guideline calls for steps to ensure that access to data is governed by clear access control measures. In addition, banks should be encouraged to define clear standards for classifying data. Data sensitivity classification allows access control over the data to be more cost-effective. Banks should be encouraged to build data sensitivity schemes into their information security framework. Also, besides human access to data, computer applications also access data. The point here is that access control lists should not be limited to human operators but should also cover computer processes. In addition, allowing access only to the network protocols that are needed is not enough; this review proposes that only secured ports should be open (for example, SSH rather than FTP, and HTTPS rather than HTTP).
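As an added illustration of the "secured ports only" check this review proposes (this is example code written for this review, not part of the CBN guideline), the following Python script parses a listening-socket listing in the layout of `ss -tlnp` output and flags cleartext services and anything outside an allowlist. The sample listing, the table of cleartext services with their secured replacements, and the allowlist of ports 22 and 443 are all constructed assumptions chosen to illustrate the SSH-not-FTP, HTTPS-not-HTTP point; a bank would substitute its own approved-service list.

```python
"""Audit listening TCP services against a 'secured ports only' policy.

Example code for this review, not from the CBN guideline. The input is a
constructed listing in the layout of `ss -tlnp`; the policy tables are
assumptions, not CBN requirements.
"""
import re

# Cleartext services that should not be exposed, paired with the secured
# replacement this review argues for. (Assumed policy table.)
INSECURE_PORTS = {
    21: ("ftp", "sftp or scp over ssh (22)"),
    23: ("telnet", "ssh (22)"),
    80: ("http", "https (443)"),
    110: ("pop3", "pop3s (995)"),
    143: ("imap", "imaps (993)"),
}

# Ports an internet-facing bank host is permitted to expose. (Assumed allowlist.)
ALLOWED_PORTS = {22, 443}

# Constructed sample in the layout of `ss -tlnp` output.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1033,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1033,fd=7))
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1201,fd=4))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=900,fd=5))
"""

# One LISTEN row: state, recv-q, send-q, local addr:port, peer addr:port, process column.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(.*)$')
# First quoted process name inside users:(("name",pid=...,fd=...))
PROC_RE = re.compile(r'\("([^"]+)"')


def parse_listeners(ss_output):
    """Return a list of (local_address, port, process_name) for each LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or non-LISTEN row
        addr, port, proc_field = m.group(1), int(m.group(2)), m.group(3)
        pm = PROC_RE.search(proc_field)
        listeners.append((addr, port, pm.group(1) if pm else "?"))
    return listeners


def audit_listeners(listeners, allowed=ALLOWED_PORTS):
    """Classify each network-reachable listener as OK, INSECURE or UNEXPECTED.

    Loopback-only sockets are skipped: they are not reachable from the network
    and so are outside the scope of an exposed-port policy.
    """
    findings = []
    for addr, port, proc in listeners:
        if addr.startswith("127.") or addr == "::1":
            continue
        if port in INSECURE_PORTS:
            name, replacement = INSECURE_PORTS[port]
            findings.append(("INSECURE", port, proc, f"{name} is cleartext; use {replacement}"))
        elif port not in allowed:
            findings.append(("UNEXPECTED", port, proc, "not on the allowlist; close or justify"))
        else:
            findings.append(("OK", port, proc, "permitted"))
    return findings


if __name__ == "__main__":
    for status, port, proc, note in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"{status:10} {port:>5}  {proc:10} {note}")
```

Run against a real host, the script would take the output of `ss -tlnp` on standard input instead of the constructed sample; the point of the allowlist is that an unexpected listener is reported even when it is not one of the well-known cleartext protocols.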
This section of the guideline offers proposals for architectural implementation, the banking application interface, data communications, software support, physical security, and the segregation of IT security personnel from the IT personnel within a financial institution. It is the opinion of this review that the guideline provided for application and system software is, at the very least, inadequate. In general, most security vulnerabilities occur at the application and system software level. The CBN ought to elaborate more on the security issues associated with the deployment of application and system software. Banks must implement policies and procedures that hold their systems personnel accountable for implementing security at the application and system software level. System software security patches must be applied in a timely manner. Banks must review the security track record of prospective vendor software and implement appropriate steps to address shortfalls in the security of proprietary vendor software. Programs developed in-house must be subjected to security quality review. Anti-virus and intrusion detection software updates must be applied in a timely manner. A three-tier architecture needs to be considered for implementing the technological infrastructure. Lastly, banks should implement directives for application change management and provide effective quality assurance over application and system software implementation.

The delivery channel is the communication path between the bank, its business associates, and its customers. The guideline defines a standard for data confidentiality, integrity and non-repudiation. Clearly, it is the goal of the CBN to implement a process for data security and integrity as data travels from source to destination. In the view of this paper, the CBN should state data transmission security expectations for the origin of the transmission, the delivery path, and the end point: the point of data origination must implement security controls, and likewise the transmission path and the endpoint. Specifically:

A) Security recommendations for data transmission over the highly vulnerable public data transmission network (e.g. dial-up).
B) Security recommendations for data transmission over a more secure point-to-point private network.
C) Security recommendations for data transmission over wireless links.

Each delivery path needs different security requirements to make the transmission secure. For example, data transmission over the public network might be expected to enhance its security by using a VPN, while a point-to-point fibre optic link might not. Also, audit trail expectations need to be clearly defined. The specific audit trail attributes need to be clearly identified by the CBN.
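As an added illustration of what a defined audit-trail standard could look like in code (example written for this review, not from the CBN guideline), the following Python module enforces a fixed set of required attributes on every record and chains the records with an HMAC so that editing, deleting or reordering any record is detectable. The attribute list, the chaining scheme, the demo key and the two events are constructed assumptions; in practice the key would be held by the log collector or an HSM, not by the application that writes the records.

```python
"""Tamper-evident audit trail with a fixed set of required attributes.

Example code for this review, not from the CBN guideline. The required
attribute list and the HMAC chaining scheme are assumptions illustrating
what a defined audit-trail standard could require; the events are constructed.
"""
import hashlib
import hmac
import json

# Attributes every audit record must carry: when, who, from where, did what,
# to what, with what result. (Assumed list; the review asks the CBN to define it.)
REQUIRED_FIELDS = ("timestamp", "actor", "source", "action", "target", "outcome")
GENESIS = "0" * 64  # prev_mac value of the first record


def _canonical(record):
    """Canonical JSON bytes so key ordering cannot change the MAC."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, record_without_mac):
    return hmac.new(key, _canonical(record_without_mac), hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only log. Each record's MAC covers its own fields, its sequence
    number and the previous record's MAC, so any change to an earlier record
    invalidates every record after it."""

    def __init__(self, key):
        self._key = key
        self.records = []
        self._prev_mac = GENESIS

    def append(self, **fields):
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"audit record missing required fields: {missing}")
        record = dict(fields, seq=len(self.records), prev_mac=self._prev_mac)
        record["mac"] = _mac(self._key, record)  # 'mac' not yet present here
        self.records.append(record)
        self._prev_mac = record["mac"]
        return record


def verify_trail(records, key):
    """Return (True, None) if the chain is intact, else (False, index_of_first_bad_record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev_mac") != prev:
            return False, i  # record deleted, inserted or reordered
        body = {k: v for k, v in rec.items() if k != "mac"}
        if not hmac.compare_digest(_mac(key, body), rec.get("mac", "")):
            return False, i  # record content edited
        prev = rec["mac"]
    return True, None


def demo():
    """Two constructed events, then an after-the-fact edit of the amount."""
    key = b"constructed-demo-key"  # held by the log collector / HSM in practice
    trail = AuditTrail(key)
    trail.append(timestamp="2003-08-12T09:14:03Z", actor="teller:olu", source="10.2.3.4",
                 action="balance_inquiry", target="acct:0011223344", outcome="success")
    trail.append(timestamp="2003-08-12T17:02:41Z", actor="batch:end_of_day", source="app-srv-1",
                 action="transfer", target="acct:0011223344->acct:0099887766",
                 outcome="success", amount=250000)
    intact, _ = verify_trail(trail.records, key)
    tampered = [dict(r) for r in trail.records]
    tampered[1]["amount"] = 25000  # silent edit of the stored record
    still_ok, bad_index = verify_trail(tampered, key)
    return intact, still_ok, bad_index


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

Extra fields such as `amount` are allowed alongside the required ones, which is the usual shape of such a standard: a mandatory core every system must emit, plus transaction-specific detail.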
The specific data items that need to be captured must be defined by the CBN.

1.4.2 Automatic Teller Machine

The guideline for ATMs primarily focuses on physical and transactional security. The CBN emphasizes customer security and gives recommendations for the careful siting of ATM devices. However, it fails to recommend a standard for the total number of simultaneous connections to the ATM network. As a condition of service, the CBN should define the acceptable ATM network saturation point: what is the acceptable level of simultaneous connections?

1.4.3 Internet Banking Review

The CBN guideline requires that only authorized staff should be able to change information on the bank's web site. The CBN must also specify that banks put processes in place to ensure that only authorized computing processes are allowed to make changes to the web site.
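One way to detect changes to web content that did not come through the authorized process, as an added example for this review rather than anything from the guideline, is to record a hash manifest of the web root at each approved release and compare the live tree against it. The Python below does that; the web root, file names and contents are constructed in a temporary directory for the demonstration, and the manifest is assumed to be stored off the web host (and ideally signed) so that whoever alters the site cannot also alter the baseline.

```python
"""Detect web-content changes not made through the change-management process.

Example code for this review, not from the CBN guideline. A hash manifest of
the web root is taken after each approved release; the live tree is then
compared against it. Paths and contents below are constructed.
"""
import hashlib
import os
import tempfile


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Return sorted lists of paths added, removed and modified since the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def _write(root, rel, text):
    with open(os.path.join(root, rel), "w") as f:
        f.write(text)


def demo():
    """Constructed web root: approved release, then three unauthorised changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        _write(root, "index.html", "<html>Welcome</html>")
        _write(root, "terms.html", "<html>Terms of service</html>")
        _write(root, "js/login.js", "function login() { /* approved release */ }")
        baseline = build_manifest(root)  # stored off-host at release time

        _write(root, "js/login.js", "function login() { /* not in the approved release */ }")
        _write(root, "extra.php", "<?php /* not in the approved release */ ?>")
        os.remove(os.path.join(root, "terms.html"))
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
    # {'added': ['extra.php'], 'removed': ['terms.html'], 'modified': ['js/login.js']}
```

Scheduled runs of the comparison, with any non-empty result raised as an incident unless it matches an approved change ticket, turn the guideline's staffing rule into a control that also catches changes made by a process rather than a person.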
The CBN requires that when hosting services are outsourced by banks to ISPs, the ISP must ensure that firewalls are properly configured. In the opinion of this review, the ISP must not be allowed any technical administrative control whatsoever over any security device protecting the bank's information assets. Even when hosting is outsourced, banks must make sure that any gatekeeper technology remains solely under their control. Allowing firewalls and similar devices to be managed by non-bank employees might open the door to unprecedented security breaches. In addition, the following web security measures are also recommended:

a) All web pages displaying customer information must be encrypted.
Banks might want to consider using HTTPS to secure their web pages; customer browsers must also support a higher encryption bit length.
b) The CBN might opt to own a centralized digital certificate issuing server specifically for banks. This gives the certificate issuing authority the centralized advantages of managing the issuance, expiration, and renewal of these digital certificates. Alternatively, banks can form a centralized body that performs the same certificate issuance function.
c) Banks must implement web site change management controls.
d) Bank web sites must contain a mechanism that makes the customer session expire after a set period of inactivity. Login sessions to web sites must not be permanent.
e) Policies should be made to address the response time for processing transactions on a bank's web site.
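As an added example of the session expiry called for in item d) above (example code for this review, not from the guideline or any bank's system), the following Python session store enforces both an idle timeout and an absolute lifetime on the server side, so that a session cookie alone cannot keep an account open indefinitely. The ten-minute and eight-hour limits are assumed values standing in for whatever the policy sets; the clock is injected so the expiry logic can be exercised without waiting.

```python
"""Server-side session expiry: idle timeout plus absolute lifetime.

Example code for this review, not from the CBN guideline. The timeout values
are assumptions; a real deployment takes them from policy. The clock is
injected so expiry can be demonstrated without real waiting.
"""
import secrets
import time

IDLE_TIMEOUT = 10 * 60        # seconds with no request before expiry (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds since login, however active (assumed policy)


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, customer_id):
        sid = secrets.token_urlsafe(32)  # unguessable identifier, never derived from customer data
        now = self._clock()
        self._sessions[sid] = {"customer": customer_id, "created": now, "last_seen": now}
        return sid

    def touch(self, sid):
        """Validate on every request. Returns the customer id, or None (and destroys
        the session) if it is unknown, idle too long, or past its absolute lifetime."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]  # expire server-side; a presented cookie is not enough
            return None
        s["last_seen"] = now
        return s["customer"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def demo():
    """Drive the store with a fake clock through the three cases that matter."""
    t = [1_000_000.0]
    store = SessionStore(clock=lambda: t[0])

    sid = store.create("cust-42")
    t[0] += 9 * 60
    alive_within_idle = store.touch(sid)          # 9 min quiet: still valid
    t[0] += 11 * 60
    expired_idle = store.touch(sid) is None       # 11 min quiet: expired

    sid2 = store.create("cust-42")
    result = "cust-42"
    for _ in range(97):                           # 97 x 5 min of steady activity = 8 h 5 min
        t[0] += 5 * 60
        result = store.touch(sid2)
    expired_absolute = result is None             # activity does not extend the hard limit
    return alive_within_idle, expired_idle, expired_absolute


if __name__ == "__main__":
    print(demo())  # ('cust-42', True, True)
```

The absolute limit is the part most implementations leave out: with only an idle timeout, a session that is kept alive by periodic background requests never expires, which is exactly the permanent login the review objects to.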
1.4.7 Switches
In addition to the recommendations in this section of the guideline, the CBN must also encourage switching companies to implement a structured security incident reporting policy that submits its formal findings directly to the CBN.

1.5 Standards on Security and Privacy Review

The standard for security and privacy does not particularly recommend any guideline for privacy. The CBN must outline specific standards for how banks manage customer information held by banking systems. There must be clear provision for customer data confidentiality. Specific guidance must be provided in the following areas:
A) Access to customer banking records by governmental agencies.
B) Access to customer banking records by external business associates of the banks.
C) Marketing use of customer banking records.

1.5.5 Backup, Recovery and Business Continuity Review

This section needs to specify data aging criteria. How long should archived data be kept? Clear criteria should be defined for transactional processing data and for detailed records. It must specify the acceptable length of time for which these records must be stored in archive.