Bank information security
Bank information security starts with an audit. An information security audit supports a range of the bank's activities and, above all, reveals weaknesses in the bank's systems. It is therefore important to decide correctly when, and in what form, to conduct an audit.
An audit is an independent check of accounting (financial) statements for the purpose of expressing an opinion on their reliability.
This definition of the term has nothing to do with information security. Nevertheless, information security professionals use the term freely. In their usage, an audit is an independent evaluation of an organization, system, process, project, or product.
In regulatory enactments, the term information security audit is not always used. It is often replaced by the term conformity assessment or by the slightly outdated but still used term attestation. Sometimes, the term certification is used.
Whichever term is used, in essence an information security audit is conducted either to verify compliance with regulations or to verify the validity and security of the solutions applied. In the first case, the audit cannot be refused: skipping it would violate the requirements of regulatory enactments and entail fines, suspension of activities, and other penalties. In the second case, the audit is voluntary, and the organization itself decides whether to conduct it.
A statutory audit can be performed by:
- the bank itself, for example in the form of a self-assessment (although in that case there is no longer any question of independence, and the term audit is not entirely appropriate);
- an external independent organization, the auditor;
- regulatory bodies empowered to carry out the appropriate supervisory activities (this option is often called an inspection rather than an audit).
A voluntary audit can be conducted for any reason: checking the security of the remote banking system, controlling the assets of an acquired bank, checking a newly opened branch, and so on. In this case, it is impossible to clearly outline the boundaries, describe the reporting forms, or speak of the regularity of the audit: all of this is decided by agreement between the auditor and the auditee. Let's turn to the forms of statutory audit that matter for the information security of banks.
The international standard ISO/IEC 27001:2005 is a set of best practices for information security management in large organizations. Small organizations, including banks, are not always able to comply with the requirements of the standard in full. ISO 27001 is a voluntary document; it is up to each bank whether to accept its terms. However, ISO 27001 is intended as a global standard, and experts in different countries use it as a universal guide for everyone involved in information security.
There are several subtle and not often mentioned but important points associated with ISO 27001.
Firstly, it is not the bank's entire information security system that is audited against this standard, but only one or several components: for example, the remote banking protection system, the head office protection system, or the protection of the personnel management process. In other words, a certificate of conformity for one of the processes assessed in the audit does not guarantee that the remaining processes are in the same near-ideal state.
The second point is that ISO 27001 is a universal standard, applicable to any organization, which means it does not take into account the specifics of an industry. Because of this, the International Organization for Standardization (ISO) has long discussed creating ISO 27015, a transposition of ISO 27001/27002 for the financial industry. Visa and MasterCard opposed the already developed draft. Visa holds that the draft contains too little of the information the financial industry needs, for example on payment systems; however, if the missing provisions were added, the standard would have to be moved to another ISO committee. MasterCard proposes to stop developing ISO 27015 altogether, arguing that the financial industry already has enough documents regulating information security.
Furthermore, only a few organizations in the world are entitled to certify compliance with ISO 27001. Integrators only help ensure that the requirements of the standard are met; compliance itself is verified by certified auditors.
While the debate continues over whether banks should implement ISO 27001, some daredevils go for it and pass through three stages of compliance audit:
- a preliminary informal study of the main documents by the auditor, both on the premises of the audit client and outside them;
- a formal and in-depth audit with an assessment of the effectiveness of the implemented protection measures and a study of the required documents, after which the auditor usually confirms compliance and issues a certificate recognized worldwide;
- an annual audit to confirm the obtained certificate of conformity.
Who needs ISO 27001? If we consider the standard not only as a set of best practices that can be implemented without going through an audit, but also as a certification process that confirms the bank's compliance with international security requirements, then it makes sense to implement ISO 27001 either for banks belonging to banking groups where ISO 27001 is the standard, or for banks planning to enter the international arena. In other cases, an audit of compliance with ISO 27001 and obtaining a certificate is most often unnecessary.
PCI DSS Payment Card Security Standard
PCI DSS (Payment Card Industry Data Security Standard) is the payment card data security standard. It was developed by the Payment Card Industry Security Standards Council (PCI SSC), which was established by the international payment systems Visa, MasterCard, American Express, JCB, and Discover.
The PCI DSS standard is a set of 12 high-level and more than 200 detailed requirements for ensuring the security of payment cardholder data that is transmitted, stored, and processed in the information systems of organizations.
The requirements of the standard apply to all companies that work with the international payment systems Visa and MasterCard. Each company, depending on the number of transactions it processes, is assigned a level, and each level has its own set of requirements. The levels differ from one payment system to another.
Verification of compliance with PCI DSS is carried out as part of mandatory certification, the requirements for which differ depending on the type of company being checked: a merchant that accepts cards as payment for goods and services, or a service provider that provides services to merchants, acquiring banks, issuers, and so on (processing centers, payment gateways).
Assessment is carried out in different forms:
- annual audits by accredited companies with Qualified Security Assessor (QSA) status;
- annual self-assessment;
- quarterly network scans by authorized organizations with Approved Scanning Vendor (ASV) status.
Each of the main regulations sets out its own requirements for conducting a conformity assessment in one form or another: from self-assessment by filling out questionnaires (PCI DSS) to passing a statutory audit once a year (ISO 27001). There are other forms of conformity assessment as well: notifications to payment system operators, quarterly scans, and so on.
On the other hand, there is still no single system of views, not only on state regulation of information security audits of organizations and information technology systems, but also on the very subject of an information security audit. Different approaches, different standards, different levels of maturity... All this hinders the establishment of uniform rules of the game.
The appearance of fly-by-night firms only compounds matters. In pursuit of profit, they offer low-quality services in assessing compliance with information security requirements. And the situation is unlikely to change for the better.
Since there is demand, there will be those who want to satisfy it, yet there will not be enough qualified auditors for everyone. Given their small number and audit durations of several weeks to several months, it is obvious that demand for audits seriously exceeds the auditors' capacity.
Successful completion of an audit does not mean that everything is fine with security in the bank. Many tricks allow an auditee to hide security flaws, and much depends on the qualifications and independence of the auditors. Experience shows that incidents occur even in organizations that have been audited against PCI DSS or ISO 27001.