What's happening in the area of E-security for financial transactions in China

Dr. Wang Jun, Head of E-banking Division, Bank of China
Sep. 26, 2002
A tremendous potential e-financing market is coming in China

Service      Unit            Existing customers   Increase in customers
Telephone    Ten thousand    20352.9              2316.1
Mobile       Ten thousand    18485.5              3963.4
Internet     Ten thousand    4331.9               675.7

Penetration of telephone    per 100 persons    30.22
Penetration of Internet     per 100 persons    3.25
Penetration of mobile       per 100 persons    13.86
Internet banking            Ten thousand       250.2
Internet stockjobbing       Ten thousand       491.8
What's happening in the Chinese finance industry

- Almost all financial institutions, including retail banks, insurance agents and stockjobbers, have been delivering their products and services over the Internet and by telephone.
- Almost all banks are investing more money in developing Internet banking, telephone banking, mobile banking and call centers.
- Three major banks are about to roll out Internet banking integrated with their call centers.
- E-security, as a key component in delivering the benefits of electronic finance, is attracting more and more attention.
Technology-based banking products & services

- Balance inquiry
- Transaction information
- Funds transfer
- Cash management
- Bill payment
- Bill presentment
- Loan applications
- Stored value
- Aggregation
- Electronic finder
- Automated clearinghouse (ACH) transactions
- Internet payments
- Wireless banking
- Certification authority
- Data storage
Technology and risk considerations

- Legal liabilities
- Strategic and business risks
- Business continuity planning and continuity of services
- Cross-border and international banking
- Monetary loss
  - Direct
  - Lost productivity (due to denial of service)
  - Cost to recreate lost information
Key technology risks

- Authentication, identity verification and authorization
- Transaction errors
- Data corruption
- Repudiation of transactions
- Interception of data (privacy and confidentiality)
- Hacking
- Fraud and illegal acts
- Virus intrusion
E-security framework and mechanism

[Framework diagram; labels as shown on the slide:]
Policies & Standards; Classification & Control; Configuration Management; Organization; Infrastructure Management; Administration Procedures; Systems Planning, Development & Maintenance; Monitoring, Logging & Reporting; Validated Access (Authorization, Authentication, Administration); Environment Access (Perimeter Network, Internal Network, Application, Facility); Internet, Extranet, Wireless, Dial-Up; Access Control; Secure Communications; Workstation, Servers, LAN, WAN; Confidentiality; Email & E-forms, Web, Enterprise, Middleware, Database; Reliable Transactions (Integrity, Non-Repudiation, Accountability); Areas (Equipment, Media, Personnel); Roles & Responsibility; Training & Awareness; Incident Response; Compliance; Virus; Operating Systems; Infrastructure Integrity Protection (Content, Configuration, Network Devices); Intrusion / Misuse; Physical; Segmentation; Third-Party Access; Risk Management; Recovery, Continuity, Availability, Backup, Redundancy
Procedure of e-security implementation

[Process diagram; labels as shown on the slide:]
- Risk Analysis
- Technical
  - Technical Requirements
  - Technical Specifications: Hardware, Software, Systems Management, Vulnerability Assessment, Intrusion Detection
- Management
  - Management Requirements
  - Management & Administrative Techniques: Standards, Procedures, Guidelines, Missions/Roles, Job Descriptions, Organization
- Policies and Strategies
- Integrated Architecture
- Execution, Measurement, Feedback, Refinement
Key elements of a security program

Reviewing physical and logical security:
- Review intrusion detection and response capabilities to ensure that intrusions will be detected and controlled.
- Seek necessary expertise and training, as needed, to protect physical locations and networks from unauthorized access.
- Maintain knowledge of current threats facing the bank and of the vulnerabilities in its systems.
- Assess firewalls and intrusion detection programs at both primary and back-up sites to make sure they are maintained at current industry best-practice levels.
Key elements of a security program

Reviewing physical and logical security (cont'd):
- Verify the identity of new employees, contractors or third parties accessing your systems or facilities. If warranted, perform background checks.
- Appropriate backup and recovery.
- Evaluate whether physical access control to all facilities is adequate.
- Work with service provider(s) and other relevant customers to ensure effective logical and physical security controls.
- Proactive network security that effectively prevents, detects and responds to intrusions.
- Effective authentication can help banks reduce fraud, reputation risk and disclosure of customer information, and promote the legal enforceability of their electronic agreements.
Key elements of an e-security program

[Bar chart; the elements rated are Integrity, Access control, Encryption, Anti-virus, Authentication, Monitoring, Recovery, Digital signature and Non-repudiation; the scores shown are 89.78, 86.11, 84, 81.33, 72.56, 72.44, 76.11, 74 and 68.44.]

Access control is the most crucial element of an e-security program.
Thank you for your attention!