We perform the Internet Banking Assessment in compliance with the new FFIEC guidance which includes seven steps:
Step 1: Gather Necessary Information
The first step in the FFIEC risk assessment framework is to “Gather Necessary Information”. The risk assessment should be based on current and detailed knowledge of the financial institution’s operating and business environment.
For your online banking risk assessment, relevant information may include:
- A list of the web services provided by your financial institution and their capabilities
- Network diagrams, data flow diagrams, and authentication documentation for relevant in-house systems.
- Contracts, diagrams, and other documentation for outsourced online banking services.
- Reports of prior online fraud incidents
- Current and past audit findings related to online services
- Documentation related to current online fraud trends and techniques. (Our next blog posting in this series will provide an outline of the current state of online banking fraud.)
- List of available security enhancements or the road-map for new enhancements from your online platform software vendor or service provider.
Step 2: Inventory Systems and Data
The next step in the FFIEC framework is to Inventory systems and data. For your Internet banking risk assessment you may want to consider including the following information in your inventory for each of your web services:
- Website name/URL
- Purpose and target audience
- Does it allow for viewing of balances or other sensitive customer information?
- Does it allow for internal transfers between accounts within the system?
- Does it permit transactions that send funds out of the system?
- Does it permit high-risk transactions such as ACH or Wire Transfers that send funds immediately out of the account.
- Current authentication method(s) utilized
- Current password reset/lockout method utilized
- Any fraud detection or other security layers employed
- What is the impact of an outage
Also consider the scope of your risk assessment. Will it only include services available to customers, or will you also perform a risk assessment of services available only to your institution’s employees? Will it only include web services, or will it also include items such as your telephone banking automated voice response, merchant capture services, or mobile banking applications. An appropriate scope may be any automated/electronic service that is utilized by customers of your institution.
Step 3: Data Classification
Once your inventory is complete, the next step is to classify and rank the systems based on their data and capabilities. To come up with this initial risk rating, consider the impact to your customers or your institution if an account was breached. Websites that contain general information, such as a listing of your locations and the products and services you have available, would likely be a lower risk in terms of client impact. A system that allows a client to view account balances and perhaps transfer funds between related accounts may be a medium initial risk. If the system allows transactions that can send funds out, such as an online bill pay service, it is likely a high initial risk for fraud. Systems that allow high risk transactions such as ACH and Wire would be a very high initial risk.
Step 4: Assess Threats and Vulnerabilities
Next you need to assess the threats and vulnerabilities impacting each of your online services. A good way to approach this may be to brainstorm a list of the threats and vulnerabilities that may impact your online services, and then go through your list of online services and consider/document if that service is vulnerable to each threat.
Some of the threats and vulnerabilities to consider include:
- Passwords stolen by malware on customer machines
- Weak passwords/password guessing or cracking by hackers
- Creation of unauthorized “money mule” fund recipients
- Creation of unauthorized transactions
- Creation of unauthorized login ID’s or accounts
- Man in the browser Trojan attacks
- Man in the middle network attacks
- Denial of service attacks
- Account sharing by customers
- Insider fraud at your FI
- Web application vulnerabilities (SQL injection, Cross site scripting, etc.)
Step 5: Evaluate Control Effectiveness
The next step in the FFIEC framework is to identify controls that will reduce the likelihood or impact of the threats and vulnerabilities. Controls are generally categorized as preventative, detective or corrective. When evaluating control effectiveness, you need to measure or judge how reliable the control is at preventing or detecting the event that it was designed to protect against.
Some Preventative controls to consider for your online banking risk assessment include:
- Multifactor authentication
- Any IP blocking or whitelisting
- Transaction limits
- Intrusion Prevention systems
- Password policies
- Client education
- Account access controls/rights assignment
Some Detective and Corrective controls to consider include:
- Hueristic monitoring or other fraud detection systems
- Transaction approval processes
- Report review
- Intrusion Detection systems
- Email alerts
- Incident response and escalation procedures
Step 6: Assign Risk Ratings
The next step is to assign a residual risk rating for each identified system. There are many ways to determine this residual risk rating. One possible approach could be to look at each identified threat or vulnerability and assign a control adequacy rating to it (“controls are strong”, “controls are adequate”, “controls are weak”) . You could then pull the control adequacy ratings together with your initial risk ratings to determine a residual risk. For example, if you had a system with high initial risk, but all the controls are at least adequate, then that system may have a medium residual risk. However, if you have a high initial risk and weak controls, you likely have a high or very high residual risk. The ratings and logic is something you’ll want to map out in a way that fits your organization.
Step 7: Develop response plan for unacceptable risks
Through your assignment of risk ratings, your risk assessment process should highlight areas where your controls are weak or inadequate. The final step in your risk assessment should be to assess and report these unacceptable risks and develop and plan of action to reduce the risk.
For further information on our Online Banking Assessment service, please contact one of our Sales representatives by calling +1 800 916-6037 or by completing our Online Inquiry Form.