Review
of Central Bank Guideline for Electronic Banking
By
Femi Oyesanya
yeyerolli1@aol.com
INTRODUCTION
The Guideline for Electronic
Banking is a prerequisite for this paper. A copy of the Guideline can be found
at:
http://www.cenbank.org/OUT/PUBLICATIONS/BSD/2003/E-BANKING.PDF
OVERVIEW
The Central Bank of
Nigeria
has proposed a detailed guideline for the Electronic Banking
in Nigeria
. The following is a critical review of the guideline.
Specifically, the review focuses on the Information and Communications
Technology sections of the guideline, and it will attempt to reveal weaknesses
in the CBN’s proposal guideline. Where possible, alternative recommendations
will be defined. In issuing
this review, a key factor that underlies some of the alternative
recommendations, is the corrupt business environment. Information technology
risk are assumed to be higher, hence Information security controls must meet
these risks.
1.0
Technology and Security Standards
Review
The CBN has proposed an
approval process for all technological investments that exceeds 10% of free
funds. The 10% factor is arbitrary. Rather than proposing a 10% percentile, CBN
ought to define in clears terms, a definitive methodology for evaluating
tangible and intangible mid to large-scale technological asset acquisitions
pursued by Banks. As written, an investment that stands at 9.99% of fee funds,
is not subject to CBN approval. A clearer approval process, might involve, a
methodology for the assessment of technological investments, in lieu of tangible
and intangible return on specific technological investments. The entire process
of technological asset acquisition might need to be reevaluated. A 10% of free
fund criteria ought not to be the only criteria for stipulating an approval
process for key technological acquisition.
In
addition to the above suggestions, the proposal also recommends that the core
technological and security standards includes the following:
-
A guideline for criminal background checks for Banking Information
Technology Employees. Such background check, might include psychological
profile examinations, and general character assessment tests.
-
A
guideline for Criminal background checks for Banking business associates
that will participate in the implementation of core Information technology
architecture. Vendors must certify their business reputation.
-
Guideline for new employee hiring and termination. Strict guidelines must
address the issue of disgruntled employees. Information technology assets
belonging to the banks must be must be recovered at the point of
termination.
1.1 Standards for Computer Networks and Internet Review
The
proposed guideline addresses controls for banking data communications, and
specifies specific technologies, such as proxy type firewalls to implement
Security measures for data communications. It specifies controls for external
devices, connecting to a larger Network. However, the review falls short of a
key Network Security criteria. An initial technology environment, and risk
assessment of each individual Financial Institution is not required.
In
the opinion of this review, the CBN ought to
recommend a standard that allows the Banks to examine potential threats that
may already be existing in each individual Financial Institution’s current
Network. The local Intranet facility must not be assumed to be secured.
Furthermore, each external device permanently connected, or otherwise
connecting, to the Banking Network ought to implement the connection in a
layered and trusted basis. All devices are not equals. Each device ought to
have it’s own access control label, that allows it only to a specified layer of
access.
1.2
Standards on Protocols
The CBN’s guideline calls for
steps to ensure access to data is defined by clear access control measures. In
addition, Banks should be encouraged to define clear standards for classifying
data. Data sensitivity classification allows access control of the data to be
more cost effective.
Banks should be encouraged to implement Data
sensitivity schemes into their Information Security Framework. Also, besides
human access to data, Computer Applications also have access to data. The point
here is that, access control lists should not be limited to human operators, but
also to include Computer processes.
In
addition, allowing access to Network protocols that are only needed is not
enough, this review proposes that only secured ports should be open. For example
SSH rather that FTP, and HTTPS, rather than HTTP protocol.
1.3
Standards on
Applications And System Software
Review
This
section of the guideline offers a proposal for architectural implementation,
Banking application interface, data communications, software support, physical
security, and the segregation of IT security personnel from the IT personnel
within a financial division.
It is
the opinion of this review, that the guideline provided for Application and
System Software, is at the very least, inadequate. In general, most security
vulnerabilities occur in Application and System Software level. The CBN ought
to elaborate more on Security issues associated with the deployment of
Applications and Systems Software. Banks must implement policies and procedures
that hold their Systems Personnel accountable for implementing application, and
Systems Software level Security. System Software Security patches must be
applied timely. Banks must review the historic security reputation of potential
Vendor Software application, and implement appropriate steps to address
shortfalls in vendor proprietary Software security issues. Programs developed
in-house, must be subjected to security quality review. Anti Virus and
Intrusion detection Software updates needs to be applied timely. A three-tier
architecture needs to be considered for implementing the technological
infrastructure.
Lastly, Banks should implement directives for Application Change Management
schemes, and provide
an
effective quality assurance over Applications and System Software
implementation.
1.4
Standards on Delivery Channels
The
delivery channel, is the Communication path between the Banks, it’s business
associates, and it’s customers. The guideline defines a standard for data
confidentiality, integrity and non-repudiation. Clearly, it is the goal of the
CBN, to implement a process for data security and integrity as the data travels
from source to destination. In the view of this paper, the CBN should recommend
data transmission security expectations beginning from the origin of the data
transmission, the delivery path, and the end point.
The
point of data origination, must implement security controls, likewise the
transmission path,
and
the endpoint.
Also, since each transmission path might face varying security challenges, the
CBN might want to specify varying security controls, for the diffrent data
transmission Networks. In a very general sense, transmission Networks and their
security recommendations might be classified as follows:
A)
Security recommendations for data transmission that occurs using the
highly vulnerable Public data Transmission network. EG, Dial UP.
B)
Security recommendations for data transmission that occur through a more secured
point to point private Network.
C)
Security recommendations for data transmission that occurs through wireless data
transmission.
Specific delivery path needs different security requirements to make the
transmission secured. For example, data transmission that occurs via the public
network, might be expected to enhance it’s Security by using VPN, while Fiber
Optics point to point might not.
Also,
audit trails expectations needs to be clearly defined. Specific audit trail
attributes
needs
to be clearly identified by the CBN. Specific data items that needs to be
captured, needs to be defined by the CBN.
1.4.2
Automatic Teller Machine
The
guideline for ATM primarily focuses on physical and transactional security. The
CBN emphasizes Customer security and gives recommendation for the careful
location of ATM devices. However, it fails to recommend a standard for total
number of simultaneous connections to the ATM network. As a condition of
Service, CBN should define acceptable ATM Network saturation point. What is the
acceptable level of simultaneous connection?
1.4.3
Internet Banking Review.
The
CBN guideline requires that only authorized staff should be able to change
information on the Banks Web Site, the CBN must also specify, that Banks must
put processes in place, to ensure that only authorized computing processes are
allowed to make changes to the Web Site.
The
CBN requires that when hosting services are outsource by the Banks to ISP’s, the
ISP must ensure that firewalls are configured properly by the ISP. In the
opinion of this review, the ISP must not be allowed to have any technical
administrative controls whatsoever, to any security device protecting the Banks
Information asset. Even when outsource, Banks must make sure that any gatekeeper
technology remains solely in their control. Allowing Firewalls, and similar
devices to be managed by non-banking employees might open the door for
unprecedented security breaches.
In
addition, the following Web security measures are also recommended:
a)
All Web Pages displaying customer information must be encrypted. Banks
might want to consider
Using
the Https encryption to secure it’s web pagesCustomer Browsers must also support
a higher level
encryption bit.
b)
The CBN might opt to own a centralized digital Certificate issuing
Server, specifically for Banks. This gives the Digital certificate issuing
authority, centralized advantages, of managing issuance, expirations, and
renewal of the these digital certificates. Alternately, Banks can form a
centralized body that performs the same digital certificate issuance function.
c)
Banks must implement Web Site change management controls.
d)
Banks web sites must contain mechanism thatmakes the customer session expire,
after some set period of inactivity. Logins sessions to Web Sitesmust not be
permanent.
e)
Policies should be made to address the response time of processing transactions
on a Banks web site
1.4.7 Switches
In
addition to recommendations in this section of the guideline, the CBN must also
encourage switching companies to implement a structured security incident
reporting policy, which submits it’s formal findings directly to the CBN.
1.5
Standards on Security and Privacy
Review.
The
standard for security and privacy does not particularly recommend any guideline
for privacy. The CBN must outline specific standards for how Banks manage
customer information held by Banking Systems. There must be clear provision for
Customer data confidentiality. Specific outlines must be provided in the
following areas:
A)
Access of customer banking records by governmental agencies.
B)
Access of customer banking records by external business associates of the
Banks.
C)
Marketing of customer banking records.
1.5.5
Backup recovery and business
continuity
review.
This
section needs to specify data aging criteria. How long should archived data be
kept? Clear criteria should be defined for transactional processing data, and
detailed records. It must specify the acceptable length of time for which,
these records must be stored in archive.