Take It To The Bank

Jun 1, 2004 12:00 PM
By Joanne L. Harris

Cash isn't the only asset that financial institutions have to worry about protecting. Critical customer identification and personal financial information for loans, savings and checking accounts can be found at every bank branch. Customer investment portfolio information can be found in every stock brokerage firm. And customer credit card numbers and credit limits are found in every credit card processing facility. Security is a major component in protecting the integrity of the nation's financial infrastructure.
Protecting financial information

Both government agencies and banking consortiums worldwide are getting involved to improve the security of financial information, the compromise of which can lead to embezzlement, fraud and theft.

The Federal Financial Institutions Examination Council (FFIEC) is made up of five federal financial regulators, including the Board of Governors of the Federal Reserve System, the Office of Thrift Supervision and the National Credit Union Administration. The Council issues uniform examination standards that examiners use to verify that financial institutions meet security requirements for both physical access and logical access. Many auditors and consultants use these standards to perform annual or biannual audits of financial institutions.

The Gramm-Leach-Bliley (GLB) Act, enacted in 1999, was primarily intended to repeal restrictions on affiliations between banks and securities firms. However, it also requires financial institutions (and anyone who receives protected information from a financial institution) to adopt strict privacy measures for their customers' information. The GLB Act requires all financial institutions to protect against unauthorized access to customer records that could result in harm or inconvenience to any customer. It also requires them to establish an information security program to assess and control risks to customer information, and to put access controls, including authentication and authorization measures, on the information systems that hold customer data.

Joel Rakow, an e-crimes practice lead and partner of Tatum CIO Partners LLP in Los Angeles, described how he applied the in-depth requirements of the FFIEC regulations and the GLB Act to conduct a security assessment for a banking client.

"We took the 'best practice' approach," said Rakow, "looking at 21 components, from risk management to account management, and authentication to training and awareness."

The assessment revealed that both employees and visitors could reach any floor, and that a guard was not fully attentive. "The LAN wiring was installed in unlocked closets or in copy rooms where anyone could slip in, install a device and then sit outside and tap into the system," Rakow said. "The institution did not encrypt their transmissions, and they used an easy ID and password system that could be seen going across the line into their mainframe. Their big hole was in allowing people to go anywhere, and I don't think they are the exception to that."

Provisioning solutions that track access rights are one method to help companies comply with the GLB Act regulations for customer information protection and privacy.

"When an employee joins a financial institution," said Deb Pappas, vice president of marketing at Courion Corp. in Framingham, Mass., "there are often 20-30 different accounts, including networks, mainframe, and associated applications, that need to be generated in a large enterprise for a new employee to become productive."

If there is no centralized repository or audit trail to show what access rights have been granted, there is no easy way to ensure that access is turned off everywhere when someone leaves the company, Pappas explained. "If I turn off five of your seven accounts, the other two become abandoned, and those accounts can become back doors for hackers."

"Courion developed user-provisioning software called Account Courier to manage access rights with centralized control," Pappas said. "The software can turn on access rights, perform move/add/change functions, and turn off all access rights within seconds to minutes, depending on how many accounts an individual has."

The Account Courier solution tracks every request for access by person and by how deep the access goes. "Many companies are failing audits because they can't identify all of their access accounts," Pappas said, "and now they are being forced to comply with the audits."

Audit compliance improves security by ensuring that users are granted access only to what they need, and by providing the ability to turn off access rights in near real time rather than in days, weeks or never.
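The control Pappas describes, a central ledger of every account granted to a person, a single offboarding step that revokes them all, and a reconciliation pass that finds the "abandoned" accounts a partial offboarding leaves behind, is shown below as an added example. It is not Courion's Account Courier nor any code from the article; the system names, employee ids and account inventories are constructed for the demo.

```python
"""Access-rights ledger plus orphaned-account reconciliation.

Added example, not the vendor's product: it models a central repository of
grants, one-step deprovisioning, and an audit that compares what each system
actually has against the ledger and HR. All names below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Grant:
    system: str
    account: str
    granted: date
    revoked: Optional[date] = None


class AccessLedger:
    """Central record of who holds which account on which system."""

    def __init__(self):
        self._grants = {}  # employee id -> list[Grant]

    def provision(self, emp_id, system, account, when):
        self._grants.setdefault(emp_id, []).append(Grant(system, account, when))

    def active_grants(self, emp_id):
        return [g for g in self._grants.get(emp_id, []) if g.revoked is None]

    def offboard(self, emp_id, when):
        """Revoke every active account for one person; return what was revoked."""
        revoked = []
        for g in self.active_grants(emp_id):
            g.revoked = when
            revoked.append((g.system, g.account))
        return revoked

    def owners(self):
        """(system, account) -> employee id for every still-active grant."""
        return {(g.system, g.account): emp
                for emp, grants in self._grants.items()
                for g in grants if g.revoked is None}


def reconcile(ledger, system_inventories, active_staff):
    """Audit each system's real account list against the ledger and HR.

    system_inventories: {system: set of accounts present on that system}
    active_staff: employee ids HR still considers employed
    Returns (orphans, stale, unrecorded), each a sorted list of (system, account):
      orphans    - live on a system but no active owner in the ledger (back doors)
      stale      - ledger still active but the owner is no longer employed
      unrecorded - ledger says active but the system no longer shows the account
    """
    owners = ledger.owners()
    orphans = sorted((sys, acct) for sys, accts in system_inventories.items()
                     for acct in accts if (sys, acct) not in owners)
    stale = sorted((sys, acct) for (sys, acct), emp in owners.items()
                   if emp not in active_staff)
    unrecorded = sorted((sys, acct) for (sys, acct) in owners
                        if acct not in system_inventories.get(sys, set()))
    return orphans, stale, unrecorded


def demo():
    ledger = AccessLedger()
    # Constructed onboarding: E100 gets five accounts across five systems.
    for sys, acct in [("ad", "jdoe"), ("mainframe", "JDOE1"), ("wires", "jdoe"),
                      ("vpn", "jdoe"), ("loanapp", "jdoe")]:
        ledger.provision("E100", sys, acct, date(2004, 1, 5))
    ledger.provision("E200", "ad", "asmith", date(2004, 2, 1))
    ledger.provision("E200", "mainframe", "ASMITH", date(2004, 2, 1))
    ledger.provision("E200", "vpn", "asmith", date(2004, 2, 1))
    ledger.provision("E300", "ad", "bwong", date(2004, 3, 1))  # never offboarded

    # E100 leaves; the ledger revokes all five grants in one step.
    revoked = ledger.offboard("E100", date(2004, 5, 30))

    # Constructed inventories pulled from each system afterwards: the
    # mainframe and wires admins missed the ticket, and wires has a service
    # account nobody in the ledger owns.
    inventories = {
        "ad": {"asmith", "bwong"},
        "mainframe": {"JDOE1", "ASMITH"},
        "wires": {"jdoe", "svc_batch"},
        "vpn": set(),            # asmith's VPN account was deleted out of band
        "loanapp": set(),
    }
    hr_active = {"E200"}         # HR says E300 has already left
    orphans, stale, unrecorded = reconcile(ledger, inventories, hr_active)
    return revoked, orphans, stale, unrecorded


if __name__ == "__main__":
    revoked, orphans, stale, unrecorded = demo()
    print("revoked at offboarding:", revoked)
    print("orphaned accounts (back-door candidates):", orphans)
    print("stale grants (owner gone per HR):", stale)
    print("ledger grants missing on the system:", unrecorded)
```

Each of the three findings maps to a different failure the text describes: orphans are the "two of seven" accounts left running after an incomplete offboarding, stale grants are the "never" case where nobody told the ledger, and unrecorded grants show the ledger itself drifting from reality. Running the reconciliation on a schedule, against exports pulled directly from each system rather than from the provisioning tool, is what makes the audit trail trustworthy.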
Security and the Basel Accord

In 1988, the Basel Committee on Banking Supervision, a group of banking regulators from the leading industrialized nations hosted by the Bank for International Settlements in Basel, Switzerland, established standards for the amount of capital that banks should hold against their credit risk. The resulting document became known as the Basel Capital Accord. Originally designed for internationally active banks, it is quickly becoming the standard for regulatory bodies worldwide.

The New Capital Accord (Basel II) is expected to be implemented in each member country by year-end 2006. During this period, financial institutions are expected to adapt and develop necessary systems and processes to conform to the standards of the new Accord.

What does the Basel Capital Accord mean to financial institutions? "Previously, the assessment was only based on the quality of an institution's loan portfolio," said Tari Schreider, director of security services at Hewlett Packard in Atlanta. "If you received an 'A' rating, you might only have to put 8 percent into your capital reserves, but if you were rated a 'B,' you would have to put aside more."

But with the advent of Basel II, said Schreider, part of the assessment is based on operational risk, including the quality of physical security, access control, disaster recovery and Internet security. "This new 'score card approach' allocates capital based on the relative risk of each business unit," Schreider said.

For instance, if the auditors are looking at the foreign exchange department, they will look at how both physical security and logical security (Internet protection, software protection, firewalls) are used and managed. Then they may look at cage operations for clearing stocks. In essence, they will basically "dissect" a bank by department and rate the risk of each department.

Many banks also outsource work to an external provider, often another bank or a bank subsidiary. Computer processing, applications development, the mail room, lock box operations, virtually every capability of a bank, can be provided by outsourcing companies.

Previously, banks said that the protection and security of the outsourcing firm was the outsourcer's responsibility, but the Basel Capital Accord will place the onus on the bank.

"Since most outsource contracts are 10 years in length," Schreider said, "if the institution is not ensuring up front that they are compliant with the Basel Capital Accord, they could be setting themselves up for huge liability cases, or spending a lot more money to do so down the line."

"The banks have spent a lot of time focusing on their online banking models and on securing those applications," Schreider said. "They haven't looked at the bricks and mortar physical protection as well. We try to blend them together through our assessments."
Ready, willing and able

Not all financial institutions are waiting for the auditors to show up before they get their ducks in a row. Fidelity Federal Bank and Trust is a $3 billion community bank based in West Palm Beach, Fla., that operates 41 branches across a four-county area.

"Two years ago," said Andy Hoyt, first vice president, director of security at Fidelity Federal Bank and Trust, "we didn't even have CCTV in our previous operations facility. It is a product of our environment. You need to have the ability to know who is coming in or out of your building. Our corporate office complex now has 60,000 square feet in five floors of office space, and a nine-story parking garage."

Hoyt saw the need to upgrade the existing access control system because "the old system lacked flexibility for such basics as individualized access levels for employees and it could not handle multiple locations."

"We are currently using Lenel's OnGuard 2002 to secure our corporate office complex, the Insurance and Trust departments across the street, our remote check processing facility and three additional two-story branch locations," Hoyt said. "I can now assign access by department and time, and set reader parameters that I couldn't do before."

The bank also uses Panasonic Mini-dome model WS474 fixed cameras and Sensormatic Intellex Digital Recorders. In their parking garage, they installed Panasonic 464 fixed cameras within a Pelco weatherproof housing. The manned control room oversees the bank of monitors.

"The GLB Act and the Office of Thrift Supervision regulations require us to address physical security needs," said Hoyt, "such as a secure computer center with very limited access, and safeguarding customer information. Many of the security changes that we have implemented are based on those regulations."

The Bank Protection Act also mandates alarm and surveillance systems, although, as Hoyt noted, those requirements have been in place since 1968.

Hoyt said that the problems in the banking industry are more fraud-loss related. "The losses are astronomical," he said, "and that is mostly due to information theft and check fraud. Customer impersonation is a big issue."

For the bank's branches, specifications are now being drawn up for upgrades to bank-specific alarm systems, upgrades to color CCTV systems, and the industry-typical vaults and safes.

"We no longer need to back-up digital recording with tape. Local law enforcement is able to accept digital images as evidence," Hoyt said. "I'm also in the process of working with our integrator, Security One Systems, to upgrade our branch network to digital recording systems to eliminate VCRs and tape. The best part is that the DVRs can be networked on our LAN and run from my office. Branch managers will no longer need to worry about VCRs not working properly and having poor video quality on tape."

On a larger scale, the First National Bank of Omaha, Neb., and its affiliates have more than $14 billion in managed assets and more than 7,000 employee associates located across the United States. Primary banking offices are located in Nebraska, Colorado, Illinois, Kansas, South Dakota and Texas.

The bank's operations are housed in its three-story First National Technology Center in Omaha. The center is part of a more than $300 million, 13-square-block campus comprising five buildings: a 40-story tower (the tallest building between Chicago and Denver), the main bank building, a branch bank, the technology center and a child development center for employees' children.

"We have credit cards issued to about 4 million customers and we process credit card transactions for merchants," said Jim Van Lent, risk manager at the bank. "We also do contract work for correspondent banks as well, such as check and data processing."

The technology center houses the bank's main cash vault and computer center, and also hosts other businesses' computers on site.

"We wanted biometric access control, and finally decided on LG Iris Recognition System 3000," said Van Lent. "We placed the iris scanning device at the access points to the four areas requiring the highest security."

"Enrollment only takes about 30 seconds," said Van Lent, "and moving through the reader takes about two seconds. All of the other biometrics we looked at required a PIN number to pull up a biometric template, taking more time."

Van Lent said it is also more reliable than other biometric measures, with the probability of two irises being the same put at about 1 in 10^78. "Sunglasses, contacts, even bloodshot eyes, do not affect the iris," he said.

The iris scan device allows access into a mantrap. Once the first door closes, authorized personnel must then present an HID proximity card to the Hughes Proxpro 5355 reader to gain access through the second door.

The bank's campus uses NAVCO 4800 PTZ and fixed color cameras, Pelco Esprit ES 3000 PTZ camera system, and the Pelco CM 9500 Matrix camera controller with NAVCO 8500 DVRs. This controller allows them to view certain cameras on a callup monitor without impacting the recorded images.

"The cameras have allowed us to catch everything from transients who were trying to sneak into the building to get warm to embezzlements," Van Lent said. "Having such a strong security system has given us success in selling our bank services to host other companies' computers."

Delivery vehicles entering the facility must approach an exterior gate and be cleared by security via a remote gate release. The vehicle then proceeds up the ramp to the armored car doors. Security raises the outer door and the armored car backs into the bay, the first part of the armored car trap. Once the outer door is securely closed, the driver phones the bank vault representative, who comes to the dock and views the vehicle and driver through a bullet-resistant glass window before opening the inner door.

"Our main control center uses Diebold's GMS (Graphic Management System) with a redundant system at an off-site location to control the mixture of Diebold alarms and Hughes card readers throughout the complex and our 60 branch banks," said Van Lent. In addition to the five buildings on the complex, the system also monitors several parking garages, parking lots, and parks.

Primary critical power comes from fuel cells fed by two separate gas lines; if one line is ruptured, fuel still arrives through the other. Should the fuel cells go down, the UPS carries the load until two large diesel generators take over. A "last ditch effort" is the regular public utility.

"The entire power system was designed for 99.99999 reliability," said Van Lent, "and the facility has met the expectation. We have never been down since the building was completed."

The most important advice to others is to get involved in the design stage, said Van Lent. "I was integrally involved in the security design, working with the architects to see what did or didn't work," he said.

All in all, the audits are here to stay, and may well become more stringent as the requirements for information protection and privacy increase. The answer for financial institutions, it appears, is to be prepared with solid security on both the physical and logical levels.
Homeland security expert advises banks to make security top priority

Financial institutions should be prepared with specific plans to ensure continued operations and to protect their employees in the face of possible, future terrorist attacks, advised one of the nation's foremost Homeland security experts during a speech to nearly 40 senior bank security officials gathered at the recent ADT Financial Security Symposium.

"If you expect the government to come in and do it for you, it won't happen," said Stephen E. Flynn, Ph.D., a retired United States Coast Guard commander and a leading authority on Homeland security and border control. "We have to assume that the things we value need to be protected and then build in the necessary safeguards to do so."

Flynn and security experts from the law enforcement and financial sectors shared knowledge with attendees at the two-day conference held at the PGA National Resort in Palm Beach Gardens, Fla. ADT Security Services Inc., a unit of Tyco International's Fire & Security Division, has sponsored the event for the last three years.

Because of its importance to the U.S. economy, the financial industry would again be a likely target for future terrorist attacks, Flynn said. He added that the banking industry has been more proactive in protecting itself than many other critical industries, but that much more needs to be done.

"As new safeguards are put into place, you must integrate them into normal business practices," Flynn said. "You must take the steps to make security a part of the corporate culture from the top down."

Flynn recommends implementing a layered security process that relies on more than one approach to create a stronger, more flexible system. Then, should one portion of the system develop problems, he says, changes could be made to that one portion without having to re-engineer the entire system.

Flynn urged security officials to work closely with local, state and federal law enforcement agencies to keep abreast of the latest intelligence reports on terrorism. And he urged them to act swiftly to protect their workplaces.

"Sept. 11 showed we were wide open to attack, and we haven't done a lot to fix things," he said. "We are living on borrowed time, and we need to take advantage of this and fix our problems quickly."

Conference attendees also received some advice specific to their industry. Thomas Musheno, a forensics examiner for the FBI's Forensics Audio, Video and Imaging Analysis Unit, reminded the security officials of the need for sharp detail from bank cameras in order to definitively identify robbery and fraud suspects.

Identification can result from matching bank video system images with known pictures of the suspect's face, clothing, vehicle or weapon, he said.

He said financial institutions should insist on receiving quality, high-resolution digital systems from their security vendors. And once in place, cameras and lenses must be carefully positioned and angled to maximize the likelihood of identification. Adequate lighting is also important, as is regular equipment maintenance, Musheno said. He also shared preliminary digital video recorder and camera system guidelines for financial institutions that the FBI plans to publish later this year.
