If you have issues viewing or accessing this file, please contact us at NCJRS.gov. (,) ~\ .. 1.1 " r,' ' FDIPrf;lparf.)d by 'Pivisi,onof Man­ o '~!lement Svstem~ and, Finan- " clal Statistics/Federal Deposit f) Insl,mmce Corporation, Wash· ington, 0.t.20429 o o \), ! \' A GU~IDE, TO" EDP" AND EFT '~ f 'f SECURITY 1 '" ',I t o~BASED "ON '. o OCCUPATIONS fl, o o 'Z:) ------.----~~--------- A GUIDE TO EDP AND EFT SECURITY BASED ON OCCUPATIONS NOVEfviBER 1977 , , Prepared by: Division of Management Systems and Financial Statistics Federal Deposit Insurance Corporation Washington, D.C. 20429 Consultants: Don B. Parker and Russell Dewey SRI International TABLE OF CONTENTS I INTRODUCTION. .. 3 Pu rpose .................................. , ............ , ........ , 3 Limitations. .. 3 Applicability To Small Organizations. .. 3 II EXECUTIVE SUMMARY .............................. , . .. 5 III THE EDP AND EFT ENVIRONMENT.. ..... .. .. .. ........... 7 EFT Network (Figure 1). • . .. 8 Occupations by Employers (Figure 2) .................................. 10 IV BASIC SECURITY MEASURES ...............•..............•....... 11 V CLASSES OF VULNERABILITIES ...........................•....... 13 Class I - Physical ................................................. 13 Class II - Transactional. ........................................... , 13 Class III - Programming ........................................... , 13 Class IV - Electronic ............................................. , 13 Vulnerabilities by Occupation (Figure 3) ............................... 13 Vulnerabilities by EDP Controls and Audit Tools and Techniques (Figure 4) .... 14 VI EDP AUDIT TOOLS AND TECHNIQUES ..............•.......•....... 15 Introduction .............................................•....... 15 EDP Audit Tools and Techni'lues by Occupation Applicability (Figure 5) ...... 15 Ranking of Occupations by Number of Applicable Tools and Techniques. .• 15 Ranking of Tools and Techniques by Number of Occupations Affected ....... , 16 Page Listing of Audit Tools and Techniques Descriptions ................... 16 Descriptions of Audit Tools and Techniques .....................•....... 17 VII EDP CONTROLS .......•................................... '" ... 27 Introduction ..............•.............................. , . • . .. 27 EDP Controls by Occupation Applicability (Figure 6) ..................... 27 Ranking of Occupations by Number of Applicable Controls ...............• 27 Object of Controls ....................•..................•....... 27 Responsibility for Controls ................................•....... 27 Ranking of Controls by Number of Occupations Affected ............ , ..... 28 Page Listing of EDP Controls Descriptions .............................. 28 Types of EDP Controls ............................................. 29 VIII OCCUPATION VULNERABILITIES .................................. 33 Introduction ........................................ : . .. 33 Knowledge by EDP and EFT Occupations (Figure 7) ...................... 35 Skills by EDP and EFT Occupations (Figure 8) .••.......••....... , ....... 35 Physical Access by EDP and EFT Occupations (Figure 9) ................... 36 Functional Access by EDP and EFT Occupations (Figure 10) ................ 36 Page Listing of Occupation Descriptions ................................ 37 Descriptions of Occupations. .. 38 IX CONCLUSION ................................................... 79 Vulnerabilities .................................................... 79 Controls and Audits Tools and Techniques ................•............. 79 Occupational Access. • . • • . • . • . • • . .. 80 Skills and Knowledge .....................•........................ 80 I INTRODUCTION Purpose - This guide is part of a set of papers on • conclusion, including issues and problems the subject of Electronic Funds Transfer (EFT).* concerning the vulnerabilities and remedies The primary purpose of this guide is to supply all Other sections of this guide provide the fellow­ people charged with the safe use of E DP (whether ing: in traditional financial institutions or in EFT) with • a ')ummary for executives (Section II) a means of more effectively providing for and eval­ uating EDP and data communications security • a descri ption of the E DP and EFT environ­ from the source of vulnerabilities - people in EFT ment (Section III) and banking related EDP occupations. • general remedies which apply to EDP and Losses are growing from accidental and inten­ EFT personnel ~Section IV) tional acts involving computers and data communi­ • classification of vulnerabilities (Section V) cations in financial institutions. Current estimated • descriptions of applicable EDP audit tools and losses from credit card fraud alone are $500 mil­ techniques (Section VI) lion and could rise to $6-10 billion by 1986 (Frost • descriptions of EDP controls (Section VII) and Sullivan, as reported in Bank Systems and • concluding recommendations (Section IX) Equipment Journal, June 1977). Of even greater Tables are included throughout the guide which concern is the growing potential for single in­ cross-refer occupations with remedies. stances of massive loss through EF-T. As EFT grows, participants will become highly dependent limitations - No guide on vulnerability and secur­ on continuously available computer services in ity can completely and directly apply to each EDP which most of their assets are stored in electronic organization. Variations in job descriptions, system form. Fortunately, the use of automated systems configurations, organizations, environments, and offers a great potential for prevention, effective procedures require adaptation of the information detection, and recovery from such losses. This and advice presented. The occupations included are guide describes ways to put that potential to use. based on a depiction of the EDP and EFT environ­ Losses, whether intentional or accidental, can ments described in this guide (Section III). The only be caused by two sources: natural events. vulnerabilities (Section V) are based on four (such as storms) or people. This guide focuses on classes! physical, transactional, programming, and the people who have the skills, knowledge, and electronic. The audit tools and techniques and the necessary access to cause material losses. Exam­ EDP controls (Sections VI and VII) were selected iners, certified public accountants, internal audio from the Institute of Internal Auditors Systems tors, security special ists, and line managers need to Auditability and Control reports (1977). which understand the vulnerabilities caused by various describe the current state of the art of E DP audit­ groups of people. This understanding is essential in ing. providing adequate security from losses. To meet If the observed practices among EFT participant that objective, this guide identifies most of these organizations differ from those prescribed in this groups, describes the related vulnerabilities, and guide, the guide users should not immediately offers advice on protection. assume they have found weaknesses in the organi­ The principal section of this guide, Occupation zation. As there are few standards or generally Vulnerabilities (Section VIII), contains a vulner­ accepted practices in the computer field, many ability analysis and two-page description of each of variations and deviations from descriptions and twenty EDP related occupations in financial insti­ statements in this guide will be found. When differ­ tutions and EFT. Ea':!/l description includes the ent practices occur, the guide user should consider I' following information: the factors of the particular situation. The differ­ .. job functions ent practices may be as beneficial as the practices I. recommended in this guide. • probable EFT employers Applicability to Small Organizations - The small • knowledge, skills, and work area access EFT merchant or financial institution has serious needed in the occupation related to the posi­ vulnerabilities and often more difficult protection tion of trust problems than the large organization. Although the • vulnerabilities of an EDP system related to small organization has the same exposure as the accidental and intentional acts that might be large organization, it has less resources to Jevote to perpetrated by an individual in this position security. Assuming a network is only as safe as its • audit tools and tech niques and E DP controls which could reduce the identified vulnerabil­ *Other publications in the series are listed on the last page of this ities guide. 3 weakest link, the exposure of the small EFT mer­ chant or institution adds to the exposure of other EFT participants in the same network. Larger net­ work participants may resist interfacing their elec­ tronic functions with those of smaller EFT partic­ ipants until certain standards are met. 4 II EXECUTlVE SUMMARY This guide was written to help ensure the safe by programmers and engineers. Only computer use of computer and data communications tech­ center controls and application system develop­ nology. It was designed for bank examiners who ment controls were found to effectivelY apply to evaluate audit effectiveness, for auditors who eval­ programming and electronic classes of vulnerabil­ uate computer systems and networks security, and ities. Few apply to transaction and physical vu Iner­ for E DP managers who are responsible for the per­ abilities. formance of their employees. We face a problem today with the advancing use Guides to electronic data
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages85 Page
-
File Size-