Wednesday, June 5, 2019
Security Policy ATM
Security Policy Standard: ATM

The purpose of this document is to establish a security policy for Bank H. This comprehensive policy is intended to cover all aspects of information security relating to Bank H ATM machines, including the installation, maintenance, and operation of ATM machines and networks, employee responsibilities, ramifications for clients, and the security of ATM transactions.

This document is divided into three sections, each covering a key facet of information security:
Organizational Policy
Issue-Specific Policy
System-Specific Policy

Organizational Policy

Information security is a prime concern at Bank H. Much of our information is critical in nature and must be protected not only for our own sake, but for our customers and to comply with government regulations. This makes it the responsibility of each employee of Bank H to comply with the policies established in this document.

Program Responsibility

The Chief Information Security Officer has the prime responsibility for establishing and enforcing the procedures required for the protection of information. This person reports directly to the Chief Executive Officer and the Board of Directors.

A security oversight committee will also be formed, consisting of the Chief Information Officer, the Chief Financial Officer, the Chief Information Security Officer, and other representatives as seen fit. This committee will meet at least quarterly to review security procedures and recommend appropriate updates. The Chief Information Security Officer will be responsible for the establishment, implementation, and enforcement of information security policies on a day-to-day basis.

Enforcement

All employees of Bank H are required to adhere to the policies contained in this document.
Any infringement of this policy will result in disciplinary action up to and including termination and legal action. Each employee will be required to review and sign a document indicating that he or she has reviewed and understood these policies upon hire and as part of the annual employee review process.

Any employee who suspects a breach of these policies is required to immediately report the breach to his or her direct supervisor. If that is not possible, the employee may contact the office of the Chief Information Security Officer directly. Failure to report breaches may result in disciplinary action as specified under these policies.

Government Regulations

The mandate for a comprehensive information security policy comes from many sources. Of foremost importance is Bank H's concern for its employees, customers, and information assets. Additionally, due diligence is required by many overseeing government agencies. Title 12, Chapter II of the Code of Federal Regulations, issued by the Federal Reserve Board, defines security procedures that must be followed by member banks to ensure compliance with the Bank Secrecy Act and the Bank Protection Act (Regulation H: Membership of State Banking Institutions in the Federal Reserve System). Part 326 of the Federal Deposit Insurance Corporation regulations also details minimum security requirements for banks, including:
Designation of a security officer
Implementation of a security program
Annual reporting requirements
(Part 326: Minimum Security Devices and Procedures and Bank Secrecy Act)

Therefore, a main goal of this document is to establish and define a security program that meets the requirements of these and other regulatory agencies.

Issue-Specific Policy

The key issues that arise when considering our overall information security purpose involve protecting our customers, employees, and assets.
Three additional issues that must be considered are risk management, disaster recovery, and training, which all work together to support our overall goals for establishing these policies.

Protecting Our Customers

Whereas ATM machines provide a valuable service to our customers, it is incumbent upon Bank H to take all reasonable steps to ensure the security and safety of their assets, their personal information, and their physical safety while they are conducting transactions at a Bank H ATM machine.

Regulations in the USA Patriot Act place specific requirements on banks regarding the information that customers must provide in order to open an account (Office of Thrift Supervision Staff Summary of USA Patriot Act). Furthermore, the Sarbanes-Oxley Act of 2002 places certain legal requirements on Bank H regarding the protection of sensitive customer information (Public Law 107-204, 107th Congress).

Procedures below will detail required practices for protecting our customers, including:
ATM location and physical environment
Authentication and verification of identity
Protection of private customer information

Protecting Our Employees

In a real sense, establishing good security policies will protect our employees and help to insulate them from the daily risks of dealing with high volumes of funds and sensitive information. By clearly outlining security policies and procedures, all employees will have clear guidelines to follow to protect themselves and the assets they come into contact with. Clearly defined control procedures protect both our assets and our employees from accidental or intentional loss. A clearly defined security policy also establishes a legal standard of informed consent, which is a judicial requirement that has been established by legal precedent.
This document will establish procedures specific to our employees and their interactions with ATMs, including:
Contact with sensitive information
Contact with money and other cash instruments
Access to ATM equipment

Protecting Our Assets

Information, like money, is a valuable asset that must be protected from theft, destruction, and unauthorized access. ATMs represent a unique exposure to risk since they are often installed in locations that are outside the physical perimeter of the bank's facilities. Extra precautions must be taken to protect external ATMs and ATMs located at other facilities, since they will often be unattended. This policy will establish procedures to protect ATMs, including:
ATM locations
Environmental guidelines
Minimum hardware security requirements
Data transmission, storage, and encryption

Risk Management

Risk management is one of the first lines of defense in the effort to protect our customers, employees, and assets. Although the details of risk management fall outside the scope of this document, basic risk protection guidelines will be established by the Security Oversight Committee, and a senior representative from risk management will sit on that committee. In general, it is important that all reasonable steps be taken to insure company and customer assets, including:
FDIC insurance covering customer deposits
Applicable insurance to protect ATM equipment
Applicable liability coverage

Disaster Recovery

The ability to recover from natural and man-made disasters is an essential component of any security program. It is not the intent of this policy to create a comprehensive disaster recovery plan for the company.
However, issues related to disaster recovery will be covered as applicable to ATMs, including:
Recovery of information and assets from equipment involved in an accident or disaster that renders the equipment inaccessible or damages or destroys it
Planning to mitigate the loss caused by such events
Restoration of service, where applicable

Training and Awareness

All employees are required to attend security awareness training sessions, coordinated and conducted by the Chief Information Security Officer, a minimum of once a year. These sessions will be designed to educate employees about their responsibilities. Topics will include:
Education on new and existing policies and procedures
Practical training on tools and technology
Awareness training on risks and mitigation

System-Specific Policy

Special consideration must be given to protecting the systems that support our ATMs and data networks. As technology changes, so will the challenges and the tools available for securing these systems. Therefore, these policies should be reviewed on a quarterly basis and updated as necessary.

ATM Machines

ATMs form the core systems covered by these policies. Since many ATMs are outside the physical protection of our facilities, special care must be taken to protect them. Policies must be implemented to deal with these unique systems, including:
Money control procedures
Technology to monitor ATMs against tampering and abuse
Best practices for the installation and maintenance of ATMs

Networks

Data networks are necessary components of an ATM system and in some cases the most vulnerable. Therefore, all due care must be taken to ensure the integrity, reliability, and security of our networks. Policies must be established regarding:
Network installation and maintenance
Network monitoring
Network protocols and standards
The use of encryption

Section 2: Security Systems

As the field of information security has matured, several recognized standards have evolved.
Following these standards helps to ensure the development of comprehensive and effective security policies. A key concept in information protection is the concept of security systems. Security systems are domains of protection that establish best practices. Our policies will be developed to cover each of these domains as appropriate.

Confidentiality

Confidentiality protects information from disclosure or exposure to unauthorized agents. Confidential information must be clearly identified, and reasonable steps must be taken to maintain its confidentiality. The following policies relate to confidentiality in the context of Bank H ATM security:
Information will be classified so that confidential information can be identified and protected.
Measures will be taken to protect confidential information in both physical and electronic form.
The confidentiality of customer information is of prime importance.
The confidentiality of personal employee information will also be protected.

Integrity

Integrity ensures that information is kept in its original state and does not become corrupted at any point in the system. Systems must be implemented to protect assets from both intentional and unintentional corruption. The following policies relate to integrity in the context of Bank H ATM security:
Error-checking data protocols will be used to ensure the integrity of information in electronic form. Because a plain checksum or CRC only detects accidental corruption, a keyed integrity check (a message authentication code or digital signature) is required wherever deliberate tampering is a concern.
Proper control procedures will be used in the handling and transport of information on physical media.
Backup and archival policies will be constructed so that information may be re-created in the event of loss.
All hardware and software will be maintained to ensure the highest level of integrity when working with our data.

Availability

In order to be useful, assets must be available to those authorized to access them. Some security risks are designed to block access to information and other assets.
Policies that support availability include:
Systems connected to external networks will have software and hardware to protect them against denial-of-service attacks.
Disaster recovery plans will be developed and tested to ensure the quick recovery of operations in the event of a disaster.
ATMs will be located in areas that are accessible and convenient while appropriate measures are taken to secure them.

Access Control

One of the first lines of defense is to limit access to an asset to authorized personnel only. This starts with locking the door and may include other devices and techniques to control access. Examples of access control include:
Locked areas will be used as appropriate, and policies will be developed to manage keys and access codes.
Automated access cards or key-code locks will be used as appropriate to limit access to authorized personnel.
Usernames, passwords, and other methods will be used to limit computer system access.
Keys, codes, and other information relating to access to ATMs will be closely managed.

Non-repudiation

Accountability is the final key to a good security system. A clear and authentic trail of ownership of, and access to, information and other assets must be established and maintained at all times. Examples of policies designed to enforce non-repudiation are:
Fingerprints will be used to irrefutably identify parties, as appropriate, when dealing with information on physical media.
Digital certificates and digital signatures will be used to add irrefutable identification to electronic information as appropriate.

Section 3: Standards

The following standards have been established as the minimum set of requirements that must be met in order to ensure our security and the protection of our assets. Compliance with these standards is mandatory at all levels.
Any exceptions must be cleared in writing by the Chief Information Security Officer with the agreement of the Security Oversight Committee.

Employees

Before hire, all employees will sign a release authorizing the company to perform, or contract with a third party to perform, a background investigation. Employees will be required to present a verified set of fingerprints, which will be sent to the appropriate law enforcement agencies for a criminal background check. Potential candidates who do not pass such background checks, or who fail to submit to them, will not be considered for employment.

All employees, upon hire, will be required to review and sign the following documents:
A non-disclosure agreement stating that they will not disclose company information to third parties.
An information confidentiality policy describing the bank's information classification system and the handling of information at each level.
A privacy statement informing the employee that their personal information will be held as company confidential and will not be released to third parties except as required by law.
An acceptable use of company resources policy, which clearly explains that all company equipment and resources, including information and services, are wholly owned by Bank H. Employees may not use any company equipment or resources for personal use.

Upon hire, each employee will be issued a photo ID card. This card must be displayed at all times while on company premises.

When an employee leaves the company for any reason, the following procedures are to be followed:
Whether the termination was voluntary or involuntary, employees will not be allowed to stay on the premises. The standard two-week notice period will be foregone and the employee will be expected to depart the premises on the same day. Any compensation due will be determined by human resources policy.
Before leaving the premises, employees will conduct an exit interview.
During this time the employee will surrender or return any access instruments that are outstanding in their file.
Access to all computer systems, and to any other system, that was granted to the employee will be immediately removed.

Customers

A valid government ID and Social Security card must be presented by all bank customers before an account of any kind can be opened. Copies of these documents will be made and kept on file in a secure manner.
Potential customers must be cleared using industry-appropriate services to ensure that they are free and clear of obligations to other financial institutions before they will be allowed to establish an account.
Each customer will be issued a secret Personal Identification Number (PIN) at the time they open an account. The PIN must be created using a system that either randomly generates a PIN known only to the customer or allows the customer to enter the PIN without revealing it to bank employees.
PINs will be immediately encrypted. At no time will a PIN be stored or transmitted in an unencrypted form.
ATM cards will clearly show the full name of the customer, their card number, and a clear expiration date. ATM cards and any corresponding PIN shall not be mailed or otherwise transmitted within the same document or package.
Upon closing their account, customers will return any ATM cards in their possession. All such ATM cards will be immediately disabled.
Customers will be required to read and sign a document that explains their obligations for ensuring the security of their ATM cards and transactions.
At a minimum, customers must agree to:
Take reasonable steps to ensure that the ATM card issued to them is kept secure
Notify the bank as soon as they believe that an ATM card has been lost or stolen
Not let anyone else use their ATM card
Not reveal their PIN to anyone else
Notify the bank if their PIN has become compromised

Non-customers wishing to conduct business with the bank will be required to show a valid government-issued ID and must leave a fingerprint on file, preferably on the document being transacted.
Employee and customer areas will be clearly marked. Customers will not be allowed in employee areas.

Physical Security

All company facilities shall be secured, at a minimum, by doors with manual locks. Doors shall remain locked during non-business hours and at any time the facility is not occupied.
A log must be kept of keys, the number of copies that have been made, and who the keys have been distributed to. Records must also be kept of keys that are reported as lost and who was reported to be in possession of the key at the time it was lost.
A log must be kept of electronic codes and door access cards, including who such instruments have been distributed to. Records must also be kept of access cards that are reported as lost and who was reported to be in possession of the card at the time it was lost.
Employees must notify security as soon as they believe that a key, access card, or lock access code has been compromised.
All bank facilities that hold money and similar instruments must be secured by an alarm system. Employees should have the ability to trigger such alarms without detection.
All ATMs must be secured with alarm systems that are triggered by unauthorized tampering.
All alarm systems must be tied directly to local authorities or to a registered alarm service that monitors the alarm status at all times.

Monetary Access

Appropriate control procedures and accounting procedures must be adhered to when dealing with money.
Any area in which money is handled, held, or transported must be under constant video surveillance.
Any monetary transaction exceeding $1,000 must be verified and witnessed by a second employee.
Any monetary transaction exceeding $10,000 must be continuously observed by an employee who is at a higher level than the employee completing the transaction.
The transport of money outside the bank facility must be handled by an authorized armored transport service and escorted by qualified armed personnel.

Information Classification

All information, whether in physical or electronic form, shall be assigned an appropriate level of classification based on its sensitivity and criticality. Data shall be assigned a minimum of three levels of classification:
Public: information that is neither sensitive nor critical to the company, and that there is no legal requirement to protect.
Confidential: information that is sensitive in nature and should not be revealed to the general public.
This classification is further subdivided into two categories:
Company Confidential: sensitive information related to the bank.
Customer Confidential: private information that belongs to a customer and must be protected by law.
Critical: information that is not necessarily (but may be) confidential, but is nevertheless critical to the successful functioning of the bank.

ATM Equipment

ATMs that require external access must still be secured in such a way that any access panels are not visible and cannot be easily accessed.
All ATM machines must be under constant video surveillance.
All networks shall be protected by a hardware-based firewall and other hardware and software deemed appropriate.
The bank's privileged network shall not be exposed to public networks such as the Internet.
All data transmitted via a network must be encrypted to prevent exposure to unauthorized tapping.
Data protocols must be in place to validate that data is received in the same form in which it was transmitted. Data that does not pass validation should be rejected and logged.
Network security software must be installed that constantly monitors the network for patterns and signs of attempted or actual unauthorized access. Activity that represents a threat must trigger an alarm to the appropriate agencies and personnel.
The daily stocking and removal of cash to and from an ATM shall be done in adherence to the policies regarding the handling of cash detailed in the Monetary Access section above.
Each ATM shall use a PIN encryption device that encrypts and stores the information in a secure manner.
Hardware must be implemented to monitor, analyze, and authenticate any external source attempting to connect to the ATM. Unauthorized attempts must be logged and reported immediately to the monitoring center.
ATMs shall be connected to a monitoring system that automatically tracks the status of the ATM.
The ATM should be configured with software that can log and securely transmit information about usage for external profiling to detect potential attacks.
All ATMs must be under continual video surveillance as detailed in section 2.3 above.
At no time will the customer's PIN, account number, or other confidential information be displayed on the screen or printed on any receipt.

Networks

All networks shall be protected by a hardware-based firewall and other hardware and software deemed appropriate.
All data transmitted via a network must be encrypted to prevent exposure to unauthorized tapping.

Section 4: Practices, Procedures and Guidelines

This section defines the practices and procedures for the day-to-day operations of the company. These represent a set of guidelines which allow managers to perform their duties with due diligence, while also offering flexibility and adaptability for various environments and situations. Any questions about interpretation should be addressed to the office of the Chief Information Security Officer.

Employees

Employees may, as appropriate, be issued certain instruments or information that allow them to access restricted areas or information. Upon receipt of any such instrument, the employee will sign a document verifying their receipt and agreeing to release the instrument back to the company when their job no longer requires it or upon termination.
Instruments of this nature include, but are not limited to:
ID cards
Access cards
Access codes, including usernames, passwords, PINs, and codes to electronic locks
Keys

Customers

Customers should read and sign a privacy notice informing them that their personal and financial information will be protected and not revealed to any third party except where required by law.
Customers should be given a pamphlet that explains how to safely and securely use their ATM card online and at ATM machines.

Physical Security

The same procedures detailed in section 3.3 should be implemented for padlocks or other portable locking devices and the keys to them.
Doors that require access by more than 5 people should be considered for electronic access control.
Security officers should be present at all facilities that hold money and similar instruments during business hours. After hours, arrangements for surveillance and patrol should be implemented as appropriate.
Prominent security cameras should be located both inside and outside all facilities that hold money or related instruments.
These cameras should be linked to a system that records their images at all times.

Computer Access

In general, computers used for bank business should not be connected to the Internet.
Computers that require a connection to the Internet should not also be connected to the bank's internal network.
Software that monitors and controls Internet activity should be used on computers connected to the Internet.
The following guidelines should be used for password security:
Passwords should be changed at a minimum of every 30 days.
Passwords should not be reused.
Passwords should contain a minimum of one number and one non-numeric character and must be at least eight characters in length.
(Current guidance such as NIST SP 800-63B favors longer passphrases checked against breached-password lists over composition rules, and recommends forcing a change on evidence of compromise rather than on a fixed schedule; the 30-day rotation above should be reviewed against that guidance.)

Monetary Access

Appropriate control procedures and accounting procedures must be adhered to when dealing with money.
Any area in which money is handled, held, or transported must be under constant video surveillance.
Any monetary transaction exceeding $1,000 must be verified and witnessed by a second employee.
Any monetary transaction exceeding $10,000 must be continuously observed by an employee who is at a higher level than the employee completing the transaction.
The transport of money outside the bank facility must be handled by an authorized armored transport service and escorted by qualified armed personnel.

Information Classification

Additional levels of information classification may be assigned as appropriate.
All information that is considered confidential should be clearly labeled as such.
Electronic confidential information should be stored in an encrypted form at all times.
Physical media that is confidential should be secured in a locked location at all times.
Information that is critical should be backed up and archived on a regular basis.

ATM Equipment

ATMs should be located inside an existing bank facility when possible.
ATMs should be installed in a well-lit area with open access.
Keys and other devices that allow access to ATMs must be kept under tight security and are subject to the regulations specified under the Physical Security section above.
ATMs should be installed by authorized vendors who have been screened and are bonded. Records of all persons involved in the installation will be kept and archived.
All vendors should supply documentation showing that the persons performing the installation have successfully passed a background check, including a criminal background investigation.
A schedule of preventive maintenance should be created to ensure the correct functioning of all ATMs. Maintenance shall be performed only by qualified individuals. Records of maintenance should be kept, including the date of the maintenance, what was done, and who performed it. These records shall be considered company confidential.
Systems should be in place to prevent tampering with ATMs or with their information.
ATMs should incorporate an audible alarm that is triggered by any sign of trouble.
The ATM's internal software should be capable of sending alarms to the appropriate agency when the ATM is in need of service.
ATMs should be secured to an immovable foundation.
The internal safe that contains the money should be manufactured, tested, and rated for strength and resistance to attack.
Internal components should be protected in such a way that a single individual cannot gain access.
This ensures that at least two people, holding separate access codes and/or keys, must be present in order to gain access to the ATM.
Mirrors should be installed to allow customers to see their surroundings while they are transacting at an ATM, but not to allow others to see what they are doing.
The keypad and screen of the ATM should be positioned so that the customer's body naturally blocks the keypad from view while it is being used.
ATM usage should be monitored and analyzed to ensure that each ATM is appropriately stocked with cash to meet customer demand.

Networks

The bank's internal network should not be exposed to public networks such as the Internet.
Data protocols should be in place to validate that data is received in the same form in which it was transmitted. Data that does not pass validation should be rejected and logged.
Network security software should be installed that constantly monitors the network for patterns and signs of attempted or actual unauthorized access. Activity that represents a threat must trigger an alarm to the appropriate agencies and personnel.

Bibliography

The following resources were used as reference material for the preparation of this document.
Office of Thrift Supervision Staff Summary of USA Patriot Act. Department of Treasury. 20
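The Networks standard above (in both the Standards and the Practices sections) requires that data be validated as arriving in the form in which it was sent, and that anything failing validation be rejected and logged. The policy names no mechanism, so the following is an added example, not code from the original document or from Bank H: a host-side receiver that authenticates each ATM transaction message with a keyed HMAC (SHA-256) before any business field is parsed, rejects replays with a per-ATM sequence counter, and logs every rejection without echoing confidential fields. The pipe-delimited wire format, the field names, the account token, and the hard-coded demo key are all assumptions made for the example; in production the key would be held in the ATM's encryption device and the host HSM, and the message would additionally travel inside the encrypted channel the policy requires. The sample messages are constructed.

```python
"""Authenticated ATM transaction messages: verify, then parse, then act.

Constructed example (not Bank H's protocol). Assumed wire format:
    seq|atm_id|account_token|amount_cents|<hex HMAC-SHA256 over the four fields>
No PIN ever appears in this message; the PIN travels separately from the
PIN encryption device, as the policy requires.
"""
import hashlib
import hmac
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("atm-host")

# Assumption: stands in for a key held in the ATM's encryption device / host HSM.
DEMO_KEY = b"demo-only-shared-key-not-for-production"


def build_message(key, seq, atm_id, account_token, amount_cents):
    """Sender side: serialize the fields and append a keyed MAC over them."""
    body = f"{seq}|{atm_id}|{account_token}|{amount_cents}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


class AtmHost:
    """Receiver side: verify the MAC first, then check sequence, then accept."""

    def __init__(self, key):
        self._key = key
        self._last_seq = {}   # atm_id -> highest sequence number accepted
        self.accepted = []    # (atm_id, account_token, amount_cents) tuples
        self.rejected = []    # reasons, in order, for the audit trail

    def receive(self, wire):
        parts = wire.rsplit("|", 1)  # body on the left, MAC tag on the right
        if len(parts) != 2:
            return self._reject(wire, "malformed message")
        body, tag = parts
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        # compare_digest is constant-time, so the comparison leaks no timing signal
        if not hmac.compare_digest(expected, tag):
            return self._reject(wire, "MAC mismatch")
        # Only now is the body trusted enough to parse.
        try:
            seq_s, atm_id, account_token, amount_s = body.split("|")
            seq, amount_cents = int(seq_s), int(amount_s)
        except ValueError:
            return self._reject(wire, "bad field encoding")
        # A valid MAC on an old message is still an attack: replay check.
        if seq <= self._last_seq.get(atm_id, 0):
            return self._reject(wire, f"replay or out-of-order seq {seq}")
        self._last_seq[atm_id] = seq
        self.accepted.append((atm_id, account_token, amount_cents))
        log.info("accepted atm=%s seq=%d amount_cents=%d", atm_id, seq, amount_cents)
        return True

    def _reject(self, wire, reason):
        # Log the reason and size only: a rejected message is untrusted input and
        # may carry confidential fields that must not land in the log.
        self.rejected.append(reason)
        log.warning("rejected: %s (%d bytes)", reason, len(wire))
        return False


def demo():
    """Run the receiver over constructed traffic: one good message, three attacks."""
    host = AtmHost(DEMO_KEY)
    good = build_message(DEMO_KEY, 1, "ATM-017", "tok_4a1f", 20000)  # $200.00 withdrawal
    tampered = good.replace("|20000|", "|2000000|")  # amount edited on the wire, old tag kept
    forged = build_message(b"wrong-key", 2, "ATM-017", "tok_4a1f", 100)  # MAC under a wrong key
    results = [
        host.receive(good),      # accepted
        host.receive(tampered),  # rejected: MAC mismatch
        host.receive(forged),    # rejected: MAC mismatch
        host.receive(good),      # rejected: replay of seq 1
    ]
    return results, host


if __name__ == "__main__":
    demo()
```

The order of checks is the point: the MAC is verified over the raw bytes before any field is interpreted, so a forged or edited message never reaches the parser, and a genuine message captured earlier is still refused by the sequence check. The rejection log records why and how much was dropped, which satisfies the "rejected and logged" clause without copying untrusted or confidential data into the log.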