E-Commerce And You
Lake Buena Vista, FL, November 3, 2004
Roger Blake
Senior Information Systems Officer
National Credit Union Administration
Notable Quotes
“…The Internet is the single greatest threat to the economy and national security of the United States today…”
Richard Clarke
President’s Chief Advisor of Critical Infrastructure
National Security Council
Notable Quotes
“…Anyone in the privacy of their own home can create a very persuasive vehicle for fraud over the Internet…”
Louis J. Freeh
Director of the FBI
Notable Quotes
“…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…”
Arthur Levitt
Chairman of the SEC
NCUA Strategic Plan 2003-2008
Goal #2:
Facilitate the ability of credit unions to safely integrate financial services and emerging technology in order to meet the changing expectations of their members.
e-Commerce Services
Does NCUA expect all credit unions to develop and implement e-Commerce services?
No!
NCUA encourages credit unions to consider offering e-Commerce services.
Credit Union Statistics
Website Trends
June ‘98 – June ‘04
5300 Call Report Data
Credit Union Industry Statistics
Credit Union Websites

                   Jun-03    Jun-04    Change
Interactive         3,461     3,872     11.9%
Non-Interactive     1,529     1,342    -12.2%
Total               4,990     5,214      4.5%

Website Mix        Jun-03    Jun-04
Interactive        69.36%    74.26%
Non-Interactive    30.64%    25.74%
Total             100.00%   100.00%
Credit Union Industry Statistics
[Chart: Website Type, Jun-98 through Jun-04 (semi-annual); series: Interactive, Non-Interactive, Total; y-axis: number of websites, 0 to 6,000]
Credit Union Industry Statistics
Website Growth
[Chart: Website Growth, Dec-98 through Jun-04 (semi-annual); series: Interactive, Non-Interactive, Total; y-axis: growth rate, -20.0% to 60.0%]
Credit Union Industry Statistics
[Chart: Total Websites, Jun-98 through Jun-04 (semi-annual); series: FCUs, FISCUs, Total; y-axis: number of websites, 0 to 6,000]
Computer Security Institute (CSI)
Computer Security Issues & Trends
2004 CSI/FBI Computer Crime and Security Survey
www.gocsi.com
Key Findings
• Unauthorized use and financial losses declined
• Virus and denial of service top cost
• Law enforcement reporting declined
• Security audits used
• Security outsourcing low
• Sarbanes-Oxley impact
• Security training needed
Respondents
Respondents By Revenue

Over $1B       37%
$100M-$1B      20%
$10M-$99M      23%
Under $10M     20%
Percentage of IT Budget Spent on Security
2004: 481 Respondents/97%
[Chart: IT Budget Spent on Security, 2004; categories: More than 10%, 8%-10%, 6%-7%, 3%-5%, 1%-2%, Less than 1%, Unknown; bar values as extracted: 8%, 8%, 7%, 22%, 24%, 16%, 14%; x-axis: share of respondents, 0% to 30%]
Technologies
Security Technologies Used
2004: 483 Respondents/98%; 2003: 525 Respondents/99%; 2002: 500 Respondents/99%; 2001: 530 Respondents/99%; 2000: 629 Respondents/97%; 1999: 501 Respondents/96%; 1998: 512 Respondents/98%
[Chart: Security Technologies Used, 1998 through 2004; technologies: Digital IDs, Public Key Infrastructure, Smart Cards/Tokens, Intrusion Detection, Intrusion Prevention, PCMCIA, Physical Security, Encrypted Login, Firewalls, Reusable Passwords, Anti-Virus Software, Encrypted Files, Encryption-Data in Transit, Biometrics, Access Controls; x-axis: share of respondents, 0% to 100%]
Unauthorized Use
Unauthorized Use of Computer Systems Within the Last 12 Months
2004: 481 Respondents/97%; 2003: 524 Respondents/99%; 2002: 481 Respondents/96%; 2001: 532 Respondents/99.6%; 2000: 585 Respondents/91%; 1999: 512 Respondents/98%; 1998: 515 Respondents/99%; 1997: 391 Respondents/69%; 1996: 410 Respondents/96%
[Chart: responses Yes, No, Don't Know by year, 1996 through 2004; y-axis: share of respondents, 0% to 80%]
Breach Frequency
How Many Security Breach Incidents?
2004: 280 Respondents/57%; 2003: 356 Respondents/67%; 2002: 321 Respondents/64%; 2001: 348 Respondents/65%; 2000: 392 Respondents/61%; 1999: 327 Respondents/63%
[Chart: incident counts 1-5, 6-10, >10, Don't Know by year, 1999 through 2004; y-axis: share of respondents, 0% to 50%]
Website Incidents
2004: 132 Respondents/27%; 2003: 135 Respondents/25%; 2002: 244 Respondents/49%; 2001: 211 Respondents/40%; 2000: 120 Respondents/18%; 1999: 92 Respondents/18%
[Chart: website incident counts 1 to 5, 6 to 10, More Than 10 by year, 1999 through 2004; y-axis: share of respondents, 0% to 100%]
Types of Losses
Dollar Amount of Losses By Type (000)
2004: 269 Respondents/54%
[Chart: losses in $000 for 2004 and 2003 by type: Sabotage, System Penetration, Website Defacement, Misuse of Web Application, Telecom Fraud, Unauthorized Access, Laptop Theft, Financial Fraud, Abuse of Wireless Network, Insider Net Abuse, Theft of Proprietary Info., Denial of Service, Virus, Other, Total; x-axis 0 to 180,000; totals as extracted: 2004 141,498 and 2003 201,797]
Computer Intrusions: Actions Taken
Computer Intrusion(s) Within Last 12 Months: Actions Taken
2004: 320 Respondents/65%; 2003: 376 Respondents/71%; 2002: 389 Respondents/77%; 2001: 345 Respondents/64%; 2000: 407 Respondents/63%; 1999: 295 Respondents/57%; 1998: 321 Respondents/72%; 1997: 317 Respondents/56%; 1996: 325 Respondents/76%
[Chart: actions Patched Holes, Did Not Report, Reported to Law Enforcement, Reported to Legal Counsel by year, 1996 through 2004; y-axis: share of respondents, 0% to 100%]
Computer Intrusions: Not Reported
The Reasons Organizations Did Not Report Intrusions to Law Enforcement
2004: 267 Respondents/54%; 2003: 376 Respondents/71%; 2002: 389 Respondents/77%; 2001: 345 Respondents/64%; 2000: 407 Respondents/63%; 1999: 295 Respondents/57%; 1998: 321 Respondents/72%; 1997: 317 Respondents/56%; 1996: 325 Respondents/76%
[Chart: reasons Negative Publicity, Competitors Would Use to Advantage, Unaware That Could Report, Civil Remedy Seemed Best by year, 1996 through 2004; y-axis: share of respondents, 0% to 100%]
Risk Assessment
Risk Assessment Modeling
e-Commerce Risks
Risks that are generally associated with e-Commerce and IT include:
• Compliance
• Transaction
• Strategic
• Reputation
e-Commerce Risks
Potential impact of risks facing a credit union engaging in e-commerce activities may include:
• Lack of member trust due to poor public image
• Potential legal or regulatory sanctions
• Fraudulent loans, disbursements and withdrawal of member funds
e-Commerce Risks
Potential impact of risks facing a credit union engaging in e-commerce activities may include:
• Misappropriation of funds
• Extended disruption of member services
• Unauthorized access to member data
• Theft of confidential member data
Risk Management
Risk Management Process
Risk Management Process: Identify Risks
Risk identification involves the evaluation of:
• What risk categories impact the credit union as it relates to IT (e.g., operational, financial, informational, transactional)?
• Which assets should be reviewed?
Risk Management Process: Assess Impact
Impact Assessment includes:
• Threat Analysis
• Asset Valuation
• Vulnerability Analysis
Risk Management Process: Prioritization (Rank)
Risk Management Process: Action Plans (Mitigation)
Mitigation recommendations should, at a minimum, address:
• The medium to high risk exposures
• Those exposures that exceed management’s expectations and allowances (i.e., unacceptable risks)
Risk Management Process: Action Plans (Mitigation)
Recommendations can fall into one of four categories:
• Preventative Safeguards
• Mitigating Safeguards
• Detective Safeguards
• Recovery Safeguards
Risk Management Process: Implement, Monitor, Report
• Implement revised strategies in a timely manner
• Monitor the risks
• Report results
Outsourcing
Vendor Management
Outsourcing
• Risk Management
• Vendor Selection
• Contracts
• Oversight
• Service Level Agreements
Outsourcing: Risk Management
The board of directors and senior management are responsible for:
• Understanding risks associated with outsourcing arrangements for technology services.
• Ensuring effective risk management practices are in place.
Outsourcing: Risk Management
The board of directors and senior management are responsible for:
• Assessing how outsourcing arrangements will support the credit union’s objectives and strategic plans.
• Assessing how relationships will be managed.
Outsourcing: Vendor Selection
Selection criteria:
• Ensure potential vendors have relevant expertise and references
• Evaluate vendor’s capabilities, references, and personnel involved
• Ensure stable financial position
• Evaluate consequences of selecting an inappropriate vendor
Outsourcing: Contracts
As a minimum, contracts should address:
• Scope of services
• Cost and duration of services
• Security and confidentiality
• Audit and controls
• Performance standards
Outsourcing: Contracts
As a minimum, contracts should address:
• Indemnification
• Limitation of liability
• Dispute resolution
• Termination and assignment
• Reporting
Outsourcing: Oversight
Implement an on-going oversight program to monitor each service provider’s controls, conditions and performance.
Monitor key indicators:
• Financial condition and operations
• Quality of service and support
Outsourcing: Oversight
Monitor key indicators:
• Contract compliance and required revisions
• Access to credit union’s systems
• Business contingency plans
Outsourcing: Service Level Agreements
Clearly outline any service level agreements (SLAs) based on defined standards.
• Formal SLAs help to ensure the outsourced vendor provides an appropriate level of service to the credit union
• SLAs should be confirmed by all parties involved and kept current
Other Issues
• Security
• Privacy
• Business Continuity
• Regulation (Federal & State)
• etc...
e-Commerce: Do You Dare?
?