Review of Central Bank Guideline for Electronic Banking

 

By

 

Femi Oyesanya

yeyerolli1@aol.com


INTRODUCTION

 

Reading the Guideline for Electronic Banking is a prerequisite for this paper. A copy of the Guideline can be found at:

 

http://www.cenbank.org/OUT/PUBLICATIONS/BSD/2003/E-BANKING.PDF


OVERVIEW


The Central Bank of Nigeria (CBN) has proposed a detailed guideline for electronic banking in Nigeria. The following is a critical review of that guideline. Specifically, the review focuses on the Information and Communications Technology sections of the guideline and attempts to reveal weaknesses in the CBN's proposal. Where possible, alternative recommendations are given. A key factor underlying some of these alternative recommendations is the corrupt business environment: information technology risks are assumed to be higher, so information security controls must be commensurate with those risks.

 

1.0 Technology and Security Standards Review

The CBN has proposed an approval process for all technological investments that exceed 10% of free funds. The 10% factor is arbitrary. Rather than proposing a 10% threshold, the CBN ought to define in clear terms a definitive methodology for evaluating tangible and intangible mid- to large-scale technological asset acquisitions pursued by banks. As written, an investment that stands at 9.99% of free funds is not subject to CBN approval. A clearer approval process might involve a methodology for assessing technological investments in terms of the tangible and intangible return on each specific investment. The entire process of technological asset acquisition might need to be re-evaluated. A 10%-of-free-funds criterion ought not to be the only criterion for triggering an approval process for key technological acquisitions.

 

In addition to the above suggestions, this review also recommends that the core technological and security standards include the following:

  1. A guideline for criminal background checks on banking information technology employees. Such background checks might include psychological profile examinations and general character assessment tests.

  2. A guideline for criminal background checks on banking business associates that will participate in the implementation of core information technology architecture. Vendors must certify their business reputation.

  3. A guideline for new employee hiring and termination. Strict guidelines must address the issue of disgruntled employees. Information technology assets belonging to the bank must be recovered at the point of termination.

 

1.1 Standards for Computer Networks and Internet Review

The proposed guideline addresses controls for banking data communications and specifies particular technologies, such as proxy-type firewalls, to implement security measures for data communications. It specifies controls for external devices connecting to a larger network. However, the guideline falls short of a key network security criterion: an initial technology environment and risk assessment of each individual financial institution is not required.

 

In the opinion of this review, the CBN ought to recommend a standard under which banks examine potential threats that may already exist in each individual financial institution's current network. The local intranet facility must not be assumed to be secure. Furthermore, each external device permanently connected, or otherwise connecting, to the banking network ought to implement the connection on a layered and trusted basis. All devices are not equal. Each device ought to have its own access control label that admits it only to a specified layer of access.

 

1.2 Standards on Protocols

The CBN's guideline calls for steps to ensure that access to data is governed by clear access control measures. In addition, banks should be encouraged to define clear standards for classifying data. Data sensitivity classification allows access control to be applied more cost-effectively. Banks should be encouraged to build data sensitivity schemes into their information security framework. Also, besides human access to data, computer applications also access data. The point here is that access control lists should not be limited to human operators but should also cover computer processes.

 

In addition, allowing access only to the network protocols that are actually needed is not enough; this review proposes that only secured protocols should be exposed on open ports, for example SSH rather than FTP, and HTTPS rather than HTTP.
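The per-device access labels argued for in section 1.1 and the data sensitivity classification with process-level access control lists argued for in section 1.2 can be modelled together. The following Python is an added illustration written for this review, not code from the CBN guideline or from any bank; every subject and data item name is constructed.

```python
from dataclasses import dataclass
from enum import IntEnum

class Sensitivity(IntEnum):
    """Data sensitivity classification, lowest to highest."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

@dataclass(frozen=True)
class Subject:
    """Requester: a human operator, a computer process or a network device.
    'label' is the layer of access granted to this subject (section 1.1)."""
    name: str
    kind: str          # "human", "process" or "device"
    label: Sensitivity

@dataclass(frozen=True)
class DataItem:
    name: str
    classification: Sensitivity
    acl: frozenset     # names of subjects explicitly allowed to read it

def decide(subject, item):
    """Deny-by-default: label must reach the classification AND the subject
    must be on the ACL. Returns (allowed, reason) for the audit trail."""
    if subject.label < item.classification:
        return False, (f"{subject.kind} {subject.name}: label "
                       f"{subject.label.name} below {item.classification.name}")
    if subject.name not in item.acl:
        return False, f"{subject.kind} {subject.name}: not on ACL of {item.name}"
    return True, f"{subject.kind} {subject.name}: read {item.name}"

# Constructed sample subjects and data items (hypothetical names).
SUBJECTS = [Subject("teller_01", "human", Sensitivity.INTERNAL),
            Subject("settlement_batch", "process", Sensitivity.CONFIDENTIAL),
            Subject("branch_atm_07", "device", Sensitivity.INTERNAL)]
ITEMS = [DataItem("customer_balances", Sensitivity.CONFIDENTIAL,
                  frozenset({"settlement_batch", "teller_01"})),
         DataItem("branch_hours", Sensitivity.PUBLIC,
                  frozenset({"branch_atm_07", "teller_01"}))]

def audit(subjects=SUBJECTS, items=ITEMS):
    """(subject, item, allowed, reason) for every pair, for review."""
    return [(s.name, i.name, *decide(s, i)) for s in subjects for i in items]
```

Note that the teller is on the ACL for customer balances but is still refused because the INTERNAL label does not reach the CONFIDENTIAL classification, while the settlement process, a non-human subject, is admitted.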

 

1.3 Standards on Applications And System Software Review

This section of the guideline offers a proposal for architectural implementation, banking application interfaces, data communications, software support, physical security, and the segregation of IT security personnel from the other IT personnel within a financial division.

 

It is the opinion of this review that the guideline provided for application and system software is, at the very least, inadequate. In general, most security vulnerabilities occur at the application and system software level. The CBN ought to elaborate further on the security issues associated with the deployment of application and system software. Banks must implement policies and procedures that hold their systems personnel accountable for implementing application- and system-software-level security. System software security patches must be applied in a timely manner. Banks must review the historic security reputation of potential vendor software applications and implement appropriate steps to address shortfalls in vendor proprietary software security. Programs developed in-house must be subjected to security quality review. Anti-virus and intrusion detection software updates need to be applied in a timely manner. A three-tier architecture needs to be considered for implementing the technological infrastructure.

 

Lastly, banks should implement directives for application change management schemes and provide effective quality assurance over application and system software implementation.

 

1.4 Standards on Delivery Channels

The delivery channel is the communication path between the bank, its business associates, and its customers. The guideline defines a standard for data confidentiality, integrity and non-repudiation. Clearly, it is the goal of the CBN to implement a process for data security and integrity as the data travels from source to destination. In the view of this paper, the CBN should state data transmission security expectations for the origin of the transmission, the delivery path, and the end point: the point of data origination must implement security controls, and likewise the transmission path and the endpoint.

 

Also, since each transmission path might face varying security challenges, the CBN might want to specify varying security controls for the different data transmission networks. In a very general sense, transmission networks and their security recommendations might be classified as follows:

 

A) Security recommendations for data transmission that occurs over the highly vulnerable public data transmission network, e.g. dial-up.

 

B) Security recommendations for data transmission that occurs through a more secure point-to-point private network.

 

C) Security recommendations for data transmission that occurs over wireless links.

 

Each delivery path needs different security requirements to make the transmission secure. For example, data transmission over the public network might be expected to enhance its security by using a VPN, while a point-to-point fibre optic link might not.

 

Also, audit trail expectations need to be clearly defined. The specific audit trail attributes, and the specific data items that need to be captured, need to be identified by the CBN.

 

1.4.2 Automatic Teller Machine

The guideline for ATMs primarily focuses on physical and transactional security. The CBN emphasizes customer security and gives recommendations for the careful siting of ATM devices. However, it fails to recommend a standard for the total number of simultaneous connections to the ATM network. As a condition of service, the CBN should define the acceptable ATM network saturation point: what is the acceptable level of simultaneous connections?

 

1.4.3 Internet Banking Review.

The CBN guideline requires that only authorized staff should be able to change information on a bank's web site. The CBN must also specify that banks put processes in place to ensure that only authorized computing processes are allowed to make changes to the web site.

 

The CBN requires that when hosting services are outsourced by banks to ISPs, the ISP must ensure that firewalls are configured properly. In the opinion of this review, the ISP must not be allowed to have any technical administrative control whatsoever over any security device protecting the bank's information assets. Even when hosting is outsourced, banks must make sure that any gatekeeper technology remains solely in their control. Allowing firewalls and similar devices to be managed by non-bank employees might open the door to unprecedented security breaches.

 

In addition, the following web security measures are also recommended:

a) All web pages displaying customer information must be encrypted. Banks might want to consider using HTTPS to secure their web pages. Customer browsers must also support a higher encryption bit length.

b) The CBN might opt to own a centralized digital certificate issuing server specifically for banks. This gives the digital certificate issuing authority the centralized advantages of managing issuance, expiration, and renewal of these digital certificates. Alternatively, banks can form a centralized body that performs the same digital certificate issuance function.

 

c) Banks must implement web site change management controls.

 

d) Bank web sites must contain a mechanism that makes the customer session expire after some set period of inactivity. Login sessions to web sites must not be permanent.

 

e) Policies should be made to address the response time for processing transactions on a bank's web site.

 

1.4.7 Switches

 

In addition to the recommendations in this section of the guideline, the CBN must also encourage switching companies to implement a structured security incident reporting policy which submits its formal findings directly to the CBN.

 

1.5 Standards on Security and Privacy Review.

The standard for security and privacy does not in fact recommend any guideline for privacy. The CBN must outline specific standards for how banks manage customer information held in banking systems. There must be clear provision for customer data confidentiality. Specific outlines must be provided in the following areas:


A) Access of customer banking records by governmental agencies.

 

B) Access of customer banking records by external business associates of the banks.

 

C) Marketing of customer banking records.

1.5.5  Backup recovery and business continuity review.

This section needs to specify data aging criteria. How long should archived data be kept? Clear criteria should be defined for transaction processing data and detailed records. It must specify the acceptable length of time for which these records must be kept in archive.