Managing Information Assurance in Financial Services
Latest Publications


Total documents: 14 (five years: 0)

H-index: 2 (five years: 0)

Published By IGI Global

9781599041711, 9781599041735

Author(s):  
Konstantinos Markantonakis, Keith Mayes

When designing and implementing a system that handles sensitive or valuable information, there can be few discussions that do not include some reference to ensuring adequate security. At a strategic level there will be high level requirements for security that will safeguard the system, which must ultimately translate to practical solutions and physical implementations. This chapter focuses on the technical implementation of security requirements and, in particular, the use of smart cards as trusted security tokens. In particular, it examines the significance of tamper resistance by exploring the different hardware and software platforms in relation to smart card attacks. It also highlights certain issues around the deployment of smart card technology in the financial industry.


Author(s):  
Sylvia Kierkegaard

Phishing and pharming continue to plague many financial institutions and electronic commerce (e-commerce) Web sites. Security experts estimate annual losses from computer crime total in the billions, but there are actually no valid statistics on the losses from this type of crime because no one knows how many cases go unreported. The array of online threats grows all the time. Sophisticated criminals have now turned to a new activity of rat-ing, where criminals can watch everything the user is typing from other parts of the globe. The new activity is difficult to detect. Companies have devised various methods of protecting their customers. They are beginning to integrate more security, well beyond simple user names and passwords, as the need for more stringent methods becomes imperative. Various countries also have passed identity fraud legislation, but the global nature of cybercrime raises difficult legislative problems of jurisdiction as criminals use off-shore servers and Internet sites to avoid domestic regulations.


Author(s):  
Nick Pullman, Kevin Streff

This chapter discusses the role of identity and access management in the financial services industry. Identity and access management is a very broad concept that has far reaching rewards or consequences within an organization. This chapter provides a survey of the topics within identity and access management so that managers and security administrators of financial institutions can gain an understanding of the issues and possible solutions.


Author(s):  
Warren Axelrod

This chapter expands upon standard methods of calculating the return on security investment (ROSI) in several ways. First, it accounts for the dynamic nature of threats, vulnerabilities, and defenses as they apply to the finance sector. Second, it takes a more holistic view of security investments using a portfolio method. The protection of information assets can be viewed in two ways. One is the hierarchical view of security measures, such as avoidance, deterrence, and prevention. The other is defense in depth, wherein various security tools and processes, such as firewalls, identity and access management, and intrusion detection and prevention products, are combined for greater overall protection. The reader will gain a deeper understanding of the factors that affect the risks and returns of investments in security measures, tools, and processes and will find that using the portfolio approach leads to more cost-effective security.


Author(s):  
Kevin Streff

The banking sector is identified as a critical infrastructure by the federal government. In this chapter, the author provides an overview of information security in the banking sector, outlines the information and technology common to most banks, explains the information security law and regulation banks must comply with, and explores the information security controls necessary to protect the banking infrastructure in the United States.


Author(s):  
Göran Bergendahl, Ted Lindblom

Banks play an important role in the financial system contributing to efficient and well functioning transfers of capital and risk between those in excess (savers) and those in need (borrowers) of money. Traditionally, financial risks, like interest rate, foreign exchange and credit risks, have been the most important and typical ones for banking operations. However, lately the risk environment of banks has changed considerably. In this study we are stressing the vital importance for the single bank to have a much more sophisticated and well-structured approach to risk management than it had 15 years ago. Our main focus is on how banking objectives such as profitability and growth should govern risk management, and how these objectives are made operational into the management of those assets and liabilities exposed to changes in market prices and in customer repayments of loans.


Author(s):  
Anindya Ghose

The Sarbanes-Oxley Act (SOX) introduced significant changes to financial practice and corporate governance regulation, including stringent new rules designed to protect investors by improving the accuracy and reliability of corporate disclosures. Briefly speaking, it requires management to submit a report containing an assessment of the effectiveness of the internal control structure, a description of material weaknesses in such internal controls and of any material noncompliance. Such mandatory regulations can have some broader ramifications on firm profitability, market structure, and social welfare, many of which were unintended when policy makers first formulated this act. Moreover, the tight coupling of compliance activities, information disclosure, and information technology (IT) investments can have implications for IT governance because of its potential to change relationships between technology investments and business. This chapter aims to provide some intuitive insights into the trade-offs involved for firms in disclosure of such information, and lays the ground for some research questions that would be of interest to academics, industry executives, and policy makers, alike.


Author(s):  
Victoria Ungureanu

This chapter reviews the main types of access control mechanisms that can be used to govern subscription-based financial services. The overall performance of these mechanisms is analyzed with respect to several important features of subscription-based financial services. Namely, the chapter analyzes the impact of the following features: (1) the number of clients/subscriptions can be potentially large; (2) the number and types of subscriptions offered by a provider varies in time; (3) subscription terms may change; and (4) subscription terms may take into account mutable information. Furthermore, the chapter presents in detail one mechanism that achieves good performance.


Author(s):  
Alvin Y.C. Yeo

Authentication is a prime challenge for banks today as end users’ digital identities are being compromised through increasingly sophisticated means. This chapter provides a timely review of the authentication concept and key authentication technologies, namely password tokens, biometrics, smart cards, smart tokens, and out-of-band authentication. An integrative model is proposed, which frames three key considerations in choosing an authentication solution—cyber threat types, regulatory requirements, and business considerations. Each of the implications is considered in turn. Finally, to guide future deployments of authentication solutions, the chapter concludes with pragmatic suggestions by proposing a set of evaluation criteria for choosing authentication solutions and key legal considerations.


Author(s):  
Guoling Lao, Liping Wang

This chapter is about a new security risk management strategy for financial services institutions. The proper strategy presented here takes the systematic and cybernetics theory as the instruction, regards the risk analysis process, the management strategy implementation, and the monitor and audit as an organic security management system. Thus the strategy is an auto adapted open system to defeat various safety threats dynamically. By comparing management of electronic commerce (e-commerce) security risks with that of traditional financial risks, this chapter suggests accurate security risk measurement using quantitative analysis and further integration of the e-commerce security risk with traditional financial risks.

