FFIEC - Federal Financial Institutions Examination Council
FFIEC Safeguard Standards
Implements the Safeguard provisions of Section 501 of the GLBA. Requires
banks to protect against anticipated threats or hazards to the security or
integrity of customer information, and against unauthorized access to or use
of that information that could result in harm or inconvenience.
Requirements defined in the Information Security IT Examiners Handbook
include:
| Requirement | Description |
|---|---|
| Risk Assessments | Process to identify threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes |
| Security Strategy and Policy | Plan to mitigate risk that integrates technology, policies, procedures and training |
| Security Controls | Security controls must address the following areas: Access Control; Encryption; Logging and Data Collection; Malicious Code; Intrusion Detection; Intrusion Response |
| Security Testing | Use of various methodologies to verify that controls are effective and performing as intended |
| Security Monitoring | Continuously gathering and analyzing information regarding new threats and vulnerabilities and actual attacks on the institution |
FFIEC E-Banking
Makes the Board and Senior Management responsible for developing the
institution's e-banking business strategy, including: cost-benefit
analysis, risk assessment, the due diligence process, third-party
oversight, and the Information Security Program.
Information Security Program must address the following:
- Ensure compliance with section 501(b) of the GLBA
- Information Security Controls
- Authenticating Customers
- Administrative Controls
- Legal and Compliance
Regulations defined in the E-Banking IT Examiners Handbook (August
2003) include:
- Information Security Controls
  - Ongoing knowledge of attack sources, scenarios, and techniques
  - Rapid response capability to react to newly discovered vulnerabilities
  - Network access controls over external connections
  - System hardening
  - Controls to prevent malicious code
  - Physical security of computing devices
  - User enrollment, change, and termination procedures
  - Authorized use policy
  - Security Training Program
  - Independent testing
- Internal Controls
  - Segregation of duties
  - Dual controls on sensitive transactions
  - Daily reconcilements
  - Suspicious activity monitoring
  - Checking for similar website names
  - Error checks
  - Alternate channel confirmations on sensitive transactions
- Business Continuity Controls
  - Redundancy in critical network components
  - Periodic testing of business resumption capabilities
Breach Disclosure for Financial Institutions
Requires public notification and reporting of cyber security breaches that
may have compromised confidential information. The Interagency Guidance on
Notification for Unauthorized Access to Customer Information applies to the
FDIC, OCC, OTS, FRB and NCUA. It goes into effect in early 2004 and is based
on the CA Disclosure Law.
FDIC - Federal Deposit Insurance Corporation
Institutional Letters Relating to Information Security
- FIL-84-2004 - Guidance on Instant Messaging
- FIL-30-2003 - Guidance on Weblinking
- FIL-08-2002 - Wireless Networks And Customer Access
- FIL-69-2001 - Authentication In An Electronic Banking Environment
- FIL-68-2001 - GLBA 501(b) Examination Guidance
- FIL-50-2001 - Bank Technology Bulletin on Outsourcing
- FIL-46-2001 - Privacy Of Consumer Financial Information
- FIL-22-2001 - Security Standards for Customer Information
- FIL-67-2000 - Security Monitoring of Computer Networks
- FIL-68-99 - Risk Assessment Tools And Practices For Information System Security
FIL-84-2004 - Guidance on Instant Messaging
The FDIC is providing guidance to financial institutions on
the risks associated with publicly available instant messaging and
network file-sharing. This guidance includes background information on
the risks and how they can be mitigated through an effective management
program.
The Federal Deposit Insurance Corporation (FDIC) has prepared the
attached guidance to assist financial institutions in protecting
themselves against the vulnerabilities of instant messaging (IM) and
establishing policies and procedures concerning its usage.
Institutions should assess the risks and the business needs for IM and
establish policies to allow, restrict or deny IM usage based on these
risk assessments and business needs.
Customer information security guidelines require that periodic risk
assessments and status reports be submitted to the board of directors.
These periodic assessments and reports should include the institution’s
position on IM. Any control weaknesses should be identified and
addressed during the normal course of business.
See Guidance: http://www.fdic.gov/news/news/financial/2004/fil8404a.html
FIL-30-2003 - Guidance on Weblinking
The federal bank and credit union regulatory agencies jointly issued
guidance on the risks associated with weblinking. It provides guidance for
controlling the risk to the institution's reputation and the risk of
misleading consumers about who is providing the linked information.
See Attachment: Weblinking: Identifying Risks And Risk Management Techniques
FIL-08-2002 - Wireless Networks And Customer Access
Many of the risks that financial institutions face when implementing
wireless technology are risks that exist in any networked environment
(see FIL-67-2000, "Security Monitoring of Computer Networks," dated
October 3, 2000, and the 1996 FFIEC Information Systems Examination
Handbook, Volume 1, Chapter 15). However, wireless technology carries
additional risks that financial institutions should consider when
designing, implementing and operating a wireless network.
Security should not be compromised when offering wireless financial
services to customers or deploying wireless internal networks. Steps
that can be taken immediately in wireless implementation include:
- Establishing a minimum set of security requirements for wireless
networks and applications;
- Adopting proven security policies and procedures to address the
security weaknesses of the wireless environment;
- Adopting strong encryption methods that encompass end-to-end
encryption of information as it passes throughout the wireless network;
- Adopting authentication protocols for customers using wireless
applications that are separate and distinct from those provided by the
wireless network operator;
- Ensuring that the wireless software includes appropriate audit
capabilities (for such things as recording dropped transactions);
- Providing appropriate training to IT personnel on network,
application and security controls so that they understand and can
respond to potential risks; and
- Performing independent security testing of wireless network and
application implementations.
See Attachment: http://www.fdic.gov/news/news/financial/2002/fil0208a.html
FIL-69-2001 - Authentication In An Electronic Banking Environment
This guidance focuses on the risk-management controls necessary to
authenticate the identity of customers accessing electronic financial
services. It also addresses the verification of new customers and the
authentication of existing customers. The guidance applies to both
retail and commercial customers.
The Federal Deposit Insurance Corporation (FDIC) believes that an
effective authentication program should be implemented on an
enterprise-wide basis and that the level of authentication used by a
financial institution in a particular application should be appropriate
to the level of risk in that application.
In this guidance, the FDIC does not endorse any particular technology
or method of authentication.
See Attachment: http://www.fdic.gov/news/news/financial/2001/fil0169a.html
FIL-68-2001 - GLBA 501(b) Examination Guidance
Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) required the
Federal Deposit Insurance Corporation (FDIC), the Board of Governors of
the Federal Reserve System, the Office of the Comptroller of the
Currency, and the Office of Thrift Supervision to establish financial
institution standards for protecting the security and confidentiality of
financial institution customers' non-public personal information. The
effective date of the Section 501(b) provisions was July 1, 2001. (Refer
to FIL-22-2001, dated March 14, 2001, for the interagency guidelines
establishing standards for safeguarding customer information.)
The standards' objectives are to:
- ensure the security and confidentiality of customer information;
- protect against any anticipated threats or hazards to the security
or integrity of such information; and
- protect against unauthorized access to or use of customer
information that could result in substantial harm or inconvenience to
any customer.
The attached examination procedures have been developed to assist
examiners in evaluating an institution's compliance with the customer
safeguards and to ensure that the established standards are applied
consistently.
See Attachment: Examination Procedures to Evaluate Compliance with the
Guidelines to Safeguard Customer Information
FIL-50-2001 - Bank Technology Bulletin on Outsourcing
Introduces three short documents containing practical ideas for banks
to consider when they engage in technology outsourcing. They are for
informational purposes only and should not be considered examination
procedures or official guidance.
Because community banks may face particular challenges in engaging and
supervising their technology providers, the FDIC has talked with
bankers and other experts to identify areas where assistance might be
useful. Three informational documents were produced as a result of those
discussions:
- Effective Practices for Selecting a Service Provider
- Tools to Manage Technology Providers' Performance Risk: Service Level Agreements
- Techniques for Managing Multiple Service Providers
See Attachment: Bank Technology Bulletin
FIL-46-2001 - Privacy Of Consumer Financial Information
The FDIC has developed and approved the attached examination
procedures to review supervised financial institutions for compliance
with the agencies' regulation on "Privacy of Consumer Financial
Information."
The examination procedures are tailored to institutions'
information-sharing practices. For example, institutions that do not
share nonpublic personal information outside of the exceptions in §§
332.14 or 332.15 will not require a review of the regulation's "opt out"
requirements. Institutions that do not receive information from other
financial institutions outside of the exceptions in §§ 332.14 or 332.15
will undergo a less extensive review under the "reuse or redisclosure"
provisions than those institutions that do receive information outside
of those exceptions.
See Attachment: Privacy of Consumer Financial Information (pdf)
FIL-22-2001 - Security Standards for Customer Information
The FDIC has approved and issued the attached guidelines establishing
standards for safeguarding customer information as required by the
Gramm-Leach-Bliley Act (GLBA).
GLBA requires the banking agencies to establish appropriate standards
for financial institutions relating to the administrative, technical and
physical safeguards of customer records and information. The standards'
objectives are to:
- ensure the security and confidentiality of customer information;
- protect against any anticipated threats or hazards to the security
or integrity of such information; and
- protect against unauthorized access to or use of customer
information that could result in substantial harm or inconvenience to
any customer.
See Attachment: Federal Register, pages 8616-8641
FIL-67-2000 - Security Monitoring of Computer Networks
Guidelines stating that appropriate personnel must activate security logs
and review them frequently. Whether Internet or core banking functions are
run in-house or are outsourced, management is responsible for ensuring that
financial institution and customer data are protected.
Additional guidance covers tracking and managing vulnerability and threat
information.
Several Internet sites provide notification of systems and application
vulnerabilities focused on the most common network operating systems
used by most financial institutions. Crackers/hackers routinely monitor
the Web sites to learn of new weaknesses that have been found. Financial
institutions that do not subscribe to such [vulnerability intelligence]
services and do not keep operating system patches current are very
vulnerable to attacks. The FDIC recommends that financial institutions
use these services to augment system security.
FIL-68-99 - Risk Assessment Tools And Practices For Information System Security
Bank management is responsible for ensuring that systems and data are
protected against risks associated with emerging technology and computer
networks. The attached paper emphasizes three primary components of a
sound information security program: prevention, detection, and response.
The extent of an institution's information security program will depend
on the nature of its activities and should be based on a comprehensive
risk assessment.
See Attachment: Risk Assessment Tools and Practices for Information System Security
NCUA - National Credit Union Administration
NCUA Letter 01-CU-11 - Electronic Data Security Overview
Ensure the security and confidentiality of member records,
protect against anticipated threats or hazards to the security or
integrity of such records, and protect against unauthorized access to or
use of such records that could result in substantial harm or serious
inconvenience to a member.
In response to GLBA compliance requirements, NCUA released Guidelines for
Safeguarding Member Information. The guide specifies detailed requirements
that should be addressed when developing policies and procedures:
- Identify the services provided and systems (hardware and software)
used.
- Identify the risks and threats associated with each system and
service.
- Determine the likelihood the risk/threat could occur.
- Identify and evaluate methodologies to mitigate the risks/threats.
- Develop the policies and procedures to address the risks/threats.
- Monitor and adjust, if necessary, the policies and procedures to
achieve the desired results.
- Review policies and procedures at least annually.
- Train and educate staff.