chapter 8 Cyber management and misc

The document outlines the concepts of business processes and risk management, emphasizing the importance of organized activities in delivering services or products while identifying potential vulnerabilities and risks, particularly in cash handling. It discusses various types of risks, including operational and cyber threats, and highlights the significance of compliance with security standards such as PCI DSS and SWIFT. Additionally, it covers the need for robust security measures, monitoring, and incident response in financial transactions and data management.

Uploaded by shubham gupta
Processes Universe

A business or operational process is an organized set of activities or tasks that produces a specific service or product. It is different from a policy or a procedure.

Risks Universe

A risk is a probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action.

Risk types: Operational, P[...]ical, Financial, Technical, Legal, Market, etc.

Risks associated with processes. Illustration - Cash Collection

- Misappropriation of funds through fraud or theft can occur in any area that handles cash.
- Transportation, utilities and public places are susceptible to fraud through insufficient financial controls.
- Crimes can be perpetrated by employees, vendors or even former employees.
- Reasons fraud can occur within your organization are many, including:
  - Greed
  - Poor accounting controls within your organization
  - Organizational complacency
  - A lack of defined accountability over the cash handling process
- Risk and Process can have a MANY-to-MANY relationship.

Account-Oriented Approach vs. Process-Oriented Approach

Account-oriented approach:
- Balance sheet: Fixed assets, Real estate (*), Inventory, Receivables, Financial instruments (*), Cash (*), Payables
- Income statement: Sales revenue (*), Raw material consumed (*), Personnel expenses
- Segment reporting (*)
- Internal activity allocation (*)
- Consolidated financial statement (*)

Process-oriented approach:
- From purchase to pay (*): Vendors, Purchasing, Incoming invoices, Payables, Outgoing payments
- From order to cash (*): Customers, Revenues, Receivables, Incoming payments
Processes vulnerable to cyber threats

- ERP today operate in a more open environment
- ERP work on heterogeneous platforms
- Customized codes are introduced
- Application of patches is not streamlined
- SOD (segregation of duties) enforcement is a critical issue
- Risks differ from organization to organization

Threats:
- Identity Theft
- Bypassing System Controls
- Collusion
- Transaction Manipulation
- Removing Trails

Identity theft

- Deliberate use of someone else's identity
- A method to gain a financial advantage or obtain credit and other benefits in the other person's name
- To the other person's disadvantage or loss
- Someone uses another's personally identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes.
- Child identity, medical identity and senior citizen identity are vulnerable.
- Means: shoulder surfing, searching through trash, spamming

Computer audit trails

- User login audit trails
- Transaction audit trails
- O/S, D/B audit trails
- CCTV audit trails
- Device audit trails
- Network access audit trails

Compliance

Compliance is a state of being in accordance with established guidelines or specifications, or abiding by both industry regulations and government legislation. The doer adheres to rules, regulations, practices, guidelines, law, contract and prescribed rules.

How compliance helps

- Discipline
- Better job coordination and efficiency
- Reduction in errors
- Containment of risks
- Less penalties
- Better service delivery
- Customer trust

PCI DSS

The cardholder data environment (CDE) is comprised of the people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. "System components" include network devices, servers, computing devices, and applications.
System components also include:
- Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of the CDE
- Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors
- Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances
- Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS)
- Applications, purchased and custom, including internal and external (for example, Internet) applications

Payment - General Architecture

[Figure: Payment - General Architecture. Retail Store (POS Machine, POS App, App Memory, Payment Client App) -> Payment Processor -> Data Center (Payment Process, Data Storage).]

Payment instruments: Aadhaar, retina (biometric), UPI, RFID (prepaid cards), credit/debit card, mobile-based payment, PSS, M-wallet.

Authorization Flow - Debit/Credit Card

[Figure: Authorization flow. Participants: Cardholder, Merchant's payment hardware, Merchant's payment software, Gateway, Processor, Acquirer, card brand's network, Issuer. Steps shown: swipes the card; accepts and transmits card data; transmits request; routes request; processes request; checks the credit of funds; transmits payment.]

Rupay, VISA, MASTERCARD and all banks: the interface handshake should happen with all banks in the list, so the pilot needs to go bank by bank. Use 3DES or a higher algorithm for encryption.

Settlement Flow

[Figure: Settlement flow. Steps shown: creates, sends and reconciles the batch; processes the batch and reports; transmits the batch; transmits the transaction for settlement; credits the merchant's account; posts to the cardholder's account and sends the statement; the cardholder receives the statement and pays the bill.]

Rupay, VISA, MASTERCARD: batches need to be created for every issuing bank, with batch controls for all transactions during the period (time stamp, transaction serial numbers, transaction status, amount). Dispute management is a further cycle.

PCI DSS requirements

Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

Cardholder Data: card number, cardholder name, expiry date.
Sensitive Authentication Data: magnetic track information, CVV numbers, PIN number (cannot be stored).

Illustration - Compensating controls

1. List the constraints precluding compliance with the original requirement.
2. Define the objective of the original control; identify the objective met by the compensating control.
3. Identify any additional risk posed by the lack of the original control.
4. Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
5. Define how the compensating controls were validated and tested.
6. Maintenance: define the process and controls in place to maintain the compensating controls.

SWIFT Compliance

The CSCF (Customer Security Control Framework) provides 16 mandatory security controls and 11 advisory security controls, which are recommended best practices. Users are required to self-assess their SWIFT local environments against the CSCF annually. Failure to submit a self-attestation is visible to all counterparties and supervisory bodies.

Secure your environment
1. Restrict internet access
2. Protect critical systems from the general IT environment
3. Reduce attack surfaces and vulnerabilities
4. Physically secure the environment

Know and limit access
5. Prevent compromise of credentials
6. Manage identities and segregate privileges

Detect and respond
7. Detect anomalous system activity or transaction records
8. Plan for incident response and information sharing

There are 16 mandatory controls and 11 optional controls. Controls are to be implemented on an end-to-end basis. Standard frameworks and clauses are to be mapped.

Topics: Internet Banking, ATM Switch security, NEFT / RTGS payments, M-wallets, UPI, BHIM, M-commerce.

RBI Cyber Security Guidelines

RBI - Traditional IT security challenges
- Proliferation of attack vectors and enhanced attack surface
- Proliferation of digital and shifting customer preference
- Sophistication of threat actors and enhanced targeting of banks
- Banking increasingly operating as a "boundary-less" ecosystem

RBI - Directives
- Need for effective cyber security monitoring and detection capabilities
- Focus on building resilient systems that traverse a large volume of system events and deduce intelligence.
- Resilient banking ecosystem:
  - To detect threats in advance
  - To recover from an incident should one materialize
  - To learn from threat intelligence to prevent similar incidents

Banks will have to refocus:
- From analysing security logs passively to analysing logs in real time or near real time.
- From basic security operations capabilities to setting up advanced next-generation security operations centres, with analytics enabled by device and user behaviour based machine learning defence, to ensure that lateral movement of malicious code is prevented on a real-time basis using integrated honeypots.
- From static rule-based systems to dynamic and adaptive security systems.

A cyber crisis management plan must address the entire life cycle of incident detection, response, containment and recovery.

Programs
- Card management program
- PIN management program
- Cash management program
- Reconciliation management program
- Switch security program
- Mobile program

Mobile security
- Isolate data and code execution across apps
- An application framework with common security such as cryptography and permissions
- Technologies for common memory management errors
- Encrypted file system to protect data on lost/stolen devices
- User-granted permissions to restrict access to system features and user data
- Application-defined permissions to control application data on a per-app basis

RTGS transaction types
- Inter-institutional / inter-bank transaction: funds transfer purely between two RTGS members / participants.
- Customer transaction: funds transfer / receipt on behalf of the customer of an RTGS participant member.
- Government transaction: funds transfer / receipt on behalf of Government Accounts by a participating member.
- Multilateral Net Settlement Batch (MNSB): the file containing the net settlement position of clearing participants of an ancillary payment system managed by a clearing house.
Options for accessing the RTGS system
- The member has to own, install and maintain the dedicated hardware and software connecting to the Central System through the network approved by the Bank.
- The interface application needs to be developed by the members as per the specification provided by the Bank.
- An alternative mode of access is purely browser based. Members can originate and receive payment transactions through INFINET / any other network approved by the Bank.

Messaging Standard
- Transaction Flow: the interactions between the Member Interface and the Central System are through a pre-defined message format (ISO 20022) only. Every message will be digitally signed and encrypted to ensure security.
- Unique Transaction Reference (UTR) / Transaction Identification Number: each message has to be assigned a unique number, provided in the field Transaction Identification. The UTR number is 22 characters in length and can be used for further reference.
- Message Standard: the RTGS system will handle messages based on the ISO 20022 standard. All mandatory fields are validated in accordance with the ISO 20022 message standards and the coding requirements set by the Bank.

Transaction processing
- Transaction Type Code (TTC): the RTGS system uses a Transaction Type Code (TTC) to identify the type of individual payment message that is allowed for the transaction. The TTC values are in the range "0000" to "9999".
- Priority: members may assign a priority while processing a payment transaction at the Member Interface before releasing the transaction to the Central System. The available range of priority is from "01" to "99". The lower the assigned number, the higher the priority. Priorities "01" to "10" are reserved for the RBI; participants can use priorities "11" to "99".
- Queuing: payment messages received in the RTGS will be maintained in a logical payment queue, pending settlement. The queue will be ordered by the priority numbers of the transactions and, within a priority number, by the time of receipt in the RTGS system.

EDI risks and controls

Transaction authorization risks:
- Legal liability where the responsibilities of trading partners are not clearly defined
- Corruption of the EDI application

Additional security types of risk include:
- Unauthorized access
- Deletion or manipulation of transactions
- Loss or duplication
- Loss of confidentiality and improper distribution

Controls:
- Standards should be set to indicate that the message format and content are valid
- Controls should be in place to ensure that standard transmissions are properly converted
- The receiving organization must have controls in place to test the reasonableness of messages received
- Controls should be established to guard against manipulation of data
- Procedures should be established to determine that messages are only from authorized parties and transmissions are properly authorized
- Direct and dedicated transmission channels among parties should exist
- Data should be encrypted
- Electronic signatures
- Message authentication codes
- Use of appropriate encryption techniques
- Perform edit checks
- Perform additional computerized checking
- Log each inbound transaction on receipt
- Use of control totals on receipt of transactions
- Segment count totals
- Control techniques in the processing of individual transactions
- Ensure the exchange of control totals of transactions sent and received
- Maintain a record and validation of the number of messages received / sent
- Arrange for security over temporary files and data transfer
- Control the set-up and change of trading partner details
- Compare transactions
- Match trading partner number
- Limit the authority
- Segregate initiation and transmission responsibility
- Document management sign-off
- Log all payment transactions
- Segregate duties
- Segregate access
- Report large (value) or unusual transactions
- Log outbound transactions
- Require paperless authorization

Applicable Framework/Laws/Clauses

IT enabled under the Companies Act 2013
- Electronic filing of company records
- Electronic voting
- AGM and other proceedings
- Investigations / scrutiny of electronic records

IT Act 2000
- S4/S5 - Legal recognition of electronic records / digital signatures
- S43/S44 - Penalties for damage to computer system / failure to furnish information
- Rule 72 - Breach of confidentiality & privacy
- Rule 76 - Confiscation

Data Protection Laws - German

Preventing unauthorized access to systems, databases, storage media
- Input controls - operational controls through job sheet
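Returning to the RTGS messaging and queuing rules stated above (TTC range, priority bands, 22-character unique UTR, queue ordered by priority and then time of receipt), the following added example, which is not taken from the slides or from any RTGS implementation, applies those checks to incoming messages and drains the settlement queue in the prescribed order. The dictionary field names, the `sender_is_rbi` flag and the sample messages are constructed for illustration; receipt order stands in for the receipt timestamp.

```python
# Added example (not from the slides): validate RTGS payment messages against the
# rules in the text (TTC "0000".."9999"; priority "01".."99", lower = higher,
# "01".."10" reserved for the RBI; UTR 22 characters and unique) and settle them
# by priority, then time of receipt. Field names and messages are constructed.
import heapq
import itertools


def validate_message(msg: dict, sender_is_rbi: bool = False) -> list:
    """Return the list of rule violations; an empty list means the message passes."""
    errors = []
    if len(str(msg.get("utr", ""))) != 22:
        errors.append("UTR must be exactly 22 characters")
    ttc = str(msg.get("ttc", ""))
    if not (len(ttc) == 4 and ttc.isdigit()):
        errors.append("TTC must be four digits, 0000-9999")
    prio = str(msg.get("priority", ""))
    if not (len(prio) == 2 and prio.isdigit() and int(prio) >= 1):
        errors.append("priority must be '01'..'99'")
    elif 1 <= int(prio) <= 10 and not sender_is_rbi:
        errors.append("priorities 01-10 are reserved for the RBI")
    amount = msg.get("amount")
    if not isinstance(amount, (int, float)) or amount <= 0:
        errors.append("amount must be a positive number")
    return errors


class SettlementQueue:
    """Logical payment queue: lowest priority number first, then earliest receipt."""

    def __init__(self):
        self._heap = []
        self._receipt = itertools.count()  # receipt order stands in for a timestamp
        self._seen_utrs = set()

    def receive(self, msg: dict, sender_is_rbi: bool = False) -> list:
        """Validate and enqueue one message; returns violations (empty if accepted)."""
        errors = validate_message(msg, sender_is_rbi)
        if not errors and msg["utr"] in self._seen_utrs:
            errors.append("duplicate UTR")  # a replayed or duplicated message is rejected
        if errors:
            return errors
        self._seen_utrs.add(msg["utr"])
        heapq.heappush(self._heap, (int(msg["priority"]), next(self._receipt), msg))
        return []

    def settlement_order(self) -> list:
        """Drain the queue; returns UTRs in the order the transactions would settle."""
        return [heapq.heappop(self._heap)[2]["utr"] for _ in range(len(self._heap))]
```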
