Data Security: A Roadmap

Dodi Iverson, Executive Vice President

Richard Bellanca, Senior Vice President
Bank of America Corporation
Bank of America

• Over 38 million consumer & small business relationships
• Over 5,800 retail banking offices
• Over 16,700 ATMs
• Over 14.7 million active online users
• No. 1 overall Small Business Administration lender in the
• Bank of America Corporation stock (ticker: BAC) is listed on the New York Stock Exchange

                          Higher Standards
Insurance Services Group

• Line of business within Global Consumer & Small Business Banking
• Products Include:
  • Credit Protection Products
  • Loan Protection Products
  • Term Life Insurance
  • Accidental Death & Disability
  • Health Savings Accounts
  • Long Term Care Insurance
  • Homeowners and Auto Insurance
• Outsourcing solution for insurance and non-insurance
• Carrier and product independent
• Service 250+ financial institutions and 50+ insurance
• Core focus – administration
• End to end or modular solutions
• Retention and process optimization
• SAS 70 Type II

         Operational excellence driven by security, innovation and reliability
Terms & Overview

Data vs. Information: 068567839 vs. 068-56-7839

Confidential Data: Data can only be shared internally on a need-to-know basis. Examples include consumer information such as date of birth, marital status, social security number, health claims.

Proprietary Data: Information intended for internal distribution only. Examples include organizational charts, inter-office mail, unreleased pilot

Public Data: Information obtained from or intended for public disclosure. Examples include marketing brochures, press releases, annual

Encryption: Transmitted data is coded, making it unintelligible if intercepted by a 3rd party. Only the sender and the recipient have the “key” to unlock the code.
Security Breaches

• Laptop stolen, Grad Students’ info exposed
• ID verification service provider sends personal, financial info to con artists
Data Security Roadmap

(Roadmap diagram. Recoverable labels: “Awareness & …”, “… & Value”, “Execution”, “Security Design & Management”.)
Methods of the Trade

• System hacking
• Codes/scams
• Physical negligence
• Stolen equipment
• Disgruntled employees
Identity Theft Categories

• Personal Identifiable Theft:
  • Examples: social security number, online banking log-in/password
  • Theft is beyond a single account
  • Thief has ability to create additional accounts
  • Loss potential is greater
  • Criminal may wait in excess of 15 months before striking

• Account Theft:
  • Example: credit card is stolen
  • Theft is typically limited to a single account
  • Short-term window for thief
Root Causes for Identity Theft

• Prevalence of SSN as a unique identifier
• Information security not equal among organizations
• More information about individuals stored on central
• Personal security
• Expansion of electronic fraud
Key Customer Data

Customer data that can be used against you:
• Checking or credit card account numbers
• Social security number
• Driver’s license number
• ATM card
• Date of birth
• Home address
• Phone number
• Credit reports
• Passwords
Common Security Concerns

• Cyber threats rank higher than physical breaches
• 73% felt domestic suppliers posed less risk
• Buyers don’t believe security claims of suppliers and are conducting their own audits – 30% factor

• ISO 17799 – ISO 27001
• SAS 70 Type II

Source: Booz Allen Hamilton study, June 2006
Data Security – A Supplier Differentiator

Then: Better Service | Higher Quality | Improved Satisfaction | Freed Resources
Now:  Customer Centricity | Cost | Data Security | Retention
Assessing Data Security Risk
Failure Modes & Effects Analysis

# | Process Function (Step) | Potential Failure Modes (process defects) | Potential Failure Effects (Y's) | SEV | Potential Causes of Failure (X's) | OCC | Current Process Controls | DET | RPN | Recommended Actions | Responsible Person & Target Date
1 | Information Exchange with 3rd Party | Data tapes are lost | Lost Customer Data | 5 | Physical media used to transfer data | 2 | Verify if tapes arrive at 3rd party | 2 | 20 | No longer utilize physical media | Data Steward
2 | 3rd Party to 3rd Party Information Exchange | Data is breached by hackers | Lost Customer Data | 5 | Security infrastructure not as advanced | 3 | CIS Audit | 3 | 45 | Additional security | 3rd Party

RPN (Risk Priority Number) = SEV × OCC × DET, each rated on the 1–5 scale below.

Rating Scale for FMEA

Rating | Severity of Effect | Likelihood of Occurrence | Ability to Detect
5 | Almost certain loss of customers | Very High: failure is almost inevitable | Little to no chance of detection
4 | High probability of customer dissatisfaction and lost business | High: repeated failures | Very low chance of detection
3 | Noticeable to customers, resulting in potential for lost business | Occasional failures | Moderate chance of detection
2 | Minor defect noted by some customers; minor defect noticed by discriminating customers | Low: relatively few failures | High chance of detection
1 | No effect | Remote: failure is unlikely | Almost certain detection
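To show how the FMEA table turns its ratings into priorities, here is an added example (not Bank of America's own tooling) that scores the two failure modes from the slide on its 1–5 scale, computes the Risk Priority Number, ranks them, and re-scores a mode after its recommended action; the post-mitigation occurrence rating is an assumption used for illustration.

```python
"""FMEA scoring for the two data-exchange failure modes on the slide.
RPN = Severity x Occurrence x Detection, each rated 1..5 on the slide's scale."""
from dataclasses import dataclass, replace

SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class FailureMode:
    step: str
    mode: str
    effect: str
    severity: int    # SEV: 5 = almost certain loss of customers ... 1 = no effect
    occurrence: int  # OCC: 5 = failure almost inevitable ... 1 = remote
    detection: int   # DET: 5 = little/no chance of detection ... 1 = almost certain
    control: str
    action: str

    def __post_init__(self):
        # Reject ratings outside the slide's 1..5 scale instead of silently scoring them.
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} outside rating scale {SCALE_MIN}..{SCALE_MAX}")

    @property
    def rpn(self) -> int:
        """Risk Priority Number: the product of the three ratings."""
        return self.severity * self.occurrence * self.detection


# The two rows of the slide's FMEA table.
FMEA_ROWS = [
    FailureMode("Information Exchange with 3rd Party", "Data tapes are lost",
                "Lost customer data", 5, 2, 2,
                "Verify if tapes arrive at 3rd party", "No longer utilize physical media"),
    FailureMode("3rd Party to 3rd Party Information Exchange", "Data is breached by hackers",
                "Lost customer data", 5, 3, 3,
                "CIS Audit", "Additional security"),
]


def rank_by_rpn(rows):
    """Highest RPN first: the order in which recommended actions should be funded."""
    return sorted(rows, key=lambda r: r.rpn, reverse=True)


def rescore(row, **new_ratings):
    """Re-rate a failure mode after a mitigation; the new ratings are the caller's assumption."""
    return replace(row, **new_ratings)


if __name__ == "__main__":
    for r in rank_by_rpn(FMEA_ROWS):
        print(f"RPN {r.rpn:3d}  {r.step}: {r.mode} -> {r.action}")
    # Assumed re-rating: with no tapes in use the 'lost tape' mode becomes remote (OCC 1);
    # severity stays 5 because the effect, were it to occur, is unchanged.
    after = rescore(FMEA_ROWS[0], occurrence=1)
    print(f"After '{after.action}': RPN {FMEA_ROWS[0].rpn} -> {after.rpn}")
```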
Expense vs. Security Achieved

(Chart; axes labelled “Expense” and “Security Achieved”.)
Dollar Amount Losses by Type

(Bar chart; dollar axis with gridlines at $25,000,000 and $30,000,000; legend: Theft of proprietary info, Laptop theft, System penetration; x-axis label “1st Qtr”.)

Source: CSI/FBI 2005 Computer Crime and Security Survey; Computer Security Institute
Security Technologies Used

(Bar chart, 0% to 100%. Technologies listed: Intrusion Prevention Systems, Public Key Infrastructure, Smart cards/one-time passwords, Encrypted files (46%), Reusable account/login passwords (52%), Encryption for data in transit (68%), Server-based access control lists (70%), Intrusion Detection Systems, Anti-virus software. Percentages given only where they survived extraction alongside their label.)

Source: CSI/FBI 2005 Computer Crime and Security Survey; Computer Security Institute
Data Steward

Data Stewards ensure that a critical asset, customer and account data, is received, verified and delivered to all appropriate information users in an accessible, consistent and timely manner.
Data Exchange Process Map

1.0 Initial Meeting between Vendor & BAC
  Participants: 3rd Party Vendor (Bus); 3rd Party Vendor (Tech); BAC – Product Manager; BAC – Information Mgr
  Purpose: Introductory meeting; high level overview of the data exchange process

2.0 Determine Data Exchange Logistics
  Participants: 3rd Party Vendor (Bus); 3rd Party Vendor (Tech); BAC – Information Mgr
  Purpose: # of files; file layouts; frequency; contacts; exchange protocols; quality; SLA

3.0 ISG enters file information in Data Exchange Repository System
  Participants: BAC – Information Mgr
  Purpose: Register data exchange in the central repository

4.0 Representative from BAC Data Transmission Services (DTS) contacts the
  Participants: BAC – DTS; 3rd Party Vendor (Tech)
  Purpose: BAC – DTS provides email with instructions for data exchange process

5.0 Information Exchange between Vendor and BAC-DTS
  Participants: BAC – DTS; 3rd Party Vendor (Tech)
  Purpose: Exchange IP addresses; exchange passwords; notification procedures; automate scripts, if necessary

6.0 Metadata Discussions
  Participants: BAC – Information Manager; 3rd Party Vendor (Bus); 3rd Party Vendor (Tech)
  Purpose: Review field definitions; determine valid values that vendor will provide; answer additional questions

7.0 Test File Submitted
  Participants: BAC – Information Manager; BAC – DTS; 3rd Party Vendor (Tech)
  Purpose: Test end to end file submission, connectivity test

8.0 Production Files Commence
  Participants: BAC – Information Manager; BAC – DTS; 3rd Party Vendor (Tech); 3rd Party Vendor (Bus)
  Purpose: File receipt and load; continual feedback on new valid values or data anomalies
Data Management Environment
Mitigating Theft

Technical Infrastructure
• Multi-tier architecture
• Multi-factor authentication
• Continuous server monitoring
• Access controls

Technical Tools
• Encryption
• Anti-virus/spyware
• Electronic Transmissions (Secure Sockets Layer (SSL), FTP/PGP, NDM)

Business Processes
• Employee training
• Policy enforcement
• No confidential data on hard drive
• Cross shredding
• Access controls
Infrastructure Categories

Production
• Contact routines/calendar
• Roles & responsibilities
• Change control
• Adding new sources

Quality
• Quality assurance practices
• Metadata management
• Defect resolution process

Governance
• The Data Council
• Downstream SLA
• Source data provider SLA
• User access/standards

Communications
• Communication plan
• Data Steward Program
• Corporate partnerships
Password Best Practices

DO
• Use a password with mixed-case letters
• Use a password that contains alphanumeric characters and
• Use a password that can be typed quickly
• Change passwords regularly
• Example: Seee@SHorr

DO NOT
• Use your name in any form
• Use a word contained in dictionaries, or standard word lists
• Use other information easily obtained about you
• Write a password down or store it online
• Reveal a password to anyone
• Use shared accounts
Information Exchange

• All data exchanges must be submitted via encrypted electronic transmission. Never submit customer or account data via tape, CD, disks, etc.
• Any email communication that contains confidential information must be encrypted.
• Data exchanges between vendors that contain BAC customer data must adhere to the same standards as exchanging with BAC.
• Never store customer or other sensitive banking data on computer/laptop hard
Governance Elements

Major Deliverables:
• Service Level Agreements – Source Providers
• Service Level Agreements – Information Users
• User access request forms
• Encryption Standards
• Data Transmission Standards
• Information Quality C.O.E.
• CIS Assessments/Audits
• Information Sharing Request
• The Data Council

ASKISG User Access Form (fields shown on the slide):
NBK #:
Work Phone:
eMail Address:
Business Division:
Access Level Request:* General / Super Power / Desktop Designer
Business Justification:
Digital Signature:   Date
* See Roles tab for detail matrix on access levels
Resources for the Roadmap

• ISO 17799
• SANS Institute
• ISSA (Information Systems Security Association)
• Collaboration
• Task force commitment

“Security is not a product, but a process.”
    - Bruce Schneier

“When you know that you’re capable of dealing with whatever comes, you have the only security the world has to offer.”
    - Harry Browne
