technology controls 2015 - university of north texascpm.hps.unt.edu/sites/default/files/technology...

2/8/2016

1

Technology Internal Controlsfor

Treasury Professionals

Patrick ShinkleUniversity of North TexasCenter for Public Managementhttp://pacs.unt.edu/cpm/

Objectives

• Discuss the impact of technology as it relates to internal controls.

• Discuss and Identify:• Insider Threats

• The management of internal security controls

• COSO and COBIT

• Mobile security controls

• Check fraud prevention procedures

• Depository internal controls

• PCI compliance steps

2/8/2016

2

The CIA Triad

SecurityOrb.com

Confidentiality of information, refers to protecting the information from disclosure to unauthorized parties.

Integrity of information refers to protecting information from being modified by unauthorized parties.

Availability of information refers to ensuring that authorized parties are able to access the information when needed.

10 Tips for Fighting the Insider Threat

• Repeat Offenders and Offenses • Most organizations get hit more than once because they failed to address prior weaknesses.

• Focus on the Crown Jewels• You can't protect everything, so identify what information is most important.

• Use Existing Technology • Don't rush out to buy new systems; Use existing technologies better.

• Mitigate Threats from Business Partners• Anyone with access to your systems poses a security risk.

• Recognize Concerning Behavior or Patterns• Incidents don't always happen in isolation.

www.banksecurity.com

2/8/2016

3

10 Tips for Fighting the Insider Threat

• Recruited Employees• Many internal threats are by planted or recruited employees.

• Watch Behavior During Resignation or Termination• What information is not secured?

• Be Mindful of Employee Privacy Concerns• Monitor, but don’t violate privacy policies and laws.

• Cross‐Department Involvement• Make the fight against internal fraud an organizational initiative.

• Get Buy‐In from the Top• Executives have to understand the threats.

www.banksecurity.com

Management of Security

• Policies, Standards, Guidelines & Procedures

• Data & Information Classification

• Operational Activities & Separation of Duties

• Protection Selection

• Security Awareness

• Risk Assessment

• Due Diligence

https://www.asisonline.org/Publications/Pages/Sec‐Man.aspx

2/8/2016

4


• Policies Standards, Guidelines & Procedures• Management Development “Tone at the Top”

• Understand compliance, laws, regulations and liability

• Provide support, resources, and funds

• Development of “Security Policies” (Strategic)• Regulatory, Advisory, and Informative

• Standards, Guidelines and Procedures (Tactical)

• Define what is protected and what needs protection

• Employee expectations, training and enforcement

• Noncompliance remediation



• Data & Information Classification• Confidential

• Health care information

• Programming code

• Private• Human resource

• Work history

• Sensitive• Employee listings

• Public• Upcoming projects and initiatives


2/8/2016

5


• Operational Activities & Separation of Duties• Clear organizational chart and reporting structure

• Noncompliance, “scope creep”, and errant procedures mitigated

• Separation of duties & Job rotation• Instructions, procedures, and checklist are documented and verified

• Cross‐training implementation

• Fraud detection

• Work load allocation

• Efficiencies and competencies identified

• Mandatory vacations required

• Performance measurements identified



• Protection Selection• Costs

• Design, implementation, repair, replace, update, and support

• Implementation

• Modifications

• Compatibility

• Maintenance

• Auditing & Testing

• Support Requirements

• Effects on Productivity

• Visible & Invisible


2/8/2016

6


• Security Awareness: (Failures):• Failure to engage top management• No Plan, defined goals or framework• Misalignment between the business and security

• Lack of commitment• Poorly defined policies and objectives• Lack of materials and technical support

• Limited visibility into metrics and measures to indicate success

• Lack of engagement on the end‐user level

• Security Awareness (Successes):• Security can’t be guaranteed• In many cases, it is the law and entities have a legal obligation to comply

• Remember what you are protecting• You will build trust and loyalty from employees and taxpayers

• Build cohesiveness and strong practices at the entity

• End‐user experience and expertise increases.

• It’s not a question of if, but when…



• Risk Assessment• Describe the entity’s functions

• Identify the assets

• Determine the configuration and performance constraints

• Assess the security requirements

• Identify practices, procedures and potential products to mitigate risk

• Implement the counter measures

• Evaluate and assess counter measure effectiveness

• Periodically re‐evaluate


2/8/2016

7


• Due Diligence• Ensure the outcomes are anticipated and expected

• Make certain cost, time, implementation and other factors don’t skew the performance evaluation

• Evaluation should include feedback from the risk assessment and end‐user evaluations

• Be willing to adapt and adjust policies, procedures and guidelines as needed to support the operations of the program.


COSO & COBIT at 10,000 ft.

• COSO• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.

http://www.coso.org/

2/8/2016

8

COSO & COBIT at 10,000 ft.

• COBIT• Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

http://www.isaca.org

Use of COSO and COBIT at 10,000 ft.

Automated Application ControlsLevel 1 ‐ COSO• Financial Reporting, Disbursements, Treasury Functions, Banking / Investment Platforms

• Data validation, inputs & outputs, reconciliations, reporting

General Application ControlsLevel 2 ‐ COBIT• System Development, Change Control, Data Recovery, Database Management, Programmer Security

General Computer ControlsLevel 3 ‐ COBIT• Change & Configuration Management, Network & Security Administration, Data Center Operations, Disaster Recovery, OS Administration

http://www.isaca.org

2/8/2016

9

The Big Basics of Security

• Backup/Verify the Data• Including external backup vendors

• Use Physical Security• Lock it up

• Dedicate specific computers for banking/investment services• Remove any unneeded software/hardware from the dedicated computer

• Update/patch programs, operating systems and malware protection

• Install Firewall Hardware and or Software

• Utilize services and features provided by your Depository• Reconciliation, Positive Pay, quality check stock, call back verifications, etc.

The Big Basics of Security

• Utilize “Controlled” Password Management• Renewals, complexity, commonality

• Implement Disaster Recovery (DR), BC, COOP, COG• Risk assessments• Documented procedures

• Train your employees• Use links versus direct typing the URL address• Connecting from home, remote

• Think beyond the Computer (USB, Appliances, Systems, Vendors)• Vendor Remote login• Default passwords

2/8/2016

10

Enterprise Security Concepts

Mobile Threats

• 10% of mobile apps leak logins or passwords

• 25% expose personally identifiable info (PII)

• 40% communicate with third parties

• Confirm “permissions” before installing Apps.

• Facebook, Angry Birds, Flashlight Apps, etc.

“Cybercrime: This Is War” Report by JPMorganChase 3/2013

http://blogs.wsj.com/wtk‐mobile/

2/8/2016

11

The “Cloud” Security Threat

• Secure Data Transfer• Transferred over the Internet

• Secure APIs or front ends

• Data Breaches• Lack of encryption

• Poor credential policy

• Data Loss• It’s still hardware and it will fail.

• Retention and space issues

• Account or Service Hijacking

http://www.infoworld.com/article/2613560/cloud‐security/9‐top‐threats‐to‐cloud‐computing‐security.html

VPN – Virtual Private Networks

• Secure “tunnel or portal ” connection over the internet

• IPsec• Traditional choice for VPN security on corporate networks. Network appliances (Cisco, Juniper) implement the VPN server functions in hardware. Corresponding VPN client software is then used to log on to the network.

• SSL• Relies on a Web browser instead of custom VPN clients for network access. By using the SSL network protocols built into standard Web browsers and Web servers, SSL VPNs are intended to be cheaper to set up and maintain than IPsec VPNs. In addition, network administrators have more options to control access to network resources.

2/8/2016

12

Check Fraud Issues

• Altered Payees• Positive Pay help mitigate

• Added Payee• Positive pay doesn’t help

• Poor check stock• Uncontrolled check stock• Photocopied checks• Chemical alteration

• Hand written checks• Check processing insurance. I.e. TeleCheck

http://www.ckfraud.org/ckfraud.html

Types of Check Fraud

• Forgery• An employee issues a check without proper authorization. Criminals steal a check, endorse it and present for payment.

• Counterfeiting• Fabricating a check or duplicating a check with advanced color photocopiers.

• Alteration• Remove or modify handwriting and information on the check. Removing all the information is called check washing.

• Paperhanging• Writing and/or ordering new checks on closed accounts.

• Check Kiting• Opening accounts at two or more institutions and using "the float time" of available funds to create fraudulent balances.

2/8/2016

13

High Security Check Features

• Thermocromatic Ink (Temperature sensitive)• Toner Fusion / Toner Anchorage (permanently bonds the ink/toner to the paper)

• Bleeding Seals / Ink & Dye (Black ink turns red and runs)• Microprinting (legible line with wording under magnification)• Overprinting / Ultra‐Violet or Fluorescent Fibers• Laid Lines or Anti‐splicing Lines (Deter cut‐and‐paste alterations)• Watermark / Dual‐tone Paper• Warning Bands• Chemical Reactive Ink• Void Pantograph• High Resolution Intricate Border

http://www.checksnforms.com/Articles.asp?ID=242

The Padlock Icon

• The Enhanced Security Features Padlock Icon is a small padlock symbol printed on the front and back of a check.

• The Padlock Icon is intended to provide an indication to all parties accepting checks that additional security features have been incorporated in the design of the check, the production process, or the materials being used.

• These additional features add complexity to the check document and make the check harder to change or reproduce.

• The addition of these features gives those parties accepting checks the opportunity to verify the authenticity of the check document being presented.

http://www.cpsa‐checks.org/i4a/pages/index.cfm?pageid=3281

2/8/2016

14

The Padlock Icon

• In order to use the icon, the Check Payment Systems Association requires designating the presence of a minimum of three (3) features that, either individually or collectively, defend against both alteration and counterfeiting.

• These can be (1) physical features, involving design or printing, or (2) paper features, or (3) a combination of both.

• Only overt security features that are visually detectable or are disclosed on the document itself can be counted toward fulfilling this requirement.

• Covert security features do not count toward fulfilling this requirement.

http://www.cpsa‐checks.org/i4a/pages/index.cfm?pageid=3281

Signs of Possible “Bad” Checks

• The check lacks perforations.• The check number is either missing or does not change.• The check number is low (like 101 up to 400) on personal checks or (like 1001 up to 1500) on business checks. (90% of bad checks are written on accounts less than one year old.)

• The type of font used to print the customer's name looks visibly different from the font used to print the address.

• Additions to the check (i.e. phone numbers) have been written by hand.• The customer's address is missing.• The address of the bank is missing.• There are stains or discolorations on the check possibly caused by erasures or alterations.


2/8/2016

15

Signs of Possible “Bad” Checks

• The numbers printed along the bottoms of the check (called Magnetic Ink Character Recognition, or MICR, coding) is shiny. Real magnetic ink is dull and non glossy in appearance.

• The MICR encoding at the bottom of the check does not match the check number.

• The MICR numbers are missing.

• The MICR coding does not match the bank district and the routing symbol in the upper right‐hand corner of the check (if shown).

• The name of the payee appears to have been printed by a typewriter. Most payroll, expenses, and dividend checks are printed via computer.

• The word VOID appears across the check.

• Notations appear in the memo section listing "load," "payroll," or "dividends." Most legitimate companies have separate accounts for these functions, eliminating a need for such notations.

• The check lacks an authorized signature.


Bank LockBox

• Payments are sent to a post office box instead of the entity itself, where bank employees pick up the payments for immediate processing.

• Processing time is much faster, ensuring that payments are deposited promptly.

• Fees vary, depending on the bank, size of the entity and number of payments. Typically, a flat fee is assessed per month in addition to a per item processing fee.

• Can be very secure but discuss with the depository on the “catch rate” of bogus items.

• Bank employees clear the lockbox several times a day, ensuring that payments are processed quickly, and typically processed in the same day.

2/8/2016

16

Wire and ACH Transactions

• Require 2 different computers to move money.• 1‐10 to initiate the transaction, 1 dedicated “banking only” computer to approve the transactions.

• 1 Initiator, 1 Approver, 1 Verifier

• Set up predefined wires instructions and prenote ACH transactions.• Dual Authentication – Something you have, something you know.

• Token ‐ (hardware or software) that an authorized user of computer system or device is given to ease and confirm authentication.

• Transaction Alerts/Notification• Text, Email, Confirmation Call

• Setup debit blocks and filters through the depository.

Positive Pay

• When an entity issues payroll or other types of checks, the entity provides its depository a list of check numbers and the amounts of each of these checks.

• As check recipients begin to deposit or cash their checks and the checks are presented back to the depository for payment, the depository confirms the check numbers and dollar amounts versus the list to ensure the presented items match the list.

• If the checks are not the depository listing, the checks do not get processed.

• The bank provides an exceptions report and notifies of potential fraud.

2/8/2016

17

Payee Positive Pay

• The bank reviews various aspects of a check presented for payment which included the “Payee’s Name” and compare them against a supplied list of checks issued.

• The bank pays out each check only if all the marks can be verified.

• It adds another layer of review in the form of the payee name, which appears on the check but is not standard to the system.

• This helps ensure that altered checks or checks issued fraudulently are not paid out.

Reverse Positive Pay

• The entity maintains the list of issued checks and the bank sends a list of checks that have been submitted for payment.

• The entity compares the information from the checks at the bank to the list maintained in the company.

• If a check is good, the entity OKs the bank to pay. If corrections must be made, the entity handles the changes.

• If a bad check is presented to the bank, it is not paid and the entity is not defrauded.

2/8/2016

18

Control Disbursement

• Provides timely and accurate information each morning, letting the entity know how much money is needed in the entity’s account each day to cover checks that will clear that night.

• It is a convenient way to avoid overdrafts or leaving too much money in the account.

• It is used to maximize an entity’s available cash for investment or debt payments, allowing excess funds to be invested as long as possible.

Holder in Due Course

• A holder in due course is one possessing a check or promissory note, given in return for something of value, who has no knowledge of any defects or contradictory claims to its payment. Such a holder is entitled to payment by the maker of the check or note. USLegal.com

• Every company that issues stop payments on checks or uses generic check stock that is available entirely blank is vulnerable to a holder in due course lawsuit. Litigation expense and holder in due course judgments can cripple a company financially and should be feared and avoided, especially in light of some Appellate Court rulings.

• Texas Business & Commerce Code ‐ Section 3.302. Holder In Due Course

Fraudtips.net

2/8/2016

19

Holder in Due Course

• Three issues to assist:• Get check stock that is customized for your entity

• Name of Entity

• Graphic of Municipal Building

• Historical Picture or significance to the entity

• List how to detect fraud on the check stock• Fraud detection instructions printed on the check

• Have “stale” dates printed on the check at the time of issue• 6 months under UCC

• Highly secured check stock and implementation Positive Pay assist entities in the deterrence of check fraud.

• http://www.abagnale.com/

Check 21

• Allows the recipient of a paper check to create a digital version, thereby eliminating the need for further handling of the physical document

• Regulates electronic communications between banks. Instead of having to send a physical check to clear, Bank B can simply send an electronic image. Bank A confirms that the check is valid and instantly transfers the funds.

• Typically, a bank can clear a check in as little as 24 hours, rather than taking several days to do it. Bank B would keep the actual check, rather than sending it to Bank A. If an entity or individual wants a copy of the canceled check, they can request a substitute check from their bank.

• The substitute check (paper copy of the front and back of the check) is an authorized electronic copy of the original check.

2/8/2016

20

Remote Deposit or eDeposit

• The ability to deposit a check into a bank account from a remote location, without having to physically deliver the check to the bank

• Accomplished by scanning a digital image of a check into a computer, then transmitting that image to the bank

• Benefits:• Float reduction time• Bank visits reduction• Electronic copies

• Risks:• Fake checks or altered checks• Duplication (Deposit and then take to another bank in person)

• Banks have the liability under Federal Regulations

PCI – Payment Card Industry Compliance

• Security of the payment chain.

• Requirements designed to ensure that ALL entities that process, store or transmit credit card information maintain a secure environment.

• If any customer pays directly using a credit card or debit card, then the PCI DSS (Data Security Standard) requirements apply.

• Merchant IDs are based on physical location, as well as all the different payment types.

2/8/2016

21

PCI 12 Step Program for Compliance

1. Install and maintain a firewall configuration to protect data.

2. Do not use vendor‐supplied defaults for system passwords and other security parameters.

3. Protect stored data.

4. Encrypt the transmission of cardholder data and sensitive information across public networks.

5. Use and regularly update antivirus software.

6. Develop and maintain secure systems and applications.

PCI 12 Step Program for Compliance

7. Restrict access to data by need‐to‐know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

12.Maintain a policy that addresses information security.

2/8/2016

22

EMV Chip Cards

• EMV stands for Europay, MasterCard and Visa, a global standard for inter‐operation of integrated circuit cards (IC cards or "chip cards") and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions.

• EMV standards dictate the physical nature and capabilities of the chip, the format of the hosted data applications and the way they interact with point‐of‐sale (POS) devices.

• In October, 2015, the liability will shift to acquirers for domestic and cross‐border counterfeit fraud card‐present POS transactions if the merchant does not have an EMV‐enabled POS device.

• In October, 2017, the liability shift takes effect for transactions generated from automated fuel dispensers ‐ this allows more transition time to account for higher equipment/pump costs.

http://www.banktech.com/payments/emv‐implementation‐who‐is‐ready/a/d‐id/1296291

technology controls 2015 - university of north texascpm.hps.unt.edu/sites/default/files/technology...

Documents