Security Policy ATM
The purpose of this document is to define a security policy for Bank H. This comprehensive policy is intended to cover all aspects of information security relating to Bank H ATM machines, including: installation, maintenance, and operation of ATM machines and networks, employee responsibilities, ramifications for customers, and the security of ATM transactions.
This document is divided into three sections, each covering a key facet of information security:
- Organizational Policy
- Issue-Specific Policy
- System Specific Policy
Organizational Policy
Information security is a prime concern at Bank H. Much of our information is critical in nature and must be protected not only for our own sake, but for our customers and to comply with government regulations. This makes it the responsibility of every employee of Bank H to comply with the policies established in this document.
Program Responsibility
The Chief Information Security Officer has the prime responsibility for establishing and enforcing the procedures necessary for the protection of information. This person reports directly to the Chief Executive Officer and Board of Directors.
A Security Oversight Committee will also be formed consisting of the Chief Information Officer, Chief Financial Officer, Chief Information Security Officer and other representatives as seen fit. This committee will meet at least quarterly to review security procedures and recommend appropriate updates. The Chief Information Security Officer will be responsible for the establishment, implementation, and enforcement of information security policies on a day-to-day basis.
Enforcement
All employees of Bank H are required to adhere to the policies contained in this document. Any infringement of this policy will result in disciplinary action up to and including termination and legal action.
Each employee will be required to review and sign a document indicating that he or she has reviewed and understood these policies upon hire and as part of the annual employee review process.
Any employee who suspects a breach of these policies is required to immediately report the breach to his or her direct supervisor. If that is not possible, then the employee may contact the office of the Chief Information Security Officer directly. Failure to report breaches may result in disciplinary action as specified under these policies.
Government Regulations
The mandate for a comprehensive information security policy comes from many sources. Of foremost importance is Bank H’s concern for its employees, customers, and information assets. Additionally, due diligence is required by many overseeing government agencies. Title 12, chapter II of the Code of Federal Regulations from the Federal Reserve Board defines security policies that must be followed by banks to ensure compliance with the Bank Secrecy Act and the Bank Security Act (“Regulation H: Membership of State Banking Institutions in the Federal Reserve System”).
Part 326 of the Federal Deposit Insurance Corporation also details minimum security requirements for banks including:
- Designation of a security officer
- Implementation of a security program
- Annual reporting requirements
(“Part 326—Minimum Security Devices and Procedures and Bank Secrecy Act”)
Therefore, a main goal of this document is to establish and define a security program that meets the requirements of these and other regulatory agencies.
Issue-Specific Policy
The key issues that arise when considering our overall information security plan involve protecting our customers, employees, and assets. Three additional issues that must be considered are risk management, disaster recovery, and training, which all work together to support our overall goals for establishing these policies.
Protecting Our Customers
Whereas ATM machines provide a valuable service to our customers, it is incumbent upon Bank H to take all reasonable steps to ensure the security and safety of their assets, personal information, and physical security while they are conducting transactions at a Bank H ATM machine.
Regulations in the USA Patriot Act place specific requirements on banks regarding the information that customers must provide in order to open an account (“Office of Thrift Supervision Staff Summary of USA Patriot Act.”).
Furthermore, the Sarbanes-Oxley Act of 2002 places certain legal requirements on Bank H regarding the protection of sensitive customer information (“Public Law 107-204 107th Congress”).
Procedures below will detail necessary practices for protecting our customers including:
- ATM location and physical environment
- Authentication and verification of identity
- Protection of private customer information
Protecting Our Employees
In a real sense, establishing good security policies will protect our employees and help to insulate them from the daily risks of dealing with high volumes of money and sensitive information.
By clearly outlining security policies and procedures, all employees will have clear guidelines to follow to protect themselves and the assets they come into contact with. Clearly defined control procedures protect both our assets and our employees from accidental or intentional loss.
A clearly defined security policy also establishes a legal standard of informed consent, a judicial requirement that has been established by legal precedent. This document will establish procedures specific to our employees and their interactions with ATMs including:
- Contact with sensitive information
- Contact with money and other cash instruments
- Access to ATM equipment
Protecting Our Assets
Information, like money, is a valuable asset that must be protected from theft, destruction, and unauthorized access. ATMs represent a unique exposure to risk since they are often installed in locations that are outside the physical perimeter of the bank’s facilities. Extra precautions must be taken to protect external ATMs and ATMs located at other facilities, since they will often be unattended. This policy will establish procedures to protect ATMs including:
- ATM Locations
- Environmental guidelines
- Minimum hardware security issues
- Data transmission, storage and encryption
Risk Management
Risk management is one of the first lines of defense in the effort to protect our customers, employees, and assets. Although the details of risk management fall outside the scope of this document, basic risk protection guidelines will be established by the Security Oversight Committee, and a senior representative from risk management will sit on that committee. In general, it is important that all reasonable steps be taken to insure company and customer assets, including:
- FDIC insurance covering customer deposits
- Applicable insurance to protect ATM equipment
- Applicable liability coverage
Disaster Recovery
The ability to recover from natural and man-made disasters is an essential component of any security program. It is not the intent of this policy to create a comprehensive disaster recovery plan for the company. However, issues related to disaster recovery will be covered as applicable to ATMs, including:
- Recovery of information and assets from equipment involved in an accident or disaster that renders the equipment inaccessible or damages or destroys the equipment
- Planning to mitigate the loss caused by such events
- Restoration of service, where applicable
Training and Awareness
All employees are required to attend security awareness training sessions, coordinated and conducted by the Chief Information Security Officer, a minimum of once a year. These sessions will be designed to educate employees about their responsibilities. Topics will include:
- Education on new and existing policies and procedures
- Practical training on tools and technology
- Awareness training on risks and mitigation
System Specific Policy
Special consideration must be used in protecting the systems that support our ATMs and data networks. As technology changes, so will the challenges and tools available for the security of these systems. Therefore, these policies should be reviewed on a quarterly basis and updated as necessary.
ATM Machines
ATMs form the core systems covered by these policies. Since many ATMs are outside the physical protection of our facilities, special care must be taken to protect them. Policies must be implemented to deal with these unique systems including:
- Money control procedures
- Technology to monitor ATMs against tampering and abuse
- Best-practices for installation and maintenance of ATMs
Networks
Data networks are necessary components of an ATM system and in some cases the most vulnerable. Therefore, all due care must be taken to ensure the integrity, reliability, and security of our networks. Policies must be established regarding:
- Network installation and maintenance
- Network monitoring
- Network protocols and standards
- The use of encryption
Section 2 – Security Systems
As the field of information security has matured, several recognized standards have evolved. Following these standards helps to ensure the development of comprehensive and effective security policies. A key concept in information protection is the concept of security systems. Security systems are domains of protection that establish best practices. Our policies will be developed to cover each of these domains as appropriate.
Confidentiality
Confidentiality protects information from disclosure or exposure to unauthorized agents. Confidential information must be clearly identified, and reasonable steps must be taken to maintain its confidentiality. The following policies relate to confidentiality in the context of Bank H ATM security:
- Information will be classified so that confidential information can be identified and protected.
- Measures will be taken to protect confidential information in both physical and electronic form.
- The confidentiality of customer information is of prime importance.
- The confidentiality of personal employee information will also be protected.
Integrity
Integrity ensures that information is kept in its original state and does not become corrupted at any point in the system. Systems must be implemented to protect assets from both intentional and unintentional corruption. The following policies relate to integrity in the context of Bank H ATM security:
- Error-checking data protocols will be used to ensure the integrity of information in electronic form.
- Proper control procedures will be used in the handling and transport of information in physical media.
- Backup and archival policies will be constructed so that information may be re-created in the event of loss.
- All hardware and software will be maintained to ensure the highest level of integrity when working with our data.
Availability
In order to be useful, assets must be available to those authorized to access them. Some security risks are designed to block access to information and other assets. Policies that support availability include:
- Systems connected to external networks will have software and hardware to protect them against denial of service attacks.
- Disaster recovery plans will be developed and tested to ensure the quick recovery of operations in the event of a disaster.
- ATMs will be located in areas that are accessible and convenient while appropriate measures are taken to secure them.
Access control
One of the first lines of defense is to limit access to an asset to authorized personnel only. This starts with locking the door and may include other devices and techniques to control access. Examples of access control include:
- Locked areas will be used as appropriate and policies will be developed to manage keys and access codes.
- Automated access cards or key-code locks will be used as appropriate to limit access to authorized personnel.
- Usernames, passwords, and other methods will be used to limit computer system access.
- Keys, codes, and other information relating to access to ATMs will be closely managed.
Non-repudiation
Accountability is the final key to a good security system. A clear and authentic trail of ownership and access to information and other assets must be established and maintained at all times. Examples of policies designed to enforce non-repudiation are:
- Fingerprints will be used to irrefutably identify parties, as appropriate, when dealing with information in physical media.
- Digital certificates and digital signatures will be used to add irrefutable identification to electronic information as appropriate.
Section 3 – Standards
The following standards have been established as the minimum set of requirements that must be met in order to ensure our security and the protection of our assets. Compliance with these standards is mandatory at all levels. Any exceptions must be cleared in writing by the Chief Information Security Officer with the agreement of the Security Oversight Committee.
- Employees
  - Before hire, all employees will sign a release document authorizing the company to perform, or contract with a third party to perform, a background investigation.
  - Employees will be required to present a verified set of fingerprints, which will be sent to the appropriate law enforcement agencies for a criminal background check.
  - Potential candidates who do not pass such background checks, or who fail to submit to them, will not be considered for employment.
  - All employees, upon hire, will be required to review and sign the following documents:
    - A non-disclosure agreement stating that they will not disclose company information to third parties.
    - An information confidentiality policy describing the bank’s information classification system and the handling of information at each level.
    - A privacy statement informing the employee that their personal information will be held as company confidential and will not be released to third parties except as required by law.
    - An acceptable use of company resources policy which clearly explains that all company equipment and resources, including information and services, are wholly owned by Bank H.
  - Employees may not use any company equipment or resources for personal use.
  - Upon hire, each employee will be issued a photo ID card. This card must be displayed at all times while on company premises.
  - When an employee leaves the company for any reason, the following procedures are to be followed:
    - Whether the termination was voluntary or involuntary, the employee will not be allowed to stay on the premises. The standard “2 week” notice will be forgone and the employee will be expected to depart the premises on the same day. Any compensation due will be determined by human resources policy.
    - Before leaving the premises, the employee will take part in an exit interview. During this time the employee will reveal or return any access instruments that are outstanding in their file.
    - Access to all computer systems, or any other system, that was granted to the employee will be immediately removed.
- Customers
  - A valid government ID and social security card must be presented by all bank customers before an account of any kind can be opened. Copies of these documents will be made and kept on file in a secure manner.
  - Potential customers must be cleared using industry-appropriate services to ensure that they are free and clear from obligations to other financial institutions before they will be allowed to establish an account.
  - Each customer will be issued a secret Personal Identification Number (PIN) at the time they open an account. The PIN must be created using a system that either randomly generates a PIN known only to the customer or allows the customer to enter the PIN without revealing it to bank employees.
  - PINs will be immediately encrypted. At no time will a PIN be stored or transmitted in an unencrypted form.
  - ATM cards will clearly show the full name of the customer, their card number, and a clear expiration date.
  - ATM cards and any corresponding PIN shall not be mailed or otherwise transmitted within the same document or package.
  - Upon closing their account, customers will return any ATM cards in their possession. All such ATM cards will be immediately disabled.
  - Customers will be required to read and sign a document that explains their obligations for ensuring the security of their ATM cards and transactions. At a minimum, customers must agree to:
    - Take reasonable steps to ensure that the ATM card issued to them is kept secure
    - Notify the bank as soon as they believe that an ATM card has been lost or stolen
    - Not let anyone else use their ATM card
    - Not reveal their PIN to anyone else
    - Notify the bank if their PIN has become compromised
  - Non-customers wishing to conduct business with the bank will be required to show a valid government-issued ID and must leave a fingerprint on file, preferably on the document being transacted.
  - Employee and customer areas will be clearly marked. Customers will not be allowed in employee areas.
- Physical Security
  - All company facilities shall be secured, at a minimum, by doors with manual locks. Doors shall remain locked during non-business hours and at any time the facility is not occupied.
  - A log must be kept of keys, the number of copies that have been made, and who the keys have been distributed to. Records must also be kept of keys that are reported as lost and who was reported to be in possession of the key at the time it was lost.
  - A log must be kept of electronic codes and door access cards, including who such instruments have been distributed to. Records must also be kept of access cards that are reported as lost and who was reported to be in possession of the card at the time it was lost.
  - Employees must notify security as soon as they believe that a key, access card, or lock access code has been compromised.
  - All bank facilities that hold money and similar instruments must be secured by an alarm system. Employees should have the ability to trigger such alarms without detection.
  - All ATMs must be secured with alarm systems that are triggered by unauthorized tampering.
  - All alarm systems must be tied directly to local authorities or a registered alarm service that monitors the alarm status at all times.
- Monetary Access
  - Appropriate control procedures and accounting procedures must be adhered to when dealing with money.
  - Any area in which money is handled, held, or transported must be under constant video surveillance.
  - Any monetary transaction exceeding $1000 must be verified and witnessed by a second employee.
  - Any monetary transaction exceeding $10000 must be continuously observed by an employee who is at a higher level than the employee completing the transaction.
  - The transport of money outside the bank facility must be handled by an authorized armored transport service and escorted by qualified armed personnel.
- Information Classification
  - All information, whether in physical or electronic form, shall be assigned an appropriate level of classification based on its sensitivity and criticality. Data shall be assigned a minimum of three levels of classification:
    - Public – this information is neither sensitive nor critical to the company, nor is there any legal requirement to protect it.
    - Confidential – this is information that is sensitive in nature and should not be revealed to the general public. This classification is further subdivided into two categories:
      - Company Confidential – this is sensitive information related to the bank.
      - Customer Confidential – this is private information that belongs to a customer and must be protected by law.
    - Critical – information that is not necessarily (but may be) confidential, but is nevertheless critical to the successful functioning of the bank.
- ATM Equipment
  - ATMs that require external access must still be secured in such a way that any access panels are not visible and cannot be easily accessed.
  - All ATM machines must be under constant video surveillance, as detailed in section 2.3 above.
  - The daily stocking and removal of cash to and from an ATM shall be done in adherence to the policies regarding the handling of cash detailed above.
  - Each ATM shall use a PIN encryption device that encrypts and stores the information in a secure manner.
  - Hardware must be implemented to monitor, analyze, and authenticate any external source attempting to connect to the ATM. Unauthorized attempts must be logged and reported immediately to the monitoring agency.
  - ATMs shall be connected to a monitoring system that automatically tracks the status of the ATM. The ATM should be configured with software that can log and securely transmit usage information for external profiling to detect potential attacks.
  - At no time will the customer’s PIN, account number, or other confidential information be displayed on the screen or printed on any receipt.
- Networks
  - All networks shall be protected by a hardware-based firewall and other hardware and software deemed appropriate.
  - The bank’s internal network shall not be exposed to public networks such as the Internet.
  - All data transmitted via a network must be encrypted to prevent exposure to unauthorized tapping.
  - Data protocols must be in place to validate that data is both transmitted and received in its original form. Data that does not pass validation should be rejected and logged.
  - Network security software must be installed that constantly monitors the network for patterns and signs of attempted or actual unauthorized access. Activity that represents a threat must trigger an alarm to the appropriate agencies and personnel.
Section 4 – Practices, Procedures and Guidelines
This section defines the practices and procedures for the day-to-day operations of the company. These represent a set of guidelines which allow managers to perform their duties with due diligence, while also offering flexibility and adaptability for various environments and situations. Any questions about interpretation should be addressed to the office of the Chief Information Security Officer.
- Employees
  - Employees may, as appropriate, be issued certain instruments or information that allow them to access restricted areas or information. Upon receipt of any such instrument, the employee will sign a document verifying their receipt and agreeing to release the instrument back to the company when their job no longer requires it or upon termination. Instruments of this nature include, but are not limited to:
    - ID cards
    - Access cards
    - Access codes, including usernames, passwords, PINs, and codes to electronic locks
    - Keys
- Customers
  - Customers should read and sign a privacy notice informing them that their personal and financial information will be protected and not revealed to any third party except where required by law.
  - Customers should be given a pamphlet that explains how to safely and securely use their ATM card online and at ATM machines.
- Physical Security
  - The same procedures detailed in section 3.3 should be implemented for padlocks or other portable locking devices and the keys to them.
  - Doors that require access by more than 5 people should be considered for electronic access.
  - Security officers should be present at all facilities that hold money and similar instruments during business hours. After hours, arrangements for surveillance and patrol should be implemented as appropriate.
  - Prominent security cameras should be located both inside and outside all facilities that hold money or related instruments. These cameras should be linked to a system that records their images at all times.
- Computer Access
  - In general, computers used for bank business should not be connected to the Internet.
  - Computers that require connection to the Internet should not also be connected to the Bank’s internal network.
  - Software that monitors and controls Internet activity should be used on computers connected to the Internet.
  - The following guidelines should be used for password security:
    - Passwords should be changed at a minimum of every 30 days.
    - Passwords should not be reused.
    - Passwords should contain a minimum of one number and one character and must be at least eight characters in length.
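The password guidelines above can be turned into a single policy check that a bank system applies at password change. The following is an added example, not part of Bank H’s policy document. It assumes that “one character” means at least one alphabetic character, that reuse is checked against a per-user history holding only salted PBKDF2 hashes (never the passwords themselves), and that the `changed_days_ago` parameter exists only so an old password can be simulated in a test.

```python
"""Checker for the Section 4 password guidelines: changed at least every
30 days, never reused, at least one number and one alphabetic character,
and at least eight characters long.

Added example, not part of Bank H's policy document. Assumptions: "one
character" is read as one alphabetic character; history stores salted
PBKDF2 hashes only; changed_days_ago is a hook for simulating age.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MIN_LENGTH = 8      # "at least eight characters in length"
MAX_AGE_DAYS = 30   # "changed at a minimum of every 30 days"


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked history reveals nothing usable.
    # The iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Per-user record of earlier passwords (hashes only) and the last change time."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []   # (salt, digest)
        self.last_changed: Optional[datetime] = None

    def was_used(self, password: str) -> bool:
        # Each entry has its own salt; compare in constant time.
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str, changed_days_ago: int = 0) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))
        self.last_changed = datetime.now(timezone.utc) - timedelta(days=changed_days_ago)


def check_complexity(password: str) -> List[str]:
    """Return the list of guideline violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    return problems


def validate_new_password(password: str, history: PasswordHistory) -> List[str]:
    """Complexity rules plus the no-reuse rule, as one policy decision."""
    problems = check_complexity(password)
    if history.was_used(password):
        problems.append("password was used before")
    return problems


def is_expired(history: PasswordHistory) -> bool:
    """True when the current password is older than MAX_AGE_DAYS or was never set."""
    if history.last_changed is None:
        return True
    age = datetime.now(timezone.utc) - history.last_changed
    return age > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    h = PasswordHistory()
    h.record("Teller2008x", changed_days_ago=31)      # constructed sample password
    print("expired:", is_expired(h))
    print("reuse:", validate_new_password("Teller2008x", h))
    print("new:", validate_new_password("Branch17vault", h))
```

The history keeps every earlier hash with its own salt, so a reuse check costs one PBKDF2 computation per stored entry; for a policy that forbids reuse outright, that cost grows with tenure and should be weighed when choosing the iteration count.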
- Information Classification
  - Additional levels of information classification may be assigned as appropriate.
  - All information that is considered confidential should be clearly labeled as such.
  - Electronic confidential information should be stored in an encrypted form at all times.
  - Physical media that is confidential should be secured in a locked location at all times.
  - Information that is critical should be backed up and archived on a regular basis.
- ATM Equipment
  - ATMs should be located inside an existing bank facility when possible.
  - ATMs should be installed in a well-lit area with open access.
  - Keys and other devices that allow access to ATMs must be kept under tight security and are subject to regulations specified under section
  - ATMs should be installed by authorized vendors who have been screened and are bonded. Records of all persons involved in the installation will be kept and archived.
  - All vendors should supply documentation showing that the persons performing the installation have successfully passed a background check, including a criminal background investigation.
  - A schedule of preventive maintenance should be created to ensure the correct functioning of all ATMs. Maintenance shall be performed only by qualified individuals.
  - Records of maintenance should be kept, including the date of the maintenance, what was done, and who performed the maintenance. These records shall be considered company confidential.
  - Systems should be in place to prevent tampering with ATMs or with their information.
  - ATMs should incorporate an audible alarm that is triggered by any sign of trouble.
  - The ATM’s internal software should be capable of sending alarms to the appropriate agency when the ATM is in need of service.
  - ATMs should be secured to an immovable foundation.
  - The internal safe that contains the money should be manufactured, tested and rated for strength and resistance to attacks.
  - Internal components should be protected in such a way that a single individual cannot gain access. This ensures that at least two people, with separate access codes and/or keys, are present in order to gain access to the ATM.
  - Mirrors should be installed to allow customers to see their surroundings while they are transacting at an ATM, but not allow others to see what they are doing.
  - The keypad and screen of the ATM should be located in such a way that the customer’s body naturally blocks the keypad when it is being used.
  - ATM usage should be monitored and analyzed to ensure that each ATM is appropriately stocked with cash to meet customer demand.
- Networks
  - The bank’s internal network should not be exposed to public networks such as the Internet.
  - Data protocols should be in place to validate that data is both transmitted and received in its original form. Data that does not pass validation should be rejected and logged.
  - Network security software should be installed that constantly monitors the network for patterns and signs of attempted or actual unauthorized access. Activity that represents a threat must trigger an alarm to the appropriate agencies and personnel.
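The requirement, stated in both the Section 3 standards and the Section 4 guidelines, that data be validated as received in its original form and that failing data be rejected and logged can be met with a keyed message authentication code on every frame. The following is an added example, not part of Bank H’s policy document or any ATM vendor’s protocol. It assumes a symmetric key shared between the ATM and the host (a constructed demo value here; in practice it would be provisioned out of band), JSON message bodies, and a frame layout of body, a `|` separator, and a hex HMAC-SHA256 tag. The tag provides integrity and origin authentication only; the separate requirement that traffic be encrypted is not shown.

```python
"""Integrity validation of ATM-to-host frames: the sender appends an HMAC tag,
the receiver recomputes it and rejects and logs any frame that fails.

Added example, not part of Bank H's policy document. Assumptions: shared
symmetric key (constructed demo value), JSON bodies, frame = body|hextag.
"""
import hashlib
import hmac
import json
import logging

log = logging.getLogger("atm.integrity")
DEMO_KEY = b"constructed-demo-key-replace-with-provisioned-key"

# Rejected frames are kept in memory so the outcome is inspectable; a real
# deployment would forward them to the monitoring system named in the standards.
REJECTIONS = []


def seal(payload: dict, key: bytes = DEMO_KEY) -> bytes:
    """Sender side: canonical JSON body followed by its HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return body + b"|" + tag


def verify(frame: bytes, key: bytes = DEMO_KEY):
    """Receiver side: return (payload, None) if valid, else (None, reason).
    Every rejected frame is logged with the reason and a prefix of the frame."""
    try:
        # The tag is hex, so the last '|' is always the separator.
        body, tag = frame.rsplit(b"|", 1)
    except ValueError:
        return _reject(frame, "malformed frame: no tag")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return _reject(frame, "integrity check failed")
    try:
        return json.loads(body.decode("utf-8")), None
    except (UnicodeDecodeError, ValueError):
        return _reject(frame, "malformed frame: body not JSON")


def _reject(frame: bytes, reason: str):
    REJECTIONS.append((reason, frame[:64]))
    log.warning("rejected frame (%s): %r", reason, frame[:64])
    return None, reason


if __name__ == "__main__":
    # Constructed sample: a withdrawal request as the ATM would send it.
    msg = {"atm_id": "ATM-0001", "txn": 42, "amount": 200}
    frame = seal(msg)
    print(verify(frame))
    # The same frame with the amount altered in transit: the tag no longer matches.
    tampered = frame.replace(b'"amount":200', b'"amount":2000')
    print(verify(tampered))
```

Canonical JSON (sorted keys, no whitespace) matters here: the receiver must recompute the tag over exactly the bytes the sender tagged, and a frame that cannot be parsed is rejected and logged just like one with a bad tag, so nothing reaches the transaction logic unvalidated.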
Bibliography
The following resources were used as reference material for the preparation of this document.
“Office of Thrift Supervision Staff Summary of USA Patriot Act.” Department of the Treasury. 20 March 2002. 25 July 2008. <http://www.ots.treas.gov/docs/4/48896.pdf>
“Part 326—Minimum Security Devices and Procedures and Bank Secrecy Act.” Federal Deposit Insurance Corporation. 31 October 2007. 5 July 2008. <http://www.fdic.gov/regulations/laws/rules/2000-4900.html>
“Public Law 107-204 107th Congress.” Securities and Exchange Commission. 30 July 2002. 6 July 2008. <http://www.sec.gov/about/laws/soa2002.pdf>
“Regulation H: Membership of State Banking Institutions in the Federal Reserve System.” The Federal Reserve Board. 15 December 2005. 5 July 2008. <http://www.federalreserve.gov/Regulations/cg/reghcg.htm>
Lyons, Michael. “Information Security Fundamentals.” Lecture notes. Summer 2008. George Mason University. 9 July 2008.
Shirey, R. “Internet Security Glossary, RFC 2828.” RFC-Editor.org. May 2000. RFC (Request For Comments). 11 July 2008. <http://www.rfc-editor.org/cgi-bin/rfcsearch.pl>
Slade, Robert, and NetLibrary, Inc. Dictionary of Information Security [electronic resource]. Massachusetts: Syngress, c2006.
The National Security Agency (NSA). Information Assurance Directorate (IAD). Information Assurance Technical Framework (IATF). Appendix H. <http://www.rfc-editor.org/cgi-bin/rfcsearch.pl>
Whitman, Michael E. & Mattord, Herbert J. Management of Information Security. Thomson Course Technology, c2004.
Whitman, Michael E. & Mattord, Herbert J. Principles of Information Security, 3rd edition. Thomson Course Technology.