Category Archives: Newsletter

Data Security, Management and Governance in Financial Institutions


Financial systems, all over the world, play fundamental roles in the development and growth of the economy. The effectiveness and efficiency with which they perform these roles, particularly the intermediation between the surplus and deficit units of the economy, depend largely on the level of development of the financial system. This article describes the protection of customer data within the financial services industry and includes examples of good practice within financial institutions. Embracing the standard practices already found in the better-run firms could significantly improve controls across the industry to prevent data loss or theft.

Despite the positive impact of technology on society, it has also been put to unintended use in criminal activities such as cybercrime. It has become easier to steal a penny from millions of bank account holders over the internet than to carry out a conventional bank robbery. Since banking rests on the trust of its customers, security will remain a special concern for the banking industry. The risks posed by hackers, denial-of-service attacks, technological failures, breaches of the privacy of customer information and the opportunities for fraud created by the anonymity of the parties to electronic transactions therefore have to be properly managed.

The blunt truth is that all organisations need to take the protection of their data and information with the utmost seriousness. Organisations holding individuals’ data must in particular take steps to ensure that it is adequately protected from loss or theft. Several high-profile incidents of data loss in the public and private sectors have highlighted that some organisations could do much better, and the coverage of these incidents has raised public awareness of how lost or stolen data can be used for crimes such as identity fraud. Getting data protection wrong brings commercial, reputational, regulatory and legal penalties; getting it right brings rewards in terms of customer trust and confidence. The financial services industry needs to pay close attention to what its regulator is saying on this subject, and the guidance is equally relevant to organisations outside financial services which hold data about private individuals. All organisations handling individuals’ data, in both the public and private sectors, could benefit from the good practice advice it contains.

It has been noted that the most significant shortcoming in the banking industry today is a widespread failure on the part of senior management to grasp the importance of technology and to incorporate it into their strategic plans. Contemporary technology in banking comes in the form of computer-based applications and information technology. From the customer’s perspective, two of the practical purposes of banking are convenience and access to both funds and account information. However, the wide use of information technology in banking has also brought emerging threats and attacks, chiefly computer crime and fraud, so customers and stakeholders in these services need to be protected.

Many financial institutions are failing to identify all aspects of the data security risk they face, for three main reasons. First, some do not appreciate the gravity of this risk; second, some do not have the expertise to make a reasonable assessment of the key risk factors and devise ways of mitigating them; and third, many fail to devote or coordinate adequate resources to address it. Large and medium-sized firms generally devote adequate resources to data security risk management, but there is a lack of coordination among the relevant business areas such as information technology, information security, human resources, financial crime and physical security. There is too much focus on IT controls and too little on office procedures, monitoring and due diligence. This scattered approach, further weakened when firms do not allocate ultimate accountability for data security to a single senior manager, results in significant weaknesses in otherwise well-controlled firms.

Firms’ dealings with third-party suppliers are a major concern. Many firms, small and large, use third parties for IT maintenance, for backing up electronic files and for archiving paper documents. Firms generally rely too heavily on the assumption that contractual terms are being met; very few proactively check how third parties vet their employees or what security arrangements are in place to protect customer data.

In addition, some firms do not consider the risk associated with granting third-party suppliers access to their environment. Financial institutions should assess and manage their data security risks, evaluate how these risks are changing, and consider how they bear on the regulator’s four statutory objectives:

  • market confidence: maintaining confidence in the financial system;
  • public awareness: promoting public understanding of the financial system;
  • consumer protection: securing the appropriate degree of protection for consumers; and
  • the reduction of financial crime: reducing the extent to which it is possible for a business to be used for a purpose connected with financial crime.

Financial services organizations are built on data, so data governance is a critical concern. But many firms have their own definition of data governance, which may be completely different from their competitors’. For some financial institutions, data governance means establishing governance bodies and councils, while others consider data governance the process of defining data stewardship and workflow. Some financial services firms have master data management and data quality programs established under the name of data governance, while others combine all of these aspects (governance bodies, data stewardship, metadata and master data management, and data quality) under the data governance umbrella.

Theoretically, data governance encompasses the systematic and formal management of any service or process that is required for effective information management. But realistically, businesses prioritize and sponsor only those initiatives that are mandated by regulations or provide a clear return on investment. The financial services industry has been moving towards enforceable data governance, which turns static policies and standards in Word documents into governance processes that can be enforced and realized in IT and the business with tangible benefits.

Within financial services firms, the most prominent governance goal is the availability of reliable and accurate data for risk aggregation and reporting, including data accountability and traceability. Although IT enables and implements tools for data governance, it is not an IT initiative and should not be driven by IT. For a data governance program to be successful and sustainable, the mandate must come from the business. While a data governance program may result in a tool-based implementation, that is not the core of data governance.

Common Business Drivers

For financial services organizations, the most common reasons for a data governance initiative are:

  • Support risk management and regulatory reporting
  • Address mergers, acquisitions and divestitures
  • Provide improved analytics to gain competitive advantage
  • Enable more informed and real-time decision making
  • Save or avoid costs
  • Assist with cross and up-selling
  • Comply with regulations
  • Reduce customer attrition
  • Enhance customer service quality
  • Improve profitability and operational effectiveness

A long-term, sustainable data governance initiative must be built on a foundation of metrics based measurements. These metrics can be broadly classified in three categories:

  • Efficiency metrics
  • Enablement metrics
  • Enforcement metrics

Whether your financial institution has already implemented a data governance program or is just getting one underway, it is useful to perform an assessment of your firm’s data maturity and governance in order to prioritize and map business drivers to IT initiatives, align governance processes with the software development life cycle, and define and articulate an SLA-based continuous improvement program. It is not possible to monetize every benefit of a data governance program, especially those around enforcement. Your organization’s needs, objectives and action plans for data governance may differ significantly from your competitors’.

There’s no one size fits all model for data governance, and no single tool that can solve all challenges. IT implementations and tools must be carefully selected based on unique goals of your business. Establishing a metrics-based program to assess, monitor and improve the governance program is critical for its success and ongoing support.

Using Seismic technology in oil and gas exploration

Seismic waves, the same tool used to study earthquakes, are frequently used to search for oil and gas deep below the Earth’s surface. These waves of energy move through the Earth just as sound waves move through the air.

In oil and gas exploration, seismic waves are sent deep into the Earth and allowed to bounce back. Geophysicists record the returning waves to learn about oil and gas reservoirs beneath the Earth’s surface.

HOW ARE SEISMIC TECHNOLOGIES USED IN FINDING OIL AND GAS TODAY?

What we use in exploring for the Earth’s energy resources is called reflection seismology. When seismic waves are used to study earthquakes, the earthquakes themselves are the source of energy, that is, the source of the waves. In reflection seismology for oil and gas exploration, we instead deploy a suitable energy source on the surface of the Earth and then distribute an appropriate number of seismic sensors across the surface to record the waves that are reflected back.

A variety of energy sources is used. The most common one on shore is called vibroseis: very large, heavy vehicles weighing 60,000 to 70,000 pounds. They press a base plate against the Earth, and a hydraulic system integrated into the vehicle vibrates that base plate over a predetermined frequency range. The vibroseis truck, which we would call the source station, thus becomes the energy source of the seismic waves.

The wave field generated at the source station radiates away from that point as a three-dimensional wave. It goes down and reflects back. The reflected wave field from each rock interface that is encountered in the propagation of this down-going wave field is then recorded at the Earth’s surface by sensors, which we call geophones. They’re distributed in specific geometries on the surface, above the area of interest. We use those sensor responses to image the interior of the Earth, in places where we’re interested in getting a very detailed understanding of the geology.

When a reflected wave field comes back to the Earth’s surface where a geophone is located, the case of the geophone moves as the Earth moves. Inside that case is a suspended coil of copper wire, and a magnet is attached to the case. When the Earth moves the case and its magnet, the magnet moves relative to the coil and a voltage is produced.

It’s a very simple little device, but geophones have now gotten to be extremely sensitive. To give you an idea of the sensitivity, you have to stop seismic recording if winds get up to, say, 20 miles an hour or higher. The reason is the wind shakes the grass and affects the signal. It just builds up background noise in the geophones that is undesirable.

Some companies are also applying seismic technology to production problems, helping them extract oil and gas from existing reservoirs more efficiently.

So the uses of seismic reflection technology are quite broad. The technology will continue to be dominated by the oil and gas community for the foreseeable future. But who would have thought only 10 years ago that seismic reflection technology would play such an important role in CO2 sequestration? We’ll see what the future brings!

Apple Pay: How Secure Is It?

INTRODUCTION

Apple Pay was launched on 20 October 2014. It is not, however, the first mobile payment system to be introduced to the world; there are plenty of others, most notably Google Wallet and Softcard.

An issue with any new payment system is that when it is new, it is relatively untested. It’s only after the system has been in operation for months or even years that any vulnerabilities are likely to be spotted and fixed. What can we say about the security of Apple Pay so soon after its launch?

 

WEAKNESS OF APPLE PAY

One possible weak point involves using Apple’s Touch ID fingerprint sensor to authenticate that the person making the payment is the owner of the device. Security researchers have shown that Touch ID can be bypassed with a fake finger made from a fingerprint lifted from a glass surface, which is why it is regarded as a possible weak point.

Apple Pay uses a system called tokenization, which replaces the card’s real account number with a device-specific token. Each transaction is then sent with one-time transaction data rather than the card number, so your credit card information is not stored on your mobile device or on Apple’s servers.

However, the exception to this is when you first enrol a card in the system, which is done by taking a photograph of the card or entering the card details manually. Bob Doyle, a security consultant at Massachusetts-based security company Neohapsis, says: “This is a weak point in the process because this is the one time you interact with your card data.”

The fact is that Apple actively works to prevent its iOS operating system from being jailbroken, yet every version of iOS, including the current iOS 8, has been successfully jailbroken by enthusiasts who found and exploited bugs in Apple’s code.

For now, there is no known malware that can steal credit card details from Apple Pay, and no operating system vulnerabilities are publicly known to exist. But that doesn’t mean such malware isn’t already under development, or that hackers aren’t actively searching for vulnerabilities in iOS that can be exploited to allow them to steal the information they are after.

Apple Pay uses Near Field Communication (NFC) to pass one-time transaction information (not card information) to retail point-of-sale (PoS) systems, and in theory this is another weak point in the system. Bob Doyle says: “Adding NFC to a device introduces risk… When there is a new communications system in a device, then there is an opportunity to compromise the device itself.”

He also adds that Apple Pay includes protections against replay attacks in which transaction details transmitted by NFC are intercepted by a hacker to be re-used later. Such protections make it difficult for a hacker to compromise the payment system using a technique such as attaching a hidden NFC receiver to a retailer’s PoS hardware.

David Emm of Kaspersky points out that replay protection may make it difficult, but not necessarily impossible, for hackers to compromise Apple Pay at the point of sale. He says, “People think up ingenious things, and they will certainly look at all the possibilities. Efforts to subvert the system will certainly go on… To overcome the one-time nature of data intercepted using an NFC receiver, hackers might attempt to use it to execute a transaction at the same time.” He adds, “You would effectively have a race condition (with hackers attempting to get their transactions through before the legitimate one). But this would be difficult because the transaction still has to go to the bank payment system, and the attacker wouldn’t have the necessary authentication data.”
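The tokenization, one-time transaction data and replay protection discussed above can be made concrete with a small model. The following is an added example written for this article, not Apple’s code or protocol: a hypothetical issuer-side `TokenService` holds the real card number and hands the phone (`Device`) only a token and a key; every tap produces a cryptogram that is an HMAC over the token, a monotonic counter, the amount, the merchant and a nonce chosen by the terminal, so each message is single-use and bound to one purchase. The class and field names, the HMAC construction, the counter rule and the `99…` token prefix are all assumptions of the model, standing in for the EMV tokenization and cryptogram scheme that real systems use; the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def cryptogram(key: bytes, token: str, counter: int, amount_cents: int,
               merchant: str, terminal_nonce: str) -> str:
    # HMAC over everything the issuer must see unchanged. The counter and the
    # terminal's nonce make each value single-use; amount and merchant are
    # bound so a captured message cannot be redirected or inflated.
    msg = f"{token}|{counter}|{amount_cents}|{merchant}|{terminal_nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class TokenRecord:
    pan: str            # real card number, held only in the issuer's vault
    token_key: bytes    # key provisioned to exactly one device
    last_counter: int = 0


class TokenService:
    """Hypothetical issuer-side token vault and authorisation host."""

    def __init__(self) -> None:
        self._vault = {}   # token -> TokenRecord

    def enroll(self, pan: str) -> tuple:
        # Enrolment is the only step that handles the real PAN. The device
        # receives a token (arbitrary "99" prefix) and a key, never the PAN.
        token = "99" + "".join(str(secrets.randbelow(10)) for _ in range(14))
        key = secrets.token_bytes(32)
        self._vault[token] = TokenRecord(pan=pan, token_key=key)
        return token, key

    def authorize(self, tx: dict) -> str:
        rec = self._vault.get(tx["token"])
        if rec is None:
            return "declined: unknown token"
        expected = cryptogram(rec.token_key, tx["token"], tx["counter"],
                              tx["amount_cents"], tx["merchant"],
                              tx["terminal_nonce"])
        # Constant-time compare so the check itself is not a timing oracle.
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "declined: bad cryptogram"
        # Each counter value is accepted once; an old value is a replay.
        if tx["counter"] <= rec.last_counter:
            return "declined: replay"
        rec.last_counter = tx["counter"]
        # Only here is the token mapped back to a card; the merchant never
        # handled the PAN.
        return f"approved: card ending {rec.pan[-4:]}"


class Device:
    """The phone's payment credential: a token and a key, no card number."""

    def __init__(self, token: str, key: bytes) -> None:
        self.token = token
        self._key = key
        self.counter = 0

    def tap(self, amount_cents: int, merchant: str, terminal_nonce: str) -> dict:
        # What crosses the NFC link: one-time data, no card number.
        self.counter += 1
        return {
            "token": self.token,
            "counter": self.counter,
            "amount_cents": amount_cents,
            "merchant": merchant,
            "terminal_nonce": terminal_nonce,
            "cryptogram": cryptogram(self._key, self.token, self.counter,
                                     amount_cents, merchant, terminal_nonce),
        }


def run_demo() -> dict:
    """Plays out the attacks discussed above and returns each outcome."""
    issuer = TokenService()
    token, key = issuer.enroll("4111111111111111")   # constructed test PAN
    phone = Device(token, key)
    results = {}
    # 1. Legitimate purchase.
    tx = phone.tap(1999, "COFFEE-SHOP", terminal_nonce=secrets.token_hex(4))
    results["legit"] = issuer.authorize(tx)
    # 2. A hidden NFC receiver at the PoS captured tx and replays it later.
    results["replay"] = issuer.authorize(dict(tx))
    # 3. The attacker edits the captured message to pay a different merchant
    #    (bumping the counter so it is not rejected as a plain replay).
    redirected = dict(tx, merchant="ATTACKER-SHOP", counter=tx["counter"] + 1)
    results["redirect"] = issuer.authorize(redirected)
    # 4. The race: the attacker relays a freshly captured message before the
    #    PoS submits it. Whichever copy arrives first wins, but it still pays
    #    the original merchant the original amount; the other is a replay.
    tx2 = phone.tap(500, "COFFEE-SHOP", terminal_nonce=secrets.token_hex(4))
    results["race_first"] = issuer.authorize(dict(tx2))   # attacker's copy
    results["race_second"] = issuer.authorize(tx2)        # merchant's copy
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:12s} {outcome}")
```

Running it shows the four outcomes in order: the legitimate tap is approved, its replay is declined, the redirected copy fails the cryptogram check, and in the race only the first submission of the same merchant and amount succeeds. That is the practical meaning of Emm’s remark: intercepting NFC traffic yields nothing an attacker can spend elsewhere, because forging a fresh cryptogram needs the per-device key and spending the token needs the issuer’s vault, which is why Doyle expects attention to shift to the back-end systems.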

Neohapsis’ Bob Doyle suspects that any attempt to steal card data when it is entered into devices using malware, exploiting vulnerabilities in Apple’s operating system or attempting to compromise the payment system during NFC transmissions likely won’t turn out to be the primary focus for attackers. He is of the opinion that “…what we will see is attackers shifting from merchant and consumer devices to attacks against payment gateways and payment networks themselves, like we saw in the recent attack on JP Morgan Chase… The attack point will shift to banks’ back-end systems”

 

APPLE PAY VS. OTHER MOBILE PAYMENT SYSTEMS

How does Apple Pay compare to other mobile payment systems? Softcard, like Apple Pay, keeps the payment credential in a hardware secure element; Google Wallet moved from the secure element to host card emulation in late 2013, with the card credentials held on Google’s servers. In both Google Wallet and Softcard, transactions are protected by a PIN.

A major difference between Apple Pay and Google Wallet comes down to who you are forced to trust, according to Doyle, he says, “With Apple Pay, you trust Apple with the technology and your bank with your credit card information. With Google Wallet you trust your credit card and the technology to Google, so this does introduce a single point of failure that Apple Pay doesn’t have,”

Although the actual transactions are not identical, with Google Wallet creating a virtual credit card while Apple Pay uses tokenization, “they are pretty much parallels (in terms of security),” Doyle adds.

When it comes to emerging payment methods like Apple Pay, perhaps the best way to look at it is not whether they are secure, since nothing is 100 percent secure, but whether using them is more secure than using credit cards. We know that the magnetic stripe and signature system of credit cards used in the U.S. is not very secure at all: BI Intelligence estimates that credit card fraud in the U.S. in 2013 amounted to about $7.1 billion, more than half of all global payment card fraud costs.

Conclusion

Card-issuing banks say that cardholders won’t be held responsible for purchases made with their stolen cards via Apple Pay. Industry spokesmen say banks are tightening their procedures to validate suspect cards before they’re added to the payment processing system.

Does Apple deserve some blame for the use of fraudulent credit cards on its system? The company left it to the banks to determine when they wished to require additional verification, and by what means, before green-lighting a card for Apple Pay. But Apple could have mandated tougher standards on its own, say by refusing to accept cards that had not been put through the validation wringer.

Possibly due to its desire to line up as many card issuers as possible for the service, Apple may not have wished to increase the banks’ costs by demanding stricter verification. Given that Apple Pay is designed to supplant merchants’ point-of-sale verification of credit cards, perhaps that was the wrong decision, especially since Apple’s own brand name is on Apple Pay.

Securing Mobile Devices in the Enterprise

INTRODUCTION

Mobile devices, such as smartphones and tablets, typically need to support multiple security objectives: confidentiality, integrity and availability. To achieve these objectives, mobile devices should be secured against a variety of threats. The concept of mobility has changed completely in recent years. The mobile enterprise is not just a business that optimizes its website for mobile devices, nor is it one that allows its employees to work from home every so often. Today’s truly mobile enterprises place mobility at their core, transforming their operations, engaging better with customers and partners and creating innovative business models that boost revenue. As gateways into the mobile enterprise, the security of devices is critical: if devices are not protected in the right way, they represent a weak link in enterprise systems and data security.

PROBLEMS ASSOCIATED WITH MOBILE DEVICES IN THE ENTERPRISE 

  • The loss of mobile devices should give businesses cause for concern. Mobile enterprises are agile and productive because they enable access to a wide array of systems on the move. The worry is that if a mobile device falls into the wrong hands it could be used to access these systems for malicious reasons. Such concerns should not, however, stop businesses from moving towards mobility. It just means that they should do so in a secure way.
  • If the enterprise owns employee mobile devices, then much of this risk can be mitigated. Businesses can lock down devices, ensuring that they are password-protected and that, in case of loss, sensitive information can be deleted remotely.
  • However, many workers will not use a device if it is not one they are familiar with or have helped select, especially if the usability of the device is hampered by heavy-handed security measures. The danger is that employees will instead use their personal devices for work. If the IT department does not know they are doing this, it cannot secure the device and the enterprise could be vulnerable. For a truly mobile enterprise, therefore, businesses need to arm workers with the devices they want (preferably their own).

WHAT IS THE SOLUTION?

  • One solution to this challenge is COPE (Corporate-Owned, Personally Enabled), where the business allows employees, in collaboration with IT, to choose the devices they use for work. This brings huge productivity benefits while ensuring that IT maintains control. Alternatively, businesses may embrace BYOD (Bring Your Own Device) where employees are allowed to use personal mobile devices for work. BYOD offers significant savings on procurement and network costs in addition to productivity benefits.
  • Traditionally, businesses employing a mobile strategy have mostly used mobile device management (MDM) platforms, which secure the device. The problem with MDM is that it harms the usability of mobile devices by slowing the user experience. This hinders productivity and can frustrate the user, even causing him or her to stop using the device. Therefore, a more elegant approach is required. Rather than securing the device, businesses should secure the data, applications and information that the employee accesses through it. There are three enabling technologies for this approach: Mobile Application Management (MAM), Mobile Information Management (MIM) and Identity Management (IM).
  • Rather than locking down the entire device, MAM extends a secure ‘container’ for application security and control to separate, protect, and wipe corporate applications and data. Importantly it does so in a way that does not interfere with usability.
  • While ideal for COPE deployments, MAM is particularly compelling for BYOD as it securely extends all the identity services and policies of the enterprise user to their personal mobile device. For the employer this solution is ideal: employees can lose their phones without putting corporate data at risk. Meanwhile, MAM reassures employees that employers cannot see any of their personal information. Of course, while lost mobile devices represent a key security threat, they are not the only one. For example, data might be intercepted in transit over a wireless network or exposed through a breach, regardless of whether the employee has physical possession of the device. In these cases Mobile Information Management (MIM) plays an important role. MIM secures data at the document level: the user opens the document through the application in the usual way but needs an access permission to actually view it, allowing businesses to secure crucial data at a granular level.

CONCLUSION

Finally, a consideration for device and data security is identity fraud. With identity fraud, the mobile device becomes an easy way for criminals to steal an identity and access a victim’s personal services (e.g. a bank account) and professional services (i.e. the applications and systems of their workplace). Identity management is therefore a vital component of a mobile enterprise strategy, and multi-factor authentication and authorization integrated with mobile security policies is critical. A mobile enterprise can be a secure enterprise. Mobile devices will get lost; they will get broken; and they will get stolen. But this is no reason for businesses not to embrace their use. Let’s face it: the future is mobile. Employees want to use mobile devices to work how they want and where they want.

The Next Agenda for Energy and Utility CIOs

The traditional utility business model is being challenged by the growth of distributed energy resources, especially intermittent renewables that operate outside of utility control. In the near future customer lifestyles will become increasingly digital, and there will be pressure to continually reduce operating cost and improve workforce productivity. To address these challenges, utility companies have to deploy operational technologies such as smart meters, smart grid and distribution asset sensors. Information and analytics practices have not kept pace with the resulting data deluge, with the result that many anticipated benefits have been slow to arrive. The ability to apply analytics to create operational insight is a major opportunity for CIOs; doing so in an unfocused fashion, however, will lead to erratic results.

Utility CIOs should begin to close the gap between IT potential and organizational performance by focusing on three key areas:

1. Energy provisioning transformation.

2. Digital customer engagement.

3. Digital workforce enablement.

Energy Provisioning Transformation

Disruptive forces are making the century-old traditional utility model of a centralized provider of unlimited energy on demand obsolete. These forces include, but are not limited to:

  • Growth of distributed energy resources, especially renewable energy on customer premises.
  • Declining demand and increasing concerns over supply security.
  • Deteriorating capacity utilization as distribution volume drops while peak demand grows.

The industry needs a new business model to respond to these forces. Utilities must change from the existing supply-driven model to a distributed model that uses prices and market signals to balance supply and demand. Energy information will be a key enabler of the new energy provisioning model, and utility CIOs must lead by embracing digital business. These changes are also necessary to address the societal imperative of sustainability.

Digital Customer Engagement

Energy and utility customers’ lifestyles will become increasingly digital. In addition, customer investment in energy technologies, such as rooftop solar, home energy management and electric vehicles, and the need for resource conservation increase the value of engagement. However, the utility industry lags behind other industries in customer engagement, especially with regard to digital channels such as mobile and social. Utility CIOs must use digital channels to drive customer participation in energy management and resource conservation, reduce operating cost through self-service, and improve satisfaction by meeting customers’ service channel preferences.

Digital Workforce Enablement

A changing workforce and the emergence of mobile technologies are driving a revolution in the utility industry’s operational technologies. Utility CIOs can use advances in mobility to improve communication with field crews, including the ability to capture information on asset condition, and to dynamically optimize field resources. However, back-office systems must be upgraded to enable more effective workforce utilization. This is especially the case for large-scale service restoration operations. Opportunities include digital displays to improve operational situational awareness and analytics to support operational decision-making.

TECHNOLOGICAL INNOVATION-The Need Of Survival For Compliance

INTRODUCTION

As the financial markets continue to strengthen, one might assume that this is good news for technology vendors. When any financial crisis begins, one of the first budget items to suffer is always IT spend. Traditionally, as a recovery gathers momentum, so the technology coffers begin to swell once more. This time around, however, the outlook is a mixed one for technology vendors.

Generally speaking, IT spend is relatively flat at the moment as firms try to assess the medium-term financial outlook. Instead, firms are seeking to derive better value from their IT infrastructures, and this is increasing the adoption of cloud-based solutions, irrespective of the size of the business. Firms also have to balance their desire for technological innovation with the need to comply with new regulation.

The regulatory challenge

Indeed, compliance continues to be a challenge for firms. Many firms are also trying to address some key strategic issues, but their ability to optimize this work is constrained by the ever-evolving regulatory environment.

In addition to compliance, innovation has been hampered by the lack of a robust and innovative supplier market. As a result of the downturn, the vendor market consolidated and placed much of its focus on servicing its existing clients. Truly innovative new products were few and far between.

We are still seeing the effects of this in the market today. Firms constantly need a business driver to innovate and regulation should be viewed as one such driver, or even an enabler to innovation, if approached in the right way. This is why many firms are now benefiting from improved CRM (Customer Relationship Management) as a result of suitability requirements, or increased management information stemming from the new regulatory reporting requirements.

Aligning compliance with customer expectations

Many firms are now trying to align the need for regulatory compliance with customer expectations of service quality. In theory this should be possible, as regulation is commonly introduced for the benefit of the end consumer.

It is clear that firms that can prove they are efficient and effective in implementing regulation and satisfying the regulator should be in a position to improve many elements of customer services.

There does not need to be a conflict between regulation and servicing customers. Much of the current regulatory flow is only trying to enforce standards and expectations that non-financial firms would take for granted. Financial firms need to adopt a longer-term perspective and instil the principles of the regulators at the very core of their operations. Firms would then find that the outcomes benefit all parties.

Innovation begins to return

Innovation is starting to return, albeit very slowly. Some areas are seeing more new products and suppliers come to market. Customer Relationship Management (CRM) is one area that has evolved dramatically within investment management. Client reporting and performance measurement are also showing higher levels of innovation. It is no coincidence that these three functions are all absolutely key to providing a leading edge and high quality customer experience.

For smaller firms, the move to cloud computing is good value. Not only do services such as Office 365 provide great flexibility in the way that a firm can be organized internally, but the cloud also enables businesses to benefit from cheaper and smarter applications. These applications enable new services to be delivered to the client faster and cheaper.

CONCLUSION

If we look at the developments in client reporting systems, no longer are these applications multi-million pound investments that only the very large firms can afford: these services are now available on a pay-as-you-go basis. If you look at the challenge to banks from new entrants such as money payment services or peer-to-peer lending, we find that these market participants have only arisen because of technology innovation.

Technological innovation and compliance can co-exist. It only takes a little imagination and a different perspective. From small businesses and large enterprises down to personal users, cloud services offer many advantages. With a flexible pay-as-you-go usage model, charges can be monthly or annual. There is no technology to maintain and no additional IT investment or upfront cost, and the ability to scale up and down as business demands is built in. It is just a case of signing up and using the cloud services.

Cloud services are of enormous benefit, but users should take proper advice, as the right cloud computing solution is best determined by a qualified, certified IT consultant. With the cloud now a reality, 3consulting is positioned to provide powerful cloud-based solutions to businesses in Nigeria today.