Posted: 23-Oct-2015 | Uploaded by: tran-anh-tuan
March 2013
Johnston Yoon
1. Why is Bank Security needed?
2. Why do Banks need to improve Information Security?
3. What is the benefit to banks in Malaysia?
4. What is required to enhance IT Security?
5. What can an IT Security solution provide?
6. Introduction to Rights Management System (RMS)
MarkAny Confidential | © 2012 MarkAny Inc.
Why Is Bank Security Needed?
DATA GROWTH
The growth of digital information has rapidly surpassed expectations. By 2011 the digital universe will be 10 times the size of 2006.
INCREASED DATA MOBILITY
The importance of data has increased its access and mobility requirements, making it more difficult to secure and protect.
INCREASED DATA BREACHES
As data and its mobility grow, the number of data breaches and the amount of data exposure have also grown.
U.S. 2010 > 662 Breaches (2)
412 (62%) Exposed Social Security Numbers
170 (26%) Exposed Credit or Debit Cards
REGULATIONS INCREASING
Increased data exposure has resulted in increased regulations and reporting requirements globally.
COST OF DATA BREACHES GROWS
Increased reporting requirements and increased data breaches result in increased breach costs.
Average org. cost of data breach over 4 years. U.S. 2010: $7.2 Million (3); $214 per record (3)
Sources:
(1) IDC – The Diverse and Exploding Universe – March 2008
(2) Identity Theft Resource Center – 2010 Data Breach Stats, January 3, 2011
(3) Ponemon Institute – Fourth Annual U.S. Cost of Data Breach Study, January 2009
Why Do Banks Need to Improve Information Security?
What are the key concerns for banks in the cash handling cycle?
[Chart, 0% to 50% scale. Categories: Cost; Security; Process Improvement; Transparency & Audit Traceability. Values shown: 44%, 33%, 19%, 4%. Source: Asian Banker Research]
MAIN DRIVERS TO IMPROVE CASH HANDLING EFFICIENCY:
Resulting in higher risk of robbery, theft, and fraud. Internal theft also poses a bigger problem involving more manual processing with more touch points of staff and cash, thus creating opportunities for theft.
Minimize Operation Cost & Security
MAJOR COST CONCERNING: Matured Bank, Emerging Bank
This is not just due to generally higher salaries, but also more efficient management of handling cash through technology and supply chain management, bringing down other non-labor-related cost.
Why Do Banks Need to Improve Information Security?
[Figure: The composition of cash handling cost in emerging and mature markets. Two charts: Matured Banks (Australia, Hong Kong, Korea, and Singapore) and Emerging Banks (China, India, Indonesia, Malaysia, Sri Lanka and Thailand). Cost categories: Labor (Maintenance); Labor (Backoffice: Sorting, Counting); Labor (Refilling); Transport; Currency Fitness (Change); Holding of Excess Cash; Downtime of Machine; Assurance; Theft. Source: Asian Banker Research]
Why Do Banks Need to Improve Information Security?
[Figure: The composition of cash handling cost in selected banks in emerging & matured markets. Stacked bars on a 0% to 100% scale, grouped as Emerging Banks and Matured Banks. Bars: Bank Thailand; Bank Malaysia; Bank Sri Lanka; Bank Indonesia; Foreign Bank Singapore; Bank Taiwan; Bank Korea. Cost groups: Security & Regulatory Cost; IT & Operation Cost; Labor Cost. Cost categories: Theft; Currency Fitness (Change); Assurance; Downtime of Machine (Opportunity Cost); Holding of Excess Cash (Opportunity Cost); Transport; Labor (Maintenance); Labor (BackOffice: Sorting, Counting); Labor (Refilling). Source: Asian Banker Research]
Why Do Banks Need to Improve Information Security?
Today’s banks face a wide range of risk issues, almost all of which have an impact on the organization’s data.
[Chart, 0% to 100% scale. Risk issues listed: Terrorism activity; Supply chain breakdown; E-discovery requests; Natural disaster; Federal compliance issues; Product quality issues; Theft; Physical security; Power failure; Hardware and system malfunction; IT security. Values shown: 50%, 40%, 28%, 25%, 22%, 17%, 13%, 11%, 6%. Source: 2010 IBM Global IT Risk Study]
[Graphic labels: Bank; Phishing; Identity Theft; Information leakage; Voice Phishing; Privacy; Spyware; Card Fraud. Values shown: 78%, 63%]
What Is Required to Enhance IT Security?
PCI DSS Compliance: 6 Control Objectives, 12 Requirements Spanning
1. Build and Maintain a Secure Network
• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
6. Maintain an Information Security Policy
• Maintain a policy that addresses information security
What Is the Benefit to Banks in Malaysia?
Introducing information security brings a cost-down effect to the bank and pays back to Indonesian banks with work efficiency and more salaries for bank executives and employees.
Quantitative Benefit
• Helping to avoid contractual, industry and regulatory penalties, nearly 5% of total cost.
• Cost saving of as much as 20% to 30% by delivering considerable savings over traditional information security management efforts.
• Helping to create new 2nd revenue streams by reducing bank security cost and investing in labor management cost.
Qualitative Benefit
• Creating and maintaining one set of processes, leading to reduced redundancies compared to traditional data security management efforts.
• Allowing for faster market rollout of new initiatives, products and services.
[Figure: Stacked cost bars on a 0% to 100% scale for Bank Korea and Bank Malaysia. Cost groups: Security & Regulatory Cost; IT & Operation Cost; Labor Cost. Cost categories: Theft; Currency Fitness (Change); Insurance / Assurance; Downtime of Machine (Opportunity Cost); Holding of Excess Cash (Opportunity Cost); Transport; Labor (Maintenance); Labor (BackOffice: Sorting, Counting); Labor (Refilling)]
What Is Required to Enhance IT Security?
Information Security Breaches At Banks:
• Internal & External Malicious Threats
• IT Security Policy & External Regulation
• Inability of Data Monitoring & Traceability
Requirements:
• Facilitate alignment of IT data initiatives and business strategies
• Improve ability to measure, monitor and improve e-Evidence & e-Discovery
• Increase compliance and regulatory adherence & enhance business intelligence capabilities
• Initiate ultimate data protection; ensure adequate controls of internal data
What Can an IT Security Solution Provide?
• Improve existing controls used to prevent, detect and mitigate security breaches and data risks at rest, in motion, and in use.
• Collect data on threats, impacts and effectiveness of the current document management process and provide hardcopy protection for e-Discovery.
• Identify and define risks by assessing each business activity against potential threats and the risk to internal information & data.
• Provide extensive industry knowledge and guidelines that cover important data risk areas such as PCI compliance and remote data protection.
Introduction to RMS (Rights Management System)
The Rights Management System is a total security solution that protects internal information and prevents illegal usage or forwarding of sensitive information to unauthorized users. It enables the organization to consolidate its security policy and secure all intelligence within the Bank organization.
[Diagram: Service Oriented Security Architecture]
RMS Standard Edition: Document Encryption; Access Control; User Applications Control; Centralized Security Policy; Audit Monitoring
User Platform Support: WinXP; WinVista; Win 7; x64 OS; BlackBerry Mobile Support
Business System Integration: UCM / BPM; SharePoint; FileNet; Documentum
Components Interface
RMS Component Packages: PC DRM – Auto-Encryption; Media Control; CD / USB Distribution; Screen & Web Protection; Hardcopy Protection; File Server Security; Offline Policy & External DRM
Introduction to RMS – Basic Service Flow
The organization can ensure that security policies are enforced by means of document encryption, access control, and audit trails. It enables the Bank to enforce internal control using security policy and system.
[Diagram labels: Internal Owner; Administrator; Internal Users; Centralized Management; Document Download; Limited Access based on Access Control List; Prevent Illegal Access; User Platform Control (Save Control, Edit Control, Screen Capture Control, Expiry Date Control); Blocking Illegal Uses (CD, Thumb-drive, Email, Business Application System, etc.); Outflow Monitoring and Tracking]
Introduction to RMS – Encryption & Document Control
If the user does not have the ‘Edit’, ‘Save’ or ‘Print’ rights, the user application disables the ‘save’, ‘edit’, and ‘print’ functions. In addition, an unauthorized person cannot access an encrypted document or read it.
[Screenshots: Unauthorized User (when an unauthorized user opens the file); Authorized User with Different Access Control (when an authorized user has READ-ONLY access without printing)]
Introduction to RMS – Document Expiry Date Control
The user cannot access documents after the pre-defined period of use has expired. Before a document is opened, the expiration date is always checked, and if the document has expired, an alert message is sent to the user. The document will disappear from the memory, and even from the HD.
[Diagram labels: Controls valid period of document access; Validity of document]
Introduction to RMS – Access Control
The access control information is configured by a security manager based on the position, division, and job of the user. Access rights are applied differently to different users.
[Diagram: Document Encryption & Access Control, issued by the Document SAFER Server]
Protected document layout: Header (Meta-Data, Properties); Access Control Information List; Encrypted Document Data (Document Data)
Access Control Information List (each entry carries Extension Data and an ACL):
USER1 | Read-only
USER2 | Open 10 Times
GROUP A | Save / Edit
GROUP B | Read-only
POSITION1 | Open/Print 10 Times
POSITION2 | Read-only
Policy COMPANY1 | Read-only
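The expiry check and the per-user, group, position and company rights from the two slides above can be modelled as follows. This is an added example, not MarkAny's code or Document SAFER's file format: the `Entry` and `authorize` names, the lookup order (user, then group, position, company), deny-by-default, and the inclusion of 'open' in every entry are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical model of the ACL slide; not Document SAFER's real format or API.
@dataclass
class Entry:
    rights: frozenset                            # subset of open/edit/save/print
    limits: dict = field(default_factory=dict)   # right -> remaining uses

READ_ONLY = frozenset({"open"})

# Entries copied from the slide. Assumptions: every entry includes "open",
# and lookup goes user, group, position, company (most specific wins).
ACL = {
    ("user", "USER1"): Entry(READ_ONLY),
    ("user", "USER2"): Entry(READ_ONLY, {"open": 10}),
    ("group", "GROUP A"): Entry(frozenset({"open", "edit", "save"})),
    ("group", "GROUP B"): Entry(READ_ONLY),
    ("position", "POSITION1"): Entry(frozenset({"open", "print"}),
                                     {"open": 10, "print": 10}),
    ("position", "POSITION2"): Entry(READ_ONLY),
    ("company", "COMPANY1"): Entry(READ_ONLY),
}
ORDER = ("user", "group", "position", "company")

def authorize(acl, subject, action, expires, today):
    """Return (allowed, reason). Deny by default; expiry is checked first."""
    if today > expires:
        return False, "expired"
    for kind in ORDER:
        entry = acl.get((kind, subject.get(kind)))
        if entry is None:
            continue                             # no entry at this level
        if action not in entry.rights:
            return False, f"{kind} entry lacks '{action}'"
        left = entry.limits.get(action)
        if left is not None:
            if left <= 0:
                return False, f"{action} limit exhausted"
            entry.limits[action] = left - 1      # consume one use
        return True, f"granted by {kind} entry"
    return False, "no matching ACL entry"

if __name__ == "__main__":
    staff = {"user": "USER2", "group": "GROUP B"}   # constructed sample subject
    expiry, today = date(2013, 12, 31), date(2013, 3, 1)
    print(authorize(ACL, staff, "open", expiry, today))
    print(authorize(ACL, staff, "print", expiry, today))
```

The caller supplies `today`, so the date and the remaining-use counters are only as trustworthy as the component that holds them.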
Introduction to RMS – User Applications Control
Windows applications used to edit documents are controlled by the Document SAFER Client program. Document SAFER supports all versions of application software, including MS Office, Adobe PDF reader, Photoshop, Notepad, WordPad, MS Paint, CAD drawing tools, etc.
[Diagram: Document SAFER Server and Document SAFER Client on the User PC Group]
Controlled applications: MS WORD; MS EXCEL; MS POWERPOINT; MS VISIO; MS PROJECT; PHOTOSHOP; CAD DRAWING; ADOBE PDF; MULTIMEDIA; IMAGE FORMAT (BMP, JPEG, PNG, GIF, TIFF)
Controls applied:
• Save function is inactive
• Edit function is inactive
• Print function is inactive
• Block-copy is disabled
Introduction to RMS – Centralized Security Policy
All security policy is defined by a security manager, with real-time configuration of access rights in the Document SAFER server.
[Screenshots: a document downloaded from the Document SAFER server without edit and save rights; edit and save rights enabled in real time, without downloading again, according to the user’s authority]
Introduction to RMS – Auditing Trail & Monitoring
User activities of ‘open’, ‘save’, ‘print’, and ‘download/upload’ are reported to the Document SAFER server. With this audit trail, a security manager is able to monitor user activities and audit misuse of document handling on the user platform.
[Screenshots: Log History Report; Log History for File Transactions; Log History for Date Time Condition; Log History for User Activities; Log Export to Excel]
Introduction to RMS – Screen Capture Protection
Control of the ‘screen capture’ for encrypted documents can block activation of commercial capture programs or shareware viewer programs. Blocking of the ‘screen capture’ function on the PC is also activated for a user who is not allowed to use the ‘edit’ function. A user not authorized for the ‘screen capture’ function will find that there is no way to capture the information displayed on the screen.
[Screenshot: Screen Capture Disabled. Controls screen capture by protecting an encrypted block only.]
Introduction to RMS – User Platform Support
Document SAFER supports all kinds of Windows operating systems including WinXP, Vista, Win 7 and 64-bit applications. It supports multiple languages based on Unicode, including English, Arabic, Chinese, Japanese, and Korean.
Document SAFER Server: Windows 2003 ~ Windows 2008 R2 (x86, x64)
Document SAFER Client: Windows XP SP2/3, Vista ~ Windows 7 (x86, x64)
Microsoft .NET framework 3.0 or higher
Support Unicode for multi-language
Introduction to RMS – Mobile Device Support
Smartphone support is becoming more important than ever. Document SAFER extends its security features to mobile devices such as iPhone, Android phone, Windows Mobile, and BlackBerry. Access to documents is controlled exactly as on a PC or laptop computer.
[Diagram: Mobile Enterprise DRM (SecuReady). Components: Smartphone including Document SAFER SecuReady; E-Mail Server; User PC; Document SAFER Server; ECM / BPM / DMS. Document sources: Email Attached File; File Download from Media. Controls: Capture Control; Edit Control; Save Control; Expiry Date Control; Outflowing Control]
Introduction to RMS – Integration with Existing Biz. System
Document SAFER integrates seamlessly with existing business platforms (ECM/EDMS/BPM/GW/PDM/ERP/etc.). MarkAny has long experience in integration with many business systems, such as Oracle UCM/BPM, Microsoft SharePoint, IBM FileNet, EMC Documentum, and even local EDMS and e-mail systems.
[Diagram: Document SAFER connected to: Content Management System; Documentum System; SharePoint; FileNet ECM; SAP® ERP; Windchill® PLM/PDM; Other Groupwares (Lotus Notes, etc.); Other EDMS]
Conclusion
What is the real benefit to the Bank office?
Cost Down: 20% ~ 30% cost saving for security insurance
Document Security: Ensure document authenticity, integrity, and safeguarding of information
Regulation Satisfactory: Meet regulatory requirements and remove extra cost
Enhanced Security: Enhance document security throughout the information lifecycle
New Opportunity: Leverage existing infrastructure investment & creation of new revenue stream
[Gauge charts, 0 to 100 scale. Values shown: 30%, 100%, 80%, 100%, 50%]
Successful References
Document Security in Finances: Kumho Life Insurance; Korea Development Bank; Daegu District Bank; IBK Bank; Hyundai Securities; Woori Futures; Allianz Life Insurance; BC Credit Card; Kyobo Life Insurance; Korea Financial Supervisory Service; Korea Investment & Securities; Shinhan Bank; Woori Bank; Korea Export-Import Bank
Document Security in Global Sites: Bank BTN Indonesia; PT. Telkom Indonesia; Saudi Riyad Bank
Successful Cases – Bank BTN Indonesia
Rights Management System (RMS)
Purpose: Protect online documents managed in IBM FileNet ECM and provide data protection and strong access control to digital assets
Implementation Period: April 2011 ~ April 2011 (2 Weeks)
[Architecture diagram labels: Users; Internal Network (10/100Mb); IBM FileNet (Database, File Storage); RMS (Document SAFER); User Profile System (ADS/LDAP); ECM Custom Layer; HTTP APIs; Triggering Logon Process & Document Encryption / Decryption; RMS Client Download; Document Upload / Download; User Authentication (SSO); User & Group Profile Synchronization; HR Integration; Document File Access; System Administration; Softcopy Documents; Hardcopy Documents]
Successful Cases – Korean Bank Industries
Rights Management System (RMS)
Purpose: Protect online documents managed in existing systems (Banking Information Management System, ERP, MIS, Accounting System, etc.) and provide data protection and strong access control to digital assets
Project Implementation Information
No | Bank | Type | Document SAFER Components
1 | Woori Bank & Woori Finance Group (2010~2011) | Initial Project | PC-DRM (Included 11 Branches)
  |  | Additional Development | Added OLAP, DM Message System
  |  | Maintenance | Second Year Maintenance
2 | Daegu District Bank (2010~2011) | Initial Project | Server DRM (#4) & PC-DRM
  |  | Maintenance | Second Year Maintenance
3 | Korean EXIM Bank (2010~2011) | Initial Project | Server DRM (#6) & PC-DRM
  |  | Maintenance | Second Year Maintenance
4 | KDB Finance Group (2010~2011) | Initial Project | Server DRM (#6) & Integration with 6 Branches
  |  | Maintenance | Second Year Maintenance
Successful Cases – Saudi Riyad Bank
Rights Management System (RMS)
Purpose: Satisfying IT Compliance & Regulation like PCI DSS with use of IBM FileNet ECM and provide data protection and strong access control to digital assets
Implementation Period: Jun. 2011 ~ Sep. 2011 (2 Weeks)
Successful Cases – PT. Telkom Indonesia
Hardcopy Document Security (HDS)
Purpose: Protect Hardcopies at BoD Conference & Trace with Forensic Watermarking & 2D-Barcode on Printed Papers
Implementation Period: Feb. 2010 ~ Feb. 2010 (1 Week)
[Workflow diagram. Actors: BOD Secretary; BOD Members; BOD Board; Security Administrator; Unauthorized User. Systems: ADS; EDMS; Lotus Domino; Database; Single Sign On. Steps shown: Document Creation; 1 Document Upload; 3 Document Download; 4 Document Print Out or Distribution; 5 Photocopy & Illegal Distribution; 6 Document Tracking. Other labels: Watermarked Image; Tracking Hardcopies]