
March 2013

Johnston Yoon

1. Why is Bank Security needed?
2. Why do Banks need to improve Information Security?
3. What is the benefit to banks in Malaysia?
4. What is required to enhance IT Security?
5. What can an IT Security solution provide?
6. Introduction to Rights Management System (RMS)

Why Is Bank Security Needed?

DATA GROWTH
The growth of digital information has rapidly surpassed expectations. By 2011 the digital universe will be 10 times its 2006 size.

INCREASED DATA MOBILITY


The importance of data has increased its access and mobility requirements making it more difficult to secure and protect

INCREASED DATA BREACHES


As data and its mobility grow, the amount of data breaches and data exposure has also grown

U.S. 2010 > 662 Breaches [2]
412 (62%) Exposed Social Security Numbers
170 (26%) Exposed Credit or Debit Cards

REGULATIONS INCREASING
Increased data exposure has resulted in increased regulations and reporting requirements globally

COST OF DATA BREACHES GROWS


Increased reporting requirements and increased data breaches result in increased breach costs

U.S. 2010: $214 per record [3]
Average org. cost of data breach over 4 years: $7.2 Million [3]

[1] Source: IDC, The Diverse and Exploding Universe, March 2008
[2] Source: Identity Theft Resource Center, 2010 Data Breach Stats, January 3, 2011
[3] Source: Ponemon Institute, Fourth Annual U.S. Cost of Data Breach Study, January 2009

MarkAny Confidential

2012 MarkAny Inc.

Why Do Banks Need to Improve Information Security?

What are the key concerns for banks in the cash handling cycle?

[Chart: Main drivers to improve cash handling efficiency, Matured Bank vs. Emerging Bank. Labels: Cost, Security, Process Improvement, Transparency & Audit Traceability. Values shown: 44%, 33%, 19%, 4%.]

MAJOR COST CONCERNING: Minimize Operation Cost & Security

Cost: This is not just due to generally higher salaries, but also to more efficient management of cash handling through technology and supply chain management, bringing down other non-labor-related costs.

Security: Resulting in higher risk of robbery, theft, and fraud. Internal theft also poses a bigger problem, involving more manual processing with more touch points of staff and cash, thus creating opportunities for theft.

Source: Asian Banker Research


Why Do Banks Need to Improve Information Security?

The composition of cash handling cost in emerging and mature markets

[Pie charts: cash handling cost composition for Matured Banks (Australia, Hong Kong, Korea, and Singapore) and Emerging Banks (China, India, Indonesia, Malaysia, Sri Lanka and Thailand). Segments: Theft, Assurance, Labor (Maintenance), Labor (Refilling), Labor (Backoffice: Sorting, Counting), Downtime of Machine, Currency Fitness (Change), Holding of Excess Cash, Transport.]


Why Do Banks Need to Improve Information Security?

The composition of cash handling cost in selected banks in emerging & matured markets

[Stacked bar chart, 0% to 100%, Emerging Banks vs. Matured Banks. Banks shown: Bank Thailand, Bank Sri Lanka, Bank Malaysia, Bank Indonesia, Bank Korea, Bank Taiwan, Foreign Bank Singapore. Cost categories: Security & Regulatory Cost, IT & Operation Cost, Theft, Currency Fitness (Change), Assurance, Downtime of Machine (Opportunity Cost), Holding of Excess Cash (Opportunity Cost), Labor Cost, Transport, Labor (Maintenance), Labor (BackOffice: Sorting, Counting), Labor (Refilling).]

Source: Asian Banker Research


Why Do Banks Need to Improve Information Security?

Today's banks face a wide range of risk issues, almost all of which have an impact on the organization's data

IT security: 78%
Hardware and system malfunction: 63%
Power failure: 50%
Physical security: 40%
Theft: 28%
Product quality issues: 25%
Federal compliance issues: 22%
Natural disaster: 17%
E-discovery requests: 13%
Supply chain breakdown: 11%
Terrorism activity: 6%

Source: 2010 IBM Global IT Risk Study

[Illustration labels: Bank Phishing, Identity Theft, Privacy, Information leakage, Voice Phishing, Spyware, Card Fraud]


What Is Required to Enhance IT Security?

PCI DSS Compliance: 6 Control Objectives, Spanning 12 Requirements

1. Build and Maintain a Secure Network
   - Install and maintain a firewall configuration to protect cardholder data
   - Do not use vendor-supplied defaults for system passwords and other security parameters

2. Protect Cardholder Data
   - Protect stored cardholder data
   - Encrypt transmission of cardholder data across open, public networks

3. Maintain a Vulnerability Management Program
   - Use and regularly update anti-virus software
   - Develop and maintain secure systems and applications

4. Implement Strong Access Control Measures
   - Restrict access to cardholder data by business need-to-know
   - Assign a unique ID to each person with computer access
   - Restrict physical access to cardholder data

5. Regularly Monitor and Test Networks
   - Track and monitor all access to network resources and cardholder data
   - Regularly test security systems and processes

6. Maintain an Information Security Policy
   - Maintain a policy that addresses information security


What Is The Benefit to Banks in Malaysia?


Introducing information security brings about a cost-down effect for the bank and pays back to Indonesian banks with work efficiency and more salaries for bank executives and employees.

[Stacked bar chart, 0% to 100%, Bank Malaysia vs. Bank Korea. Cost categories: Security & Regulatory Cost, Theft, Currency Fitness (Change), Assurance, Insurance, IT & Operation Cost, Downtime of Machine (Opportunity Cost), Holding of Excess Cash (Opportunity Cost), Labor Cost, Transport, Labor (Maintenance), Labor (BackOffice: Sorting, Counting), Labor (Refilling).]

Quantitative Benefit
- Helping to avoid contractual, industry and regulatory penalties, which amount to nearly 5% of total cost.
- As much as 20% to 30% cost saving at maximum, by delivering considerable savings over traditional information security management efforts.
- Helping to create 2nd new revenue streams by reducing bank security cost and investing in labor management cost.

Qualitative Benefit
- Creating and maintaining one set of processes, leading to reduced redundancies compared to traditional data security management efforts.
- Allowing for faster market rollout of new initiatives, products and services.


What Is Required to Enhance IT Security?

Initiate Ultimate Data Protection

Ensure Adequate Controls of Internal Data

Facilitate alignment of IT data initiatives and business strategies

Information Security Breaches At Banks

Internal & External Malicious Threats

Inability of Data Monitoring & Traceability

IT Security Policy & External Regulation

Improve ability to measure, monitor and improve e-Evidence & e-Discovery

Increase compliance and regulatory adherence & Enhance business intelligence capabilities

What Can an IT Security Solution Provide?

- Improve existing controls used to prevent, detect and mitigate security breaches and data risks at rest, in motion, and in use
- Identify and define risks by assessing each business activity against potential threats and the risk to internal information and data
- Collect data on threats, impacts and effectiveness of the current document management process, and provide hardcopy protection for eDiscovery
- Provide extensive industry knowledge and guidelines that cover important data risk areas such as PCI compliance and remote data protection

Introduction to RMS (Rights Management System)


[Diagram: Service Oriented Security Architecture]

RMS Standard Edition: Document Encryption, Access Control, Centralized Security Policy, User Applications Control, Audit Monitoring
RMS Component Packages: Components Interface, Screen & Web Protection, PC DRM Auto-Encryption, Media Control, File Server Security, CD / USB Distribution, Hardcopy Protection, Offline Policy & External DRM
User Platform Support: WinXP, WinVista, Win 7, x64 OS, Mobile Support (BlackBerry)
Business System Integration: UCM / BPM, SharePoint, Documentum, FileNet

The Rights Management System is a total security solution that protects internal information and prevents illegal usage or forwarding of sensitive information to unauthorized users. It enables the organization to consolidate its security policy and secure all intelligence within the bank organization.

Introduction to RMS Basic Service Flow


[Diagram: basic service flow between Administrator, Internal Owner and Internal Users]

Administrator: Centralized Management, Monitoring and Tracking
Internal Owner to Internal Users: Document Download, with limited access based on the Access Control List
User Platform Control: Save Control, Edit Control, Print Control, Screen Capture Control, Expiry Date Control
Internal User Outflow: Prevent illegal access; block illegal uses (CD, thumb drive, email, business application system, etc.)

The organization can be assured that security policies are enforced by means of document encryption, access control, and audit trails. This enables the bank to enforce internal control using security policy and system.

Introduction to RMS Encryption & Document Control


[Screenshots: Unauthorized User, when an unauthorized user opens the file; Authorized User with Different Access Control, when an authorized user has READ-ONLY access without printing]

If the user does not have Edit, Save or Print rights, the user application disables the save, edit, and print functions. In addition, an unauthorized person cannot access an encrypted document or read it.

Introduction to RMS Document Expiry Date Control


Controls valid period of document access

Validity of document

The user cannot access documents after the pre-defined period of use has expired. Before a document is opened, the expiration date is always checked, and if the document has expired, an alert message is sent to the user. The document will disappear from memory, and even from the hard disk.

Introduction to RMS Access Control


[Diagram: Document SAFER Server applies a different right to each principal]

User 1: Read-only
User 2: Open 10 Times
Group A: Save/Edit Enabled
Group B: Read-only
Job Position 1: Open 10 / Print 10
Job Position 2: Read-only
Company 1: Read-only

Document Encryption & Access Control (protected document layout)

Header
Meta-Data Properties
Access Control Information List
  USER1      Read-only             Extension Data ACL
  USER2      Open 10 Times         Extension Data ACL
  GROUP A    Save / Edit           Extension Data ACL
  GROUP B    Read-only             Extension Data ACL
  POSITION1  Open/Print 10 Times   Extension Data ACL
  POSITION2  Read-only             Extension Data ACL
  COMPANY1   Read-only             Extension Data ACL
Policy
Document Data: Encrypted Document Data

The access control information is configured by a security manager based on the position, division, and job of the user. Access rights are applied differently to different users.
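The access control list above, together with the expiry check from the Document Expiry Date Control slide, modelled as an added example (this is not MarkAny or Document SAFER code). The precedence between user, group, position and company entries, the per-user counters, the action names and the sample expiry date are assumptions of the example; the slides do not specify them.

```python
from dataclasses import dataclass, field
from datetime import date

# ASSUMPTION: the most specific matching entry wins (user > group > position >
# company). The slide does not say how overlapping entries are combined.
PRECEDENCE = ("user", "group", "position", "company")
READ_ONLY = frozenset({"open"})          # "read-only": no edit, save or print

@dataclass
class AclEntry:
    rights: frozenset                             # allowed actions
    max_uses: dict = field(default_factory=dict)  # e.g. {"open": 10}

@dataclass
class ProtectedDoc:
    expires: date
    acl: dict                                   # (kind, name) -> AclEntry
    used: dict = field(default_factory=dict)    # (user, action) -> count
    audit: list = field(default_factory=list)   # one record per decision

def authorize(doc, subject, action, today):
    """Decide one action for one subject; every decision is audited."""
    def done(ok, reason):
        doc.audit.append((today.isoformat(), subject["user"], action, ok, reason))
        return ok, reason

    if today > doc.expires:                     # expiry is checked first
        return done(False, "expired")
    for kind in PRECEDENCE:
        entry = doc.acl.get((kind, subject.get(kind)))
        if entry is None:
            continue
        if action not in entry.rights:
            return done(False, f"no {action} right ({kind} entry)")
        limit = entry.max_uses.get(action)
        count = doc.used.get((subject["user"], action), 0)  # ASSUMPTION: per user
        if limit is not None and count >= limit:
            return done(False, f"{action} limit reached")
        doc.used[(subject["user"], action)] = count + 1
        return done(True, f"granted ({kind} entry)")
    return done(False, "no matching ACL entry")  # default deny

def sample_doc():
    """Constructed document mirroring the ACL entries listed on the slide."""
    return ProtectedDoc(expires=date(2013, 12, 31), acl={
        ("user", "USER1"): AclEntry(READ_ONLY),
        ("user", "USER2"): AclEntry(READ_ONLY, {"open": 10}),
        ("group", "GROUP A"): AclEntry(frozenset({"open", "edit", "save"})),
        ("group", "GROUP B"): AclEntry(READ_ONLY),
        ("position", "POSITION1"): AclEntry(frozenset({"open", "print"}),
                                            {"open": 10, "print": 10}),
        ("position", "POSITION2"): AclEntry(READ_ONLY),
        ("company", "COMPANY1"): AclEntry(READ_ONLY),
    })
```

With this precedence, USER1 stays read-only even as a member of GROUP A, which is the kind of overlap a security manager should resolve explicitly when configuring per-user, per-group and per-position rights.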

Introduction to RMS User Applications Control


[Diagram: Document SAFER Server and Document SAFER Client controlling applications on the User PC Group]

Controlled applications: MS EXCEL, MS WORD, MS POWERPOINT, MS VISIO, MS PROJECT, CAD DRAWING, PHOTOSHOP, ADOBE PDF, IMAGE FORMAT (BMP, JPEG, PNG, GIF, TIFF), MULTIMEDIA

Controls shown:
- Block-copy is disabled
- Save function is inactive
- Print function is inactive
- Edit function is inactive

Windows applications used to edit documents are controlled by the Document SAFER Client program. Document SAFER supports all versions of application software, including MS Office, Adobe PDF reader, Photoshop, Notepad, Wordpad, MS Paint, CAD drawing tools, etc.

Introduction to RMS Centralized Security Policy

A document is downloaded from the Document SAFER server without edit and save rights

Edit and save rights are enabled in real time, without downloading again, according to the user's authority

All security policy is defined by a security manager, with real-time configuration of access rights in the Document SAFER server.

Introduction to RMS Auditing Trail & Monitoring

Log History Report

Log History for File Transactions

Log Export to Excel

Log History for Date Time Condition

Log History for User Activities

User activities of open, save, print, and download/upload are reported to the Document SAFER server. With this audit trail, a security manager is able to monitor user activities and audit misuse of document handling on the user platform.

Introduction to RMS Screen Capture Protection

Screen Capture Disabled

Controls screen capture by protecting an encrypted block only.

Screen capture control for encrypted documents can block activation of commercial capture programs or shareware viewer programs. Blocking of the screen capture function on the PC is also activated for a user who is not allowed to use the edit function. A user who is not authorized for the screen capture function will find that there is no way to capture the information displayed on the screen.

Introduction to RMS User Platform Support

Document SAFER Client: Windows XP SP2/3, Vista ~ Windows 7 (x86, x64)

Document SAFER Server: Windows 2003 ~ Windows 2008 R2 (x86, x64)

Support Unicode for Multi-language

Microsoft .NET framework 3.0 or Higher

Document SAFER supports all kinds of Windows operating systems, including WinXP, Vista and Win 7, and 64-bit applications. It supports multiple languages based on Unicode, including English, Arabic, Chinese, Japanese, and Korean.

Introduction to RMS Mobile Device Support

[Diagram: Mobile Enterprise DRM. Document SAFER Server, ECM / BPM / DMS and E-Mail Server deliver documents to the User PC and to a smartphone that includes Document SAFER SecuReady.]

Delivery paths: Email Attached File, File Download from Media
Controls on the device: Save Control, Capture Control, Edit Control, Expiry Date Control, Outflowing Control

Smartphone support is becoming more important than ever. Document SAFER extends its security features to mobile devices such as iPhone, Android phones, Windows Mobile, and BlackBerry. Access to documents is controlled exactly as on a PC or laptop computer.

Introduction to RMS Integration with Existing Biz. System

[Diagram: Document SAFER at the center, integrated with: Content Management System, Windchill PLM/PDM, SharePoint, SAP ERP, Other EDMS, Documentum System, Other Groupwares (Lotus Notes, etc.), FileNet ECM]

Document SAFER integrates seamlessly with existing business platforms (ECM/EDMS/BPM/GW/PDM/ERP/etc.). MarkAny has long experience in integration with many business systems, such as Oracle UCM/BPM, Microsoft SharePoint, IBM FileNet, EMC Documentum, and even local EDMS and e-mail systems.

Conclusion

What is the real benefit to the bank office?

Cost Down: 20% ~ 30% cost saving for security insurance
Document Security: Ensure document authenticity, integrity, and safeguarding of information
Regulation Satisfactory: Meet regulatory requirements and remove extra cost
Enhanced Security: Enhance document security throughout the information lifecycle
New Opportunity: Leverage existing infrastructure investment & creation of new revenue stream

[Gauges, scale 0 to 100. Values shown: 30%, 100%, 80%, 100%, 50%]

Successful References

Document Security in Finances

Woori Bank
Shinhan Bank
IBK Bank
Daegu District Bank
Korea Development Bank
Korea Export-Import Bank
Korea Investment & Securities
Hyundai Securities
Woori Futures
Korea Financial Supervisory Service
Kyobo Life Insurance
Kumho Life Insurance
Allianz Life Insurance
BC Credit Card

Document Security in Global Sites

PT. Telkom Indonesia
Bank BTN Indonesia
Saudi Riyad Bank

Successful Cases Bank BTN Indonesia


Rights Management System (RMS)
Purpose: Protect online documents managed in IBM FileNet ECM and provide data protection and strong access control to digital assets
Implementation Period: April 2011 ~ April 2011 (2 Weeks)

[Architecture diagram]
IBM FileNet: Database, File Storage, Document File Access, System Administration, ECM Custom Layer
User Profile System (ADS/LDAP): HR Integration, User & Group Profile Synchronization
RMS (Document SAFER): HTTP APIs, Triggering Logon Process & Document Encryption / Decryption
Users, over Internal Network (10/100Mb): User Authentication (SSO), RMS Client Download, Document Upload / Download
Outputs: Softcopy Documents, Hardcopy Documents

Successful Cases Korean Bank Industries


Rights Management System (RMS)
Purpose: Protect online documents managed in existing systems (Banking Information Management System, ERP, MIS, Accounting System, etc.) and provide data protection and strong access control to digital assets

Project Implementation Information

Banks | Type | Document SAFER Components
Woori Bank & Woori Finance Group (2010 ~ 2011) | Initial Project | PC-DRM (Included 11 Branches)
Woori Bank & Woori Finance Group (2010 ~ 2011) | Additional Development | Added OLAP, DM Message System
Woori Bank & Woori Finance Group (2010 ~ 2011) | Maintenance | Second Year Maintenance
Daegu District Bank (2010 ~ 2011) | Initial Project | Server DRM (#4) & PC-DRM
Daegu District Bank (2010 ~ 2011) | Maintenance | Second Year Maintenance
Korean EXIM Bank (2010 ~ 2011) | Initial Project | Server DRM (#6) & PC-DRM
Korean EXIM Bank (2010 ~ 2011) | Maintenance | Second Year Maintenance
KDB Finance Group (2010 ~ 2011) | Initial Project | Server DRM (#6) & Integration with 6 Branches
KDB Finance Group (2010 ~ 2011) | Maintenance | Second Year Maintenance

Successful Cases Saudi Riyad Bank


Rights Management System (RMS)
Purpose: Satisfy IT compliance & regulation such as PCI DSS with use of IBM FileNet ECM, and provide data protection and strong access control to digital assets
Implementation Period: Jun. 2011 ~ Sep. 2011 (2 Weeks)

Successful Cases PT. Telkom Indonesia


Hardcopy Document Security (HDS)
Purpose: Protect hardcopies at BoD conference & trace with forensic watermarking & 2D-barcode on printed papers
Implementation Period: Feb. 2010 ~ Feb. 2010 (1 Week)

[Flow diagram. Participants: BOD Secretary, BOD Members, BOD Board, Security Administrator, Unauthorized User. Systems: EDMS Lotus Domino, ADS, Database. Steps and labels shown: Single Sign On, Document Creation, Document Upload (1), Document Download, Watermarked Image (3), Document Print Out or Email Distribution, Tracking Hardcopies (5), Document Tracking (6), Photocopy & Illegal Distribution.]