CASE STUDY: Do You Know Where Your Data Is? Evaluating a Technology Service Provider (TSP)
The Federal Financial Institutions Examination Council (FFIEC) Guidelines for Risk Management released in January 2009 contain various risk management guidelines for Remote Deposit Capture (RDC). iStream Financial Services understands the importance of protecting sensitive data and implemented appropriate systems, policies and practices well before the release of the new guidelines.
The financial arena has suffered great embarrassment and loss due to fraud and security breaches. As a whole, the entire industry is working diligently on several levels to create solutions for image quality, data movement, data security, fraud and other issues surrounding data protection. Security is the component that all other procedures revolve around, but there is no "one solution" to ensure data integrity. IT Security is based on many layers protecting access to systems and data. One analogy is the layered security of a castle in earlier centuries which relied on an outer wall, moat, inner wall, armed guards, and more.
In 2008, the average financial impact of a data breach was $6.65 million per breach according to Dr. Larry Ponemon of Ponemon Institute. This financial risk, not to mention reputation risk, should provide ample motivation to adhere to FFIEC guidelines and to ensure that only reliable Technology Service Providers (TSPs) are utilized. This document provides various considerations from iStream Financial Services for evaluating a TSP.
Selecting the Right Product and Partner
RDC is an emerging market with tremendous potential. Such a large market presents many challenges and risks regarding the capture, processing and clearing of check images, as well as the risks inherent in any financial transactions.
Before you can choose a service provider, you need to identify your organization's goals and needs. Then ask: does this company meet those needs? How does the TSP match up with us? Will the TSP support or control you? Will the system and service be there when needed?
When choosing a service provider it is essential to evaluate their technology from both a current and a future perspective. Does the provider have a flexible solution designed to meet the needs of your customers and grow with you? Have they designed security to ensure reliability, confidentiality, functionality, storage safety, etc., better known as "security by design"?
iStream's systems are developed with "security by design". For example, when a customer scans an item, where are the images saved, how well is the data protected, and will you be able to retrieve the image when you need it? As part of "security by design", iStream's system only allows images to be stored on our secured servers, thus protecting the end user on multiple levels.
Plan for the Expected: Compliance, Audit and Test
Can your TSP stand up to the FFIEC guidelines for technology requirements and recommendations? Does your TSP have a SAS 70 certified audit of the RDC process and controls? What about security audits, system vulnerability tests, penetration tests, and social engineering attempts performed by independent third parties? In this respect, it is important to know that iStream Financial Services not only meets or exceeds the FFIEC guidelines, but actually anticipated the development of those guidelines and, since its inception, has structured the development of its technology and security around "best practice" recommendations that were eventually incorporated into the FFIEC guidelines. Additionally, iStream commissions several independent third-party audits to help ensure the reliability of its systems and performs vulnerability and penetration testing on a regular basis. As past presenters at the FDIC Technology Seminar in Washington D.C. on the topic of "Emerging Issues and Risk Mitigation in the Financial Industry," iStream has worked diligently to help identify and eradicate the risks that a financial institution is exposed to with remote deposit capture.
It's important to understand if the organization has a SAS 70 and whether it's a Type I or Type II. SAS 70 is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) and is officially titled "Reports on the Processing of Transactions by Service Organizations." It defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor's report.
A Type I service auditor's report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service auditor's report tests the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review.
Ask your Technology Service Provider for a copy of their SAS 70 Type II report as part of your due diligence research. More importantly, read it, especially the results of testing that identify any exceptions found during the testing process.
A Working Budget for Comprehensive Monitoring and Evaluation
Readers who participated in Information Security's Priorities 2009 survey ranked data protection, threat management and other security initiatives as top concerns. At the same time, 27 percent of the more than 900 respondents expect their security budgets to remain flat and 23 percent are delaying some purchases. More than half expect security budget cuts if the economy doesn't rebound.
Does your Third Party Service Provider have the necessary budget for monitoring and evaluation?
Vulnerability scans, application tests, social engineering assessments (covering people, processes and the environment), mock penetration activity, red flag monitoring for identity theft, multi-factor authentication, out-of-band authentication and other continual evaluation and monitoring activities should all be part of determining whether the processes and procedures are demonstrated, tested and proven to work.
Multifactor authentication (MFA) is a security system in which more than one form of authentication is required to verify the legitimacy of a transaction. In contrast, single factor authentication (SFA) involves only a user ID and password. What authentication process does your TSP offer when your customers use their solution?
Plan for the unexpected - No Single Point of Failure
The estimated economic loss related to Hurricane Katrina was $125 - $150 billion. Liberty Bank & Trust in New Orleans lost its headquarters, records, six of eight local branches and most of its customers due to Hurricane Katrina. Backup records were temporarily lost, so the bank had no idea how much a person had in his or her account. The bank ended up losing $1 million in ATM overdrafts while another couple hundred thousand dollars was looted from cash machines and bank branches. At the end of 2005, the year of the storm, the bank showed a $1.5 million loss.
Lesson learned: A secure disaster recovery site with no single point of failure is paramount.
While no one expects a tornado, wildfire, or flood, these natural disasters do happen, and the loss of data in those events has been astounding. After Hurricane Katrina, the FDIC said in a resource document entitled "Preparing Your Institution for a Catastrophic Event" that a critical lesson was learned: some organizations did not anticipate and were not prepared for the extensive destruction and prolonged recovery period resulting from the hurricane.
Be prepared.
Does your TSP have a disaster recovery site? Do they conduct comprehensive disaster drills? Is the disaster recovery site located in close proximity to the main site? Critical attention should also be paid to backup data: is it encrypted, and is it updated daily, weekly or monthly? Who can access it? iStream believes it is critical that the primary backup site have no single point of failure.
Conclusion - Research and Integrity are critical
RDC and other electronic payments are poised for explosive growth over the next several years. More than half of U.S. banks have adopted RDC solutions and nearly 90 percent of the other half plan on adopting solutions in the future.
With such tremendous expansion happening so quickly, security issues will arise, and it's important that in-depth research is done when choosing a TSP. As with any emerging business solution, new vendors and technologies will appear on the market that offer the "best solution". However, if critical steps aren't taken to determine the security and safety of these technologies, the RDC industry could face major security breaches. Research and diligence are critical to the growth of RDC and other electronic payments and continued banking success.
Posted on 11th May 2009, 11:17 am