Safety and Security in an Outsourcing Environment


Outsourcing has become an increasingly popular alternative to in-house processing for community banks that wish to concentrate their efforts on the business of banking and leave technology issues to the experts.

What many community banks may not realize is that outsourcing can be one of the most powerful ways to ensure the safety of customer information. Conversely, it can leave gaping holes in security, which lead to devastating consequences. The side of the spectrum upon which a bank will fall depends in great part on the measures taken by its outsourcing provider. Jack Henry & Associates, a trusted partner of F & D Zurich, and a major player in the outsourcing arena, has some sound advice for banks that rely on outside sources to provide data processing or Internet banking needs.

Layered Security
Ralph Borenstein, National Manager of Jack Henry's OutLink Data Centers, which provide core data processing and item capture services, stresses three levels of security that a bank should look for in an outsourcer: (1) well-structured security standards on the processing platform; (2) strong security in the application products being run on those platforms; and (3) protection of communications between the processor and third-party vendors.

With regard to the latter, Borenstein says, "It is essential that the flow of data go through a centralized firewall, where attempted intrusions can be recorded and tracked. This layered approach to security goes beyond the basic firewall for real-time monitoring of traffic, both internally and externally. An outsourcer can then deal effectively with any vulnerabilities."

Jack Henry has taken security a step further by partnering with PentaSafe Security Technologies for security management reporting throughout all the OutLink data centers. "An outsourcer needs some way to keep all the confidential data of multiple client banks separate," says Steve Martinson, PentaSafe's Product Marketing Manager, iSeries and AS/400, "because the information co-exists on the same physical server." PentaSafe provides that capability.

After helping to set strong auditing and security standards, PentaSafe then implements those standards with products that focus on vulnerability assessment, intrusion management, security policies and user administration and management.

PentaSafe's expertise in IBM iSeries security enables the security management solution provider to address a number of issues auditors look for. For example, PentaSafe tools monitor and manage inactive sessions, inactive user accounts, powerful user ID activity, and invalid sign-on attempts. Users are limited in their ability to access data and to upload or download it to or from the main system. Should an intrusion or breach in security occur, the outsourcer receives real-time notification via pager or cell phone so that preventative measures can be taken.

Outsourcing Through an ASP
An Application Service Provider (ASP) has distinct security advantages over canned products an individual bank may implement, according to Jack Henry's NetTeller ASP Operations Manager Curtis Rayburn. "A real-time ASP system encompasses more than just access to account information," he says. "The primary benefit is the availability of a level of resources that would be cost-prohibitive for a single bank implementation. Those resources have the skill and expertise to provide a product with the security, screens and dialogues that allow customers to securely interact in a web-based format with the account information that resides on their bank's host system."

Diane Hagemann, Web Development Manager for Jack Henry, similarly notes the higher level of security delivered in a web hosting environment provided by an ASP as opposed to a traditional web-hosting provider. Jack Henry provides the same level of security for the non-transactional web sites it is hosting as for the Internet Banking, bill payment and brokerage services it provides.

In the opinion of Dave Windhorst, Regional Manager over the Internet Solutions Group for Jack Henry, an Internet or web hosting outsourcer can't focus too many resources on security. He touts the value of external intrusion detection companies. "An ASP outsourcer should take advantage of real-time intrusion monitoring services on a 24 by 7 basis. In so doing, every traffic signature is examined to detect potential intrusion attempts so that an outsourcer can implement incident response procedures, if necessary." A security-minded ASP will even take the proactive approach of hiring a security company to perform "business ethical hacking", in which the consultant intentionally tries to hack into systems to uncover vulnerabilities.

Aaron Blevins, Internet Solutions Support Manager for Jack Henry, adds that regular audits and annual reviews should be conducted by independent CPA and security firms and the results published and made available to banks.

Building Security from the Ground Up
"The computer room and operations center are the heart of the bank. They must be protected." So says Dave Goerke, Manager of the Construction Division for Sys-Tech. Sys-Tech is a Jack Henry company that builds and designs power and facilities for computer rooms and operations centers. It is Goerke's contention that bankers must evaluate an outsourcer's actual data center facility - from physical access controls to protective measures taken against power failures, fire or environmental conditions that cause equipment failure.

"TVSS (transient voltage surge suppressor) is a first line of defense to prevent brownouts and protect against lightning," explains Goerke. "Yet, many facilities do not include TVSS in their system." Next, Goerke recommends a single-source UPS (uninterruptible power supply) to clean up power that feeds computer equipment. Finally, a transfer switch should be in place to convert to a startup generator in the case of a power outage.

Environmental conditions, such as humidity, can also affect the operation of mission-critical equipment. It is therefore important to build redundancy into all air conditioning. Likewise, static-free tile floors will prevent static discharge that could take a machine down.

Fire deterrents should consist of dry chemical or dry pipe, pre-action systems rather than standard sprinklers to prevent water from damaging equipment should there be a false alarm.

Planning for Disaster
In the event of a disaster at an outsourcing facility, that outsourcer should be fully redundant, with a business recovery plan in place. Yet the need for disaster planning does not stop at the door of a data processing service provider. "The IT function comprises, at best, 25% of what needs to be recovered in a disaster scenario," says Doug Barton, Manager of Jack Henry's Centurion™ Disaster Recovery Division. Banks that outsource their data processing functions must still have their own business recovery plan.

Centurion's Business Recovery Consulting Manager, Tom Williams, outlines two key areas on which a bank must focus when outsourcing its data processing. First, if disaster strikes the data center, a bank needs a reaction plan. "The bank must have manual or interim workaround procedures in place to take care of functions the system normally provides, such as instant inquiries, balances, entry of loan application information." If, on the other hand, the bank facility is rendered inoperable by disaster, it must have a plan for handling customers, employees and department level business functions. Business continuity is critical and it takes a plan to ensure it happens.

Security: A Full-Time Job
In today's world of constantly evolving technology, hackers are at work 24 hours a day, all across the world, probing and looking for holes in bank processing systems. New threats to the physical security of banks and data centers continue to mount. That's why, according to Jack Henry's Internet Solutions Security Officer Katie McGuire, "It is critical to choose an outsourcer that not only has skilled programmers, systems administrators, and Internet experts, but is a partner devoted to protecting their customers' information. Commitment to security is evident in a service provider like Jack Henry & Associates, whose data center teams include staff whose only responsibility is the security of systems and information." With that, bankers and their customers can sleep at night. Because hackers don't!


First published on BankersOnline.com 6/28/02






