BOL Conferences
#108226 - 08/20/03 03:39 PM Internet Access
Anonymous
Unregistered

We limit our internet access in my bank. But with credit bureaus, flood certificate ordering going to the internet, it's becoming harder to do. We're looking at software to limit what sites and have a log of all visits. But I was curious if other banks limit access or just give access to whomever?

eBanking / Technology
#108227 - 08/20/03 07:32 PM Re: Internet Access
wavewatcher Offline
Diamond Poster
Joined: May 2003
Posts: 2,053
Hawaii
We don't limit access, however, our company policy states that the use of the computer or any other forms of communication must be for business uses. We also monitor the internet sites visited by employees and would inform the supervisor if we saw that employees were on a shopping site frequently.

In addition, each year, employees sign a statement saying that they understand our communication policy (which includes any form of communication - internet, cell phone, pagers, telephones, faxes, etc) and only use the communication tools for our bank purposes.

#108228 - 08/20/03 08:10 PM Re: Internet Access
Anonymous
Unregistered

Besides the necessary and required Acceptable Use Agreements, if you have the capability to systemically control access to the Internet (that would be who has access and what can be accessed), you should implement those controls.

Systemic access control provisions, especially when utilized as part of a single sign-on authentication system, allow you to proactively prevent problems rather than retroactively cleaning up problems. Obviously, the control is only as good as the control lists, which must be well organized and periodically maintained.

-g

#108229 - 08/21/03 03:04 PM Re: Internet Access
Lawrence T. Levine Offline
Junior Member
Joined: May 2003
Posts: 37
Troy, VA
An AUP is essential (on a tangent, make sure you are specifically getting employees to waive restrictions on wiretapping since you need to monitor their activities and doing so without permission is considered wiretapping).

I'm a firm believer in setting up access control policies that restrict where users are able to go. We have plenty of banking customers that only allow certain individuals to go to certain web sites. Things work very well when the policy is implemented well. Remember my golden rule about Information Systems - 20% technology - 80% industrial psychology - the technical part is easy, it's the people part that's difficult on this one.

There are a lot of ways to skin this cat - they can vary from the sort of single sign-on mentioned by 'g' to as simple a solution as setting IP based rules for specific workstations. In between are a lot of other choices - some involving proxies, firewall rules, browser security profiles, etc. If you are interested in discussing any of these in detail let me know.

For what it's worth the reasons to limit internet usage extend FAR beyond productivity. I've been predicting that we're going to see a lot more very dangerous internet based attacks that are going to hit users that browse to infected websites. The worst part is that when they do so over an encrypted link (you know - where the little lock is lit up at the bottom of the screen) they will make it past most of your infosec defensive systems (firewall, IDS, IPS, ETC, ETC, etc.).
_________________________
Lawrence T. Levine Managing Director SecurePipe, Inc. Direct: 4342932454 www.SecurePipe.com

#108230 - 08/21/03 03:12 PM Re: Internet Access
P*Q Offline

Power Poster
Joined: May 2001
Posts: 8,458
Somewhere
The only employees not allowed internet access are tellers and certain operations positions. Also, our data processor is able to provide us with reports of all websites employees have visited and how long they were on. Let's just say a few people spend way too much bank time on EBAY. HR and the Head of IT review these reports and send any problems to the dept. head. Kind of Big Brother-like, don't you think?

#108231 - 08/21/03 03:43 PM Re: Internet Access
Andy_Z Offline
10K Club
Joined: Oct 2000
Posts: 27,750
On the Net
Access should be granted as needed, based on job descriptions. An IAUP is essential in my opinion. I didn't realize the liabilities the bank has until I researched an article on that topic. They are huge. And I personally don't think it is a far stretch to think how you could get into trouble.

Imagine someone at work who was able to install programs on their bank PC. They get into some file sharing and the next thing you know the RIAA has your address on a hit list and you are being sued.

We have some users with less access than others, some with none and some items completely blocked such as the ability to listen to an MP3 online. There are reasons we restrict it, bandwidth, and reasons I'd like access to these, the BOL audio BLOG posts. Everyone can't be happy and there are reasons for the rules.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#108232 - 08/21/03 08:15 PM Re: Internet Access
Anonymous
Unregistered

Software such as SonicWall (a firewall) allows you to also limit access to, for example, adult sites - so look into the software that you, hopefully, are now using for a firewall as that software may have access limiting elements.

#108233 - 08/21/03 08:45 PM Re: Internet Access
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
We grant Internet access to employees that have a justified need. While we do not block particular sites or limit access to only certain sites, we do monitor all traffic and address abuses as they occur. Abuses are very limited as employees know big brother is watching.
_________________________
My opinions are just that...my opinions.

#108234 - 08/22/03 02:13 PM Re: Internet Access
AnnRoy Offline
Platinum Poster
Joined: Jun 2002
Posts: 771
South
Andy, could you provide me a copy of the article regarding the liability that banks may incur? You may PM if you can email the article or request my fax number.
_________________________
CAMS

#108235 - 08/22/03 03:12 PM Re: Internet Access
Anonymous
Unregistered

I'm not sure if this is the liability that Andy is referring to, but "Downstream Liability" for Attack Relay and Amplification is a topic and scenario(s) that everyone should be aware of (IT Admin, Mgmt, Auditors, Marketing).

Here is a link to some info on the topic:
http://www.isalliance.org/resources/papers/Downstream_Liability.pdf

-g

#108236 - 08/26/03 03:53 AM Re: Internet Access
Greg-O Offline
New Poster
Joined: Aug 2003
Posts: 8
We do not restrict employees from having internet access, but employ a content filter to block access to the racy stuff. We use Websense and it integrates with our firewall very well along with other flavors of firewalls. It also writes its logs to our SQL server which can be queried for specific browsing habits or top tens, etc... Also blocks malicious web sites, advertisement, peer-to-peer apps etc. It is 1 of the tiers of our defense-in-depth strategy.

#108237 - 08/27/03 01:24 AM Re: Internet Access
thomasj Offline
Power Poster
Joined: Mar 2001
Posts: 5,063
Pennsylvania
We do not place any restrictions on the websites our employees can visit. We use a device from Vericept that captures websites and e-mail that have specific content that is not bank related. We can customize and adjust its sensitivity. Some of the categories it captures are obviously porn, racism, conflict, job searches, online shopping, gambling, and sports sites. It becomes very obvious when there is a problem and it is handled appropriately. We warn people with access that the device is there so they know we are watching.
_________________________
Knowledge is knowing what to say. Wisdom is knowing when to say it.

#108238 - 08/27/03 01:28 AM Re: Internet Access
Kathleen O. Blanchard Offline

10K Club
Joined: Dec 2000
Posts: 21,293
We are just starting to block sites - porn, hate sites, hacker sites, etc. The software can be customized at an individual level to allow certain positions access to all sites while the general population will be blocked from a certain set of sites.
_________________________
Kathleen O. Blanchard, CRCM "Kaybee"
HMDA/CRA Training/Consulting/Mapping
The HMDA Academy
www.kaybeescomplianceinsights.com

#108239 - 08/27/03 06:44 PM Re: Internet Access
Jayda's Mom Offline
100 Club
Joined: Jul 2002
Posts: 220
North
We limit Internet access to most employees with the exception of the Auditor, Compliance Officer, President, and Marketing. Individuals who request Internet access must also list the sites that they will use along with an explanation as to why. We are able to input appropriate URLs by accessing the rules via firewall.
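
An added example, not part of any post in this thread and not any vendor's code: a default-deny check of the kind several replies describe, where each user has a list of approved sites with a stated reason and every decision is logged. The user names, domains and the `check_request` function are constructed for illustration; the point it shows is matching on the parsed hostname rather than on a substring of the URL, so look-alike hosts are refused.

```python
from urllib.parse import urlsplit

# Constructed sample data: each user's approved sites and the stated business reason.
APPROVED = {
    "loan_officer1": {
        "creditbureau.example": "credit reports",
        "floodcerts.example": "flood certificate ordering",
    },
    # "*" marks a position granted access to all sites.
    "compliance1": {"*": "position granted unrestricted access"},
}


def host_matches(host, approved):
    """True if host is the approved domain itself or a subdomain of it."""
    return host == approved or host.endswith("." + approved)


def check_request(user, url, log):
    """Default-deny decision for one request; every decision is appended to log."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
        scheme = parts.scheme
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        host, scheme = "", ""
    rules = APPROVED.get(user, {})  # users with no entry get nothing
    reason = None
    if scheme in ("http", "https") and host:
        if "*" in rules:
            reason = rules["*"]
        else:
            for domain, why in rules.items():
                if host_matches(host, domain):
                    reason = why
                    break
    decision = "allow" if reason else "deny"
    log.append((user, host, decision, reason or "not on approved list"))
    return decision == "allow"


if __name__ == "__main__":
    audit = []
    check_request("loan_officer1", "https://www.creditbureau.example/report", audit)
    check_request("loan_officer1", "https://creditbureau.example.evil.example/", audit)
    for row in audit:
        print(row)
```
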


Moderator:  Andy_Z