The following e-banking risk assessment and controls evaluation is provided to assist commercial Internet banking users in identifying threats and measuring the strength of their controls.
For each question, select the answer(s) that best represent(s) your environment. Following the assessment, use the “Control Evaluation – Best Answers and Tips” to evaluate your environment.
1) Are employees required to sign an Acceptable Use Policy (AUP)?
2) Does each employee using Internet banking complete security awareness training?
3) Do you complete background checks on employees prior to hire?
4) Is a dedicated computer system used for e-Banking activities?
5) Do computer systems have up-to-date antivirus software?
6) Is there a process in place to ensure software updates and patches are applied (e.g. Microsoft, Java, Adobe products, etc.)?
7) Do users run as local Administrators on their computer systems?
8) Does a firewall protect the network?
9) Do you have an Intrusion Detection/Prevention System (IDS/IPS) in place to monitor and protect the network?
10) Is Internet content filtering being used?
11) Is email SPAM filtering being used?
12) Are users of the Internet banking system trained to manually lock their workstations when they leave them?
13) Is wireless technology used on the network with the Internet banking system?
14) Are critical systems (including systems used to access Internet banking) located in a secure area?
15) How are passwords protected?
16) Have you experienced fraud through e-Banking in the past?
17) Has malware been discovered on systems used for e-Banking activities in the past?
Once you have completed the questionnaire, total the answers selected to calculate a summary risk rating of your environment. Note: This risk rating is designed to give a general idea of your risk posture based only on the answers in this questionnaire. Additional factors could either increase or decrease the risk.
Control Evaluation – Best Answers and Tips
1) Elements of an AUP are: purpose and scope of network activity; devices that can be used to access the network; bans on attempting to break into accounts, crack passwords, circumvent controls or disrupt services; expected user behavior; and consequences of noncompliance.