Introduction
In the new economy, information security is not an option - it is an essential part
of doing business intelligently. Internet technology has changed the means by
which companies conduct business and challenges the methods each business
must undertake to protect its information. As companies operate in increasingly
connected environments, the need for information security grows exponentially.
Each company must understand how to protect its assets and information. As
you expand your business initiatives and operations via the Internet, the potential
for security breaches increases significantly, as do the consequences. Terms like
lowered productivity, reduced competitive advantage, loss of revenue, loss of
market share, employee, customer or partner litigation, regulatory action, and
loss of trust or reputation are enough to make every CIO question the cost of
security vs. the cost of doing business. The advantage of conducting business
over the Internet creates new and unfamiliar security risks that cannot be
ignored.
Information Security is not a tool, policy, or procedure; it is a discipline. Security
is not only a technology issue, but also a critical business issue. While security
experts agree it is not feasible to completely mitigate risk in the current
commerce environment, the industry is constantly developing new solutions to
help you better manage the inherent risks involved in conducting business over
the Internet. The challenge within corporate security environments is not solely
technical; it is marrying policies and practices to minimize risk to an acceptable
level and to be prepared for the changing environment.
Security is the protection of information, systems and services against disasters,
mistakes and unauthorized access. Security industry experts agree that a
layered approach to information security is the most prudent means to minimize
the risks and vulnerabilities of conducting business over the Internet. Effective
and properly installed security controls ensure that the likelihood and impact of
security incidents are minimized to acceptable levels. Security controls utilizing a
layered framework allow the organization to maintain the level of risk it is
comfortable with, without preventing its ability to conduct e-business. The
framework surrounding the security controls is critical, not only to the success of
any e-business initiatives, but also to the success of the organization.
Keys to a Sound Security Program
TruSecure® Corporation, a worldwide leader in security assurance services,
states the only way for organizations to ensure the integrity of their systems
and data is to adopt a security program that is risk-based, holistic, dynamic
and pragmatic. The goal of Fiserv's security controls framework is to provide
your financial organization with the essential elements required to minimize
risk to an acceptable level. Ensuring that Fiserv's framework is based on
these principles strengthens the overall effectiveness of our security controls.
- A risk-based framework focuses on protecting against the most significant
risks. Fiserv determines risk as the mathematical product of vulnerability
(the determination of exposure and susceptibility to a given source of
threat), threat (the likelihood of occurrence), and cost (the hard and soft
costs resulting from a security event).
- The holistic framework realizes that the entire organization is only as
secure as its weakest link. The security controls should be multidisciplined
and extended to customers and partners.
- Dynamic security controls are required due to the evolution of threats and
vulnerabilities. Policies, practices, and elements should be reviewed and
updated as required to remain effective.
- All security controls must also be pragmatic, as they must support the
needs of the organization without being of excessive cost or burden to
users. Controls that inhibit or prohibit the bank's ability to conduct
business may lead to lost productivity or increased employee costs.
The Fiserv Framework
Fiserv has adopted the TruSecure® Risk Reduction Methodology, which identifies
the layers required to provide a sound security posture for every business.
Compliance with these essential practices assures the success of Fiserv's
security program.
- Environment/Physical. Defines the measures taken to protect buildings,
rooms, and devices from unauthorized access.
- Network/Connectivity. Guides the implementation of all devices that
connect to internal or external networks. This includes firewalls, routers,
intrusion detection systems, client, vendor and foreign networks, and the
monitoring of the network and network components.
- Platform/Operating Systems. Determines the method(s) that are used to
"harden" network servers. These steps are completed to minimize
vulnerabilities on the hardware and operating systems.
- Services/Applications. Determines the application control procedures
during software use and development. These security features determine
access and authentication controls within the application.
- Human. Defines and addresses the performance and awareness of
human resources that affect the organization's security posture. Human
factors, or "social" engineering, include policies or standard operating
procedures addressing information security that must be implemented and
enforced at all levels within the organization. Examples include security
policies, management procedures, training and general awareness.
Physical Environment
The Fiserv operations are physically protected at a secure, private Fiserv data
processing facility with round-the-clock electronic access control and
surveillance. Access to sensitive areas of the facility requires multiple
authentications and authorities. Power and critical environmental control systems
are redundant and operate independent of utility providers.
Network Connectivity
The Fiserv network perimeter is protected by a series of access controls. This is
accomplished with routers, firewalls, Demilitarized Zones (DMZs) and private IP
addressing. In addition to the infrastructure, Fiserv monitors the network
segments 24x7x365 for malicious code and intrusions.
Fiserv maintains redundant routers for its Internet connection. These routers are
used to route traffic from the Internet to the eSolutions Center. Access control is
accomplished on these routers through the filtering of unauthorized destination
addresses and unauthorized services and traffic types (denial of service attacks)
before they reach the firewall.
Additional routers are also used to connect the eSolutions Center with the
financial institution, and are often referred to as the back-end routers. These
routers isolate and protect the remote environment by ensuring that only traffic
with the proper destination addresses and services is authorized. The data that
flows between the two points of connection is encrypted at the hardware level,
thereby authenticating the connection. The hardware encryption is DES3 with
thirty-minute key exchange. The keys are held in dynamic memory and are
inaccessible in the event of a power interruption.
The Fiserv eSolutions Center has implemented completely redundant firewalls.
These systems have automatic failover in the case of a component breakdown
and are electronically monitored seven days a week, twenty-four hours a day by
onsite resources.
The firewalls provide access control by examining, filtering and routing (and
denying, if unauthorized) incoming and outgoing IP traffic. All IP traffic must be
authorized to pass through the firewall. The firewall also provides network
segmentation, isolating public DMZs and internal segments from each other as
required.
Fiserv maintains at least one DMZ network. The DMZ network is situated
between the public outside network (e.g., the Internet or an Extranet) and
Fiserv's internal network. The DMZ network contains publicly accessible
systems, such as web servers, mail servers, and vendor routers. The DMZ
network is protected from the outside network by a firewall, and is monitored for
intrusion detection.
All host traffic will pass through the firewall and be subject to host authentication.
The source IP address will comply with the Fiserv 10.x standard. Network
address translation (NAT) is required, and it will be performed on the firewall.
The host IP address on the DMZ segment requires address translation by the
firewall to the internal address. Access to the host without NAT is not allowed.
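
An added example, not Fiserv's code or tooling, of how the NAT rules stated above could be checked against a firewall export and its logs. It assumes the "10.x standard" means the private range 10.0.0.0/8; the function name, data layout and sample addresses are hypothetical.

```python
import ipaddress

# Assumption: the page's "10.x standard" is read as the private range 10.0.0.0/8.
INTERNAL_STANDARD = ipaddress.ip_network("10.0.0.0/8")


def audit_nat(dmz_network, dmz_hosts, nat_table, observed_flows):
    """Return a sorted list of (address, finding) policy violations.

    dmz_hosts      -- addresses of hosts on the DMZ segment
    nat_table      -- {dmz_address: internal_address} exported from the firewall
    observed_flows -- (destination, was_translated) pairs taken from firewall logs
    """
    dmz = ipaddress.ip_network(dmz_network)
    findings = set()
    for host in dmz_hosts:
        if ipaddress.ip_address(host) not in dmz:
            findings.add((host, "listed as DMZ host but outside the DMZ segment"))
        internal = nat_table.get(host)
        if internal is None:
            # Policy: every DMZ host address must be translated by the firewall.
            findings.add((host, "no NAT entry on the firewall"))
        elif ipaddress.ip_address(internal) not in INTERNAL_STANDARD:
            findings.add((host, f"translates to {internal}, outside 10.0.0.0/8"))
    for dest, was_translated in observed_flows:
        # Policy: access to a DMZ host without NAT is not allowed.
        if ipaddress.ip_address(dest) in dmz and not was_translated:
            findings.add((dest, "reached without NAT"))
    return sorted(findings)


# Constructed sample data (documentation ranges, not real Fiserv addressing).
DMZ_NET = "192.0.2.0/24"
HOSTS = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]
NAT = {"192.0.2.10": "10.1.5.10", "192.0.2.20": "172.16.4.20"}
FLOWS = [("192.0.2.10", True), ("192.0.2.30", False)]

if __name__ == "__main__":
    for address, finding in audit_nat(DMZ_NET, HOSTS, NAT, FLOWS):
        print(f"{address}: {finding}")
```
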
Intrusion detection monitors are deployed at strategic points throughout the
Fiserv network. The intrusion detection system is "passive" in that it is not bound
to a protocol stack in any way, thus making it immune from external attack.
The primary function of the intrusion detection system is to detect unauthorized
attempts to access firewalls, routers or any other security component. The
system also examines all LAN traffic, looking for known attack patterns and
provides documentation of intrusive activity. It is able to take corrective action on
known attack patterns by terminating connections, disabling the firewall and
router ports as well as notifying the appropriate personnel so that additional
corrective action can be taken.
Operating Systems
Fiserv server platforms are hardened to the operating system vendor's
specifications for Internet security. The servers and operating systems hosting
Fiserv Internet applications run the minimum set of services required to support
the application, reducing vulnerability to exploitation of default or unused features
and services.
Applications
Information entered through Fiserv Internet banking applications is sent over Secure
Sockets Layer (SSL), which creates a 128-bit encrypted connection between the
client's browser and the Fiserv hosted web servers. Fiserv Internet applications
require digital certificate authentication of the client's browser and the Fiserv web
server, as well as user password authentication prior to initiating the encrypted
session. A digital certificate is a tamper-resistant file that "certifies" the identity
and key ownership of an individual, a computer system, or an organization.
Human
Fiserv maintains a core of policies that govern information security, procedures
and guidelines. Network and system administrators within Fiserv are required to
follow these published policies as they relate to the implementation, use and
support of all systems and applications. These policies are designed to ensure
that information and information systems are properly protected from a variety of
threats such as error, fraud, embezzlement, sabotage, privacy violation, service
interruption and natural disaster.
Proactive Protection
The integrity of Fiserv's security structure is dependent upon the successful
implementation and maintenance of the security framework described above.
Fiserv takes a proactive role in advancing our Internet security technologies and
practices by utilizing industry security experts and network security product
consultants. In order to ensure our security controls are continually evolving and
remain evenly balanced with the state of technology, the Fiserv security
infrastructure is regularly audited and inspected. Some of the firms that provide
audit services to Fiserv are TruSecure Corporation and Deloitte & Touche.