In the new economy, information security is not an option - it is an essential part
of doing business intelligently. Internet technology has changed the means by
which companies conduct business and challenges the methods each business
must undertake to protect its information. As companies operate in increasingly
connected environments, the need for information security grows exponentially.
Each company must understand how to protect its assets and information. As
you expand your business initiatives and operations via the Internet, the potential
for security breaches increases significantly, as do the consequences. Terms like
lowered productivity, reduced competitive advantage, loss of revenue, loss of
market share, employee, customer or partner litigation, regulatory action, and
loss of trust or reputation are enough to make every CIO question the cost of
security vs. the cost of doing business. The advantage of conducting business
over the Internet creates new and unfamiliar security risks that cannot be
Information Security is not a tool, policy, or procedure; it is a discipline. Security
is not only a technology issue, but also a critical business issue. While security
experts agree it not feasible to completely mitigate risk in the current
commerce environment, the industry is constantly developing new solutions to
help you better manage the inherent risks involved in conducting business over
the Internet. The challenge within corporate security environments is not solely
technical; it is marrying policies and practices to minimize risk to an acceptable
level and to be prepared for the changing environment.
Security is the protection of information, systems and services against disasters,
mistakes and unauthorized access. Security industry experts agree that a
layered approach to information security is the most prudent means to minimize
the risks and vulnerabilities of conducting business over the Internet. Effective
and properly installed security controls ensure that the likelihood and impact of
security incidents are minimized to acceptable levels. Security controls utilizing a
layered framework allow the organization to maintain the level of risk it is
comfortable with, without preventing its ability to conduct e-business. The
framework surrounding the security controls is critical, not only to the success of
any e-business initiatives, but also to the success of the organization.
Keys to a Sound Security Program
TruSecure® Corporation, a worldwide leader in security assurance services,
states the only way for organizations to ensure the integrity of their systems
and data is to adopt a security program that is risk-based, holistic, dynamic
and pragmatic. The goal of Fiserv's security controls framework is to provide
your financial organization with the essential elements required to minimize
risk to an acceptable level. Ensuring that the Fiserv's framework is based on
these principles strengthens the overall effectiveness of our security controls.
- A risk-based framework focuses on protecting against the most significant
risks. Fiserv determines risk, as a mathematical product of vulnerability,
the determination of exposure and susceptibility to a given source of
threat, threat, the likelihood of occurrence, and cost, the hard and soft
costs as a result of a security event.
- The holistic framework realizes that the entire organization is only as
secure as its weakest link. The security controls should be multidisciplined
and extended to customers and partners.
- Dynamic security controls are required due to the evolution of threats and
vulnerabilities. Policies, practices, and elements should be reviewed and
updated as required to remain effective.
- All security controls must also be pragmatic, as they must support the
needs of the organization without being of excessive cost or burden to
users. Controls that inhibit or prohibit the bank's ability to conduct
business may lead to lost productivity or increased employee costs.
The Fiserv Framework
Fiserv has adopted the TruSecureŽ Risk Reduction Methodology, which identifies
the layers required to provide a sound security posture for every business.
Compliance with these essential practices assures the success of Fiserv's
- Environment/Physical. Defines the measures taken to protect buildings,
rooms, and devices from unauthorized access.
- Network/Connectivity. Guides the implementation of all devices that
connect to internal or external networks. This includes firewalls, routers,
intrusion detection systems, client, vendor and foreign networks, and the
monitoring of the network and network components.
- Platform/Operating Systems. Determines the method(s) that are used to
"harden" network servers. These steps are completed to minimize
vulnerabilities on the hardware and operating systems.
- Services/Applications. Determines the application control procedures
during software use and development. These security features determine
access and authentication controls within the application.
- Human. Defines and addresses the performance and awareness of
human resources that affect the organization's security posture. Human
factors, or "social" engineering include policies or standard operating
procedures addressing information security that must be implemented and
enforced at all levels within the organization. Examples include security
policies, management procedures, training and general awareness.
The Fiserv operations are physically protected at a secure, private Fiserv data
processing facility with round-the-clock electronic access control and
surveillance. Access to sensitive areas of the facility requires multiple
authentications and authorities. Power and critical environmental control systems
are redundant and operate independent of utility providers.
The Fiserv network perimeter is protected by a series of access controls. This is
accomplished with routers, firewalls, Demilitarized Zones (DMZ's) and Private IP
addressing. In addition to the infrastructure, Fiserv monitors the network
segments 24x7x365 for malicious code and intrusions.
Fiserv maintains redundant routers for its Internet connection. These routers are
used to route traffic from the Internet to the eSolutions Center. Access control is
accomplished on these routers through the filtering of unauthorized destination
addresses and unauthorized services and traffic types (denial of service attacks)
before they reach the firewall.
Additional routers are also used to connect the eSolutions Center with the
financial institution, and are often referred to as the back-end routers. These
routers isolate and protect the remote environment by insuring that only the traffic
with the proper destination addresses and services are authorized. The data that
flows between the two points of connections is encrypted at the hardware level,
thereby authenticating the connection. The hardware encryption is DES3 with
thirty -minute key exchange. The keys are held in dynamic memory and are
inaccessible in the event of a power interruption.
The Fiserv eSolutions Center has implemented completely redundant firewalls.
These systems have automatic fail over in the case of a component breakdown
and are electronically monitored seven days a week, twenty-four hours a day by
The firewalls provide access control by examination, filtering and routing (and
denying if unauthorized) incoming and exiting IP traffic. All IP traffic must be
authorized to pass through the firewall. The firewall also provides network
segmentation, isolating public DMZ's, and internal segments from each other as
Fiserv maintains at least one DMZ network. The DMZ network is situated
between the public outside network (e.g., the Internet or an Extranet) and
Fiserv's internal network. The DMZ network contains publicly accessible
systems, such as web servers, mail servers, and vendor routers. The DMZ
network is protected from the outside network by a firewall, and is monitored for
All host traffic will pass through the firewall and be subject to host authentication.
The source IP address will comply with the Fiserv 10.x standard. Network
address translation (NAT) is required, and it will be performed on the firewall.
The host IP address on the DMZ segment requires address translation by the
firewall to the internal address. Access to the host without NAT is not allowed.
Intrusion detection monitors are deployed at strategic points throughout the
Fiserv network. The intrusion detection system is "passive" in that it is not bound
to a protocol stack in any way, thus making it immune from external attack.
The primary function of the intrusion detection system is to detect unauthorized
attempts to access firewalls, routers or any other security component. The
system also examines all LAN traffic, looking for known attack patterns and
provides documentation of intrusive activity. It is able to take corrective action on
known attack patterns by terminating connections, disabling the firewall and
router ports as well as notifying the appropriate personnel so that additional
corrective action can be taken.
Fiserv server platforms are hardened to the operating system vendor's
specifications for Internet security. The servers and operating systems hosting
Fiserv Internet applications run the minimum set of services required to support
the application, reducing vulnerability to exploitation of default or unused features
Information using Fiserv Internet banking applications is entered through Secure
Socket Layer (SSL), which creates a 128-bit encrypted connection between the
client's browser and the Fiserv hosted web servers. Fiserv Internet applications
require digital certificate authentication of the client's browser and the Fiserv web
server, as well as user password authentication prior to initiating the encrypted
session. A digital certificate is a tamper-resistant file that "certifies" the identity
and key ownership of an individual, a computer system, or an organization.
Fiserv maintains a core of policies that govern information security, procedures
and guidelines. Network and system administrators within Fiserv are required to
follow these published policies as they relate to the implementation, use and
support of all systems and applications. These polices are designed to ensure
that information and information systems are properly protected from a variety of
threats such as error, fraud, embezzlement, sabotage, privacy violation, service
interruption and natural disaster.
The integrity of Fiserv's security structure is dependent upon the successful
implementation and maintenance of the security framework described above.
Fiserv takes a proactive role in advancing our Internet security technologies and
practices by utilizing industry security experts and network security product
consultants. In order to ensure our security controls are continually evolving and
remain evenly balanced with the state of technology, the Fiserv security
infrastructure is regularly audited and inspected. Some of the firms that provide
audit services to Fiserv are TruSecure Corporation and Deloitte & Touche.