
Given that information security is derived from physical security, as evidenced by this theft, I'm curious as to what protection surrounds my bank account?

There are two main avenues I'm interested in: physical security (e.g. locked doors, fences, Mission Impossible laser beams) and the underlying technical security (e.g. encryption). If someone did physically steal my data, what prevents them from accessing it? I'm aware of several techniques for protecting data in this fashion, but with encryption a key and IV need to be stored somewhere; what, for example, prevents those from being stolen?

I'm not asking about specific banks, but general practice amongst big banks (not specifically national banks, but large banks with millions, or tens of millions of customers. Think banks of the order of Barclays).

Ian Newson
  • I assume you are actually asking for industry standards and not how your information, specifically, is protected? – schroeder Sep 24 '15 at 18:58
  • This is too broad to answer, as it varies by bank. You can expect banks to follow best practices, and they may or may not. I've done work in one bank whose corporate datacenter is on the ground floor of a building which has floor-to-ceiling vertical window stripes, said building being located in the woods a few hundred yards from a divided four-lane highway. Can you say "smash and grab?" Most other financials I worked in were more traditional, locked doors, sign-in sheets, 24x7 personnel (operations if not security in situ). – gowenfawr Sep 24 '15 at 19:13
  • @schroeder Yes of course, I'm asking about industry standards. I'm sure there are differences but having not named a specific bank it would be abhorrent for me to expect such specificity! I will edit my question to reflect this. – Ian Newson Sep 24 '15 at 19:44
  • @gowenfawr I'm not asking about specific banks, just general industry practice amongst larger banks. See my edit. Sounds like you have an answer in you! :) – Ian Newson Sep 24 '15 at 19:47
  • 2
    There is not "one standard to rule them all". It really does depend on the bank. Your data won't be secured in the same way as physical money, think more classic data center security (ISO 27001:2013 like, sign in sheets, pre-authorized visitors, biometric security, etc) than laser beams, huge steel doors and round the clock guards. And to be honest, I sincerely doubt banks encrypt all their customer data. – user3244085 Sep 28 '15 at 21:59

2 Answers

Well, what they are really supposed to do is look to the most effective physical security measures used in the customary practices of high-security data centers in data processing industries in general, plus implement specific measures & practices that their lawyers tell them are required by the collective body of federal regulations that speak to the information security of U.S. financial institutions.

Guidance on best practices and recommendations for the secure design and operation of data centers in general certainly isn't hard to find. You seem interested in the specific details of what access control mechanisms should be in place, how perimeter security should be monitored, etc. (which I'll admit I've always found interesting as well). This piece from CSO Online is one of the more comprehensive and readable run-downs, listing 19 specific physical security elements that a well-protected data center should implement well ("mantraps, access control systems, bollards and surveillance" among them). Probably not surprisingly, there are compliance certification standards for data center physical security that companies in "highly regulated industries" (financial institutions first and foremost) are very often required (by practical forces if not directly by legal regulations) to comply with.

Now, talking about info sec regulations that apply to banks and other financial institutions is always a massively complicated endeavor. Such regulations come from, just talking at the federal level, the "Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB)". So says the IT Handbook resource of the Federal Financial Institutions Examination Council (FFIEC), which is probably one of the best official government sources you're going to find that covers federal information security regulatory requirements for banks comprehensively, coming from that broad, broad swath of agencies. FFIEC's specific page on data center physical security is here. It is a fairly short document, and addresses intruder detection, the training of security guards, and other topics. Look at the topics surrounding that specific page in the virtual IT Handbook for information on physical security concerns that will often pertain to data centers as well as other facilities. You might also take a direct look at the Federal Reserve's guidelines regarding information security standards; some of those high-level conceptual standards most definitely do eventually affect how banks do the specifics of providing physical security at their data centers.

So there's some fun night-table reading for you.

tl;dr: They should be doing what responsible companies in other security-intensive data processing industries are doing, plus meeting the requirements that regulations from any number of different agencies and jurisdictions that oversee financial institutions mandate.

mostlyinformed

I can give you some insight regarding one of the biggest banks in the world, as I used to work for them for some years. I won't go into specifics or tell you which bank, just in case I am breaching some kind of security!

The bank has multiple data centres for contingency purposes; in fact, the data centres they use are designed to withstand a nuclear attack.

Each data centre can operate on its own in case the other one is out of action for whatever reason, and has its own power generators in case of power failures.

The data centres are actually underground, so cannot be broken into as such. The compounds have many CCTV cameras, barbed wire fences and guards patrolling.

The servers themselves naturally have all the security you would expect: firewalls, hardware security modules and so forth. The software has security too; this will vary from bank to bank depending on the infrastructure used.

It is much easier and more likely for hackers to get into your bank account using phishing and other such techniques; trying to break into your bank account via the server that has the data on it would be virtually impossible without inside assistance.

Your money is safe, as long as you safeguard your information.

davidjwest