Unless otherwise protected, all data transfers, including electronic mail, travel openly over the Internet and can be monitored or read by others. Given the volume of transmissions and the numerous paths available for data travel, it is unlikely that a particular transmission would be monitored at random. However, programs, such as "sniffer" programs, can be set up at opportune locations on a network, like Web servers (i.e., computers that provide services to other computers on the Internet), to simply look for and collect certain types of data. Data collected from such programs can include account numbers (e.g., credit cards, deposits, loans) or passwords.

Due to the design of the Internet, data privacy and confidentiality issues extend beyond data transfer and include any connected data storage systems, including network drives. Any data stored on a Web server may be susceptible to compromise if proper security precautions are not taken.

Potentially, the open architecture of the Internet can allow those with specific knowledge and tools to alter or modify data during a transmission. Data integrity could also be compromised within the data storage system itself, both intentionally and unintentionally, if proper access controls are not maintained. Steps must be taken to ensure that all data is maintained in its original or intended form.

Essential in electronic commerce is the need to verify that a particular communication, transaction, or access request is legitimate. To illustrate, computer systems on the Internet are identified by an Internet protocol (IP) address, similar to a telephone that is identified by a phone number. Through a variety of techniques, generally known as "IP spoofing" (i.e., impersonating), one computer can actually claim to be another. Likewise, user identity can be misrepresented as well. In fact, it is relatively simple to send an e-mail message that appears to have come from someone else, or even send it anonymously. Therefore, authentication controls are necessary to establish the identities of all parties to a communication.

Non-repudiation involves creating proof of the origin or delivery of data to protect the sender against false denial by the recipient that the data has been received or to protect the recipient against false denial by the sender that the data has been sent. To ensure that a transaction is enforceable, steps must be taken to prohibit parties from disputing the validity of, or refusing to acknowledge, legitimate communications or transactions.

Establishing a link between a bank's internal network and the Internet can create a number of additional access points into the internal operating system. Furthermore, because the Internet is global, unauthorized access attempts might be initiated from anywhere in the world. These factors present a heightened risk to systems and data, necessitating strong security measures to control access. Because the security of any network is only as strong as its weakest link, the functionality of all related systems must be protected from attack and unauthorized access. Specific risks include the destruction, altering, or theft of data or funds; compromised data confidentiality; denial of service (system failures); a damaged public image; and any resulting legal implications. Perpetrators may include hackers, unscrupulous vendors, former or disgruntled employees, or even agents of espionage.

Web-based attackers, more commonly called "hackers," pose the most publicized security challenge. These individuals gain access to systems and the information they contain by exploiting flaws in the configuration of the Web server, the server's operating system, or the actual components of the Web pages.

Internal intrusion, or the breaching of security systems by someone within the organization who might potentially have authorized access to hardware and software components, is another area of concern. Physical security and password security are paramount in controlling illegal activity within the site manager's own organization.

The receipt or distribution of malicious code elements can also cause security risks and, more commonly, malicious harm to Web-based computers and programs. Many Web sites include receipt and distribution of files and programs among the features that are offered to end users.

Denial of service and availability must also be a primary concern for site managers. As if protection from interlopers and subversive elements was not enough of a concern, system downtime resulting from power failure, wide-area communications problems, and natural disasters can also result in customer dissatisfaction and ultimate harm to the site manager's company or group.

Security-related negligence in the handling of sensitive data or the configuration of security systems can also be devastating. The best security systems incorrectly administered or improperly managed present increased risk potential. Inadequate policies and procedures can result in security failures or censure from regulatory agencies and auditors.

User authentication, correctly identifying the individuals that access the Web site, is another risk area that generates much public discussion. The creation and management of adequate user ID and password files or other authentication measures like digital certificates is a detailed process that requires a large amount of time and attention.

It is not by accident that both the FDIC and the NCSA list data privacy and confidentiality as the first element in their lists of potential security risks. This security component is especially vital to Web-based financial institution activity, since the protection of private personal financial data is one of the cornerstones of the banking industry. Limiting access to information to only those authorized to receive it and transmitting data in a way that ensures privacy are the first steps to successful Internet security.

The most common method of restricting data access on the Internet is much older than the technology that utilizes it. User ID and Password requirements were a key component of earlier technology, such as mainframe computer systems and off-the-shelf PC modem-to-modem communication programs. While the correct application of User IDs and Passwords are still vital to Internet security, their implementation has become more sophisticated by necessity. It is no longer enough to require users to identify themselves-it is now vital to protect against sophisticated programs that can replicate the login efforts of a user, utilizing a pattern of codes designed to uncover the authentic User ID and Password assigned to a specific user. It is vital that Web-based financial applications use measures like limiting the number of incorrect logins and the tracking of unsuccessful access attempts in order to protect the confidentiality of the User IDs and Passwords themselves.

From a procedural standpoint, it is also vital that financial information providers create and implement secure methods for producing and issuing customer codes. User ID and Password controls must become part of the documented, enforced, and audited procedures of every financial institution that maintains more than a marketing presence on the Internet. Separation of duties and dual control within the operations area that maintains user access information and/or the Web site itself must be maintained as ardently as they are in the cash vault or other key areas of the financial institution. The best technology, poorly managed, will prove ineffective.

Restricting access to sensitive information is the first step toward maintaining data privacy, but financial sites must also take steps to protect this information as it travels across a public, non-secure system. The Internet is by design an open system. It, in and of itself, does not provide secure pathways for private transmission of data. In order for financial institutions to be able to deliver account and transaction summaries, they must utilize encryption methods that will render their transmissions unreadable to parties that are not a part of the conversation. Secure Socket Layer (SSL) and Secure HyperText Transfer Protocol (S-HTTP) are two standardized, widely available technologies to provide encryption of transmissions between Web content providers and browser-based customers. Both of these technologies utilize data scrambling and recompiling methods that render data useless to anyone who does not have the "key" required to read the packet. Most industry-standard browsers support these technologies, and they are relatively easy to implement for commercial Web sites.

The field of data encryption is a constantly evolving area of increasingly complex technologies, some so secure that the United States Government has made it illegal for US companies to export the technology outside of its boundaries. For a more detailed discussion of these methods, see the article "Mmm-mmm Good! Alphabet Soup Security" by Chey Cobb, located in the Library pages of the International Computer Security Association Web site (www.icsa.net).

Certificate Authorities and Digital Certificates are emerging to further address the issues of authentication, non-repudiation, data privacy, and cryptographic key management. A Certificate Authority (CA) is a trusted third party that verifies the identity of a party to a transaction. To do this, the CA vouches for the identity of a party by attaching the CA's digital signature to any messages, public keys, etc., which are transmitted. Obviously, the parties involved must trust the CA, and identities must have been proven to the CA beforehand. Digital Certificates are messages that are signed with the CA's private key. They identify the CA, the represented party, and could even include the represented party's public key.

The responsibilities of CAs and their position among emerging technologies continue to develop. They are likely to play an important role in key management by issuing, retaining, or distributing public/private key pairs.

A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of tunneling protocols and security procedures. Using a VPN involves encrypting data before sending it through the public network and decrypting it at the receiving end. An additional level of security involves encrypting not only the data but also the originating and receiving network addresses.

On the Internet, a router is a device, or in some cases software, on a computer that determines the next network point to which a packet should be forwarded toward its final destination. The router is connected to at least two networks and decides which way to send each information packet based on its current understanding of the state of the networks it is connected to.

A firewall is the point at which your private company network and a public network such as the Internet connect. A firewall system is a hardware/software configuration that sits between the private and public networks, controlling what traffic is allowed in or out of the private network. Features include logging and reporting, automatic alarms at given thresholds of attack, and a graphical user interface for controlling the firewall.

When properly configured, a network firewall can be very effective at keeping out unauthorized users and stopping unwanted activities on the internal network.

Because potentially malicious programs can be downloaded directly onto a system from the Internet, virus protection measures beyond the traditional boot scanning techniques should be implemented to properly protect servers, systems, and workstations.

The most obvious element of securing a network is often times the most easily overlooked: physical security, or controlling access to the most sensitive components in your computer network, such as a network administration station or server room.

No amount of planning or expensive equipment will keep your network secure if unauthorized personnel have access to central administration consoles. Even if a user does not have evil intent, an untrained user may unknowingly provide unauthorized outside access or override certain protective configurations.

A site security policy is required to establish an enterprise-wide program of how both internal and external users interact with a company's computer network, how the corporate computer architecture topology will be implemented, and where computer assets will be located. The policy should weigh possible threats against the value of personal productivity and also of corporate assets which may need different levels of protection.

Redundancy attempts to eliminate any single point of failure that could disrupt communications on a network. Examples of hardware redundancies include RAID 5 disk systems, dual power supplies in file servers, uninterruptible power supplies, and server clustering/failover technologies.

It is impossible to over emphasize the need for a good backup and disaster recovery strategy. File system backups not only protect you in case of a hardware failure or accidental deletion, but they also protect against unauthorized changes made by an intruder.

Operator Groups provide a very detailed level of control. For each action within the CustomerLink system, operators can be restricted altogether, be allowed only to view the data, or be allowed to add, edit, and change the data. Two default Operator Groups are delivered with CustomerLink. The Technical Group allows operators to perform all operator actions within the system except for security functions. The CSR Group is designed for operators with very limited system duties related to customer maintenance or retrieval of customer-initiated messages.

In addition to being placed in an Operator Group, an operator can also be designated as a Security Officer. Like operators in the Technical Group, Security Officers are allowed to perform all actions within the system. Security Officers also have the authority to add other operators or change the profile of existing operators. Each financial institution usually has only a single Security Officer, with an additional security login stored under dual control in a secure location.

Customer Groups provide access control in much the same manner as Operator Groups. When added to the system, each new customer must be assigned to a Customer Group. As customers access the CustomerLink Web pages, they will be limited to performing actions authorized by their Customer Group, and they will be restricted to specific amount limits designated individually for each of those actions. Three default groups are delivered with CustomerLink. The Main Group allows users to perform all of the actions available. The Restricted Group allows customers to view their account information, but blocks them from performing any transactions within the system. The Demo Group allows financial institutions to set up customers and accounts that can be used by potential system users to see how the system works. Demo customers can perform all transactions within the system, but those transactions are not included in the daily reports and files used by the financial institution. The Demo Group blocks customers from changing the Setup information (such as the Password) related to the demo customer.

Customer Groups also control the amount that users are charged for performing any action in the system. Financial institutions that wish to implement different fee levels for different sets of customers may also utilize multiple Customer Groups for that reason.

In addition to Customer Groups, financial institutions can easily remove options from their Web site through the Web Page Settings option in the CustomerLink Administration program. This will make those options, as well as the links and Help files associated with them, unavailable for all customers. This process can be performed by any operator with the proper security rights and requires no special Web page programming or customization.