Download Free World Bank Technology Risk Checklist

The thirteen layers of e-security described in the World Bank publication cover both the hardware and software pertaining to network infrastructures. These 13 layers form a matrix that manages the externalities associated with open-architecture environments.
1. Risk Management—A broad-based framework for managing assets and the risks relevant to those assets.
2. Policy Management—A program that governs the Bank's policy and procedural guidelines for employee computer usage.
3. Cyber-Intelligence—Experienced threat and technical intelligence analysis covering threats, vulnerabilities, incidents, and countermeasures, delivered as timely and customized reporting so that a security incident can be prevented before it occurs.
4. Access Controls/Authentication—Establish the legitimacy of a node or user before allowing access to the requested information. Access controls are the first line of defense; they can be divided into passwords, tokens, biometrics, and public key infrastructure (PKI).
5. Firewalls—Create a system or combination of systems that enforces a boundary between two or more networks.
6. Active content filtering—At the browser level, it is prudent to filter all material that is not appropriate for the workplace or that is contrary to established workplace policies.
7. Intrusion detection system (IDS)—This is a system dedicated to the detection of break-ins or break-in attempts, either manually or via software expert systems that operate on logs or other information available on the network. Approaches to monitoring vary widely, depending on the types of attacks that the system is expected to defend against, the origins of the attacks, the types of assets, and the level of concern for various types of threats.
8. Virus scanners—Worms, Trojans, and viruses are methods for deploying an attack. Virus scanners hunt for malicious code, but require frequent updating and monitoring.
9. Encryption—Encryption algorithms are used to protect information while it is in transit or whenever it is exposed to theft of the storage device (e.g. removable backup media or notebook computer).
10. Vulnerability testing—Vulnerability testing entails obtaining knowledge of vulnerabilities that exist on a computer system or network and using that knowledge to gain access to resources on the computer or network while bypassing normal authentication barriers.
11. Systems administration—This section should include a list of the administrative failures that typically exist within financial institutions and corporations, together with a list of best practices.
12. Incident response plan (IRP)—This is the primary document used by a corporation to define how it will identify, respond to, correct, and recover from a computer security incident. The main necessity is to have an IRP and to test it periodically.
13. Wireless Security—This section covers the risks associated with GSM, GPS, and the 802.11 standards.

CompliancesForum provides FREE templates, checklists, and updates for your regulatory compliance needs: Basel II Accord, Gramm-Leach-Bliley (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act (SOA).

| Free Download Attachment | Size |
|---|---|
| download-free-world-bank-technology-risk-checklist.pdf | 312.35 KB |
| download-free-world-bank-technology-risk-checklist.png | 71.88 KB |