The client is the European Division of one of the world’s largest retail banks.
Client Requirement and Business Drivers
As part of its European development strategy, the bank set out to establish a new, state-of-the-art Internet Banking System. Security assurance was identified as a critical element at the earliest stages of the project.
The main business drivers were:
- Compliance with FSA and other international regulations demanded effective and demonstrable levels of security
- A high level of confidence had to be established within the business so that authorisation to go live could be obtained within tight, business-driven timescales
- The return on investment in online services depended on establishing and maintaining high customer confidence through a secure launch and the secure ongoing operation of the service
- Recognition of the potentially high financial exposure of the bank and its customers to inadequate security
- Recognition of the potentially disastrous impact on brand and reputation of any security-related incident
Recognising the importance of the right specialist expertise, together with the need for objectivity and independence, the bank engaged Commissum to meet the business and technical information security objectives of the Internet Banking project within the tight timescales set by the business.
The services were delivered in the following areas during the course of the project:
- Targeted security design review and analysis of the UK group's Internet-facing infrastructure
- Pre-launch application security testing of the integrated solution, comprising bespoke and commercial off-the-shelf elements
- Pre- and post-go-live network penetration testing
- Security analysis of critical back-end systems and infrastructure, with advice on lock-down
With the launch dates identified by the bank as business critical, Commissum completed all work within the planned timescales, adapting to changing priorities and working unsociable hours where the business required it.
Adopting a collaborative approach, we worked closely with the client on a day-to-day basis. Major issues were communicated to the client as soon as they were identified, and the recommended corrective action was factored into the project on an ongoing basis, with Commissum's support, ahead of a successful launch.
Notably, we identified vulnerabilities in the commercial off-the-shelf application at the heart of the Internet Banking System, a product already in use in numerous deployments around the world. Our findings prompted immediate action by the application's third-party supplier.
Commissum continues to provide specialist assurance services to the bank as a trusted security partner. Further activities have included application testing of internal banking management systems, advice on changes to internal processes, forensic services for incident investigation, and support for specialist security products.