Independent Bank of Texas (IBT)
Security Recommendations

Advanced Training

As a merchant participating in IBT's Cash Management services, you will have access to highly confidential information and will be expected to:

  • Maintain the confidentiality, integrity, and security of confidential information.
  • Use confidential information only for the specific business purposes for which it is intended.
  • Disclose confidential information only to authorized personnel.
  • Implement physical and logical security controls reasonably designed to ensure the security and integrity of confidential information.

Due to the constant evolution of technology, IBT recommends that its merchant customers keep abreast of current technology and follow guidelines or standards that remain applicable to current technology implementations and trends. Examples of organizations that publish IBT-approved standards in line with industry best practices are: the Payment Card Industry Security Standards Council (PCI), the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the National Institute of Standards and Technology (NIST).

If a breach of security is discovered, immediately contact local authorities, Independent Bank of Texas, and any customers whose information may have been compromised.

In addition to reviewing and implementing controls that comply with the aforementioned standards, IBT recommends, at a minimum, implementation of the following security controls to help safeguard the integrity, confidentiality, and availability of the information and information systems.

Minimum Physical Security Controls

  • Restrict physical access to the workstation used for transmitting electronic transactions. Where feasible, locate the workstation in an area with restricted traffic flow. Ideally, the equipment would be in an office accessible only to those authorized to use the application.

Minimum Logical Security Controls

To achieve logical security, it may be necessary to engage an outside network consultant to configure network and workstation security.

1. Install and maintain a firewall on the network, capable of both stateful packet inspection as well as application layer filtering.

  • The firewall should be configured to:
      -- Disallow traffic from untrusted networks;
      -- Restrict inbound and outbound Internet traffic; and
      -- Limit Internet access and restrict webmail access.

  • Direct public access must be prohibited.
  • The firewall should be kept up to date and monitored.
  • Ensure the firewall has audit logging capabilities.

2. Separate all internal company networks from the internet through the use of a network "DMZ".

3. Install and maintain anti-virus and anti-spyware tools on all computers attached to the company network. These tools should be kept up to date and be capable of generating audit logs.

4. The use of wireless networks is discouraged, but if wireless networks must be deployed, appropriate security controls should be in place.

  • The default service set identifier (SSID) should be changed to one specific to the company.
  • SSID broadcasts should be disabled.
  • Vendor default settings should be changed.
  • A minimum of Wi-Fi Protected Access (WPA or WPA2) encryption and authentication should also be enabled.
  • WARNING: Wired Equivalent Privacy (WEP) is deprecated and is NOT a secure method of encryption.

5. Restrict the use of peer-to-peer (P2P) networks and file sharing capabilities.

6. Restrict remote access. If remote access software is required, it should be implemented sparingly and only when absolutely necessary.

7. All default system passwords should be changed.

8. Ensure that each user of the system has their own ID and password. Logon credentials should never be shared.

9. Strong password parameters are encouraged – a minimum length of 8 characters, including alphabetic, numeric, and special characters, for both the network and the cash management application.

10. Passwords should be required to be changed every 90 days.

11. Computers and terminals should be configured to log users off after 10 minutes of inactivity. This is typically accomplished through the use of a password protected screen saver.

12. All computers and devices attached to a company network should be configured to allow for automatic patching and updates.

13. Perform periodic reviews of event logs and application specific logs.

14. Ensure that all systems are periodically backed up, preferably through the implementation of automated backup procedures.

15. Consider segregation of duties between the initiation, approval, and transmission of electronic transactions.
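The password parameters in items 7, 9 and 10 above are concrete enough to enforce in code. The following is an added example, not part of IBT's document: a password validator that rejects a proposed password unless it meets the item 9 parameters (8 characters, alphabetic, numeric and special) or matches a vendor default (item 7), plus an age check for the 90-day rotation in item 10. The list of default passwords and the account records are constructed samples; the function names are this example's own.

```python
import string
from datetime import date, timedelta

# Parameters taken from items 9 and 10 of the recommendations above.
MIN_LENGTH = 8
MAX_PASSWORD_AGE_DAYS = 90

# Constructed sample of vendor default passwords (item 7 says these must be changed).
SAMPLE_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345678"}


def check_password_strength(password: str) -> list:
    """Return the item 9 / item 7 requirements the password fails.

    An empty list means the password is acceptable. Checks run in a fixed
    order so the report is predictable.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        failures.append("no numeric character")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    if password.lower() in SAMPLE_DEFAULT_PASSWORDS:
        failures.append("matches a known vendor default (item 7)")
    return failures


def password_expired(last_changed: date, today: date) -> bool:
    """Item 10: a password older than 90 days must be changed."""
    return (today - last_changed) > timedelta(days=MAX_PASSWORD_AGE_DAYS)


def audit_password_age(accounts, today: date) -> list:
    """Return the user IDs whose password is past the rotation deadline.

    `accounts` is an iterable of (user_id, last_changed_date) pairs, the
    sort of metadata a directory or the cash management application keeps.
    """
    return [user for user, changed in accounts if password_expired(changed, today)]


# Constructed sample account metadata for the age audit.
SAMPLE_ACCOUNTS = [
    ("jsmith", date(2024, 1, 1)),   # 91 days before the sample review date: overdue
    ("mlee", date(2024, 3, 15)),    # recent
    ("treasury1", date(2023, 11, 20)),  # well overdue
]

if __name__ == "__main__":
    for candidate in ("password", "Ab1!", "Tr3asury!"):
        problems = check_password_strength(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
    print("due for change:", audit_password_age(SAMPLE_ACCOUNTS, date(2024, 4, 1)))
```

The validator belongs at the point where a user sets a new password, since that is the only time the plaintext is legitimately available; the age audit runs against stored metadata and never needs the password itself.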
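Item 13 asks for periodic review of event logs but does not say what to look for. As an added example (not part of IBT's document), the code below parses a constructed logon log and reports any user/source pair with repeated failed logons, noting whether a successful logon followed them, which is the pattern a reviewer would want flagged for follow-up. The log format, the sample lines, the threshold of five failures and the function names are all this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line format for this example: "<ISO timestamp> <event> user=<id> src=<address>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGON_OK|LOGON_FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (addresses from the 192.168.0.0/16 and 203.0.113.0/24 documentation ranges).
SAMPLE_LOG = """\
2024-03-04T08:01:12 LOGON_OK user=jsmith src=192.168.10.21
2024-03-04T08:02:40 LOGON_OK user=mlee src=192.168.10.22
2024-03-04T22:13:07 LOGON_FAILED user=jsmith src=203.0.113.9
2024-03-04T22:13:15 LOGON_FAILED user=jsmith src=203.0.113.9
2024-03-04T22:13:22 LOGON_FAILED user=jsmith src=203.0.113.9
2024-03-04T22:13:31 LOGON_FAILED user=jsmith src=203.0.113.9
2024-03-04T22:13:40 LOGON_FAILED user=jsmith src=203.0.113.9
2024-03-04T22:14:02 LOGON_OK user=jsmith src=203.0.113.9
2024-03-04T09:15:00 LOGON_FAILED user=mlee src=192.168.10.22
"""

# Assumed review threshold: this many failures from one source for one user is worth a look.
FAILED_LOGON_THRESHOLD = 5


def parse_log(text: str) -> list:
    """Turn raw log text into event dicts, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # a malformed line should not abort the whole review
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": m["event"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def review_logons(events: list, threshold: int = FAILED_LOGON_THRESHOLD) -> list:
    """Report (user, src) pairs with at least `threshold` failed logons.

    Events are processed in time order so that a LOGON_OK is only counted as
    'succeeded_after' if the failures preceded it.
    """
    failures = defaultdict(int)
    success_after = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["event"] == "LOGON_FAILED":
            failures[key] += 1
        elif failures[key] >= threshold:
            success_after[key] = True
    findings = []
    for (user, src), count in failures.items():
        if count >= threshold:
            findings.append({
                "user": user,
                "src": src,
                "failed": count,
                "succeeded_after": success_after.get((user, src), False),
            })
    return findings


if __name__ == "__main__":
    for finding in review_logons(parse_log(SAMPLE_LOG)):
        print(finding)
```

A single failed logon (mlee at 09:15) is normal and is not reported; the review surfaces only the concentrated run of failures, and the `succeeded_after` flag tells the reviewer whether the account should be treated as compromised rather than merely targeted.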

Suspension in the Event of a Suspected Security Breach

IBT may suspend your Cash Management services if IBT has reason to believe there has been:

  • A suspected breach in the security of your company's physical or logical infrastructure.
  • Fraud or a fraudulent transaction originating from your company.
  • Uncertainty regarding the authorization or accuracy of electronic transmissions submitted by your company.

If you use online services for any business activity, you assume all risk of loss for unauthorized transfers and payments, and you must establish your own internal security procedures to prevent all unauthorized use by other employees or persons.

Additional Links and Resources

www.bbb.org/data-security

http://www.sba.gov/community/blogs/community-blogs/business-law-advisor/how-small-businesses-can-protect-and-secure-cus

www.ftc.gov/bcp/edu/multimedia/interative/inforsecurity/index.html

http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf

www.ic3.gov/media/2010/corporateaccounttakeover.pdf

https://www.nacha.org/sites/default/files/files/CAT%20-%20B.pdf

www.fsisac.com/files/public/db/p265.pdf