ABC Bank

Shriti Karia
Instructional Designer
KPMG
 Where are we now?
Summary of the problem
Key drivers
Why is it important?
Consequences of not getting it right brand damage, fines, legal action, loss of customers, impact on market share.etc
Challenges
Despite putting things in place how can we ensure delegates take the content on board?
In addition to day job.
Almost BAU and an after thought and not a priority until it happens. I know attitude.
Scope of the training
Training standard for all but learning path varies based on role.
Periodic email reminder to all colleagues with due date
If you are a Director content will adapt to supporting your direct reports - manager responsibility as well as basic content?
Content for all staff to be the same with a test and attestation at the end done annually with appropriate consequences for
those not adhering to completion timescales none compliant status and impact on conduct performance at end of year review.
Would take into account when looking at roll out: The bank has 8,500 staff, split across a head office in London,
and 500 retail branches in most towns and cities, and a call centre. Most users have access to high-end IT
hardware, including mobile phones, laptops and tablets. Senior managers are regularly committed to using tablet
devices only, for greater portability, and unlikely to be carrying laptops. All mobile devices are run on the latest iOS
software, including all tablets. Laptops are a 80:20 blend of windows:mac. There are HD touchscreen TVs located
around the building, as well as interactive whiteboards and televisions in all meeting rooms.
Mac/Window compatibility
Access from home
On the move
Touch screen and mouse based access etc etc
 What we will cover? - intro
Learning objectives and outcomes
My training solution
Approach
Learner journey (including screen mockups if
appropriate) I would do these as a separate
hand out
 Passwords

Secure passwords
Why insecure passwords are a security risk
Use some content from here:
http://itsecurity.telelink.com/weak-passwords

The easiest way to find information or steal your identity

is through weak passwords
People use software to guess easy passwords, often is
less than a second
Give examples of some weak passwords and some strong
password
 Creating a secure password
Showcase password creator
https://strongpasswordgenerator.com/ - an example
Timeout login
Single Sign on log in and out of all systems with one log in pros and cons

Dont use obvious passwords, single words or things that people know about you
Eg Some other examples
My daughter Zoe loves to bake cakes for Granny Jean M d Z l 2 b c 4 G J
Going to Peter and Susans wedding in June G 2 P a n d S w I J
My best skiing holiday was one week in Austria M b s h w 1 w I A

Can ABC Bank move towards Single Sign On to all systems this will either involve no password to login to some systems, or the same
username and password usable across a number of applications.

But this is going to take some time, and in the interim we must ensure password problems dont negatively affect our customers
experience.

Good passwords are long and contain non-standard characters try converting a sentence you will remember

Password managers debate how secure these are for a bank other solutions what in place now - a good question I think.
This is really good to chat through http://uk.pcmag.com/password-managers-products/4296/guide/the-best-password-managers-of-2017
Software that lets you store many different passwords in one place how is this viewed in banking ? Data risk question/assumption.
Often an online service but can be synched between computers
 Security
Security in the office
Why security in the office is important
No foreign USBs into computers
You need to make sure that only authorised contractors and visitors can access branches to carry out their work. There are 3 levels of
access for branch entry. Moves from lower to higher levels are not permitted without the appropriate new level of ID&V being applied.
The Branch Manager or Assistant Manager would need to ID&V the contractor using an online tool before a change of access level is
allowed.
Once youve located the visiting contractor/visitor
Select the grey image of the face that appears on the tool

If a photograph is present on the system it will appear, you must check that its a true likeness of the contractor/visitor present

If the ID given by the contractor/visitor has a signature, check against their signature on the Contractor/Visitor Log

Check that the name of the company the contractor/visitor works for corresponds to the name listed on the ID&V Tool
ID for staff:
Who is Known by a colleague

An expected visitor

Confirmed to still be working for ABC Bank

Then no ID&V is required when they visit
If none of the criteria are met for known employees then a visiting employee must produce relevant photographic ID so that the online
tool can be used. Tool is populated prior to arrival
The colleague undertaking the ID&V check will need to
 Security II
Staff passes
Make sure you show them at all times
Challenge anyone who is not showing a staff pass
Use Organisation Structure tool, if necessary

Have the ID&V witnessed by the person who co-signs the visiting contractor/visitors log

Show the employee the Emergency Procedures Page detailing branch contacts during their visit

People who are not authorised to enter could do so, by pretending or tailgating
Even legitimate people should not see client-confidential documents

Protect your pc
Make sure you use a screensaver when youre away from your desk
Staff must always lock their screens when moving away from their desktop. To do this:
Press Ctrl + Alt + Delete to display Windows Security screen
Select Lock Computer
Or
Select the Lock Screen icon from the toolbar
To unlock press Ctrl + Alt + Delete to display your Login screen and enter your Username and Password

Do not leave your laptop unsecured when it could be taken

 Dont leave confidential documents around
Information is classified in the following ways:
How to handle and dispose of customer's personal and financial details in line with the Data Protection Act

What you need to know

The Bank's Information Classification Standard covers all information, which may be placed into one of three classification levels:

Unrestricted

Information that is already in or has been authorised for the public domain, or information for which unauthorised public disclosure
would have no significant negative impact or consequences for ABits customers or its business partners.
Examples: Marketing materials, job advertisement, Public announcements, ABC publicly -accessible websites, Publications.

Confidential - Information which is proprietary to the organisation or related to a key business process, and to which access by all
employees is not necessary or appropriate. Access to this information is only required by those with a need-to-know to fulfil their
duties. Such information may have a negative impact if were to be disclosed to unauthorised personnel either internally or externally.
Personal and financial customer information must be classified as at least Confidential. If the information is of a sensitive personal
nature and warrants extra protection it must be classified as Secret. Refer to the Group Privacy Policy for more information on sensitive
personal information.

Examples: New product plans, Client contracts, Audit findings and reports, Legal contracts, Customer/client information, Strategies and
budgets, Vulnerability assessments, Performance appraisals, Staff remuneration and personal information, Information system security
configuration information.

Labeling information: Hard copies must have a visible Classification label on the title page as a minimum, and preferably in the footer of
each page. Envelopes containing Confidential information must have a visible Classification label on the front. Electronic information
must have an obvious Classification label, including labels within each page of multi-page documents.

Secret - Information for which unauthorised disclosure (internally or externally) may cause serious financial or reputational damage,
significant loss of competitive advantage, or regulatory sanction or legal action. Note that some information may only be considered
Secret for a short period of time.

Examples: Profit forecasts or annual results (prior to public release), Information on potential mergers or acquisitions, Strategic planning
information, Executive Committee minutes, Certain information system security configuration, Information for which unauthorised
disclosure may cause serious consequences, Certain audit findings and reports for which unauthorised disclosure may cause serious
consequences.

Labeling information: Hard copies must be given a visible Classification label on each page. Secret information must not be sent in single
envelopes; an envelope labeled as Secret must be sent within another envelope that is not labeled. Electronic information must have an
obvious Classification label, including labels within each page of multi-page documents.
 Continued

Internal Only

Intended for distribution within ABC whether to just one, some or all colleagues. We would not want or need to publicise the information but the
impact of unauthorised disclosure (internally or externally) could be a financial or reputational risk if it became public.

Example:

Policies and standards

Process documents
Internal announcements
Staff handbook
Newsletters
Internal communications that do not contain Confidential information

Make sure confidential documents are put away, especially overnight

Destroy any confidential documents safely when finished with them.

Security in public places

Talking care of your equipment
Be careful with your equipment when outside, including flash drives
Report any losses as quickly as possible
 Online
Public internet networks
All staff use secure log in remotely and VPN with RSA Secure ID
https://www.rsa.com/en-us/products/rsa-securid-suite/rsa-securid-access/securid-software-
tokens.html
Video of how it works from youtube perhaps to showcase this will be cool.

Be careful not to send sensitive information

Do not send confidential information account statements, numbers, customer specific
information, date of birth. Question how is data currently exchanged with customers?
Attempts to gain information from customers to allow someone to fraudulently access their
account, is known as Social Engineering.
Such attempts can be made via email, text or phone call.
If your customer is suspicious of an email, text or phone call or believes they may have
divulged information to a fraudster by responding to an email, text or phone call, there are
multiple ways you can support them.

Make sure your computer settings dont allow sharing

 Behaviour & Best Practice
Watch what you say
Be careful what you say about us or our clients, in case youre
overheard
No posting on Social Media
Be careful what you say in Public places. Do not discuss if you are
under a Non-Disclosure agreement
If you need to talk about work, choose somewhere you cannot be
overhead
Book rooms for meetings
Do not meet clients in public places to discuss confidential matters
Think about colleague security too misuse of system access etc
Actions if a breach exist. What is in place? Who to report? Aide
Memoir? Where can it be found? Etc etc
 My Questions
Questions to the client
How do you currently roll this out?
What has been the impact of the bad media/press
in recent times?
What are your key risks out the brief agreed?
Who are the key Stakeholders to roll this out and
how can we get them on board to emphasise
importance of training?
Thanks

ABC Q&A