CIB understands the need for CIB Business Online Portal to be a secure and trusted channel and has therefore ensured that the platform is operated in a highly secure manner with strong technological and non-technological security standards in place.
- Each user is required to have a unique user ID and password
- One-time passwords generated by a secure token are required for any financial transaction submitted to the bank via CIB Business Online Portal.
- The platform is configured in such a way as to allow multiple levels of authorization, ensuring that the proper reviews and authorizations are conducted within the client's organization before any transaction is submitted to the bank.
B. Server authentication
- All of CIB's externally facing servers (i.e. reachable by the public through the internet) are located on CIB premises.
- Business services that are accessible through the internet use SSL for secure connectivity between the user's browser and CIB's server. Server-side certificates (CIB uses Versing certificates; our CA (Certificate Authority) is the Versing Public CA) ensure that the browser is connected to a CIB-operated server. Hence, with every connection between the user's browser and one of CIB's servers, the server is authenticated by the browser.
C. User authentication
- For all transactions submitted to the bank, one-time passwords generated by a secure token are required. Secure tokens are only issued to persons who are authorized signers per the company's Commercial Register.
- Each user is assigned a unique user ID and password.
- All passwords must be at least 8 characters long and must be a combination of letters, numbers and special characters.
- Password complexity is enforced by the application.
- No default or built-in user ID is permitted within the platform.
- After 5 unsuccessful log-in attempts, the user's account is deactivated and can only be reactivated by a bank administrator.
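The password rule and the lockout rule in the list above can be expressed as a small login-control model. The code below is an added example, not CIB's own code: it assumes the checks run in the bank-side application, treats `string.punctuation` as the set of "special characters", stores passwords as salted PBKDF2 hashes (the page does not say how CIB stores them), and models the bank-administrator unlock as a hypothetical `admin_reactivate` step.

```python
"""Added example (not CIB code): enforce the 8-character/complexity password
policy and the deactivate-after-5-failures lockout described on the page."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 8   # "at least 8 characters long"
MAX_FAILED_ATTEMPTS = 5   # "after 5 unsuccessful log-in attempts"
PBKDF2_ROUNDS = 100_000   # assumption: the page does not specify a hash scheme


def password_policy_violations(password: str) -> list[str]:
    """Return the policy rules the password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):  # assumed special set
        problems.append("no special character")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class UserAccount:
    user_id: str            # unique per user; no default or built-in IDs exist
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    deactivated: bool = False


def create_account(user_id: str, password: str) -> UserAccount:
    """Reject non-compliant passwords at creation time (application-enforced)."""
    violations = password_policy_violations(password)
    if violations:
        raise ValueError("password rejected: " + ", ".join(violations))
    salt = os.urandom(16)
    return UserAccount(user_id, salt, _hash(password, salt))


def attempt_login(account: UserAccount, password: str) -> str:
    """Return 'ok', 'bad_password' or 'deactivated'.

    A deactivated account stays locked even for the correct password; only
    admin_reactivate() clears the lock, mirroring the bank-administrator rule.
    """
    if account.deactivated:
        return "deactivated"
    if hmac.compare_digest(_hash(password, account.salt), account.password_hash):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.deactivated = True
        return "deactivated"
    return "bad_password"


def admin_reactivate(account: UserAccount) -> None:
    """Hypothetical bank-administrator action: clear the lock and the counter."""
    account.deactivated = False
    account.failed_attempts = 0


if __name__ == "__main__":
    acct = create_account("user01", "Str0ng!Pass")   # constructed sample user
    print(attempt_login(acct, "Str0ng!Pass"))        # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(attempt_login(acct, "wrong"))           # 4x bad_password, then deactivated
    print(attempt_login(acct, "Str0ng!Pass"))        # deactivated until admin acts
    admin_reactivate(acct)
    print(attempt_login(acct, "Str0ng!Pass"))        # ok
```

Note that the lockout counter resets on a successful login but the lock itself never clears on its own; the one-time-password step that the page requires for transactions is a separate factor and is not modelled here.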
D. Authorization matrix
CIB Business Online Portal includes the ability to assign specific and limited privileges to each user. Users can be defined as 'inquiry only' users with view only rights or as 'transacting' users with the right to transact on the system.
Any transaction submitted to the bank must be approved by at least two authorizers, who must be authorized signers for the company and are issued a secure token on that basis. Four distinct authorization limits can be established (A, B, C, D), with several different authorization combinations (A+B, A & B, B+D, etc.).
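The dual-approval rule and the limit classes above can be checked in one release function. This is an added example and not CIB's implementation; the page lists the combinations (A+B, B+D, ...) without defining them, so the code assumes each authorizer holds exactly one limit class, treats a combination as an unordered pair of classes held by two distinct token-holding authorizers, and uses a constructed `ALLOWED_COMBINATIONS` table in place of whatever the bank actually configures.

```python
"""Added example (not CIB code): dual-control release check for a transaction
under an authorization matrix with limit classes A-D."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PortalUser:
    user_id: str
    role: str                      # "inquiry" (view only) or "transacting"
    limit_class: Optional[str]     # "A".."D" for authorizers, None otherwise
    has_secure_token: bool         # issued only to authorized signers


# Constructed rule table (assumption): which pairs of limit classes may jointly
# release a transaction. The page names A+B and B+D; A+C is added for illustration.
ALLOWED_COMBINATIONS = {frozenset("AB"), frozenset("BD"), frozenset("AC")}


def can_release(approvers: list[PortalUser],
                allowed=ALLOWED_COMBINATIONS) -> tuple[bool, str]:
    """Return (ok, reason). Every reason string is stable so it can be logged."""
    if len({u.user_id for u in approvers}) != len(approvers):
        return False, "authorizers must be distinct users"
    if len(approvers) < 2:
        return False, "at least two authorizers required"
    for u in approvers:
        if u.role != "transacting" or u.limit_class is None:
            return False, f"{u.user_id} is not a transacting user with a limit class"
        if not u.has_secure_token:
            return False, f"{u.user_id} holds no secure token (not an authorized signer)"
    combination = frozenset(u.limit_class for u in approvers)
    if combination not in allowed:
        return False, "combination " + "+".join(sorted(combination)) + " is not permitted"
    return True, "approved"


# Constructed sample users (not real CIB accounts).
ALICE = PortalUser("alice", "transacting", "A", True)
BOB = PortalUser("bob", "transacting", "B", True)
CAROL = PortalUser("carol", "inquiry", None, False)
DAVE = PortalUser("dave", "transacting", "D", True)

if __name__ == "__main__":
    for pair in ([ALICE, BOB], [ALICE], [ALICE, ALICE], [ALICE, CAROL], [ALICE, DAVE]):
        print([u.user_id for u in pair], can_release(pair))
```

The distinct-user check comes first so that one authorizer re-submitting the same approval can never count twice; an 'inquiry only' user fails on role before the combination is even consulted.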
E. Audit and control reports
Several audit and control reports are available, including:
- An audit report on all login activities by all the company users.
- An audit report on all transfers originated through the platform
- An audit report on all communications submitted to the bank through the secure mail functionality
Integration within CIB technology environment
Interface resilience
CIB utilizes services from reputable national and international vendors in order to implement and secure its external interfaces. In order to implement a resilient set of interfaces with our external partners as well as the general internet, we have contracted RAYTA/Vodafone, TE Data, NOL, NOOR and Link.Net. In addition, CIB uses dark-fiber technology for its Disaster Recovery site in order to provide an RPO and RTO of 0 minutes for those services and interfaces that require this, from both a business and a technical perspective. This includes all security-related infrastructure as well. All of our online services are implemented over at least two of the above interfaces in order to provide 24x7 connectivity where applicable, and resilience according to business specifications as well as market requirements with regard to DR and BCM.
Secure platforms
In order to comply with national and international laws and regulations, with the standards applied by top financial institutions, and with those of the online-business domain, we deploy fully hardened operating system configurations on those servers that require this.
CIB policy is to continuously revisit our hardening strategy in order to adhere to the latest standards and guidelines. In addition, we explicitly consider hardening of our servers within the scope of compliance- or security-related projects. For example, the current PCI compliance program, which ensures that our systems comply with the PCI-DSS specifications, explicitly takes into account the hardening of our security-sensitive systems. Each new business service receives a so-called CIA rating as well as RPO and RTO requirements for both DR and BCM scenarios. The business service is fitted into our security infrastructure accordingly and is therefore inherently secure as well as compliant.
Cyber threats
Apart from architectural security components such as firewalls, proxies and web filters, which are explicitly embedded in our infrastructure (see the appendix), our environment is configured with a variety of specialized software and hardware to address threats from external sources.
- Symantec Endpoint full client is used for all servers and client systems.
- Lotus Protector is used for defending our environment from attacks originating from email.
- Compliance to CIB security standards is enforced using CISCO NAC Agents.
- All of the latest client software updates (most notably Windows updates) are deployed through SUS.
- Proventia Intrusion Prevention is explicitly targeting cyber-attacks that utilize intrusion tactics to compromise our security.
A. Funds Transfer Operations
Funds Transfer Operations is centralized in one building, which is secured by security guards who require all visitors to be signed in and escorted by a CIB staff member.
The Funds Transfer Operations is monitored by video cameras 24 hours a day.
B. Trade Operations
Trade Operations is centralized in one building, which is secured by security guards who require all visitors to be signed in and escorted by a CIB staff member. The Central Operations building is monitored by video cameras 24 hours a day.