Abstract (English)
The Full Functional Internet Banking System (FFIBS for short) provides all services to customers via the Internet, but how can it be trusted, especially in an Internet environment where threats come from all directions? Security is abstract in nature and hard to describe with concrete measures. In the information technology (IT for short) domain, security is an effect of sustained corporate operations, which makes it even more difficult to measure. The Common Criteria is an international standard for evaluating the security of an IT product or system. Its purpose is to make it possible to describe and evaluate IT security in a common language.
This thesis proposes security objectives for FFIBS according to the Common Criteria methodology. The security objectives proposed here have the following features:
1. To provide customers with smooth, secure and uninterrupted services in the Internet environment, especially keeping extremely high availability. The resources FFIBS needs to provide service, such as data communication capacity and the processing capacity of the servers, should keep appropriate flexibility and redundancy. The requirements for extending and adjusting system capacity, backup, and disaster and contingency planning should be considered while the system is constructed.
2. To create a reliable accounting process, we propose security objectives of virtual roles and virtual transaction evidence, which are based on the traditional duty-segregation approach of internal control.
3. To continually educate customers, and to support customers in setting up, or directly provide them with, a secure operating environment.
Finally, to comply with the Common Criteria requirement that each security objective be traceable to its corresponding security environment, we present a cross-reference table of FFIBS security environments and security objectives. This table gives the relationships between security environments and security objectives. The proposed security objectives can be used by general customers as a reference to determine whether a bank's FFIBS is secure. Banks can use them to develop security requirements for constructing an FFIBS that complies with the Common Criteria, and the authorities can also use them to evaluate the soundness of an FFIBS.