Provide customer security advice, as necessary.


CONTROL ID
13674
CONTROL TYPE
Communicate
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a customer service program., CC ID: 00846

This Control has the following implementation support Control(s):
  • Use simple understandable language when providing customer security advice., CC ID: 13685
  • Disseminate and communicate to customers the risks associated with transaction limits., CC ID: 13686
  • Display customer security advice prominently., CC ID: 13667


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is the primary responsibility of AIs to ensure that the risks posed by e-banking are properly managed and to educate and protect their customers. In the light of the inherent operational, reputation and legal risk as well as potential liquidity risk associated with e-banking, an AI's Board, or i… (§ 3.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • AIs should warn their e-banking customers of the customers' obligations to take reasonable security precautions to protect the devices and the authentication factors (e.g. passwords and authentication tokens) used by the customers in the e-banking services. AIs should also observe the relevant provi… (§ 4.3.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • The customer reception desk should provide consistent information to customers in collaboration with the public relations division. (P70.7. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is also desirable that users be made aware that they themselves must also check to be sure that there is no unauthorized use. (P113.1. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • For early detection of unauthorized use, it is recommended that customers check their account balance and history of transactions on a regular basis. (P115.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Provision of various electronic banking channels like ATM/debit cards/internet banking/phone banking should be issued only at the option of the customers based on specific written or authenticated electronic requisition along with a positive acknowledgement of the terms and conditions from the custo… (Critical components of information security 31) (i), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks are responsible for the safety and soundness of the services and systems they provide to their customers. Reciprocally, it is also important that customers take appropriate security measures to protect their devices and computer systems and ensure that their integrity is not compromised when e… (Critical components of information security 31) (iv), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Customers should be advised to adopt various good security precautions and practices in protecting their personal computer and to avoid conducting financial transactions from public or internet café computers. (Critical components of information security g) ¶ 2 11., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • SSL server certificate warning: Internet banking customers should be made aware of and shown how to react to SSL or EV-SSL certificate warning. (Critical components of information security g) ¶ 2 15. g., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Measures available for users to take; (Article 27-3(1)(3), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • A major provider of information and communications services may, if it is foreseen that a serious problem is likely to occur in the information system of a user who uses the services, the information and communications network, or similar provided by it because of an occurrence of a serious intrusio… (Article 47-4(2), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • It would be useful for the FI to provide timely updates to its customers on the progress of its incident management and the measures the FI is implementing to protect its customers and continue delivery of financial services. Where appropriate, the FI should advise its customers on actions that they… (§ 7.7.7, Technology Risk Management Guidelines, January 2021)
  • The FI should alert its customers on a timely basis to new cyber threats so that they can take precautionary measures. (§ 14.4.2, Technology Risk Management Guidelines, January 2021)
  • The FI should advise their customers on the means to detect unauthorised transactions and to report promptly security issues, suspicious activities or suspected fraud to the FI. (§ 14.4.3, Technology Risk Management Guidelines, January 2021)
  • Customers should be informed of the security best practices that they should adopt when using online financial services. This includes the measures to take to secure their electronic devices that are used to access online financial services. (§ 14.4.1, Technology Risk Management Guidelines, January 2021)
  • The FI should actively monitor for phishing campaigns targeting the FI and its customers. Immediate action should be taken to report phishing attempts to service providers to facilitate the removal of malicious content. The FI should alert its customers of such campaigns and advise them of security … (§ 14.1.6, Technology Risk Management Guidelines, January 2021)
  • A regulated institution would normally advise on measures for customers to protect themselves against fraud and identity theft. Examples of advice given would typically include: (Attachment E ¶ 2, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • promoting and developing education and training on cybersecurity, cybersecurity skills, awareness raising and research and development initiatives, as well as guidance on good cyber hygiene practices and controls, aimed at citizens, stakeholders and entities; (Article 7 2(f), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • strengthening the cyber resilience and the cyber hygiene baseline of small and medium-sized enterprises, in particular those excluded from the scope of this Directive, by providing easily accessible guidance and assistance for their specific needs; (Article 7 2(i), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • The cloud customer is informed by the cloud provider of the status of the incidents affecting them in a regular and an appropriate form that corresponds to the contractual agreements or is involved into corresponding remedial actions. As soon as an incident was remedied from the cloud provider's poi… (Section 5.6 RB-20 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • An explanation of situations in which the institution uses enhanced authentication controls, such as call center contact or certain types of account activity like password reset. (Section 10 ¶ 2 Bullet 6, Authentication and Access to Financial Institution Services and Systems)
  • An explanation of communication mechanisms that customers may use to monitor account activity, such as transaction alerts. (Section 10 ¶ 2 Bullet 3, Authentication and Access to Financial Institution Services and Systems)
  • An explanation of how customers can determine the legitimacy of communications from the financial institution, particularly communications that seek information that could be used to access the customer's account. (Section 10 ¶ 2 Bullet 1, Authentication and Access to Financial Institution Services and Systems)
  • An explanation of controls the financial institution offers that customers can use to mitigate risk, such as MFA. (Section 10 ¶ 2 Bullet 2, Authentication and Access to Financial Institution Services and Systems)
  • A comprehensive customer awareness program educates customers about a range of authentication risks and other security considerations when using digital banking services. The customer awareness program can complement the layered security controls implemented to protect customers and can lower access… (Section 10 ¶ 1, Authentication and Access to Financial Institution Services and Systems)
  • As part of its customer awareness program, makes security awareness information available to its customers using unaffiliated third-party API services. Determine whether the information addresses protections available and not available when the customer allows access to its data. (App A Objective 13:6i Bullet 10, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • A financial institution's customer awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include the following elements: (Customer Awareness and Education ¶ 1, Supplement to Authentication in an Internet Banking Environment)
  • A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically; (Customer Awareness and Education ¶ 1 Bullet 3, Supplement to Authentication in an Internet Banking Environment)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. (IR-7 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. (IR-7 Control, FedRAMP Security Controls Low Baseline, Version 5)
  • Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. (IR-7 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. (IR-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. (IR-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. (IR-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. (IR-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Control: Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Serve as the information privacy liaison for users of technology systems (T0878, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Serve as the information privacy liaison for users of technology systems (T0878, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. (IR-7 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. (IR-7 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Direct the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the covered entity and all other online accounts for which the person whose pers… (§ 6-1-716(2)(a.3)(I), Colorado Revised Statutes, Section 6-1-716, Notice of Security Breach)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Control, TX-RAMP Security Controls Baseline Level 1)
  • The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. (IR-7 Control, TX-RAMP Security Controls Baseline Level 2)