
Security control weaknesses on the eInsurance application

Management will:

• Work with the eInsurance vendor to assess the feasibility of implementing the system's security module, which
includes the password controls;

• Assess with the eInsurance vendor the feasibility of implementing a control/feature that records each user's
accesses (user ID, date and time) on this application, and create and assign individual login accounts to the
helpdesk team so that the actions performed by each user can be attributed to that user;

• Implement audit trails to maintain accountability for changes made to client data and to the policy issuance
functionality;

• Implement logging on the eInsurance database to maintain accountability for the accesses and changes made at
that level. Furthermore, request GIS to perform a full review of newly implemented and pre-existing applications on a
regular basis.
 
Consolidated IT Controls Catalog - AC - Access Control

Ref. #: AC2.1

Controls:
User authentication must use automated means to enforce the following:
a. authentication by a PIN, password, or token (e.g. smartcard, one-time-use password).
b. passwords must not be displayed on screen or on printed materials.
c. unique, temporary passwords must be issued for new or reset accounts that require change on first use.
d. passwords must be:
   1) minimum length of 8 characters
   2) different from the associated UserIDs.
   3) composed of a mix of at least three of the following complexity requirements: upper case characters,
      lower case characters, numeric and special characters (or maximum complexity options supported by the
      underlying system).
   4) changed at least every 90 days.
   5) restricted so the same password cannot be used again within 8 changes.
e. accounts must be locked after 5 incorrect login attempts.
f. account lockout duration must be set to 30 minutes or longer, or until an administrator re-enables the user ID.
g. identification of the requestor of password resets through a specialized question set or independent
   confirmation.

Evidence Requirements:
Evidence of system password policies (i.e. configuration parameters) must be available to demonstrate password
length, complexity, and change requirements. Systems must be able to demonstrate authentication functionality
consistent with documented requirements.
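As an added illustration of what "automated means" for rules c to f of AC2.1 look like in code (this is example code written for this page, not the eInsurance vendor's security module or any Zurich code), the following Python module enforces the length, user-ID, complexity, 90-day age and 8-change history rules on password changes, and the 5-attempt / 30-minute lockout on logins. The PBKDF2 hashing parameters, the Account class, the user name jdiaz and the sample passwords are assumptions chosen for the demonstration; treating a password that merely contains the user ID as a violation of d.2 is a stricter reading than the catalog's "different from".

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

# Policy parameters as stated in control AC2.1 (d.1-d.5, e and f).
MIN_LENGTH, MIN_CLASSES, MAX_AGE_DAYS, HISTORY_DEPTH = 8, 3, 90, 8
MAX_FAILED_ATTEMPTS, LOCKOUT = 5, timedelta(minutes=30)
# The four complexity classes named in d.3.
_CLASSES = [re.compile(p) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")]
_PBKDF2_ITERATIONS = 100_000   # hashing parameters are an assumption, not a catalog requirement


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS)


def matches(password, salt, digest):
    """Constant-time check of a candidate password against a stored (salt, digest)."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def password_violations(user_id, candidate, history):
    """Rules d.1, d.2, d.3 and d.5 broken by `candidate`; `history` is the user's
    previous (salt, digest) pairs, newest first. An empty list means acceptable."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("d.1 shorter than %d characters" % MIN_LENGTH)
    # d.2 only demands "different from the UserID"; rejecting passwords that merely
    # contain the user ID is a stricter reading chosen for this example.
    if user_id.lower() in candidate.lower():
        violations.append("d.2 contains the user ID")
    if sum(1 for rx in _CLASSES if rx.search(candidate)) < MIN_CLASSES:
        violations.append("d.3 fewer than %d character classes" % MIN_CLASSES)
    if any(matches(candidate, s, d) for s, d in history[:HISTORY_DEPTH]):
        violations.append("d.5 reused within last %d changes" % HISTORY_DEPTH)
    return violations


class Account:
    """Account record carrying the state the AC2.1 rules need (times are passed in for determinism)."""

    def __init__(self, user_id, temporary_password, now):
        self.user_id, self.history = user_id, []   # history: (salt, digest), newest first
        self.failed_attempts, self.locked_until = 0, None
        self.set_password(temporary_password, now)
        self.must_change = True   # c: a temporary password must be changed on first use

    def set_password(self, new_password, now):
        problems = password_violations(self.user_id, new_password, self.history)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self.history.insert(0, hash_password(new_password))
        del self.history[HISTORY_DEPTH:]   # keep exactly the depth d.5 needs
        self.changed_at, self.must_change = now, False

    def login(self, password, now):
        """Return "locked", "denied", "change_required" or "ok" (rules e, f, c and d.4)."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"                       # f: lockout still in force
            self.locked_until, self.failed_attempts = None, 0   # lockout elapsed
        if not matches(password, *self.history[0]):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT     # e: lock after 5 wrong attempts
                return "locked"
            return "denied"
        self.failed_attempts = 0
        if self.must_change or now - self.changed_at > timedelta(days=MAX_AGE_DAYS):
            return "change_required"                  # c on first use, d.4 after 90 days
        return "ok"

    def admin_unlock(self):
        """f: an administrator may re-enable the user ID before the 30 minutes elapse."""
        self.locked_until, self.failed_attempts = None, 0


def demo():
    """Walk one constructed account (user jdiaz, sample passwords) through the rules."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct, out = Account("jdiaz", "Temp#2024pw", t0), {}
    out["first_login"] = acct.login("Temp#2024pw", t0)                     # change_required
    out["weak"] = password_violations("jdiaz", "jdiaz123", acct.history)    # d.2 and d.3
    acct.set_password("Policy!Issue9", t0)
    out["reuse"] = password_violations("jdiaz", "Temp#2024pw", acct.history)   # d.5
    for _ in range(MAX_FAILED_ATTEMPTS):
        acct.login("wrong-guess", t0)
    out["right_password_while_locked"] = acct.login("Policy!Issue9", t0)   # locked
    out["after_lockout"] = acct.login("Policy!Issue9", t0 + LOCKOUT)       # ok
    out["after_91_days"] = acct.login("Policy!Issue9", t0 + timedelta(days=91))  # change_required
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, "->", result)
```

The history check hashes the candidate against each stored salt rather than comparing plaintext, so the application never needs to retain old passwords in clear; the lockout counter is reset only when the 30 minutes have elapsed or an administrator unlocks, so a single wrong guess after expiry does not re-lock the account.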
 
Weak user management and lack of Segregation of Duties controls

Management will:

• Create a process to periodically review the user access rights for the eInsurance application, and perform an
initial review; (Jose Felipe Diaz)

• Develop and implement a procedure for being notified of external leavers, so that their access to the system is
removed or blocked at the moment their contractual agreement terminates. (Jose Felipe Diaz)

• Implement a formal workflow to record both the request and the approvals for the creation of new login accounts
and for profile/function changes of users who already have access to the application. (Jose Felipe Diaz)

• Develop and implement a Segregation of Duties matrix for the eInsurance application, including segregation between
the role that allows users to change product parameters and the profile that grants users permission to issue
policies, and also covering the procedure for changing customer data on the system. (Heidi Blanco)
 
Consolidated IT Controls Catalog - AC - Access Control

Ref. #: AC3.1

Controls:
All users with access to Zurich networks or applications must be:
a. provided with only the minimum functionality required to perform their job.
b. approved by system owners and Group Information Security for non-standard access to IT systems.
c. assigned unique IDs.
d. subject to access reviews to remove unnecessary or obsolete permissions.
e. de-provisioned promptly using a defined process which must:
   1. promptly revoke authentication and access privileges on all systems.
   2. disable or remove components dedicated to providing access.

Evidence Requirements:
The user access request and provisioning process must include documented evidence of completed request forms,
appropriate approvals, prompt de-provisioning of access rights, assignment of unique UserIDs, and access reviews to
remove unnecessary or obsolete access permissions. User access authorization requests must exist for each user
account on the system and must match the access privileges on the system.
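As an added example (written for this page, not code from Zurich, the eInsurance vendor or the audit team) of how the AC3.1 evidence requirement and the management actions above can be exercised as a periodic access review, the following Python script reconciles the roles granted in the application against the recorded request/approval per user, the leaver notifications, a list of shared accounts, and a Segregation of Duties matrix. The user IDs, role names, dates and the shared helpdesk login are constructed sample data; the only conflict pair taken from the page is product parameter changes versus policy issuance.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data for this example; none of it comes from the audit report.
# Role names are assumptions; only the PRODUCT_PARAM_ADMIN / POLICY_ISSUER conflict is
# taken from the management action on the Segregation of Duties matrix.
SYSTEM_ROLES = {                 # roles actually granted in the application today
    "jdiaz":    {"POLICY_ISSUER"},
    "hblanco":  {"PRODUCT_PARAM_ADMIN", "POLICY_ISSUER"},
    "helpdesk": {"CUSTOMER_DATA_CHANGE"},      # generic login shared by the helpdesk team
    "vendor01": {"PRODUCT_PARAM_ADMIN"},
    "mrivas":   {"POLICY_ISSUER", "CUSTOMER_DATA_CHANGE"},
}
APPROVED_REQUESTS = {            # roles covered by a recorded request and approval
    "jdiaz":    {"POLICY_ISSUER"},
    "hblanco":  {"PRODUCT_PARAM_ADMIN"},
    "vendor01": {"PRODUCT_PARAM_ADMIN"},
    "mrivas":   {"POLICY_ISSUER"},
}
LEAVERS = {"vendor01": date(2024, 3, 31)}     # contract end dates notified for external staff
SHARED_ACCOUNTS = {"helpdesk"}                # accounts known not to belong to one person
SOD_MATRIX = [("PRODUCT_PARAM_ADMIN", "POLICY_ISSUER")]   # role pairs one user must not hold


def review_access(system_roles, approved, leavers, shared, sod_matrix, as_of):
    """Reconcile granted roles against approvals, leaver notices and the SoD matrix.

    Returns {user_id: [finding, ...]} for every account with at least one exception;
    an account absent from the result needs no action in this review cycle.
    """
    findings = defaultdict(list)
    for user, granted in sorted(system_roles.items()):
        if user in shared:
            findings[user].append("shared account: actions cannot be attributed to one person (AC3.1 c)")
        if user in leavers and leavers[user] <= as_of:
            findings[user].append("leaver still active, contract ended %s (AC3.1 e)" % leavers[user].isoformat())
        if user not in approved:
            findings[user].append("no access request on file (AC3.1 b)")
        else:
            excess = granted - approved[user]
            if excess:
                findings[user].append("roles beyond approval: %s (AC3.1 a/d)" % ", ".join(sorted(excess)))
        for left, right in sod_matrix:
            if left in granted and right in granted:
                findings[user].append("segregation of duties conflict: %s + %s" % (left, right))
    return dict(findings)


def run_review(as_of=date(2024, 4, 15)):
    """Run the review over the constructed sample data as of the given date."""
    return review_access(SYSTEM_ROLES, APPROVED_REQUESTS, LEAVERS, SHARED_ACCOUNTS, SOD_MATRIX, as_of)


if __name__ == "__main__":
    for user, items in run_review().items():
        for item in items:
            print("%-9s %s" % (user, item))
```

The output of such a script is itself the evidence AC3.1 asks for: each exception is tied to the clause it breaches, and an empty result for a user documents that the granted privileges match the approved request.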
 
Weaknesses related to the Change Management process

Management will:

• Create a process to perform regular assessments of the changes made to the eInsurance system, in order to ensure
compliance with the local Change Management policy and to reinforce to the developers the importance of having all
required supporting documentation properly formalized and available whenever needed.

• Create minimum technical/functional eInsurance documentation to support continuous system maintenance throughout
its lifetime.
 
 
 
Weaknesses around external interface

Management will:

• Implement controls to manage both the completeness and the integrity of the transmitted data;

• Restrict access to the network folder where the files to be sent to the Bank are kept, granting it only on a
need-to-know basis; and

• Create a formal contract and/or formal agreement with Banesco Bank covering the interface maintained with that
entity; the contract must contain, among other things, a specific clause on data confidentiality.
 