Backend banking applications security & audit

I'm looking for articles that outline what are the areas to audit
in backend banking apps (not front-end like ATM) : things like
if https or ssl is being used, sensitive data files' access (esp
corporate banking as I'm not dealing with private banking)
are being controlled with audit trail (that indicates who, at
what time & purpose of access) : any specific implementation
examples and tools used would be good
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
I suggest PA-DSS checklist

E.g. PA-DSS Requirements and Security Assessment Procedures
1. Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
2. Protect stored cardholder data
3. Provide secure authentication features
4. Log payment application activity
5. Develop secure payment applications
6. Protect wireless transmissions
7. Test payment applications to address vulnerabilities
8. Facilitate secure network implementation
9. Cardholder data must never be stored on a server connected to the Internet
10. Facilitate secure remote access to payment application.
11. Encrypt sensitive traffic over public networks
12. Encrypt all non-console administrative access
13. Maintain instructional documentation and training programs for customers, resellers, and integrators

Superficially in SSL use you can see the below extract
5.4 The payment application must only use or require use of necessary and secure services, protocols, daemons, components, and dependent software and hardware, including those provided by third parties, for any functionality of the payment application (for example, if NetBIOS, filesharing, Telnet, FTP, etc., are required by the application, they are secured via SSH, S-FTP, SSL, IPSec, or other technology).
11.1 If the payment application sends, or facilitates sending, cardholder data over public networks, the payment application must support use of strong cryptography and security protocols (for example, SSL/TLS, Internet protocol security (IPSEC), SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks
12.1 Instruct customers to encrypt all non-console administrative access with strong cryptography, using technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
...and PCI-DSS' requirement 6 (Develop and maintain secure systems and application), can check out the "Prioritized Approach Tool Version 2.0" xls found below
madunix (Fadi SODAH)Commented:
Some thoughts:

· Consider future prospects of Information Systems changes.
· Accessing the Information Systems and what sort of rights do they have.
· Segregation of duties RAM (Responsibility Assignment Matrix)
· Think about the back up. I.e. frequency, storage media etc.
· Important aspect will be the disaster recovery plan and system recovery.

btanExec ConsultantCommented:
Agreed, role based and least privileged scheme for identity mgmt needs to be considered, we wouldnt want the sysadmin to have superuser unnecessarily and esp those contractor having that rights (which they shouldnt). The repeat of "snowden" saga reminds us that insider threats are very real and turning audit log will not make great impact w/o continuous monitoring of the log piping to SIEMS or SOC to make sure anomalies are flagged and escalated. It may not be totally prevented but at least deterrence is a good showing to those perpetrator.

Common Sense Guide to Mitigating Insider Threats

Another two more I see as potential threats are data leakage and mobile appl emergence for payment appl, and they are self explanatory in the sort of dangers, below are some references for info

Controlling the Malicious Use of USB Media

PCI Mobile Payment Acceptance Security Guidelines

4.2 Create server-side controls and report unauthorized access.
Develop the overall payment-acceptance solution to include capabilities for preventing and reporting unauthorized access attempts, identifying and reporting abnormal activity, and discontinuing access (i.e., the payment-acceptance solution would prevent further access by the mobile payment-acceptance app on that device until an administrator restores access). Controls include, but are not limited to:

¿ -Support for authorized access (e.g., access control list)
¿- Ability to monitor events and to distinguish normal from abnormal events
¿-Ability to report events (e.g., via a log, message, or signal) including cryptographic key changes, escalation of privileges, invalid login attempts exceeding a threshold, updates to application software or firmware, and similar actions

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Analysis

From novice to tech pro — start learning today.