SECURITY MANAGEMENT SYSTEM

TEMENOS EDUCATION CENTRE

Warning: This document is protected by copyright law and international treaties. No part of this
document may be reproduced or transmitted in any form or by any means, electronic or mechanical,
for any purpose, without the express written permission of TEMENOS Holdings NV. Unauthorized
reproduction or distribution of this presentation or any portion of it may result in severe civil and
criminal penalties, and will be prosecuted to the maximum extent possible under applicable law.
Information in this document is subject to change without notice.

Copyright © 2004 TEMENOS HOLDINGS NV

T2ITT – R05 – 1.0 Copyright © 2005 TEMENOS HOLDINGS NV


Why Security for Banks?

For business transactions

✓ Secrecy
✓ Funds transferred correctly

To provide a secure environment


How do banks ensure security?

• Control
o Different functions (Maker – Checker)
o Individual users
o Different departments

• Audit
o Internal & External

• Reporting
o MIS and Statutory


Different levels

Example of a typical Treasury Operation

[Diagram labels: TREASURY; Authorizer; Front Office, Middle Office, Back Office; Audit; Inputter1, Inputter2, Inputter3]


Why SMS?

Any unauthorized usage of the system

o Detect
o Stop
o Record


SMS in Temenos T24

[Diagram labels: Transaction Input; Authorizer; Queries; Security Management System; RDBMS; Application Logic; Temenos T24 Core; Authorized; Unauthorized; COB; Accruals; Validation; Maturity Control; Reporting; Revaluation; Static Data; Product; Interest Rates; Commissions; Currency; etc.; Risk Management; Credit Risk; Market Risk; Messages/Clearing; Print; SWIFT; SID Interface; Accounting; General Ledger; Debits/Credits]


SMS Functionalities

Access to Temenos T24

User profiles

Authorizations

System Control

Overrides



Access to Temenos T24

Application

Sign On Name
Function

User profile
Data

Password
Time



Sign On Name and Password

• Sign On Name and Password are encrypted at the database level
• Sign On Name and Password are masked from the user during input


Password Attributes

• Not displayed on input.
• Encrypted on file.
• No more than two repeat characters.
• Last two passwords cannot be used.
• At first sign on, Temenos T24 will ask for Password to be input twice.
• Minimum of 6 characters, maximum of 16.
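The attributes above, written as a check (an added example, not Temenos code and not part of the original course material). It assumes that "no more than two repeat characters" means no character three times in a row, and it uses a salted PBKDF2 hash as a stand-in for "encrypted on file"; the function names are hypothetical.

```python
import hashlib
import hmac
import os
import re

MIN_LEN, MAX_LEN = 6, 16      # "Minimum of 6 characters, maximum of 16"
HISTORY_DEPTH = 2             # "Last two passwords cannot be used"

def _digest(password: str, salt: bytes) -> bytes:
    # Stand-in for the product's at-rest protection: a salted, slow hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def store(password: str) -> tuple[bytes, bytes]:
    """Return the (salt, digest) pair kept on file instead of the password."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def violations(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """List the rules that `candidate` breaks; `history` is oldest first."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length")
    # Assumed reading: the same character three or more times in a row.
    if re.search(r"(.)\1\1", candidate):
        problems.append("repeat")
    # Reuse is checked by re-hashing with each stored salt, never by
    # comparing plaintext, so old passwords need not be recoverable.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("reused")
            break
    return problems

if __name__ == "__main__":
    # Constructed sample history, oldest first.
    past = [store("Winter2004"), store("Spring2005"), store("Summer2005")]
    for pw in ("Spring2005", "Winter2004", "aaa123", "abc", "123456"):
        print(pw, violations(pw, past))
```

The Workshop 1 password 123456 breaks none of these rules, so a check against common or sequential passwords has to come from a control other than the attributes listed here.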


Password Attempts

Assumption: Number of password attempts is 3
User has forgotten the password

[Diagram labels: Sign On Name, Password, Security Violation]


Password Attempts

Assumption: Number of password attempts is 3
User has forgotten the password

[Diagram labels: Sign On Name, Password, Security Violation, Too many attempts, Security Administrator, PASSWORD.RESET]


PASSWORD.RESET

• If the User has forgotten the password, the Security Administrator can use PASSWORD.RESET to clear the old password


SIGN.ON.RESET

This situation arises when:

• A User closes their PC without closing Temenos T24
• A hardware or system failure occurs


Types of Sign off

• User Initiated
• An Inactive Session
• Hardware Failure


User Profiles

• Created using the USER Application
• Each User has a profile which defines
o System Usage Times
o Which Company entity they can access
o The applications, Versions, Functions and Records they are allowed to access and use


User – Important fields

• User ID
• User Name
• Sign On Name
• Classification
• Company Code
• Department Code
• Password Validity


User – Important fields continuation

• Start Date Profile
• End Date Profile
• Start time
• End time
• Time Out Minutes
• Attempts


User – Important fields continuation

• Company restriction
• Application
• Version
• Function
• Field Number
• Data Comparison
• Data From
• Data To


User – Important fields continuation

• Sign On Off Log
• Security Mgmt L
• Application Log
• Function Id Log
• Override class
• Attributes


Workshop - 1

• Create a New Profile for you as a member of staff with all Functions including Auditor Review.
• Log in as this new user. Remember to set your password to 123456
• Access User Application. Exit from the application.


Workshop - 1 Solution

Log in as the same user and check whether you are able to do an auditor review


Workshop - 2

• Make the following changes in your recently created USER profile
• Restrict access only to CUSTOMER Application with the functions of Input, See, and Print.
• Log out and log in again.
• Now try to access USER application. Test whether the access has been restricted


Workshop – 2 Solutions
User ‘ROBERT’ has access only to the Customer application.
Functions allowed - Input, See and Print



Workshop – 2 Solutions Continuation

User ‘ROBERT’ doesn’t have access to USER application



USER.SMS.GROUP

[Diagram: User1, User2, User3 and User4, each labelled Teller, with USER.SMS.GROUP]


USER.SMS.GROUP

• Define the Group Security Requirements
• Enter the group name
• Attach the condition Group to the User’s Profile


Workshop - 3

• Create a User Group for Account Managers
• Restrict this to only Input, See, Delete and Authorise Customer records where Sector is equal to 1000
• Attach this to your USER profile.
• Log out and log in.
• Check whether the access is now restricted properly.
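A simplified model of the restriction built in Workshop 3, added here as an illustration; it is not taken from the course material or from T24 itself. The `Row` structure, the comparison names `EQ` and `RG`, the field name `SECTOR` and the 08:00 to 18:00 usage window are assumptions. It shows that the decision is default-deny and that the data condition is evaluated per record.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Row:
    """One restriction row of a profile or group (simplified model)."""
    application: str
    functions: frozenset
    field: str = ""          # empty: no data condition on this row
    comparison: str = ""     # "EQ" or "RG" (names assumed for this model)
    data_from: str = ""
    data_to: str = ""

    def data_ok(self, record: dict) -> bool:
        if not self.field:
            return True
        value = record.get(self.field)
        if value is None:
            return False                      # field missing: fail closed
        if self.comparison == "EQ":
            return value == self.data_from
        if self.comparison == "RG":           # inclusive numeric range
            try:
                return int(self.data_from) <= int(value) <= int(self.data_to)
            except ValueError:
                return False
        return False                          # unknown comparison: fail closed

def is_allowed(rows, start, end, now, application, function, record) -> bool:
    """Default deny: inside the usage window AND some row grants the request."""
    if not start <= now <= end:
        return False
    return any(r.application == application and function in r.functions
               and r.data_ok(record) for r in rows)

# Constructed group modelled on Workshop 3 (Account Managers).
ACCOUNT_MANAGERS = [Row("CUSTOMER",
                        frozenset({"Input", "See", "Delete", "Authorise"}),
                        field="SECTOR", comparison="EQ", data_from="1000")]
OFFICE_HOURS = (time(8, 0), time(18, 0))      # constructed Start/End time

def check(now_hhmm: str, application: str, function: str, record: dict) -> bool:
    """Evaluate a request made at `now_hhmm` ("HH:MM") against the group."""
    return is_allowed(ACCOUNT_MANAGERS, *OFFICE_HOURS,
                      time.fromisoformat(now_hhmm), application, function, record)
```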


Workshop - Solution


Attributes

• It is possible to attach different attributes to different users depending on usage
• Attributes field in the user profile can be set to options like Explorer, Super user, etc.


Workshop - 4

• Amend your user profile and prevent access to command line
• Log out and log in
• Has your access been restricted with regard to command line?
• Log in as your ‘trainee’ user and give access to command line in your user profile.


Overrides

• Non Blocking
Any user can approve the override

• Blocking
Only users with proper authentication are allowed to approve the override


Override - Blocking

• OVERRIDE.CLASS record is used
• The ID is the Application name
• Defines which Override messages require a User-defined classification
• User-defined classifications are then linked to User profiles


Workshop - 4

• Select any Customer record.
• Change Nationality to AD & Residence to AE and commit.
• Look at the override. Get the record authorized.


Workshop Solution



Workshop - 5

• View the OVERRIDE.CLASS record for CUSTOMER application
• Include the override ‘ADDRESS/RESIDENCE STILL AGREE’ in OVERRIDE.TEXT field and ‘CUS’ in DEFAULT.CLASS field.
• After this, repeat the previous workshop and look at the Override.
• Try to get this record authorized


Workshop Solution



Workshop - 6

• Attach Default Class ‘CUS’ to your User Profile
• Log in as this USER and authorize the record which is in INAO status.
• Test whether you have the right access


Workshop solution



Workshop - 7

• Select any Customer record.
• Change Nationality to AD & Residence to AE and commit.
• Attach Default Class ‘CUS’ to a different User Profile.
• Log in as this USER and authorize the record.
• Test whether you have the right access


Workshop solution



OVERRIDE.CLASS.DETAILS

• In a Bank, each user will have authority to approve a certain set of overrides based on the amount involved
– INP - amounts up to USD 50,000
– SUP - between USD 50,000 and 1,000,000
– MGR - excess amounts over USD 1,000,000
• This is achieved using the Application OVERRIDE.CLASS.DETAILS
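A small model of blocking and non-blocking overrides combined with the amount tiers above, added as an illustration and not taken from the course material or from T24. It assumes that a boundary amount belongs to the lower tier, that classes are matched exactly (holding MGR does not imply SUP or INP), and that a message class and an amount class both have to be held when both apply; the function and variable names are hypothetical.

```python
from decimal import Decimal

# OVERRIDE.CLASS-style record for one application: message -> class needed.
# Messages that are not listed stay non-blocking.
CUSTOMER_OVERRIDE_CLASS = {"ADDRESS/RESIDENCE STILL AGREE": "CUS"}

# Tiers from the slide as inclusive ceilings in USD; None means no ceiling.
AMOUNT_TIERS = [("INP", Decimal("50000")),
                ("SUP", Decimal("1000000")),
                ("MGR", None)]

def class_for_amount(amount_usd) -> str:
    """Return the class whose tier contains the amount."""
    amount = Decimal(str(amount_usd))         # avoid binary float rounding
    if amount < 0:
        raise ValueError("amount must not be negative")
    for name, ceiling in AMOUNT_TIERS:
        if ceiling is None or amount <= ceiling:
            return name
    raise AssertionError("unreachable: the last tier has no ceiling")

def may_approve(user_classes, message, override_class, amount_usd=None) -> bool:
    """True when the user holds every class the override requires.

    An override that requires no class is non-blocking, so any user,
    including one with no classes at all, may approve it.
    """
    needed = set()
    if message in override_class:
        needed.add(override_class[message])
    if amount_usd is not None:
        needed.add(class_for_amount(amount_usd))
    return needed <= set(user_classes)

if __name__ == "__main__":
    msg = "ADDRESS/RESIDENCE STILL AGREE"
    print(may_approve([], msg, CUSTOMER_OVERRIDE_CLASS))        # blocking
    print(may_approve(["CUS"], msg, CUSTOMER_OVERRIDE_CLASS))   # class held
    print(class_for_amount("50000.01"))
```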


ACTIVITY

• Who is currently logged onto the System
• Which Application, Function and Record ID are being used


PROTOCOL

• These fields within the USER Application allow the Security Administrator to decide the usage information that needs to be recorded in PROTOCOL
• All Security Violations will be automatically recorded
• A PROTOCOL report will be produced each working day


PROTOCOL

Historical activity



AUDIT TRAIL

• Temenos T24 uses a comprehensive Audit Trail (or Audit Log) to allow the System Administrator to see who is accessing the system and when.
• It shows the following information
– Record Status
– Current Record No
– Inputter
– Date and Time
– Authoriser
– OVERRIDE.CLASS Information
– Audit Code, Date and Time


Workshop - 7

• Create a new user
• Give him access to audit records
• Log in as this user
• Check whether you have correct access


AUDIT TRAIL



USER.EXTERNAL.FIELD

• This table will allow the user to specify, for each T24 Application, which field number(s) identify a 'Customer' or 'Account' field.
• Used by the Security Management System to control EXTERNAL type users for whom specific Customer and account number(s) have been specified on the profile
• An override will need to be approved when CUSTOMER.FD field input is not of a 'CUS' type and ACCOUNT.FD field input is not of ‘ACC’, ‘ALL’ or ‘ANT’ type.


User profile of an external user

External User - TRIAL

• Restricted access to records of Customer(s)
• Restricted access to Branch, Applications and functionalities


Example of typical operation

The dropdown has only the respective customer’s account

