Did you know that there are over 3,900 known vulnerabilities?

As we begin the New Year, the time is right to schedule penetration-vulnerability testing for Yennik, Inc. The FFIEC interagency Information Security Booklet states in part that financial institutions should have at least an annual independent penetration test. Since we are IT auditors, we can provide the independent penetration-vulnerability testing required by your examiners. For more information, please visit our web site at http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.
FYI - 'Phishing' attacks rocket in November - Fraudsters ramped up "phishing" attacks by 29 percent in November, according to a new report.
http://asia.cnet.com/news/security/printfriendly.htm?AT=39209629-39037064t-39000005c

FYI - Agencies Announce Final Rules on Disposal of Consumer Information - The federal bank and thrift regulatory agencies today announced interagency final rules to require financial institutions to adopt measures for properly disposing of consumer information derived from credit reports.
Press Release: www.federalreserve.gov/boarddocs/press/bcreg/2004/20041221/default.htm
Press Release: http://www.ots.treas.gov/docs/7/77452.html
Press Release: www.fdic.gov/news/news/press/2004/pr12804.html
Press Release: www.occ.treas.gov/scripts/newsrelease.aspx?JNR=1&Doc=H3RLP4BE.xml
Attachment: www.occ.treas.gov/ftp/release/2004-113a.pdf

FYI - Automated Clearing House - This bulletin advises national banks and examiners about three amendments to National Automated Clearing House Association Operating Rules that became effective in 2004. The bulletin supplements guidance on Automated Clearing House activities outlined in the FFIEC IT Handbook, "Retail Payment Systems," dated March 2004.
www.occ.treas.gov/ftp/bulletin/2004-58.txt

FYI - FDIC Receives Technology Award - The Federal Deposit Insurance Corporation recently received a 2004 Enterprise Architecture Excellence Award from the Zachman Institute for Framework Advancement for its initiative to manage corporate data collaboratively.
www.fdic.gov/news/news/press/2004/pr13104.html
INTERNET COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 1 of 3)
E-mail and Internet-related fraudulent schemes, such as "phishing"
(pronounced "fishing"), are being perpetrated with increasing
frequency, creativity and intensity. Phishing involves the use of
seemingly legitimate e-mail messages and Internet Web sites to
deceive consumers into disclosing sensitive information, such as
bank account information, Social Security numbers, credit card
numbers, passwords, and personal identification numbers (PINs). The
perpetrator of the fraudulent e-mail message may use various means
to convince the recipient that the message is legitimate and from a
trusted source with which the recipient has an established business
relationship, such as a bank. Techniques such as a false "from"
address or the use of seemingly legitimate bank logos, Web links and
graphics may be used to mislead e-mail recipients.
In most phishing schemes, the fraudulent e-mail message will request
that recipients "update" or "validate" their financial or personal
information in order to maintain their accounts, and direct them to
a fraudulent Web site that may look very similar to the Web site of
the legitimate business. These Web sites may include copied or
"spoofed" pages from legitimate Web sites to further trick consumers
into thinking they are responding to a bona fide request. Some
consumers will mistakenly submit financial and personal information
to the perpetrator who will use it to gain access to financial
records or accounts, commit identity theft or engage in other
illegal acts.
The Federal Deposit Insurance Corporation (FDIC) and other
government agencies have also been "spoofed" in the perpetration of
e-mail and Internet-related fraudulent schemes. For example, in
January 2004, a fictitious e-mail message that appeared to be from
the FDIC was widely distributed, and it told recipients that their
deposit insurance would be suspended until they verified their
identity. The e-mail message included a hyperlink to a fraudulent
Web site that looked similar to the FDIC's legitimate Web site and
asked for confidential information, including bank account
information.
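As an added example (not part of the FDIC guidance or of this newsletter), the following Python checks a message for two of the tells described above: a reply address whose host differs from the "from" host, and links whose target host is neither the sender's host nor the host shown in the visible link text. The message, every domain and address in it, and the anchor regex are constructed for the example and are assumptions, not real mail or a production parser.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; every domain and address here is a placeholder.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@bank.example>
Reply-To: verify@bank-verify.example.net
Subject: Please validate your account
Content-Type: text/html

<html><body>
<p>Please <a href="http://bank-verify.example.net/login">update your account</a>
at <a href="http://203.0.113.5/bank">https://www.bank.example</a>.</p>
</body></html>
"""

# Good enough for the constructed sample; real mail needs a proper HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(value):
    """Lowercased host of a URL or mailbox, with a leading 'www.' dropped."""
    host = urlparse(value).hostname if "://" in value else value.rsplit("@", 1)[-1]
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def phishing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message)
    findings = []
    sender = host_of(parseaddr(msg.get("From", ""))[1])
    reply_to = host_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to and reply_to != sender:
        findings.append(f"reply-to host {reply_to} differs from sender host {sender}")
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        target = host_of(href)
        if target != sender:
            findings.append(f"link target {target} is not the sender host {sender}")
        shown = re.sub(r"<[^>]+>", "", text).strip()  # visible anchor text only
        if "://" in shown and host_of(shown) != target:
            findings.append(f"link text shows {host_of(shown)} but goes to {target}")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the sample it reports four findings: the mismatched reply-to host, two links off the sender's host, and the link whose visible text names the bank while the href goes to an IP address.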
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Testing Risks to Data Integrity, Confidentiality, and Availability.
Management is responsible for carefully controlling information
security tests to limit the risks to data integrity,
confidentiality, and system availability. Because testing may
uncover nonpublic customer information, appropriate safeguards to
protect the information must be in place. Contracts with third
parties to provide testing services should require that the third
parties implement appropriate measures to meet the objectives of
section 501(b) of the GLBA. Management also is responsible for
ensuring that employee and contract personnel who perform the tests
or have access to the test results have passed appropriate
background checks, and that contract personnel are appropriately
bonded. Because certain tests may pose more risk to system
availability than other tests, management is responsible for
considering whether to require the personnel performing those tests
to maintain logs of their testing actions. Those logs can be helpful
should the systems react in an unexpected manner.
Confidentiality of Test Plans and Data. Since knowledge of test
planning and results may facilitate a security breach, institutions
should carefully limit the distribution of their testing
information. Management is responsible for clearly identifying the
individuals responsible for protecting the data and provide guidance
for that protection, while making the results available in a useable
form to those who are responsible for following up on the tests.
Management also should consider requiring contractors to sign
nondisclosure agreements and to return to the institution
information they obtained in their testing.
IT SECURITY QUESTION: ENCRYPTION

4. Determine whether adequate provision is made for different cryptographic keys for different uses and data.
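As an added illustration (not from the booklet or this newsletter) of what "different keys for different uses and data" looks like in practice, this Python derives per-purpose keys from one master key with HKDF-SHA256 (RFC 5869), using an info label that binds each key to one use and one data class, and then scans a key inventory for keys that serve more than one combination, which is the condition the question asks the examiner to look for. The label prefix, the key ids and the inventory are constructed assumptions.

```python
import hashlib
import hmac

def hkdf_extract(salt, ikm):
    """RFC 5869 extract step with HMAC-SHA256: turns keying material into a PRK."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk, info, length):
    """RFC 5869 expand step; the info label is what keeps the outputs independent."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def purpose_key(master, use, data_class, length=32):
    """Derive a key bound to one use and one data class (label prefix is assumed)."""
    info = b"example-bank/" + use.encode() + b"/" + data_class.encode()
    return hkdf_expand(hkdf_extract(b"\x00" * 32, master), info, length)

def shared_key_findings(key_inventory):
    """key_inventory maps key id -> list of (use, data_class) pairs.
    Returns the keys that serve more than one pair, i.e. keys not separated by use."""
    findings = {}
    for key_id, usages in key_inventory.items():
        distinct = set(usages)
        if len(distinct) > 1:
            findings[key_id] = sorted(distinct)
    return findings

# Constructed inventory: k-2004-01 is reused for different uses and data classes.
INVENTORY = {
    "k-2004-01": [("encrypt", "customer-pii"), ("mac", "customer-pii"),
                  ("encrypt", "audit-logs")],
    "k-2004-02": [("encrypt", "backups")],
}

if __name__ == "__main__":
    master = b"\x11" * 32  # constructed master key, never use a fixed value in practice
    for use, cls in [("encrypt", "customer-pii"), ("mac", "customer-pii"), ("encrypt", "audit-logs")]:
        print(use, cls, purpose_key(master, use, cls).hex()[:16])
    print("keys reused across uses/data:", shared_key_findings(INVENTORY))
```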
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Initial Privacy Notice

1) Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all customers not later than when the customer relationship is established, other than as allowed in paragraph (e) of section four (4) of the regulation? [§4(a)(1)]

(Note: no notice is required if nonpublic personal information is disclosed to nonaffiliated third parties only under an exception in Sections 14 and 15, and there is no customer relationship. [§4(b)] With respect to credit relationships, an institution establishes a customer relationship when it originates a consumer loan. If the institution subsequently sells the servicing rights to the loan to another financial institution, the customer relationship transfers with the servicing rights. [§4(c)])