R. Kinney Williams & Associates

Internet Banking News

January 12, 2003

FYI - Securing Outlook, Part Two: Many Choices to Make - This is the second of two articles focusing on ways to secure one of the world's most popular e-mail clients, Microsoft's Outlook. The first article offered a brief overview of Outlook, as well as some of the threats that undermine its security. It also discussed configuring Outlook for optimal security. This article will look at some more things that Outlook users can do to improve their e-mail security.  http://online.securityfocus.com/infocus/1652 

FYI  - California disclosure law has national reach - A new California law requiring companies to notify their customers of computer security breaches applies to any online business that counts Californians as customers, even if the company isn't based in the Golden State.  http://online.securityfocus.com/news/1984 

FYI - Security Threats to Beware of in 2003 - In this New Year, virus attacks just begin with e-mail. Here's what to do to stay safe from Internet-borne nasties.  http://www.pcworld.com/news/article/0,aid,108376,tk,wb010703x,00.asp 

FYI - Wal-Mart to offer discount financial services - Wal-Mart is introducing basic financial services for US customers, using the same low-margin strategy that has turned it into the world's biggest retailer.  http://www.yennik.com/article_walmart1-7-03.htm 

FYI - Feds back off proposed disaster recovery regs for Wall Street - Federal regulators have reportedly dropped a proposed plan to require Wall Street firms to move their disaster recovery data centers 200 to 300 miles away from primary data centers, according to an announcement by a U.S. senator.  http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,77250,00.html 

FYI - Virus outlook: Bigger trouble ahead - The year 2002 may have been relatively quiet for virus attacks, but security experts say that this is likely to be the calm before the storm. In 2003, they say, new breeds of computer attacks are likely to emerge that are capable of knocking out millions of computers around the Internet in a matter of minutes.  http://msn.com.com/2100-1105-979066.html 

INTERNET COMPLIANCE
Advertisement Of Membership

The FDIC and NCUA consider every insured depository institution's online system top-level page, or "home page", to be an advertisement. Therefore, according to these agencies' interpretation of their rules, financial institutions subject to the regulations should display the official advertising statement on their home pages unless subject to one of the exceptions described under the regulations. Furthermore, each subsidiary page of an online system that contains an advertisement should display the official advertising statement unless subject to one of the exceptions described under the regulations. Additional information about the FDIC's interpretation can be found in the Federal Register, Volume 62, Page 6145, dated February 11, 1997.

INTERNET SECURITY
We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."

PENETRATION ANALYSIS (Part 2 of 2)

A penetration analysis itself can introduce new risks to an institution; therefore, several items should be considered before having an analysis completed, including the following:

1) If using outside testers, the reputation of the firm or consultants hired. The evaluators will assess the weaknesses in the bank's information security system. As such, the confidentiality of results and bank data is crucial. Just like screening potential employees prior to their hire, banks should carefully screen firms, consultants, and subcontractors who are entrusted with access to sensitive data. A bank may want to require security clearance checks on the evaluators. An institution should ask if the evaluators have liability insurance in case something goes wrong during the test. The bank should enter into a written contract with the evaluators, which at a minimum should address the above items.

2) If using internal testers, the independence of the testers from system administrators.

3) The secrecy of the test. Some senior executives may order an analysis without the knowledge of information systems personnel. This can create unwanted results, including the notification of law enforcement personnel and wasted resources responding to an attack. To prevent excessive responses to the attacks, bank management may consider informing certain individuals in the organization of the penetration analysis.

4) The importance of the systems to be tested. Some systems may be too critical to be exposed to some of the methods used by the evaluators, such as a critical database that could be damaged during the test.

FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.

PRIVACY EXAMINATION QUESTION - We finish our series of listing the regulatory-privacy examination questions.  Next week, we will cover the issues outlined in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

50.  If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in 4(a)(2), opt out in 7 and 10, revised notice in 8, and for service providers and joint marketers in 13, not apply because the institution makes the disclosure:

a.  with the consent or at the direction of the consumer; [15(a)(1)]
b.
1.  to protect the confidentiality or security of records; [15(a)(2)(i)]
2.  to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; [15(a)(2)(ii)]
3.  for required institutional risk control or for resolving consumer disputes or inquiries; [15(a)(2)(iii)]
4.  to persons holding a legal or beneficial interest relating to the consumer; [15(a)(2)(iv)] or
5.  to persons acting in a fiduciary or representative capacity on behalf of the consumer; [15(a)(2)(v)]
c.  to insurance rate advisory organizations, guaranty funds or agencies, agencies rating the institution, persons assessing compliance, and the institution's attorneys, accountants, and auditors; [15(a)(3)]
d.  in compliance with the Right to Financial Privacy Act, or to law enforcement agencies; [15(a)(4)]
e.  to a consumer reporting agency in accordance with the FCRA or from a consumer report reported by a consumer reporting agency; [15(a)(5)]
f.  in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit, if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; [15(a)(6)]
g.  to comply with Federal, state, or local laws, rules, or legal requirements; [15(a)(7)(i)]
h.  to comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; [15(a)(7)(ii)] or
i.  to respond to judicial process or government regulatory authorities having jurisdiction over the institution for examination, compliance, or other purposes as authorized by law? [15(a)(7)(iii)]

(Note: the regulation gives the following as an example of the exception described in section a of this question: "A consumer may specifically consent to [an institution's] disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to [the institution] for a mortgage so that the insurance company can offer homeowner's insurance to the consumer.")

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 
