FTC eyes network operators in spam battle
- The Federal Trade Commission
and its counterparts in 26 other nations began sending e-mail to
tens of thousands of people believed to be responsible for open
relays and open proxies that spammers use as broadcast points for
massive amounts of junk mail.
Inspector General cuffs
IRS security staff for performance woes -
IRS system administrators and security
specialists continue to fumble and allow system vulnerabilities
because accountability for carrying out security tasks and training
is insufficient, a new inspector general’s report contends.
- Bank group offers guidelines on
outsourcing security risks - A
consortium of the country's top financial services firms last week
published a set of industry guidelines to use in evaluating the
security risks of IT outsourcing deals.
You will find the 125 page report at at
- NIST releases telnet, IT security drafts
Draft documents on computer security released by the
National Institute of Standards and Technology give an example of
how unauthorized telnet users simply identify themselves as a guest
to gain access to sensitive government files.
Risk Management Guide for Information Technology Systems:
Internet Fraud Tops FTC Complaints List
Reports of Internet-related fraud accounted for 55 per
cent of consumer complaints filed with the Federal Exchange
Commission (FTC) during 2003, the agency has announced.
Return to the top of the
COMPLIANCE - We continue our review of the FFIEC
interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
The strategy that financial institutions choose when
implementing weblinking relationships should address ways to avoid
customer confusion regarding linked third-party products and
services. This includes disclaimers and disclosures to limit
customer confusion and a customer service plan to address confusion
when it occurs.
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous webpage
disclosures to explain their limited role and responsibility with
respect to products and services offered through linked third-party
websites. The level of detail of the disclosure and its prominence
should be appropriate to the harm that may ensue from customer
confusion inherent in a particular link. The institution might post
a disclosure stating it does not provide, and is not responsible
for, the product, service, or overall website content available at a
third-party site. It might also advise the customer that its privacy
polices do not apply to linked websites and that a viewer should
consult the privacy disclosures on that site for further
information. The conspicuous display of the disclosure, including
its placement on the appropriate webpage, by effective use of size,
color, and graphic treatment, will help ensure that the information
is noticeable to customers. For example, if a financial institution
places an otherwise conspicuous disclosure at the bottom of its
webpage (requiring a customer to scroll down to read it), prominent
visual cues that emphasize the information's importance should point
the viewer to the disclosure.
In addition, the technology used to provide disclosures is
important. While many institutions may simply place a disclaimer
notice on applicable webpages, some institutions use
"pop-ups," or intermediate webpages called
"speedbumps," to notify customers they are leaving the
institution's website. For the reasons described below, financial
institutions should use speedbumps rather than pop-ups if they
choose to use this type of technology to deliver their online
A "pop up" is a screen generated by mobile code, for
example Java or Active X, when the customer clicks on a particular
hyperlink. Mobile code is used to send small programs to the user's
browser. Frequently, those programs cause unsolicited messages to
appear automatically on a user's screen. At times, the programs may
be malicious, enabling harmful viruses or allowing unauthorized
access to a user's personal information. Consequently, customers may
reconfigure their browsers or install software to block disclosures
delivered via mobile codes.
In contrast, an intermediate webpage, or "speedbump,"
alerts the customer to the transition to the third-party website.
Like a pop-up, a speedbump is activated when the customer clicks on
a particular weblink. However, use of a speedbump avoids the
problems of pop-up technology, because the speedbump is not
generated externally using mobile code, but is created within the
institution's operating system, and cannot be disabled by the
Return to the top of the
INFORMATION SYSTEMS SECURITY
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Firewall Services and Configuration
Firewalls may provide some additional services:
! Network address translation (NAT) - NAT readdresses outbound
packets to mask the internal IP addresses of the network. Untrusted
networks see a different host IP address from the actual internal
address. NAT allows an institution to hide the topology and address
schemes of its trusted network from untrusted networks.
! Dynamic host configuration protocol (DHCP) - DHCP assigns IP
addresses to machines that will be subject to the security controls
of the firewall.
! Virtual Private Network (VPN) gateways - A VPN gateway provides an
encrypted tunnel between a remote external gateway and the internal
network. Placing VPN capability on the firewall and the remote
gateway protects information from disclosure between the gateways
but not from the gateway to the terminating machines.
Placement on the firewall, however, allows the firewall to
inspect the traffic and perform access control, logging, and
malicious code scanning.
One common firewall implementation in financial institutions hosting
Internet applications is a DMZ, which is a neutral Internet
accessible zone typically separated by two firewalls. One firewall
is between the institution’s private network and the DMZ and then
another firewall is between the DMZ and the outside public network.
The DMZ constitutes one logical security domain, the outside public
network is another security domain, and the institution’s internal
network may be composed of one or more additional logical security
domains. An adequate and effectively managed firewall can ensure
that an institution’s computer systems are not directly accessible
to any on the Internet.
Financial institutions have a variety of firewall options from which
to choose depending on the extent of Internet access and the
complexity of their network. Considerations include the ease of
firewall administration, degree of firewall monitoring support
through automated logging and log analysis, and the capability to
provide alerts for abnormal activity.
Return to the top of the
C. HOST SECURITY
10. Determine if vulnerability testing takes
place after each configuration change.
Return to the top of the
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
28. Does the institution refrain from
requiring all joint consumers to opt out before implementing any opt
out direction with respect to the joint account? [§7(d)(4)]
29. Does the institution comply with a consumer's direction to opt
out as soon as is reasonably practicable after receiving it? [§7(e)]