R. Kinney Williams & Associates

Internet Banking News

March 21, 2004

CONTENTS: Internet Compliance | Information Systems Security | IT Security Question | Internet Privacy | Website for Penetration Testing


FYI -
FBI adds to wiretap wish list - A far-reaching proposal from the FBI would require all broadband Internet providers, including cable modem and DSL companies, to rewire their networks to support easy wiretapping by police. 
http://news.com.com/2102-1028_3-5172948.html?tag=st.util.print

FYI - Hosting company reveals hacks, citing disclosure law - Citing California's security breach disclosure law, Texas-based Allegiance Telecom notified 4,000 Web hosting customers of a recent computer intrusion that exposed their usernames and passwords, in a case that experts say illustrates the security sunshine law's national influence.  http://www.securityfocus.com/printable/news/8240

FYI - USB Tokens Smaller, Cheaper, More Secure - USB authentication tokens are back, and they're better than ever.  http://www.internetweek.com/story/showArticle.jhtml?articleID=18312205

FYI - School officials: 13-year-old hacker wiped out school records from computer system - A middle school student hacked into a server that stored records for a computerized student reading program and deleted the files. 
Article:  http://www.morningjournal.com/site/news.cfm?newsid=11111924&BRD=1699&PAG=461&dept_id=46371&rfi=6
Follow-up:   http://www.morningjournal.com/site/news.cfm?BRD=1699&dept_id=46368&newsid=11117845&PAG=461&rfi=9

FYI - SANS Institute's Alan Paller talks about fighting back hackers - He laid out the seven most common and dangerous kinds of security attacks.  http://www.computerworld.com/printthis/2004/0,4814,90955,00.html

FYI - For the third time since December 2001, a federal district court ordered the Department of the Interior to disconnect its computer systems from the Internet due to pervasive security weaknesses.  http://www.indiantrust.com/index.cfm?FuseAction=PressReleases.ViewDetail&PressRelease_id=102&Month=3&Year=2004

FYI - GAO - Information Security: Technologies to Secure Federal Systems. 
http://www.gao.gov/cgi-bin/getrpt?GAO-04-467
Highlights - http://www.gao.gov/highlights/d04467high.pdf



INTERNET COMPLIANCE

Reserve Requirements of Depository Institutions (Regulation D)

Pursuant to the withdrawal and transfer restrictions imposed on savings deposits, electronic transfers, electronic withdrawals (paid electronically) or payments to third parties initiated by a depositor from a personal computer are included as a type of transfer subject to the six transaction limit imposed on passbook savings and MMDA accounts.

Institutions also should note that, to the extent stored value or other electronic money represents a demand deposit or transaction account, the provisions of Regulation D would apply to such obligations. 

Consumer Leasing Act (Regulation M)


The regulation provides examples of advertisements that clarify the definition of an advertisement under Regulation M. The term advertisement includes messages inviting, offering, or otherwise generally announcing to prospective customers the availability of consumer leases, whether in visual, oral, print, or electronic media. Included in the examples are on-line messages, such as those on the Internet. Therefore, such messages are subject to the general advertising requirements.


INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  


SECURITY CONTROLS - IMPLEMENTATION - APPLICATION ACCESS (Part 2 of 2)


Institution management should consider a number of issues regarding application-access control. Many of these issues could also apply to oversight of operating system access:

- Implementing a robust authentication method consistent with the criticality and sensitivity of the application. Historically, the majority of applications have relied solely on user IDs and passwords, but increasingly applications are using other forms of authentication. Multi-factor authentication, such as token and PKI-based systems coupled with a robust enrollment process, can reduce the potential for unauthorized access.
- Maintaining consistent processes for assigning new user access, changing existing user access, and promptly removing access from departing employees.
- Communicating and enforcing the responsibilities of programmers (including TSPs and vendors), security administrators, and business line owners for maintaining effective application-access control. Business line managers are responsible for the security and privacy of the information within their units. They are in the best position to judge the legitimate access needs of their area and should be held accountable for doing so. However, they require support in the form of adequate security capabilities provided by the programmers or vendor and adequate direction and support from security administrators.
- Monitoring existing access rights to applications to help ensure that users have the minimum access required for the current business need. Typically, business application owners must assume responsibility for determining the access rights assigned to their staff within the bounds of the AUP. Regardless of the process for assigning access, business application owners should periodically review and approve the application access assigned to their staff.
- Setting time-of-day or terminal limitations for some applications or for the more sensitive functions within an application. The nature of some applications requires limiting the location and number of workstations with access. These restrictions can support the implementation of tighter physical access controls.
- Logging access and events.
- Easing the administrative burden of managing access rights by utilizing software that supports group profiles. Some financial institutions manage access rights individually, which often leads to inappropriate access levels. By grouping employees with similar access requirements under a common access profile (e.g., tellers, loan operations, etc.), business application owners and security administrators can better assign and oversee access rights. For example, a teller performing a two-week rotation as a proof operator does not need year-round access to perform both jobs. With group profiles, security administrators can quickly reassign the employee from a teller profile to a proof operator profile. Note that group profiles are used only to manage access rights; accountability for system use is maintained through individuals being assigned their own unique identifiers and authenticators.
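The following is an added illustration, not part of the FFIEC booklet or this newsletter, of how several of the points above fit together in one small access-control model: group profiles (teller, proof operator, loan operations), time-of-day and terminal limits on a sensitive function, prompt revocation for a departing employee, per-user logging for accountability, and a periodic review that compares live assignments against the business owner's approved list. The profile names, function names, terminal IDs, user IDs and timestamps are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

# Constructed group profiles: profile name -> application functions it may use.
# Rights are attached to the profile, never to the individual user.
PROFILES: Dict[str, Set[str]] = {
    "teller": {"cash_drawer", "deposit_post"},
    "proof_operator": {"proof_batch", "item_correct"},
    "loan_ops": {"loan_fund", "loan_payoff"},
}

# Constructed time-of-day / terminal limits for a sensitive function:
# function -> (window start, window end, permitted terminal IDs).
RESTRICTED: Dict[str, Tuple[time, time, Set[str]]] = {
    "loan_fund": (time(8, 0), time(18, 0), {"LOANPC01", "LOANPC02"}),
}


@dataclass
class AccessSystem:
    """Access rights are managed per profile; accountability stays per user ID."""
    assignments: Dict[str, str] = field(default_factory=dict)  # user ID -> profile
    log: List[dict] = field(default_factory=list)              # every assign/revoke/access event

    def _record(self, **event) -> None:
        self.log.append(event)

    def assign(self, user: str, profile: str, approved_by: str) -> None:
        """Assign or reassign a profile (e.g. teller -> proof operator for a rotation)."""
        if profile not in PROFILES:
            raise ValueError(f"unknown profile {profile!r}")
        previous = self.assignments.get(user)
        self.assignments[user] = profile
        self._record(kind="assign", user=user, old=previous, new=profile, by=approved_by)

    def revoke(self, user: str, approved_by: str) -> None:
        """Remove all application access, e.g. for a departing employee."""
        previous = self.assignments.pop(user, None)
        self._record(kind="revoke", user=user, old=previous, new=None, by=approved_by)

    def check(self, user: str, function: str, terminal: str, at: datetime) -> Tuple[bool, str]:
        """Decide one access request and log the decision against the individual user ID."""
        profile = self.assignments.get(user)
        if profile is None:
            verdict = (False, "no active profile")
        elif function not in PROFILES[profile]:
            verdict = (False, f"function not in profile {profile}")
        elif function in RESTRICTED:
            start, end, terminals = RESTRICTED[function]
            if not (start <= at.time() < end):
                verdict = (False, "outside permitted hours")
            elif terminal not in terminals:
                verdict = (False, "terminal not permitted")
            else:
                verdict = (True, "allowed")
        else:
            verdict = (True, "allowed")
        self._record(kind="access", user=user, function=function, terminal=terminal,
                     at=at.isoformat(), allowed=verdict[0], reason=verdict[1])
        return verdict

    def review(self, expected: Dict[str, str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
        """Periodic review: compare live assignments with the business owner's approved list.
        Returns (user, current_profile, expected_profile) for every mismatch."""
        findings = []
        for user in sorted(set(self.assignments) | set(expected)):
            current, wanted = self.assignments.get(user), expected.get(user)
            if current != wanted:
                findings.append((user, current, wanted))
        return findings


def demo() -> dict:
    """Walk through the scenarios in the text and return each decision for inspection."""
    s = AccessSystem()
    s.assign("jsmith", "teller", approved_by="branch_mgr")
    s.assign("mlee", "loan_ops", approved_by="loan_mgr")
    day = datetime(2004, 3, 22, 10, 0)
    results = {
        "teller_cash": s.check("jsmith", "cash_drawer", "TELL01", day),
        "teller_proof": s.check("jsmith", "proof_batch", "TELL01", day),
    }
    s.assign("jsmith", "proof_operator", approved_by="branch_mgr")  # two-week rotation
    results["rotated_proof"] = s.check("jsmith", "proof_batch", "PROOF01", day)
    results["rotated_cash"] = s.check("jsmith", "cash_drawer", "TELL01", day)
    results["loan_day"] = s.check("mlee", "loan_fund", "LOANPC01", day)
    results["loan_night"] = s.check("mlee", "loan_fund", "LOANPC01", datetime(2004, 3, 22, 22, 0))
    results["loan_wrong_term"] = s.check("mlee", "loan_fund", "TELL01", day)
    s.revoke("mlee", approved_by="loan_mgr")  # departing employee
    results["revoked"] = s.check("mlee", "loan_payoff", "LOANPC01", datetime(2004, 3, 23, 10, 0))
    # The business owner's list still says "teller"; the review flags the rotation for approval.
    results["review"] = s.review({"jsmith": "teller"})
    results["log_entries"] = len(s.log)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the `review` step is the one the booklet makes: the security administrator can move a user between profiles in seconds, but the business application owner remains the party who must periodically confirm that what is assigned matches what the current job requires.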


IT SECURITY QUESTION:

D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)

3. Determine whether adequate inspection for, and removal of, unauthorized hardware and software takes place.


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

37.  For annual notices only, if the institution does not employ one of the methods described in question 36, does the institution employ one of the following reasonable means of delivering the notice such as:

a. for the customer who uses the institution's web site to access products and services electronically and who agrees to receive notices at the web site, continuously posting the current privacy notice on the web site in a clear and conspicuous manner; [§9(c)(1)] or

b. for the customer who has requested the institution refrain from sending any information about the customer relationship, making copies of the current privacy notice available upon customer request? [§9(c)(2)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated