R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

March 23, 2003

FYI- NCUA - Wireless Technology - The purpose of this letter is to provide important considerations for credit unions that are currently engaged in or may be considering the use of wireless technology.  www.ncua.gov/ref/letters/2003/03-CU-03.htm

FYI  - OTS Releases Guidance on Third Party Arrangements - The Office of Thrift Supervision (OTS) today issued general guidance for savings associations and examiners on outsourcing relationships. www.ots.treas.gov/docs/77310.html

FYI- IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by “spoofing” the IP address of that machine. In this article, we will examine the concepts of IP spoofing: why it is possible, how it works, what it is used for and how to defend against it.  http://www.securityfocus.com/infocus/1674 

FYI- How a managed security provider helps protect the enterprise - Having followed the history of intrusion-detection systems (IDS) during the past few years and understanding the different deployment methodologies, we believe IDS has finally come of age.  http://www.computerworld.com/securitytopics/security/story/0,10801,79255,00.html?nas=SEC-79255 

FYI - LapLink says hackers left key clue - The hackers used the login names and passwords of two former employees.  Most companies intend to delete an employee's computer account after that person leaves, but sometimes they don't follow through.  http://seattletimes.nwsource.com/html/businesstechnology/134653561_laplink150.html 

FYI - For sale: memory stick plus cancer patient records - Health bosses in Lancashire are facing awkward questions after confidential medical records of 13 cancer patients found their way onto a portable memory stick, which was repackaged and sold as new to a Crewe estate agent.  http://www.theregister.co.uk/content/55/29752.html 

FYI - Hundreds warned as data disappears - British Columbia's Ministry of Human Resources is warning 568 people to keep a close eye on their bank accounts and credit cards after confidential, personal information was stolen during a break-in.  http://www.globetechnology.com/servlet/story/RTGAM.20030311.wdata311/GTStory 

INTERNET COMPLIANCEThe Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:

When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services.  Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk.  The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed.  This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.

The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan.  This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements.  For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer.  The compliance officer can also be an ongoing resource to test the system for regulatory compliance.

The FFIEC along with the OCC, FDIC, OTS, FRB, and NCUA released the first booklet of the much anticipated IT Examination Handbook.  The first booklet released, Information Security, is a comprehensive discussion of about computer security.  This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and most important your outsourced network security consultants.   

Because of the importance of computer security, we will begin a new series this week that will cover the Information Systems Booklet.  We will also start sharing one or two questions from the examination procedures.   Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription for at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter. 


Information security enables a financial institution to meet its business objectives by implementing business systems with due consideration of information technology (IT) -  related risks to the organization, business and trading partners, technology service providers, and customers. Organizations meet this goal by striving to accomplish the following objectives.

1)  Availability - The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information and/or systems.

2)  Integrity of Data or Systems - System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.

3)  Confidentiality of Data or Systems - Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.

4)  Accountability - Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, intrusion detection, recovery, and legal admissibility of records.

5)  Assurance - Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended. Assurance levels are part of the system design and include availability, integrity, confidentiality, and accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions.

Appropriate security controls are necessary for financial institutions to challenge potential customer or user claims that they did not initiate a transaction. Financial institutions can accomplish this by achieving both integrity and accountability to produce what is known as non-repudiation. Non-repudiation occurs when the financial institution demonstrates that the originators who initiated the transaction are who they say they are, the recipient is the intended counter party, and no changes occurred in transit or storage. Non-repudiation can reduce fraud and promote the legal enforceability of electronic agreements and transactions. While non-repudiation is a goal and is conceptually clear, the manner in which non-repudiation can be achieved for electronic systems in a practical, legal sense may have to wait for further judicial clarification.


- Access Rights Administration

1. Evaluate the adequacy of policies and procedures for authentication and access controls to manage effectively the risks to the financial institution.

• Evaluate the processes that management uses to define access rights and privileges (e.g., software and/or hardware systems access) and determine if they are based upon business need requirements.

• Review processes that assign rights and privileges and ensure that they take into account and provide for adequate segregation of duties.

• Determine if access rights are the minimum necessary for business purposes. If greater access rights are permitted, determine why the condition exists and identify any mitigating issues or compensating controls.

• Ensure that access to operating systems is based on either a need-to-use or an event-by-event basis.

- We continue our coverage of the various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Financial Institution Duties ( Part 3 of 6)

Requirements for Notices

Clear and Conspicuous. Privacy notices must be clear and conspicuous, meaning they must be reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. The regulations do not prescribe specific methods for making a notice clear and conspicuous, but do provide examples of ways in which to achieve the standard, such as the use of short explanatory sentences or bullet lists, and the use of plain-language headings and easily readable typeface and type size. Privacy notices also must accurately reflect the institution's privacy practices.

Delivery Rules. Privacy notices must be provided so that each recipient can reasonably be expected to receive actual notice in writing, or if the consumer agrees, electronically. To meet this standard, a financial institution could, for example, (1) hand-deliver a printed copy of the notice to its consumers, (2) mail a printed copy of the notice to a consumer's last known address, or (3) for the consumer who conducts transactions electronically, post the notice on the institution's web site and require the consumer to acknowledge receipt of the notice as a necessary step to completing the transaction.

For customers only, a financial institution must provide the initial notice (as well as the annual notice and any revised notice) so that a customer may be able to retain or subsequently access the notice. A written notice satisfies this requirement. For customers who obtain financial products or services electronically, and agree to receive their notices on the institution's web site, the institution may provide the current version of its privacy notice on its web site.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated