R. Kinney Williams & Associates

Internet Banking News

March 28, 2004


FYI - FBI analyst faces trial for surfing law enforcement systems - A former FBI investigative analyst is set to go on trial early next month in Dallas on felony charges related to his alleged misuse of law enforcement databases.  http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25279

FYI  - Credit agency reports security breach - More than 1,400 Canadians, primarily in the provinces of British Columbia and Alberta, have been notified of a major security breach at Equifax Canada Inc., a national consumer-credit reporting agency.   http://www.computerworld.com/printthis/2004/0,4814,91319,00.html

FYI  - Personal data at risk, thousands are warned - San Diego State University is warning more than 178,000 students, alumni and employees that hackers broke into a university computer server where names and Social Security numbers were stored.  http://www.signonsandiego.com/news/computing/20040317-9999-news_7m17hacker.html

FYI  - Part 1: Keys to great security and IT operations - http://www.computerworld.com/printthis/2004/0,4814,91205,00.html

FYI  - Outsourcing: Losing Control - How do you protect sensitive data when it's in the hands of a third party?  http://www.computerworld.com/printthis/2004/0,4814,91085,00.html

FYI - U.S. shuts down Internet 'phishing' scam - The U.S. government said it had arrested a Texas man who crafted fake e-mail messages to trick hundreds of Internet users into providing credit card numbers and other sensitive information.  http://www.cnn.com/2004/TECH/internet/03/22/crime.phishing.reut/index.html


The Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:

When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services.  Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk.  The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed.  This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.

The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan.  This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements.  For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer.  The compliance officer can also be an ongoing resource to test the system for regulatory compliance.


We continue our series on the FFIEC interagency Information Security Booklet.


Many financial institutions use modems, remote-access servers (RAS), and VPNs to provide remote access into their systems or to allow remote access out of their systems. Remote access can support mobile users through wireless, Internet, or dial-in capabilities. In some cases, modem access is required periodically by vendors to make emergency program fixes or to support a system.

Remote access to a financial institution's systems provides an attacker with the opportunity to remotely attack the systems either individually or in groups. Accordingly, management should establish policies restricting remote access and be aware of all remote access devices attached to their systems. These devices should be strictly controlled. Good controls for remote access include the following actions:

- Disallow remote access by policy and practice unless a compelling business justification exists.
- Disable remote access at the operating system level if a business need for such access does not exist.
- Require management approval for remote access.
- Require an operator to leave the modems unplugged or disabled by default, to enable modems only for specific, authorized external requests, and to disable the modem immediately when the requested purpose is completed.
- Configure modems not to answer inbound calls, if modems are for outbound use only.
- Use automated callback features so the modems only call one number (although this is subject to call forwarding schemes).
- Install a modem bank where the outside number to the modems uses a different prefix than internal numbers and does not respond to incoming calls.
- Log and monitor the date, time, user, user location, duration, and purpose for all remote access.
- Require a two-factor authentication process for all remote access (e.g., PIN-based token card with a one-time random password generator).
- Implement controls consistent with the sensitivity of remote use (e.g., remote system administration requires strict controls and oversight, including encrypting the authentication and log-in process).
- Appropriately patch and maintain all remote access software.
- Use trusted, secure access devices.
- Use remote-access servers (RAS) to centralize modem and Internet access, to provide a consistent authentication process, and to subject the inbound and outbound network traffic to firewalls.
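The logging and approval controls above become useful only when someone actually reconciles the remote-access log against the approvals. The following Python script is an added example, not part of the FFIEC booklet or this newsletter; it assumes a constructed comma-separated session log with the fields the booklet names (date, time, user, location, duration, purpose) and a constructed approvals table, and reports every session that has no approval on file, falls outside its approved window, or lacks a recorded purpose.

```python
from datetime import datetime, timedelta

# Constructed sample log: date,time,user,location,duration_min,purpose
SESSION_LOG = """\
2004-03-22,14:05,vendor_acme,203.0.113.7,45,emergency patch ticket 1182
2004-03-22,23:40,vendor_acme,203.0.113.7,90,
2004-03-23,09:15,jdoe,198.51.100.20,30,month-end report pull
2004-03-23,09:15,admin2,198.51.100.44,20,firewall rule review
"""

# Constructed management approvals: user -> (window start, window end, approver)
APPROVALS = {
    "vendor_acme": (datetime(2004, 3, 22, 13, 30), datetime(2004, 3, 22, 15, 30), "CIO"),
    "jdoe": (datetime(2004, 3, 23, 8, 0), datetime(2004, 3, 23, 12, 0), "Ops Mgr"),
}


def parse_sessions(log_text):
    """Parse the six-field log into session records with absolute start/end times."""
    sessions = []
    for line in log_text.strip().splitlines():
        date, time, user, location, duration, purpose = line.split(",", 5)
        start = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        sessions.append({
            "start": start, "end": start + timedelta(minutes=int(duration)),
            "user": user, "location": location, "purpose": purpose.strip(),
        })
    return sessions


def audit(sessions, approvals):
    """Return (session, reason) pairs for every session that violates a control."""
    findings = []
    for s in sessions:
        if not s["purpose"]:
            findings.append((s, "no purpose recorded"))
        window = approvals.get(s["user"])
        if window is None:
            findings.append((s, "no management approval on file"))
            continue
        win_start, win_end, _approver = window
        # The whole session, not just its start, must fit inside the approved window.
        if s["start"] < win_start or s["end"] > win_end:
            findings.append((s, "session outside approved window"))
    return findings


if __name__ == "__main__":
    for s, reason in audit(parse_sessions(SESSION_LOG), APPROVALS):
        print(f"{s['start']:%Y-%m-%d %H:%M} {s['user']:<12} {s['location']:<15} {reason}")
```

On the sample log the first and third sessions pass; the late-night vendor session is flagged twice (no purpose, outside its window) and the admin2 session once (no approval).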




4. Determine whether adequate policies and procedures exist to address the loss of equipment, including laptops and other mobile devices. Such plans should encompass the potential loss of customer data and authentication devices.


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

38. For customers only, does the institution ensure that the initial, annual, and revised notices may be retained or obtained later by the customer in writing, or if the customer agrees, electronically? [9(e)(1)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated