R. Kinney Williams & Associates

Internet Banking News

March 30, 2003

FYI - Research just completed by the Computing Technology Industry Association claims to show that human error is the most frequent cause of IT security breaches.  http://www.computerworld.com/careertopics/careers/training/story/0,10801,79485,00.html

FYI - Telecommunications Service Priority (TSP) Program - Attached is the Financial and Banking Information Infrastructure Committee policy for the sponsorship of critical private sector entities' access to the Telecommunication Service Priority Program administered by the National Communications System.  This document explains the circumstances under which qualifying institutions may seek federal sponsorship for the TSP Program.
Press release:  www.occ.treas.gov/ftp/bulletin/2003-13.txt
Attachment:  http://www.fbiic.gov/policies.htm 
Attachment:  http://www.occ.treas.gov/fr/fedregister/67fr72957.pdf 

FYI - States need cybersecurity focus - A new Zeichner Risk Analytics LLC study found 36 state governments have failed to prepare, adopt and implement acceptable cybersecurity policies, which could have damaging consequences to citizen services, communication systems and critical utilities if the nation were to undergo cyberattacks.  http://www.fcw.com/geb/articles/2003/0324/web-secure-03-24-03.asp 

FYI - The number of European consumers who bank online will reach almost 60 million in 2003, nearly triple the number three years ago, underscoring how important the Internet remains to the financial industry, a new report says.  http://news.com.com/2100-1019-994496.html?tag=cd_mh

FYI - SECURITY TRAINING - If employees have responsibility for security -- whether as system administrators or as security officers, analysts, or consultants -- their employer deserves to know that they have mastered the minimum set of essential skills needed to do the job. Those are the skills covered in the GIAC Security Essentials course (SANS Track 1) and examinations.  (Track 1 Boot Camp also includes the CISSP CBK.) If Track 1 is too advanced, SANS Security+ (SANS Track 9) program is a great starting point. Attend live training in ten cities, mentored training in thirty more cities, or ask to schedule a course at your location. Details at http://www.sans.org 

FYI - Firewalls set to become illegal in many American states - AN INTERESTING PIECE of news has surfaced that will have sys admins fainting in disbelief. Eight states have put forward bills that would have a devastating effect on network security and even networks themselves if they come to pass.  http://www.theinquirer.net/?article=8595 

INTERNET COMPLIANCE - "Member FDIC" Logo - When is it required?

The FDIC believes that every bank's home page is to some extent an advertisement. Accordingly, bank web site home pages should contain the official advertising statement unless the advertisement is subject to exceptions such as advertisements for loans, securities, trust services and/or radio or television advertisements that do not exceed thirty seconds. 

Whether subsidiary web pages require the official advertising statement will depend upon the content of the particular page.  Subsidiary web pages that advertise deposits must contain the official advertising statement.  Conversely, subsidiary web pages that relate to loans do not require the official advertising statement. 

INFORMATION SYSTEMS SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most important, your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter.

SECURITY PROCESS 

Action Summary - Financial institutions should implement an ongoing security process, and assign clear and appropriate roles and responsibilities to the board of directors, management, and employees.

OVERVIEW

The security process is the method an organization uses to implement and achieve its security objectives. The process is designed to identify, measure, manage and control the risks to system and data availability, integrity, and confidentiality, and ensure accountability for system actions. The process includes five areas that serve as the framework for this booklet:

1)  Information Security Risk Assessment - A process to identify threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes.

2)  Information Security Strategy - A plan to mitigate risk that integrates technology, policies, procedures and training. The plan should be reviewed and approved by the board of directors.

3)  Security Controls Implementation - The acquisition and operation of technology, the specific assignment of duties and responsibilities to managers and staff, the deployment of risk-appropriate controls, and assurance that management and staff understand their responsibilities and have the knowledge, skills, and motivation necessary to fulfill their duties.

4)  Security Testing - The use of various methodologies to gain assurance that risks are appropriately assessed and mitigated. These testing methodologies should verify that significant controls are effective and performing as intended.

5)  Monitoring and Updating - The process of continuously gathering and analyzing information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. This information is used to update the risk assessment, strategy, and controls. Monitoring and updating makes the process continuous instead of a one-time event.

Security risk variables include threats, vulnerabilities, attack techniques, the expected frequency of attacks, financial institution operations and technology, and the financial institution’s defensive posture. All of these variables change constantly. Therefore, an institution’s management of the risks requires an ongoing process.


INFORMATION SECURITY QUESTION:

A. AUTHENTICATION AND ACCESS CONTROLS
- Access Rights Administration

2. Determine if the user registration and enrollment process

• Uniquely identifies the user,
• Verifies the need to use the system according to appropriate policy,
• Enforces a unique user ID,
• Assigns and records the proper security attributes (e.g., authorization),
• Enforces the assignment or selection of an authenticator that agrees with the security policy,
• Securely distributes any initial shared secret authenticator or token, and
• Obtains acknowledgement from the user of acceptance of the terms of use.
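The checklist above is written for examiners; the following is an added illustration, not part of the booklet or of this newsletter, of what an enrollment routine that satisfies each point might look like in code. The role-to-system policy table, the password rule (at least 12 characters with both letters and digits), and the PBKDF2 parameters are constructed assumptions for the example; an institution would substitute its own approved policy.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed policy for the example: which roles have a business need for which systems.
ACCESS_POLICY = {
    "teller": {"core_banking"},
    "loan_officer": {"core_banking", "loan_origination"},
    "auditor": {"audit_logs"},
}

PBKDF2_ITERATIONS = 100_000  # assumption; tune to the institution's standard


class EnrollmentError(Exception):
    """Raised when a registration request fails one of the enrollment checks."""


@dataclass
class UserRecord:
    user_id: str
    role: str
    systems: frozenset          # recorded security attributes (authorization)
    salt: bytes
    password_hash: bytes
    must_change: bool           # True when an initial one-time secret was issued
    accepted_terms: bool


def password_meets_policy(password: str) -> bool:
    """Constructed authenticator policy: 12+ chars, at least one letter and one digit."""
    return (len(password) >= 12
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class UserDirectory:
    def __init__(self):
        self._users: dict[str, UserRecord] = {}

    def enroll(self, user_id, role, requested_systems, accepted_terms, password=None):
        """Register a user; returns (record, initial_secret_or_None).

        The initial secret, when generated, is returned to the caller exactly once
        so it can be delivered out of band; it is never stored in clear.
        """
        # Uniquely identifies the user and enforces a unique user ID.
        if not user_id or user_id in self._users:
            raise EnrollmentError("user ID missing or already registered")
        # Verifies the need to use the system according to policy.
        allowed = ACCESS_POLICY.get(role)
        if allowed is None or not set(requested_systems) <= allowed:
            raise EnrollmentError(f"role {role!r} is not authorized for {sorted(requested_systems)}")
        # Obtains acknowledgement of the terms of use before any credential is created.
        if not accepted_terms:
            raise EnrollmentError("terms of use not acknowledged")
        # Enforces an authenticator that agrees with policy, or issues a one-time initial secret.
        initial_secret = None
        must_change = False
        if password is None:
            initial_secret = secrets.token_urlsafe(16)  # cryptographically random initial secret
            password = initial_secret
            must_change = True
        elif not password_meets_policy(password):
            raise EnrollmentError("authenticator does not meet the security policy")
        salt = secrets.token_bytes(16)
        record = UserRecord(user_id, role, frozenset(requested_systems), salt,
                            _hash_password(password, salt), must_change, accepted_terms)
        self._users[user_id] = record
        return record, initial_secret

    def verify(self, user_id: str, password: str) -> bool:
        """Constant-time comparison of a candidate password against the stored hash."""
        record = self._users.get(user_id)
        if record is None:
            return False
        return hmac.compare_digest(_hash_password(password, record.salt), record.password_hash)

    def is_authorized(self, user_id: str, system: str) -> bool:
        record = self._users.get(user_id)
        return record is not None and system in record.systems


if __name__ == "__main__":
    directory = UserDirectory()
    record, secret = directory.enroll("jdoe01", "teller", ["core_banking"], accepted_terms=True)
    print(record.user_id, record.must_change, directory.verify("jdoe01", secret))
```

Each `raise` corresponds to one bullet in the checklist, so an examiner walking the code can map the control to the requirement; the one-time initial secret is returned to the caller rather than logged or stored, which is what makes the distribution step auditable.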


PRIVACY
- We continue our coverage of the various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Financial Institution Duties (Part 4 of 6)

Requirements for Notices
(continued)

Notice Content. A privacy notice must contain specific disclosures. However, a financial institution may provide to consumers who are not customers a "short form" initial notice together with an opt out notice stating that the institution's privacy notice is available upon request and explaining a reasonable means for the consumer to obtain it. The following is a list of disclosures regarding nonpublic personal information that institutions must provide in their privacy notices, as applicable:

1)  categories of information collected;

2)  categories of information disclosed;

3)  categories of affiliates and nonaffiliated third parties to whom the institution may disclose information;

4)  policies with respect to the treatment of former customers' information;

5)  information disclosed to service providers and joint marketers (Section 13);

6)  an explanation of the opt out right and methods for opting out;

7)  any opt out notices the institution must provide under the Fair Credit Reporting Act with respect to affiliate information sharing;

8)  policies for protecting the security and confidentiality of information; and

9)  a statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law (Sections 14 and 15).


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated