R. Kinney Williams & Associates

Internet Banking News

April 4, 2004



FYI - There's No "IT" in "Thrift" - Well, OK, there is. But don't tell the Seattle-area bank that said no to ATMs, e-mail, and Web access. Can it continue to grow and remain monumentally frugal?  http://www.cfo.com/article/1,5309,12602||M|846,00.html

FYI - Laptop Theft Puts GMAC Customers' Data At Risk - Personal data, including Social Security numbers, for about 200,000 GMAC Financial Services customers may have been compromised due to the theft of two laptop computers from an employee's car.  http://www.informationweek.com/shared/printableArticle.jhtml?articleID=18402703

FYI - Would-be whistleblower indicted for keyboard tap - A former claims adjuster for a U.S. insurance company is the first to be charged under federal wiretap law for the covert use of a hardware keystroke logger, after he was caught using the device while secretly helping consumer attorneys gather information to use against his own company.  http://www.securityfocus.com/printable/news/8329

FYI - Cybersecurity liability seen increasing - Hackers, viruses and other online threats don't just create headaches for Internet users--they could also create prison sentences for corporate executives, experts say.  http://news.com.com/2100-7348_3-5180855.html?tag=nefd_top

FYI - Part 2: What it takes to be the best in security and IT operations - http://www.computerworld.com/securitytopics/security/story/0,10801,91586,00.html

FYI - Human error blamed for most security breaches - Eighty-four per cent of organizations quizzed in a survey out today blamed human error "either wholly or in part" for their last major security breach. Last year, human error was cited as the cause of 63 per cent of security breaches. So, if anything, the problem is getting worse.  http://www.theregister.co.uk/content/55/36706.html

FYI - Cybercrimes' True Price: Crime May Not Pay, But Someone Has To Pick Up The Cost  - All security breaches are arguably a bad thing for a company, but recent empirical evidence suggests that most breaches actually don't have a significant economic impact in terms of direct expenses imposed on the companies that suffer them.  That's the good news.  The bad news is that the indirect costs associated with cybersecurity breaches can lead to significant economic punishment.  http://www.informationweek.com/shared/printableArticle.jhtml?articleID=18402607

FYI - Retail Payment Systems Guidance Released by Federal Financial Institution Regulators - The Federal Financial Institutions Examination Council today issued revised guidance for examiners, financial institutions, and technology service providers on the risks associated with retail payment systems.
FFIEC:  www.ffiec.gov/press/pr033104.htm 
OTS:  http://www.ots.treas.gov/docs/77407.html
OCC:  www.occ.treas.gov/ftp/bulletin/2004-14.txt 
NCUA:  www.ncua.gov/news/press_releases/2004/FFIEC040331.pdf


INTERNET COMPLIANCE
"Member FDIC" Logo - When is it required?

The FDIC believes that every bank's home page is to some extent an advertisement. Accordingly, bank web site home pages should contain the official advertising statement unless the advertisement is subject to exceptions such as advertisements for loans, securities, trust services and/or radio or television advertisements that do not exceed thirty seconds. 

Whether subsidiary web pages require the official advertising statement will depend upon the content of the particular page.  Subsidiary web pages that advertise deposits must contain the official advertising statement.  Conversely, subsidiary web pages that relate to loans do not require the official advertising statement. 


INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - PHYSICAL SECURITY

The confidentiality, integrity, and availability of information can be impaired through physical access to, or damage or destruction of, physical components. Conceptually, those physical security risks are mitigated through zone-oriented implementations. Zones are physical areas with differing physical security requirements. The security requirements of each zone are a function of the sensitivity of the data contained in or accessible through the zone and of the information technology components in the zone. For instance, data centers may be in the highest security zone, and branches may be in a much lower security zone. Different security zones can exist within the same structure. Routers and servers in a branch, for instance, may be protected to a greater degree than customer service terminals. Computers and telecommunications equipment within an operations center will be in a higher security zone than I/O operations, with the media used in that equipment stored in a higher zone still.

The requirements for each zone should be determined through the risk assessment. The risk assessment should include, but is not limited to, the following threats:

- Aircraft crashes
- Chemical effects
- Dust
- Electrical supply interference
- Electromagnetic radiation
- Explosives
- Fire
- Smoke
- Theft/Destruction
- Vibration/Earthquake
- Water
- Wireless emissions
- Any other threats applicable based on the entity's unique geographical location, building configuration, neighboring entities, etc.


IT SECURITY QUESTION:

D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)

5. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service, and that those policies and procedures are consistently followed by appropriately trained personnel.


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

39.  Does the institution use an appropriate means to ensure that notices may be retained or obtained later, such as:

a. hand-delivery of a printed copy of the notice; [9(e)(2)(i)]

b. mailing a printed copy to the last known address of the customer; [9(e)(2)(ii)] or

c. making the current privacy notice available on the institution's web site (or via a link to the notice at another site) for the customer who agrees to receive the notice at the web site? [9(e)(2)(iii)]

IN CLOSING - The FFIEC interagency Internet guidelines require financial institution web sites to comply with consumer compliance, advertising, notifications, weblinking, and other federal regulations.  We have identified 17 federal regulations and over 130 issues that relate to an institution's web site.  We also verify weblinks for functionality and appropriateness.  As a former bank examiner with over 40 years' experience, we audit web sites following the FFIEC Internet guidelines for financial institutions across the country.  Visit http://www.bankwebsiteaudits.com and learn how we can assist your financial institution.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com