R. Kinney Williams & Associates

Internet Banking News

April 6, 2003

FYI - Schwab's online-bank plan delayed - The San Francisco-based company, which has $755 billion in customer assets, expected to launch an online bank earlier this year in a bid to expand its offerings and offset persistent weakness in its main stock-trading business. But Charles Schwab Bank, as the unit is called, is still mired in an approval process required by banking regulators.  http://news.com.com/2100-1019-995422.html?tag=cd_mh

FYI - Security Incidents Skyrocket - Fast-spreading worms pose the greatest threat.  The number of computer security incidents and attacks detected at businesses worldwide soared by 84 percent between the fourth quarter of 2002 and the first quarter of this year, fueled in part by a surge in the number of mass-mailing worms, according to a report due out Monday from Internet Security Systems.  http://www.pcworld.com/news/article/0,aid,110140,tk,dn040403X,00.asp 

FYI - Chinese hacker groups are planning attacks on U.S. and U.K. based Web sites to protest the war in Iraq, the Department of Homeland Security warned in an alert that it unintentionally posted on a government Web site.   http://www.washingtonpost.com/wp-dyn/articles/A60363-2003Mar31.html

INTERNET COMPLIANCE - Fair Housing Act

A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy if required by rules of the institution's regulator.

Home Mortgage Disclosure Act (Regulation C)

The regulations clarify that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.

INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet. This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most importantly, your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter.

ROLES AND RESPONSIBILITIES (1 of 2)

Information security is the responsibility of everyone at the institution, as well as the institution’s service providers and contractors. The board, management, and employees all have different roles in developing and implementing an effective security process. The board of directors is responsible for overseeing the development, implementation, and maintenance of the institution’s information security program. Oversight requires the board to provide management with guidance and receive reports on the effectiveness of management’s response. The board should approve written information security policies and the information security program at least annually. The board should provide management with its expectations and requirements for:

1)  Central oversight and coordination,
2)  Areas of responsibility,
3)  Risk measurement,
4)  Monitoring and testing,
5)  Reporting, and
6)  Acceptable residual risk.

Senior management’s attitude towards security affects the entire organization’s commitment to security. For example, the failure of a financial institution president to comply with security policies could undermine the entire organization’s commitment to security.

Senior management should designate one or more individuals as information security officers. Security officers should be responsible and accountable for security administration. At a minimum, they should directly manage or oversee risk assessment, development of policies, standards, and procedures, testing, and security reporting processes. Security officers should have the authority to respond to a security event by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value. They should have sufficient knowledge, background, and training, as well as an organizational position, to enable them to perform their assigned tasks.


INFORMATION SECURITY QUESTION:

A. AUTHENTICATION AND ACCESS CONTROLS
- Access Rights Administration

3. Determine whether employees' levels of online access (blocked, read-only, update, override, etc.) match current job responsibilities.

4. Determine that administrator or root privilege access is appropriately monitored, where appropriate.


• Management may choose to further categorize types of administrator/root access based upon a risk assessment. Categorizing this type of access can be used to identify and monitor higher-risk administrator and root access requests that should be promptly reported.
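The two checklist items above are easier to repeat every review cycle when they are scripted. The following is an added example, not code from the newsletter or the FFIEC booklet: it compares an entitlement export against a job-role matrix (item 3) and parses sudo-to-root events from auth.log-style lines, labeling the higher-risk ones that should be promptly reported (item 4). The role matrix, the approved-administrator list, the risk patterns and the log lines are all constructed for illustration; a real review would pull them from the institution's HR system, access-control system and syslog.

```python
"""Access-rights review: entitlement-vs-role check and root-access categorization.

All data below is constructed sample input; the role matrix, approved
administrator list and high-risk patterns are assumptions for this example.
"""
import re

# Online access levels, ordered from least to most privileged (assumption).
LEVELS = ["blocked", "read-only", "update", "override"]

# Constructed job-role matrix: the highest level each role may hold.
ROLE_MAX_LEVEL = {
    "teller": "update",
    "loan_officer": "update",
    "branch_manager": "override",
    "auditor": "read-only",
    "terminated": "blocked",
}

# Constructed entitlement export: (user, current role, current access level).
ENTITLEMENTS = [
    ("alice", "teller", "update"),
    ("bob", "auditor", "update"),          # exceeds role: auditors are read-only
    ("carol", "branch_manager", "override"),
    ("dave", "terminated", "read-only"),   # should have been blocked on departure
]


def review_entitlements(entitlements, role_max=ROLE_MAX_LEVEL):
    """Return (user, role, level, max_allowed) for every account whose
    access level exceeds what its current job role permits."""
    findings = []
    for user, role, level in entitlements:
        allowed = role_max.get(role, "blocked")   # unknown role: assume no access
        if LEVELS.index(level) > LEVELS.index(allowed):
            findings.append((user, role, level, allowed))
    return findings


# Constructed sudo entries in the usual syslog/auth.log layout (assumption).
SUDO_LOG = """\
Apr  4 09:12:01 core01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/log/messages
Apr  4 09:15:44 core01 sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Apr  4 09:17:02 core01 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 backdoor
Apr  4 09:20:10 core01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)

# Who is allowed to administer the host (assumption) and which root commands
# the risk assessment treats as higher-risk and therefore reportable.
APPROVED_ADMINS = {"alice", "carol"}
HIGH_RISK = [
    (re.compile(r"(^|/)(bash|sh|zsh|ksh)$"), "interactive root shell"),
    (re.compile(r"/etc/(sudoers|passwd|shadow)"), "privilege file edit"),
    (re.compile(r"useradd|usermod|-u 0"), "account change"),
]


def categorize_root_access(log_text, approved=APPROVED_ADMINS):
    """Parse sudo-to-root events and attach a list of risk reasons to each.
    An event is marked report=True when the user is not an approved
    administrator or the command matches a high-risk pattern."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m or m.group("target") != "root":
            continue
        user, cmd = m.group("user"), m.group("cmd").strip()
        reasons = [label for pat, label in HIGH_RISK if pat.search(cmd)]
        if user not in approved:
            reasons.append("unapproved administrator")
        events.append({"user": user, "cmd": cmd, "reasons": reasons,
                       "report": bool(reasons)})
    return events


def reportable(events):
    """Filter to the events that should be promptly reported."""
    return [e for e in events if e["report"]]


if __name__ == "__main__":
    for finding in review_entitlements(ENTITLEMENTS):
        print("ACCESS MISMATCH:", finding)
    for e in reportable(categorize_root_access(SUDO_LOG)):
        print("REPORT:", e["user"], e["cmd"], "->", ", ".join(e["reasons"]))
```

Routine root activity (the first log line) is still recorded but not escalated, which is the distinction the bullet above draws between monitoring all administrator access and promptly reporting the higher-risk subset.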


PRIVACY - We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Financial Institution Duties (Part 5 of 6)

Limitations on Disclosure of Account Numbers:

A financial institution must not disclose an account number or similar form of access number or access code for a credit card, deposit, or transaction account to any nonaffiliated third party (other than a consumer reporting agency) for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

The disclosure of encrypted account numbers without an accompanying means of decryption, however, is not subject to this prohibition. The regulation also expressly allows disclosures by a financial institution to its agent to market the institution's own products or services (although the financial institution must not authorize the agent to directly initiate charges to the customer's account). Also not barred are disclosures to participants in private-label or affinity card programs, where the participants are identified to the customer when the customer enters the program.

IN CLOSING - On pages 80-81 of the newly released FFIEC interagency Information Security Booklet, the regulators are requiring financial institutions to have at least an annual independent penetration test.  Did you know that there are over 2,000 known vulnerabilities with approximately 25 new vulnerabilities added every week, and that in 2001, 99% of unauthorized intrusions resulted from known vulnerabilities?  We can provide independent penetration testing to help protect your institution from unauthorized external access.  For more information, please visit our web site at http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated