R. Kinney Williams & Associates

Internet Banking News

April 13, 2003

FYI- A Guide To The ATM and Debit Card Industry - The ATM and debit card industry is undergoing dramatic change. From the sharp growth in point of sale debit card transactions to the heavy consolidation of the regional networks handling electronic transactions, the industry’s transformation raises economic and public policy issues. www.kc.frb.org/pubaffrs/pressrel/pr03-14.htm 

FYI- A close look at system logs provides clues to spot hacking or worm activity. - You can deploy all of the firewalls and intrusion-detection devices money can buy to protect your network from hackers and malicious code, but when it comes to truly knowing what's happening on your network, there's no substitute for digging through system log files.  http://www.computerworld.com/securitytopics/security/story/0,10801,79803,00.html 

FYI - The number of computer security incidents and attacks detected at businesses worldwide soared by 37% between the fourth quarter of 2002 and the first quarter of this year.  http://www.computerworld.com/securitytopics/security/holes/story/0,10801,80049,00.html 

FYI - Virus costs keep rising - Firms are taking more time to recover from virus attacks, according to a new report, and costs are rising.  http://www.vnunet.com/News/1139852 

FYI - Online thieves hit Georgia Tech - Online intruders broke into a server containing the credit card numbers of some 57,000 patrons of a Georgia Institute of Technology arts and theater program, a university official said Monday.  http://zdnet.com.com/2100-1105-994821.html 

INTERNET COMPLIANCE -
 Non-Deposit Investment Products

Financial institutions advertising or selling non-deposit investment products on-line should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products."  On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.

INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet. This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and most important your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter. 

ROLES AND RESPONSIBILITIES (2 of 2)

Senior management should enforce its security program by clearly communicating responsibilities and holding appropriate individuals accountable for complying with these requirements. A central authority should be responsible for establishing and monitoring the security program. Security management responsibilities, however, may be distributed throughout the institution from the IT department to various lines of business depending on the institution’s size, complexity, culture, nature of operations, and other factors. The distribution of duties should ensure an appropriate segregation of duties between individuals or organizational groups.

Senior management also has the responsibility to ensure integration of security controls throughout the organization. To support integration, senior management should

1)  Ensure the security process is governed by organizational policies and practices that are consistently applied,
2)  Require that data with similar criticality and sensitivity characteristics be protected consistently regardless of where in the organization it resides,
3)  Enforce compliance with the security program in a balanced and consistent manner across the organization, and
4)  Coordinate information security with physical security.

Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors.

Employees should know, understand, and be held accountable for fulfilling their security responsibilities. Institutions should define these responsibilities in their security policy. Job descriptions or contracts should specify any additional security responsibilities beyond the general policies. Financial institutions can achieve effective employee awareness and understanding through security training, employee certifications of compliance, self-assessments, audits, and monitoring.

Management also should consider the roles and responsibilities of external parties. Technology service providers (TSPs), contractors, customers, and others who have access to the institution’s systems and data should have their security responsibilities clearly delineated and documented in contracts.


INFORMATION SECURITY QUESTION:

A. AUTHENTICATION AND ACCESS CONTROLS
- Access Rights Administration

5. Evaluate the effectiveness and timeliness with which changes in access control privileges are implemented and the effectiveness of supporting policies and procedures.

• Review procedures and controls in place and determine whether access control privileges are promptly eliminated when they are no longer needed.  Include former employees and temporary access (for example, remote access and contract workers) in the review.

• Assess the procedures and controls in place to change, when appropriate, access control privileges (e.g., changes in job responsibility and promotion).

• Determine whether access rights expire after a predetermined period of inactivity.

• Review and assess the effectiveness of a formal review process that periodically reviews access rights to assure all access rights are proper.  Determine whether the necessary changes were made as a result of that review.
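The four review points above (prompt removal of unneeded access, changes on job change, expiry after inactivity, and a periodic review that actually produces changes) can be checked mechanically against a directory export and an HR roster. The script below is an added example and is not part of the FFIEC booklet or this newsletter; the account and HR records are constructed for illustration, the 90-day inactivity threshold and the 13 April 2003 review date are assumed policy values, and the field names are assumptions about what an institution's own exports would contain.

```python
"""Access-rights review: flag accounts whose privileges should already have been
removed, expired, or re-examined.  Added example with constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    last_login: Optional[date]            # None = never logged in
    created: date
    access_expires: Optional[date] = None  # set for temporary/contractor access


@dataclass(frozen=True)
class HrRecord:
    user: str
    status: str    # "active" or "terminated"
    effective: date


# Assumed policy values for this example.
REVIEW_DATE = date(2003, 4, 13)
MAX_IDLE_DAYS = 90

# Constructed sample directory export and HR roster (not real data).
ACCOUNTS = [
    Account("alice", True, date(2003, 4, 10), date(2001, 1, 5)),
    Account("bob", True, date(2002, 12, 1), date(2000, 6, 1)),     # dormant
    Account("carol", True, date(2003, 4, 1), date(2002, 3, 1)),    # terminated, still enabled
    Account("dave", True, None, date(2002, 11, 1)),                # never used
    Account("ctr_eve", True, date(2003, 4, 12), date(2003, 1, 6),
            access_expires=date(2003, 3, 31)),                     # contractor past expiry
    Account("frank", False, date(2002, 5, 1), date(1999, 1, 1)),   # already disabled
    Account("svc_old", True, date(2003, 4, 11), date(2001, 1, 1)), # no HR owner
]
HR = [
    HrRecord("alice", "active", date(2001, 1, 5)),
    HrRecord("bob", "active", date(2000, 6, 1)),
    HrRecord("carol", "terminated", date(2003, 3, 28)),
    HrRecord("dave", "active", date(2002, 11, 1)),
    HrRecord("ctr_eve", "active", date(2003, 1, 6)),
    HrRecord("frank", "terminated", date(2002, 5, 15)),
]


def dormant_accounts(accounts: Iterable[Account], as_of: date = REVIEW_DATE,
                     max_idle_days: int = MAX_IDLE_DAYS) -> Set[str]:
    """Enabled accounts unused for longer than the inactivity limit.
    An account that has never logged in is measured from its creation date,
    so a never-used account cannot hide behind a missing last_login."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return {a.user for a in accounts
            if a.enabled and (a.last_login or a.created) < cutoff}


def terminated_with_access(accounts: Iterable[Account], hr: Iterable[HrRecord],
                           as_of: date = REVIEW_DATE) -> Dict[str, int]:
    """Enabled accounts belonging to terminated staff, with the deprovisioning
    lag in days (the 'timeliness' part of the review)."""
    terminated = {r.user: r.effective for r in hr
                  if r.status == "terminated" and r.effective <= as_of}
    return {a.user: (as_of - terminated[a.user]).days
            for a in accounts if a.enabled and a.user in terminated}


def expired_temporary_access(accounts: Iterable[Account],
                             as_of: date = REVIEW_DATE) -> Set[str]:
    """Temporary (contractor/remote) access still enabled past its expiry date."""
    return {a.user for a in accounts
            if a.enabled and a.access_expires is not None and a.access_expires < as_of}


def orphaned_accounts(accounts: Iterable[Account], hr: Iterable[HrRecord]) -> Set[str]:
    """Enabled accounts with no HR record at all: nobody owns them, so no
    job-change or termination event will ever trigger their removal."""
    known = {r.user for r in hr}
    return {a.user for a in accounts if a.enabled and a.user not in known}


def review_report(accounts: Iterable[Account], hr: Iterable[HrRecord],
                  as_of: date = REVIEW_DATE) -> Dict[str, object]:
    """One pass producing the findings an examiner would ask to see."""
    accounts = list(accounts)
    hr = list(hr)
    return {
        "dormant": dormant_accounts(accounts, as_of),
        "terminated_still_enabled": terminated_with_access(accounts, hr, as_of),
        "expired_temporary": expired_temporary_access(accounts, as_of),
        "orphaned": orphaned_accounts(accounts, hr),
    }


if __name__ == "__main__":
    for finding, users in review_report(ACCOUNTS, HR).items():
        print(f"{finding}: {sorted(users) if users else 'none'}")
```

The point of keeping each check as a separate function is that the periodic review then has a record of what it found and when, so the follow-up question in the last bullet (were the necessary changes actually made?) can be answered by re-running the same report after remediation and confirming the findings are empty.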


PRIVACY
We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Financial Institution Duties
(Part 6 of 6)

Redisclosure and Reuse Limitations on Nonpublic Personal Information Received:

If a financial institution receives nonpublic personal information from a nonaffiliated financial institution, its disclosure and use of the information is limited.

A)  For nonpublic personal information received under a section 14 or 15 exception, the financial institution is limited to:

     1)  Disclosing the information to the affiliates of the financial institution from which it received the information; 

     2)  Disclosing the information to its own affiliates, who may, in turn, disclose and use the information only to the extent that the financial institution can do so; and 

     3)  Disclosing and using the information pursuant to a section 14 or 15 exception (for example, an institution receiving information for account processing could disclose the information to its auditors). 

B)  For nonpublic personal information received other than under a section 14 or 15 exception, the recipient's use of the information is unlimited, but its disclosure of the information is limited to:

     1)  Disclosing the information to the affiliates of the financial institution from which it received the information;

     2)  Disclosing the information to its own affiliates, who may, in turn disclose the information only to the extent that the financial institution can do so; and

     3)  Disclosing the information to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which it received the information. For example, an institution that received a customer list from another financial institution could disclose the list (1) in accordance with the privacy policy of the financial institution that provided the list, (2) subject to any opt out election or revocation by the consumers on the list, and (3) in accordance with appropriate exceptions under sections 14 and 15.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated