R. Kinney Williams & Associates

Internet Banking News

April 20, 2003

FYI- Lawyers see security suit-riddled future - At the RSA Conference 2003, lawyers outlined a hypothetical scenario, in which Harry the Hacker, angry because he's been fired, decides to put his computing skills to work for nefarious purposes.  http://news.com.com/2100-1009-996935.html?part=dht&tag=ntop 

FYI- Security is on every IT manager’s priority list, but what is security and how can executives measure and promote their efforts?  http://news.com.com/2100-1009-997231.html?tag=cd_mh 

FYI- Three U.S. regulatory agencies have released disaster recovery guidelines for financial institutions notable for their lack of any recommended minimum distance between primary and secondary data centers and their recognition that achieving many of the goals could take years.  
Article:  http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,80262,00.html 
White paper:  http://www.sec.gov/news/studies/34-47638.htm 


FYI - Fake bank site part of Nigerian scam - They’re certainly persistent. Another flavor of the well-known Nigerian scam has popped up, this one even more elaborate than the familiar e-mail solicitation.  http://www.msnbc.com/news/900824.asp?vts=041820030250 


INTERNET COMPLIANCE
- Disclosures/Notices (Part 1 of 2)

Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed. 

INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY RISK ASSESSMENT

Action Summary
-Financial institutions must maintain an ongoing information security risk assessment program that effectively

1) Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;

2) Analyzes the probability and impact associated with the known threats and vulnerabilities to its assets; and

3) Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and testing necessary for effective mitigation.


INFORMATION SECURITY QUESTION:

A. AUTHENTICATION AND ACCESS CONTROLS
- Access Rights Administration

6. Determine that, where appropriate and feasible, programs do not run with greater access to other resources than necessary.  Programs to consider include application programs, network administration programs (e.g., DNS), and other programs.

7. Compare the access control rules establishment and assignment processes to the access control policy for consistency.
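As an added illustration of items 6 and 7 (not part of the newsletter or the FFIEC booklet), the Python below compares a constructed process listing against an assumed policy of which account each program should run under, and reports programs such as a DNS server running with more privilege than the policy assigns. The policy table, account names and process listing are all constructed assumptions.

```python
# Added example. Assumed policy: program name -> account it is expected to run under.
POLICY = {
    "init": "root",
    "named": "named",      # DNS server should run as a dedicated account
    "httpd": "apache",
    "sshd": "root",        # accepted by policy; sshd does its own privilege separation
    "postgres": "postgres",
}
# Accounts treated as privileged when a program is not covered by the policy.
PRIVILEGED = {"root", "SYSTEM", "Administrator"}

def parse_ps(text):
    """Parse `ps -eo user,pid,comm`-style output into (user, pid, program) tuples."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # first line is the header
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((parts[0], int(parts[1]), parts[2]))
    return rows

def check_least_privilege(rows, policy=POLICY):
    """Return (program, user, severity, reason) for each deviation from policy.

    Item 6: a program running as a more privileged account than assigned is
    'high'; item 7: a privileged program the policy never assigned is 'review'."""
    findings = []
    for user, _pid, comm in rows:
        expected = policy.get(comm)
        if expected is None:
            if user in PRIVILEGED:
                findings.append((comm, user, "review", "not covered by policy"))
        elif user != expected:
            severity = "high" if user in PRIVILEGED else "medium"
            findings.append((comm, user, severity, f"policy expects '{expected}'"))
    return findings

# Constructed sample listing; not captured from a real system.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 init
root       412 named
apache     520 httpd
root       600 sshd
postgres   700 postgres
root       801 backup-agent
"""

if __name__ == "__main__":
    for program, user, severity, reason in check_least_privilege(parse_ps(SAMPLE_PS)):
        print(f"[{severity}] {program} runs as {user}: {reason}")
```

Run against real `ps -eo user,pid,comm` output, the "review" findings are the gaps between the access control policy and what is actually assigned, which is what item 7 asks the examiner to compare.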


PRIVACY
-We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Other Matters

Fair Credit Reporting Act

The regulations do not modify, limit, or supersede the operation of the Fair Credit Reporting Act.

State Law

The regulations do not supersede, alter, or affect any state statute, regulation, order, or interpretation, except to the extent that it is inconsistent with the regulations. A state statute, regulation, order, etc. is consistent with the regulations if the protection it affords any consumer is greater than the protection provided under the regulations, as determined by the FTC.

Grandfathered Service Contracts

Contracts that a financial institution has entered into, on or before July 1, 2000, with a nonaffiliated third party to perform services for the financial institution or functions on its behalf, as described in section 13, will satisfy the confidentiality requirements of section 13(a)(1)(ii) until July 1, 2002, even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information.

Guidelines Regarding Protecting Customer Information

The regulations require a financial institution to disclose its policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information about consumers (whether or not they are customers). The disclosure need not describe these policies and practices in detail, but instead may describe in general terms who is authorized to have access to the information and whether the institution has security practices and procedures in place to ensure the confidentiality of the information in accordance with the institution's policies.

The four federal bank and thrift regulators have published guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley Act, that address steps a financial institution should take in order to protect customer information. The guidelines relate only to information about customers, rather than all consumers. Compliance examiners should consider the findings of a 501(b) inspection during the compliance examination of a financial institution for purposes of evaluating the accuracy of the institution's disclosure regarding data security.

Next week we will start covering the examination objectives.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 
