April 28, 2002

FYI - A new tool for manipulating packets of data that travel over the Internet could allow attackers to camouflage malicious programs just enough to bypass many intrusion-detection systems and firewalls.
http://news.com.com/2100-1001-887065.html

FYI - NCUA Letter to Federal Credit Unions 02-FCU-04 - Weblinking Relationships - Electronic Financial Services (Part 721.3(c)) - authorizes FCUs to offer through electronic means any services, products, functions, or activities that a credit union could otherwise perform, provide, or deliver to members.
www.ncua.gov/ref/letters/02-FCU-04.html

FYI - The Federal Reserve Banks are amending Operating Circular No. 5 (Electronic Access), effective June 1, 2002. The revised operating circular will govern electronic access to Reserve Bank services.
http://www.dallasfed.org/htm/pubs/pdfs/notices/2002/02-19.pdf
INTERNET COMPLIANCE - Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures via
electronic means has raised many issues with respect to the format
of the disclosures, the manner of delivery, and the ability to
ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
services.
Disclosures are generally required to be "clear and
conspicuous." Therefore, compliance officers should review the
web site to determine whether the disclosures have been designed to
meet this standard. Institutions may find that the format(s)
previously used for providing paper disclosures may need to be
redesigned for an electronic medium. Institutions may find it
helpful to use "pointers" and "hotlinks" that
will automatically present the disclosures to customers when
selected. A financial institution's use solely of asterisks or other
symbols as pointers or hotlinks would not be as clear as descriptive
references that specifically indicate the content of the linked
material.
INTERNET SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet." While this Financial Institution Letter was published in December 1997, the issues still are relevant.
Non-repudiation
Non-repudiation involves creating proof of the origin or delivery of
data to protect the sender against false denial by the recipient
that the data has been received or to protect the recipient against
false denial by the sender that the data has been sent. To ensure
that a transaction is enforceable, steps must be taken to prohibit
parties from disputing the validity of, or refusing to acknowledge,
legitimate communications or transactions.
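As an added illustration (not code from the FDIC letter or this newsletter), the following Go program shows the two halves of non-repudiation described above: the sender's Ed25519 signature is proof of origin, and the recipient's signed acknowledgement is proof of delivery. The key pairs and the transaction message are constructed here; binding each public key to a real identity (for example through a certificate) is assumed to happen elsewhere.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party holds one side's Ed25519 key pair (generated here for the example; binding the
// public key to a real identity is assumed to happen elsewhere, e.g. via a certificate).
type Party struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty() Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Party{Pub: pub, priv: priv}
}

// SignOrigin: proof of origin. Only the sender's private key can produce a signature that
// verifies under the sender's public key, so the sender cannot deny sending these bytes.
func (p Party) SignOrigin(msg []byte) []byte { return ed25519.Sign(p.priv, msg) }

// receiptDigest binds an acknowledgement to the exact message and origin signature.
func receiptDigest(msg, originSig []byte) []byte {
	d := sha256.Sum256(append(append([]byte("receipt:"), msg...), originSig...))
	return d[:]
}

// SignReceipt: proof of delivery. The recipient signs the receipt digest, so the
// recipient cannot later deny having received exactly this message.
func (p Party) SignReceipt(msg, originSig []byte) []byte {
	return ed25519.Sign(p.priv, receiptDigest(msg, originSig))
}

// Either party or an independent arbiter can run these checks afterwards; a shared-secret
// MAC could not settle such a dispute, since both sides would hold the same key.
func VerifyOrigin(senderPub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(senderPub, msg, sig)
}
func VerifyReceipt(recipientPub ed25519.PublicKey, msg, originSig, receiptSig []byte) bool {
	return ed25519.Verify(recipientPub, receiptDigest(msg, originSig), receiptSig)
}

func main() {
	customer, bank := NewParty(), NewParty()
	msg := []byte("transfer 500.00 from 1234 to 5678 ref 42") // constructed sample
	sig := customer.SignOrigin(msg)
	rcpt := bank.SignReceipt(msg, sig)
	fmt.Println(VerifyOrigin(customer.Pub, msg, sig), VerifyReceipt(bank.Pub, msg, sig, rcpt))
}
```

The verification functions return false for a tampered message, for an origin signature made with the recipient's own key, and for a receipt presented against a different message, which is what lets a dispute be settled by the signatures alone.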
Access Control / System Design
Establishing a link between a bank's internal network and the
Internet can create a number of additional access points into the
internal operating system. Furthermore, because the Internet is
global, unauthorized access attempts might be initiated from
anywhere in the world. These factors present a heightened risk to
systems and data, necessitating strong security measures to control
access. Because the security of any network is only as strong as its
weakest link, the functionality of all related systems must be
protected from attack and unauthorized access. Specific risks
include the destruction, altering, or theft of data or funds;
compromised data confidentiality; denial of service (system
failures); a damaged public image; and resulting legal implications.
Perpetrators may include hackers, unscrupulous vendors, former or
disgruntled employees, or even agents of espionage.
PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
10) Does the institution list the following categories of
nonpublic personal information that it discloses, as applicable, and
a few examples of each, or alternatively state that it reserves the
right to disclose all the nonpublic personal information that it
collects:
a) information from the consumer;
b) information about the consumer's transactions with the
institution or its affiliates;
c) information about the consumer's transactions with
nonaffiliated third parties; and
d) information from a consumer reporting agency? [§6(c)(2)]
IN CLOSING - The Vulnerability Internet Security Test Audit (VISTA) is an independent security test of {custom4}'s network connection to the Internet against unauthorized external intrusion. While your Network Administrator or systems consultants probably perform a vulnerability scan, the scan would not be considered independent since they developed and maintain your Internet security. An independent vulnerability test is required in most cases by your regulator, the Gramm-Leach-Bliley Act, and best practices. Before your next IT examination, visit http://www.internetbankingaudits.com/ for more information and to schedule your independent vulnerability security scan.