R. Kinney Williams & Associates

Internet Banking News

May 4, 2003

FYI  - Tales from the security trenches - Companies share their best practices for avoiding internal threats.  http://www.infoworld.com/article/03/04/25/17FEinjob.sb1_1.html?security   

FYI  - Auditing Web Site Authentication, Part One  http://www.securityfocus.com/infocus/1688 

FYI  - Emerging legal expectations for data security and privacy are making it increasingly important for companies to demonstrate reasonable care in protecting their IT assets, say security and legal experts.  http://www.computerworld.com/securitytopics/security/story/0,10801,80744,00.html 

FYI  - Internet mavens who clog computers with massive volumes of unsolicited e-mail pitches now risk landing in prison and losing their riches under a tough Virginia law.  http://seattlepi.nwsource.com/business/aptech_story.asp?category=1700&slug=Fighting%20Spam 

FYI - New Scam, Old Scare: E-Mail Credit-Report Warnings   http://www.washingtonpost.com/wp-dyn/articles/A27642-2003Apr23.html 

FYI - Treasury and Federal Financial Regulators Issue Final Patriot Act Regulations on Customer Identification - The Department of the Treasury, the Financial Crimes Enforcement Network, and the seven federal financial regulators today issued final rules that require certain financial institutions to establish procedures to verify the identity of new accountholders. www.federalreserve.gov/boarddocs/press/bcreg/2003/200304302/default.htm

FYI - AT&T Corp. announced new security steps it has taken recently to protect businesses and consumers against voice-mail hackers.  http://www.computerworld.com/securitytopics/security/story/0,10801,80554,00.html 

INTERNET COMPLIANCE - Expedited Funds Availability Act (Regulation CC)

Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on fund availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies the requirements for providing certain written notices or disclosures to customers by electronic means. Specifically, the commentary states that a financial institution satisfies both the written exception hold notice requirement and the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed. 

INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

INFORMATION SECURITY RISK ASSESSMENT


KEY STEPS

Common elements of risk assessment approaches involve three phases: information gathering, analysis, and prioritizing responses. Vendor concerns add additional elements to the process.

INFORMATION GATHERING

Identifying and understanding risk requires the analysis of a wide range of information relevant to the particular institution's risk environment. Once gathered, the information can be catalogued to facilitate later analysis. Information gathering generally includes the following actions:

1)  Obtaining listings of information system assets (e.g., data, software, and hardware). Inventories on a device-by-device basis can be helpful in risk assessment as well as risk mitigation. Inventories should consider whether data resides in house or at a TSP (technology service provider).

2)  Determining threats to those assets, resulting from people with malicious intent, employees and others who accidentally cause damage, and environmental problems that are outside the control of the organization (e.g., natural disasters, failures of interdependent infrastructures such as power, telecommunications, etc.).

3)  Identifying organizational vulnerabilities (e.g., weak senior management support, ineffective training, inadequate expertise or resource allocation, and inadequate policies, standards, or procedures).

4)  Identifying technical vulnerabilities (e.g., vulnerabilities in hardware and software, configurations of hosts, networks, workstations, and remote access).

5)  Documenting current controls and security processes, including both information technology and physical security.

6)  Identifying security requirements and considerations (e.g., GLBA).

7)  Maintaining the risk assessment process requires institutions to review and update their risk assessment at least once a year, or more frequently in response to material changes in any of the six actions above.


INFORMATION SECURITY QUESTION:

A. AUTHENTICATION AND ACCESS CONTROLS
- Authentication

1. Determine whether the financial institution has removed or reset default profiles and passwords from new systems and equipment.

2. Determine whether access to system administrator level is adequately controlled.
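As an added illustration of these two examination questions (this script is not from the FFIEC booklet or the newsletter), the Python below audits a UNIX-style passwd/shadow pair for the conditions an examiner is looking for: accounts that still have no password, vendor or default accounts that were never removed or locked, and any account other than root that holds UID 0 and therefore has system administrator level. The sample account entries and the list of default account names are constructed assumptions for the example, not data from any real system.

```python
"""Audit helper for the two authentication questions above.

Added example: checks a constructed passwd/shadow pair for
(1) default/vendor accounts that were never removed or locked and
accounts with no password at all, and (2) accounts other than root
that hold UID 0 (system administrator level).
"""

from __future__ import annotations

from dataclasses import dataclass

# Constructed sample data resembling a freshly imaged server (assumed).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
admin:x:0:0:vendor admin:/home/admin:/bin/bash
oracle:x:1001:1001:Oracle:/home/oracle:/bin/bash
jdoe:x:1002:1002:Jane Doe:/home/jdoe:/bin/bash
support:x:1003:1003:support:/home/support:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
admin:$6$salt$hash:19000:0:99999:7:::
oracle::19000:0:99999:7:::
jdoe:$6$salt$hash:19000:0:99999:7:::
support:!:19000:0:99999:7:::
"""

# Names that vendors commonly ship enabled; an assumed list for the example.
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "guest", "support", "test", "oracle"}

# Shadow password fields that mean "login disabled".
LOCKED_PREFIXES = ("*", "!")


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    password_field: str  # shadow field 2: "", "*", "!", or a hash; "?" if absent


def parse_accounts(passwd_text: str, shadow_text: str) -> list[Account]:
    """Join passwd and shadow entries by account name."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            fields = line.split(":")
            shadow[fields[0]] = fields[1]
    accounts = []
    for line in passwd_text.splitlines():
        if line.strip():
            fields = line.split(":")
            # An account missing from shadow is unknown ("?"), not empty.
            accounts.append(Account(fields[0], int(fields[2]), fields[6],
                                    shadow.get(fields[0], "?")))
    return accounts


def empty_password_accounts(accounts: list[Account]) -> list[str]:
    """Question 1: an empty shadow field means login with no password."""
    return sorted(a.name for a in accounts if a.password_field == "")


def default_accounts_still_enabled(accounts: list[Account]) -> list[str]:
    """Question 1: default accounts neither removed, locked, nor shell-disabled."""
    return sorted(a.name for a in accounts
                  if a.name in DEFAULT_ACCOUNT_NAMES
                  and not a.password_field.startswith(LOCKED_PREFIXES)
                  and not a.shell.endswith("nologin"))


def extra_uid0_accounts(accounts: list[Account]) -> list[str]:
    """Question 2: any UID-0 account besides root is a second path to admin level."""
    return sorted(a.name for a in accounts if a.uid == 0 and a.name != "root")


def audit(passwd_text: str, shadow_text: str) -> dict[str, list[str]]:
    accounts = parse_accounts(passwd_text, shadow_text)
    return {
        "empty_password": empty_password_accounts(accounts),
        "default_enabled": default_accounts_still_enabled(accounts),
        "extra_uid0": extra_uid0_accounts(accounts),
    }


if __name__ == "__main__":
    for finding, names in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{finding}: {names or 'none'}")
```

On the sample data the script flags oracle (no password), admin and oracle (default accounts still enabled), and admin (a second UID-0 account). The same checks on Windows hosts look at whether the built-in Administrator and Guest accounts have been renamed or disabled and at who is a member of the local Administrators group; the principle is identical, and the examiner is asking for evidence that the institution performs these checks on every new system before it goes into service.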


PRIVACY - We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Examination Procedures
(Part 1 of 3)

A. Through discussions with management and review of available information, identify the institution's information sharing practices (and changes to those practices) with affiliates and nonaffiliated third parties; how it treats nonpublic personal information; and how it administers opt-outs. Consider the following as appropriate:

1)  Notices (initial, annual, revised, opt out, short-form, and simplified);

2)  Institutional privacy policies and procedures, including those to: 
     a)  process requests for nonpublic personal information, including requests for aggregated data; 
     b)  deliver notices to consumers; manage consumer opt out directions (e.g., designating files, allowing a reasonable time to opt out, providing new opt out and privacy notices when necessary, receiving opt out directions, handling joint account holders); 
     c)  prevent the unlawful disclosure and use of the information received from nonaffiliated financial institutions; and 
     d)  prevent the unlawful disclosure of account numbers;

3)  Information sharing agreements between the institution and affiliates and service agreements or contracts between the institution and nonaffiliated third parties either to obtain or provide information or services;

4)  Complaint logs, telemarketing scripts, and any other information obtained from nonaffiliated third parties (Note: review telemarketing scripts to determine whether the contractual terms set forth under section 13 are met and whether the institution is disclosing account number information in violation of section 12);

5)  Categories of nonpublic personal information collected from or about consumers in obtaining a financial product or service (e.g., in the application process for deposit, loan, or investment products; for an over-the-counter purchase of a bank check; from E-banking products or services, including the data collected electronically through Internet cookies; or through ATM transactions);

6)  Categories of nonpublic personal information shared with, or received from, each nonaffiliated third party; and

7)  Consumer complaints regarding the treatment of nonpublic personal information, including those received electronically.

8)  Records that reflect the bank's categorization of its information sharing practices under Sections 13, 14, 15, and outside of these exceptions.

9)  Results of a 501(b) inspection (used to determine the accuracy of the institution's privacy disclosures regarding data security).

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated