May 4, 2003
FYI - Tales from the security trenches - Companies share their best practices for avoiding internal threats. http://www.infoworld.com/article/03/04/25/17FEinjob.sb1_1.html?security

FYI - Auditing Web Site Authentication, Part One http://www.securityfocus.com/infocus/1688

FYI - Emerging legal expectations for data security and privacy are making it increasingly important for companies to demonstrate reasonable care in protecting their IT assets, say security and legal experts. http://www.computerworld.com/securitytopics/security/story/0,10801,80744,00.html

FYI - Internet mavens who clog computers with massive volumes of unsolicited e-mail pitches now risk landing in prison and losing their riches under a tough Virginia law. http://seattlepi.nwsource.com/business/aptech_story.asp?category=1700&slug=Fighting%20Spam

FYI - New Scam, Old Scare: E-Mail Credit-Report Warnings http://www.washingtonpost.com/wp-dyn/articles/A27642-2003Apr23.html

FYI - Treasury and Federal Financial Regulators Issue Final Patriot Act Regulations on Customer Identification - The Department of the Treasury, the Financial Crimes Enforcement Network, and the seven federal financial regulators today issued final rules that require certain financial institutions to establish procedures to verify the identity of new accountholders. www.federalreserve.gov/boarddocs/press/bcreg/2003/200304302/default.htm

FYI - AT&T Corp. announced new security steps it has taken recently to protect businesses and consumers against voice-mail hackers. http://www.computerworld.com/securitytopics/security/story/0,10801,80554,00.html
INTERNET COMPLIANCE - Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on fund availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies requirements for providing certain written notices or disclosures to customers via electronic means. Specifically, the commentary to the regulations states that a financial institution satisfies both the written exception hold notice requirement and the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT

KEY STEPS

Common elements of risk assessment approaches involve three phases: information gathering, analysis, and prioritizing responses. Vendor concerns add additional elements to the process.

INFORMATION GATHERING

Identifying and understanding risk requires the analysis of a wide range of information relevant to the particular institution's risk environment. Once gathered, the information can be catalogued to facilitate later analysis. Information gathering generally includes the following actions:
1) Obtaining listings of information system assets (e.g., data, software, and hardware). Inventories on a device-by-device basis can be helpful in risk assessment as well as risk mitigation. Inventories should consider whether data resides in house or at a TSP.

2) Determining threats to those assets, resulting from people with malicious intent, employees and others who accidentally cause damage, and environmental problems that are outside the control of the organization (e.g., natural disasters, failures of interdependent infrastructures such as power, telecommunications, etc.).

3) Identifying organizational vulnerabilities (e.g., weak senior management support, ineffective training, inadequate expertise or resource allocation, and inadequate policies, standards, or procedures).

4) Identifying technical vulnerabilities (e.g., vulnerabilities in hardware and software, configurations of hosts, networks, workstations, and remote access).

5) Documenting current controls and security processes, including both information technology and physical security.

6) Identifying security requirements and considerations (e.g., GLBA).

7) Maintaining the risk assessment process, which requires institutions to review and update their risk assessment at least once a year, or more frequently in response to material changes in any of the six actions above.
INFORMATION SECURITY QUESTION:

A. AUTHENTICATION AND ACCESS CONTROLS - Authentication

1. Determine whether the financial institution has removed or reset default profiles and passwords from new systems and equipment.

2. Determine whether access to system administrator level is adequately controlled.
PRIVACY - We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.
Examination Procedures (Part 1 of 3)

A. Through discussions with management and review of available information, identify the institution's information sharing practices (and changes to those practices) with affiliates and nonaffiliated third parties; how it treats nonpublic personal information; and how it administers opt-outs. Consider the following as appropriate:

1) Notices (initial, annual, revised, opt out, short-form, and simplified);

2) Institutional privacy policies and procedures, including those to:
a) process requests for nonpublic personal information, including requests for aggregated data;
b) deliver notices to consumers;
c) manage consumer opt out directions (e.g., designating files, allowing a reasonable time to opt out, providing new opt out and privacy notices when necessary, receiving opt out directions, handling joint account holders);
d) prevent the unlawful disclosure and use of the information received from nonaffiliated financial institutions; and
e) prevent the unlawful disclosure of account numbers;

3) Information sharing agreements between the institution and affiliates and service agreements or contracts between the institution and nonaffiliated third parties either to obtain or provide information or services;

4) Complaint logs, telemarketing scripts, and any other information obtained from nonaffiliated third parties (Note: review telemarketing scripts to determine whether the contractual terms set forth under section 13 are met and whether the institution is disclosing account number information in violation of section 12);

5) Categories of nonpublic personal information collected from or about consumers in obtaining a financial product or service (e.g., in the application process for deposit, loan, or investment products; for an over-the-counter purchase of a bank check; from E-banking products or services, including the data collected electronically through Internet cookies; or through ATM transactions);

6) Categories of nonpublic personal information shared with, or received from, each nonaffiliated third party;

7) Consumer complaints regarding the treatment of nonpublic personal information, including those received electronically;

8) Records that reflect the bank's categorization of its information sharing practices under Sections 13, 14, 15, and outside of these exceptions; and

9) Results of a 501(b) inspection (used to determine the accuracy of the institution's privacy disclosures regarding data security).