June 9, 2002
FYI - FRB Commercial Bank Examination Manual - Presents examination objectives and procedures that Federal Reserve System examiners follow in evaluating the safety and soundness of state member banks. Section 4000 "Other Examination Areas" covers Information Technology and Electronic Banking. www.federalreserve.gov/boarddocs/supmanual/default.htm#cbem
FYI - The director of the FBI announced Wednesday that a major reorganization of the agency would include a new focus on cybercrime and technology. http://zdnet.com.com/2100-1105-927933.html
FYI - Guidance for Financial Institutions in Detecting Terrorist Financing - The Financial Action Task Force on Money Laundering issued the attached guidance on April 24, 2002, to assist financial institutions in detecting terrorist financing. The guidance will help ensure that financial institutions do not unwittingly hide or move terrorist funds. www.fdic.gov/news/news/financial/2002/fil0259.html
FYI - U.S. Department of Treasury FinCEN Advisories 28 through 32 - This advisory letter revises the list of countries detailed in OCC Advisory Letter (AL) 2002-2, "U.S. Department of Treasury FinCEN advisories 11A and 21A," dated February 27, 2002 (see also AL 2001-7 and AL 2000-8). www.occ.treas.gov/ftp/advisory/2002-5.txt
INTERNET COMPLIANCE - "Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement.
Conversely, subsidiary web pages that relate to loans do not
require the official advertising statement.
INTERNET SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet." While this Financial Institution Letter was published in December 1997, the issues still are relevant.
SECURITY MEASURES
Digital Signatures
Digital signatures authenticate the identity of a sender through the private cryptographic key. In addition, every digital signature is different because it is derived from the content of the message itself. The combination of identity authentication and singularly unique signatures results in a transmission that cannot be repudiated.
Digital signatures can be applied to any data transmission, including e-mail. To generate a digital signature, the original, unencrypted message is run through a mathematical algorithm that generates what is known as a message digest (a unique character representation of the data). This process is known as the "hash."
The message digest is then encrypted with a private key, and sent along with the message. The recipient receives both the message and the encrypted message digest. The recipient decrypts the message digest, and then runs the message through the hash function again. If the resulting message digest matches the one sent with the message, the message has not been altered and data integrity is verified.
Because the message digest was encrypted with a private key, the sender can be identified and bound to the specific message. The digital signature cannot be reused, because it is unique to the message. In the above example, data privacy and confidentiality could also be achieved by encrypting the message itself. The strength and security of a digital signature system is determined by its implementation and the management of the cryptographic keys.
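As an added illustration (not part of the FDIC letter), the hash, sign and verify sequence described above, worked through with a deliberately tiny RSA key pair constructed here for demonstration; a production system would use a vetted library, a full-size key and a padding scheme such as PSS.

```python
"""Toy walk-through of hash-then-sign: the sender hashes the message and
'encrypts' the digest with the private key; the recipient recovers the
digest with the public key, rehashes the message and compares."""
import hashlib

# Constructed toy key pair: two well-known Mersenne primes give a ~92-bit
# modulus, far too small for real use but enough to show the mechanics.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def message_digest(message: bytes) -> int:
    """The 'hash' step: reduce the message to a fixed-size digest."""
    digest = hashlib.sha256(message).digest()
    # Toy-only truncation to 88 bits so the digest fits below the tiny modulus.
    return int.from_bytes(digest[:11], "big")


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Sender: 'encrypt' the digest with the private key."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Recipient: recover the digest with the public key, rehash the
    received message, and accept only if the two digests match."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == message_digest(message)


if __name__ == "__main__":
    msg = b"Transfer $500 to account 12345"   # constructed sample message
    sig = sign(msg)
    print("original verifies:", verify(msg, sig))               # True
    print("altered verifies: ", verify(msg + b"0", sig))        # False: integrity check fails
    print("signature reused: ", verify(b"other message", sig))  # False: unique per message
```

The two failing checks are the properties the letter describes: any alteration of the message changes the digest, and a signature lifted from one message does not verify on another.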
PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
16. If the institution provides a short-form initial privacy notice according to §6(d)(1), does the short-form initial notice:
a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]
b. state that the institution's full privacy notice is available upon request; [§6(d)(2)(ii)] and
c. explain a reasonable means by which the consumer may obtain the notice? [§6(d)(2)(iii)]
(Note: the institution is not required to deliver the full privacy notice with the short-form initial notice. [§6(d)(3)])
IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and examiners recommend a security test of your Internet connection. The Vulnerability Internet Security Test Audit (VISTA) is an independent security test of {custom4}'s network connection to the Internet that meets the regulatory requirements. We are NOT computer technicians who sell computer equipment but trained information systems auditors that work only for financial institutions. As auditors, we provide an independent review of the vulnerability test results and an audit letter to your Board of Directors certifying the test results. Before your next IT examination, visit http://www.internetbankingaudits.com/ for more information.