FYI - Critical information security weaknesses at the
Internal Revenue Service demonstrate the importance of moving past
the development of an information security program to actually
implementing the measures outlined in the plan. http://www.fcw.com/fcw/articles/2003/0602/web-irs-06-02-03.asp
FYI - Latest Bugbear virus claws at banks - Security
company Symantec has uncovered a sinister new function in
fast-spreading e-mail virus Win32.Bugbear.B, suggesting that the
worm harvests passwords used by bank employees. http://news.com.com/2100-1009_3-1015616.html?tag=fd_top
INTERNET
COMPLIANCE - Advertisements
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the
Internet or on-line text. Thus, institutions should carefully review
their on-line advertisements in an effort to minimize compliance
risk.
In addition, Internet or other systems in which a credit application
can be made on-line may be considered "places of business"
under HUD's rules prescribing lobby notices. Thus, institutions may
want to consider including the "lobby notice,"
particularly in the case of interactive systems that accept
applications.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY STRATEGY (1 of 2)
Action Summary - Financial institutions should develop a strategy
that defines control objectives and establishes an implementation
plan. The security strategy should include:
1) Cost comparisons of different strategic approaches appropriate to
the institution's environment and complexity,
2) Layered controls that establish multiple control points between
threats and organization assets, and
3) Policies that guide officers and employees in implementing the
security program.
An information security strategy is a plan to mitigate risks while
complying with legal, statutory, contractual, and internally
developed requirements. Typical steps to building a strategy include
the definition of control objectives, the identification and
assessment of approaches to meet the objectives, the selection of
controls, the establishment of benchmarks and metrics, and the
preparation of implementation and testing plans.
The selection of controls is typically grounded in a cost comparison
of different strategic approaches to risk mitigation. The cost
comparison typically contrasts the costs of various approaches with
the perceived gains a financial institution could realize in terms
of increased confidentiality, availability, or
integrity of systems and data. Those gains could include reduced
financial losses, increased customer confidence, positive audit
findings, and regulatory compliance. Any particular approach should
consider: (1) policies, standards, and procedures; (2) technology
and architecture; (3) resource dedication; (4) training; and (5)
testing.
INFORMATION SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication
8. Determine whether adequate controls exist to
protect against replay attacks and hijacking.
9. Determine whether token-based authentication mechanisms
adequately protect against token tampering, provide for the unique
identification of the token holder, and employ an adequate number of
authentication factors.
INTERNET PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by the
financial regulatory agencies in May 2001.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 13, 14, and/or 15 but outside of these
exceptions (Part 1 of 3)
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with
nonaffiliated third parties and obtain a sample of data shared
between the institution and the third party. The sample should
include a cross-section of relationships but should emphasize those
that are higher risk in nature as determined by the initial
procedures. Perform the following comparisons to evaluate the
financial institution's compliance with disclosure limitations.
a. Compare the data shared and with whom the data were shared
to ensure that the institution accurately categorized its
information sharing practices and is not sharing nonpublic personal
information outside the exceptions (§§13, 14, 15).
b. Compare the categories of data shared and with whom the
data were shared to those stated in the privacy notice and verify
that what the institution tells consumers in its notices about its
policies and practices in this regard and what the institution
actually does are consistent (§§10, 6).
2) Review contracts with nonaffiliated third parties that
perform services for the financial institution not covered by the
exceptions in section 14 or 15. Determine whether the contracts
adequately prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather"
provisions of Section 18 apply to certain of these contracts. (§13(a)).
PENETRATION TESTS - WEB SITE AUDITS - We offer independent Internet
auditing regarding web site compliance and penetration-vulnerability
testing. Visit http://www.bankwebsiteaudits.com for more information
about web site audits. For information regarding
penetration-vulnerability testing visit http://www.internetbankingaudits.com/
or email Kinney Williams at examiner@yennik.com.