Kinney's comment: As many of you know, I maintain a web site that lists the financial institutions on the Internet at http://www.thecommunitybanker.com/bank_links/index.htm for banks and http://www.thecommunitybanker.com/cu_links/ for credit unions. I receive at least one notification a month that an institution's link goes to an adult web site. Unfortunately, this happens when an institution changes its domain name. The adult businesses take over the old domain name because of all the hits the institution's old domain name received. We strongly recommend that if you change your domain name, you do not let the old domain name expire. The cost to maintain the old domain name is relatively inexpensive compared to the possible reputational risk. If your link is not correct, please notify me immediately at examiner@yennik.com, and I will make any necessary changes.
FYI - Newest BugBear virus targets financial institutions - The latest variant of the BugBear computer virus is being investigated by the FBI after the virus was found to be specifically targeting banks among its many potential victims.
http://www.computerworld.com/printthis/2003/0,4814,82015,00.html

FYI - The General Accounting Office today released its report on the FDIC: Information Security: Progress Made but Existing Weaknesses Place Data
http://www.gao.gov/cgi-bin/getrpt?GAO-03-630
Highlights - http://www.gao.gov/highlights/d03630high.pdf

FYI - Revised Compliance Examination Process - The Federal Deposit Insurance Corporation has revised its process for examining FDIC-supervised depository institutions to determine their compliance with consumer protection laws and regulations. The revised process focuses increased attention on an institution's compliance management system. Examiners will begin to use these procedures for all examinations for which an on-site review is scheduled to begin on or after June 30, 2003.
www.fdic.gov/news/news/financial/2003/fil0352.html
FYI - What happens when an institution does not follow BSA, OFAC, etc. The Federal Reserve Board on Monday announced the execution of a Written Agreement by and between Southern Commercial Bank, St. Louis, Missouri and the Federal Reserve Bank of St. Louis.
www.federalreserve.gov/boarddocs/press/Enforcement/2003/20030616/default.htm
FYI - Securities group: Treat IM like e-mail - Instant messages should be treated the same as e-mail messages and archived for three years, the Nasdaq's regulator is telling its members.
http://news.com.com/2100-1032-1018960.html?part=dht&tag=ntop
http://www.pcworld.com/news/article/0,aid,111234,00.asp

FYI - Intrusion Detection On The Way Out - The research firm says the software, which attempts to spot and report attacks against information systems, will no longer be necessary in a couple of years.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=10300918
http://www.eweek.com/print_article/0,3668,a=43256,00.asp

Kinney's comment: Do not throw away your IDS. Best practices will always require some type of detection system in case the firewall is not functioning properly.

FYI - E-mail's up--is the boss watching? - U.S. workers spend nearly a quarter of their day dealing with e-mail, according to a new study.
http://news.com.com/2100-1032_3-1018562.html?tag=fd_top
INTERNET
COMPLIANCE - Record Retention
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY STRATEGY (2 of 2)

Any particular approach should consider: (1) policies, standards, and procedures; (2) technology and architecture; (3) resource dedication; (4) training; and (5) testing.
For example, an institution’s management may be assessing the
proper strategic approach to intrusion detection for an Internet
environment. Two potential approaches were identified for
evaluation. The first approach uses a combination of network and
host intrusion detection sensors with a staffed monitoring center.
The second approach consists of daily access log review. The former
alternative is judged much more capable of detecting an attack in
time to minimize any damage to the institution and its data, albeit
at a much greater cost. The added cost is entirely appropriate when
customer data and institution processing capabilities are exposed to
an attack, such as in an Internet banking environment. The latter
approach may be appropriate when the primary risk is reputational
damage, such as when the only information being protected is an
information-only Web site, and the Web site is not connected to
other financial institution systems.
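The second approach in the booklet's example, daily access log review, is easy to describe but only useful if the review is systematic. The following is an added example, not text or code from the FFIEC booklet or from this newsletter: a small Python reviewer for web-server access logs in the Apache/NGINX "combined" format that flags source addresses exceeding a daily threshold of failed requests or of requests to administrative paths. The sample log lines, the thresholds, and the list of administrative path prefixes are constructed for the example; a real review would tune them to the site.

```python
"""Daily access-log review as a detection control (added example; constructed data)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Apache/NGINX "combined" log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths an information-only web site has no reason to serve to the public (constructed list).
SENSITIVE_PREFIXES = ("/admin", "/cgi-bin")

# Constructed sample: one ordinary visitor, one source probing the site, one malformed line.
SAMPLE_LOG = """\
198.51.100.20 - - [16/Jun/2003:08:01:10 -0500] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [16/Jun/2003:08:01:12 -0500] "GET /locations.html HTTP/1.1" 200 2210
203.0.113.7 - - [16/Jun/2003:02:14:01 -0500] "GET /admin/ HTTP/1.0" 404 312
203.0.113.7 - - [16/Jun/2003:02:14:02 -0500] "GET /admin/login.php HTTP/1.0" 404 312
203.0.113.7 - - [16/Jun/2003:02:14:02 -0500] "GET /cgi-bin/test.cgi HTTP/1.0" 404 312
203.0.113.7 - - [16/Jun/2003:02:14:03 -0500] "GET /old/ HTTP/1.0" 404 312
203.0.113.7 - - [16/Jun/2003:02:14:03 -0500] "GET /backup.zip HTTP/1.0" 404 312
203.0.113.7 - - [16/Jun/2003:02:14:04 -0500] "GET /phpinfo.php HTTP/1.0" 404 312
this line is not in combined format
"""


@dataclass
class SourceStats:
    requests: int = 0
    client_errors: int = 0        # 4xx responses
    sensitive_hits: int = 0       # requests under SENSITIVE_PREFIXES
    paths: set = field(default_factory=set)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"])}


def review(lines, max_errors=5, max_sensitive=2):
    """Return ({ip: [reasons]}, unparsed_count) for sources that exceed the review thresholds."""
    stats = defaultdict(SourceStats)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # count rather than silently drop; a reviewer should see this too
            continue
        s = stats[rec["ip"]]
        s.requests += 1
        s.paths.add(rec["path"])
        if 400 <= rec["status"] < 500:
            s.client_errors += 1
        if rec["path"].startswith(SENSITIVE_PREFIXES):
            s.sensitive_hits += 1

    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s.client_errors > max_errors:
            reasons.append(f"{s.client_errors} client errors across {len(s.paths)} distinct paths")
        if s.sensitive_hits > max_sensitive:
            reasons.append(f"{s.sensitive_hits} requests to administrative paths")
        if reasons:
            findings[ip] = reasons
    return findings, unparsed


def review_sample():
    """Run the review over the constructed sample log."""
    return review(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    findings, unparsed = review_sample()
    for ip, reasons in findings.items():
        print(ip, "->", "; ".join(reasons))
    print(f"{unparsed} line(s) could not be parsed")
```

Note that this reviewer only sees what the web server chose to log and only after the fact, which is exactly the limitation the booklet has in mind when it reserves this approach for an information-only site with no connection to other institution systems.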
Strategies should consider the layering of controls. Excessive
reliance on a single control could create a false sense of
confidence. For example, a financial institution that depends solely
on a firewall can still be subject to numerous attack methodologies
that exploit authorized network traffic. Financial institutions
should design multiple layers of security controls and testing to
establish several lines of defense between the attacker and the
asset being attacked. To successfully attack the data, each layer
must be penetrated. With each penetration, the probability of
detecting the attacker increases.
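The last sentence can be stated quantitatively. As an added illustration, not part of the booklet, let there be $n$ layers and let layer $i$ detect an attacker who reaches it with probability $p_i$, with detection at each layer assumed independent of the others (an assumption; layers sharing the same monitoring gap are correlated and detect less than this predicts):

$$\Pr[\text{undetected}] = \prod_{i=1}^{n}(1 - p_i), \qquad \Pr[\text{detected}] = 1 - \prod_{i=1}^{n}(1 - p_i).$$

Each additional layer multiplies the undetected probability by a factor below one, so it can only go down. Three layers that each catch only half of attempts give $1 - (1/2)^3 = 7/8$ overall detection, whereas a single control at $p = 1/2$ leaves half of all attacks unseen.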
Policies are the primary embodiment of strategy, guiding decisions made by users, administrators, and managers, and informing those individuals of their security responsibilities. Policies also specify the mechanisms through which responsibilities can be met, and provide guidance in acquiring, configuring, and auditing information systems. Key actions that contribute to the success of a security policy are:
1) Implementing through ordinary means, such as system administration procedures and acceptable-use policies;
2) Enforcing policy through security tools and sanctions;
3) Delineating the areas of responsibility for users, administrators, and managers;
4) Communicating in a clear, understandable manner to all concerned;
5) Obtaining employee certification that they have read and understood the policy;
6) Providing flexibility to address changes in the environment; and
7) Conducting annually a review and approval by the board of directors.
INFORMATION SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication
10. Determine whether PKI (Public Key Infrastructure)-based authentication mechanisms
• Securely issue and update keys,
• Securely unlock the secret key,
• Provide for expiration of keys at an appropriate time period,
• Ensure the certificate is valid before acceptance,
• Update the list of revoked certificates at an appropriate
frequency,
• Employ appropriate measures to protect private and root keys,
and
• Appropriately log use of the root key.
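Several items on this list (valid before acceptance, expiration, a current revocation list, logged use of the root key) come down to checks a relying party must make before it trusts a certificate. The following is an added example written for this newsletter, not from the FFIEC work program or any vendor: a deliberately simplified Python model of that acceptance decision. The certificates, the trust anchor "Example Bank Root CA", the customer subjects, serial numbers, dates, and the revocation lists are all constructed records (there is no X.509 parsing here); a production system would use a real certificate library and an actual CRL or OCSP response, but the decision logic it needs is the same.

```python
"""Certificate-acceptance checks from the examiner's PKI list, as a simplified model (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class RevocationList:
    issuer: str
    this_update: datetime
    next_update: datetime          # a list past this point is stale by its own terms
    revoked_serials: frozenset


@dataclass
class RootKeyAudit:
    """Append-only record of root-key operations (checklist item: log use of the root key)."""
    entries: list = field(default_factory=list)

    def record(self, action, detail, at):
        self.entries.append((at, action, detail))


def issue_certificate(audit, subject, serial, not_before, not_after, issuer="Example Bank Root CA"):
    """Issuing a certificate is a root-key operation, so it is logged before the result is returned."""
    audit.record("sign-certificate", f"serial={serial} subject={subject}", not_before)
    return Certificate(subject, issuer, serial, not_before, not_after)


def check_certificate(cert, now, trusted_issuers, crl, max_crl_age=timedelta(days=1)):
    """Return the list of reasons to reject `cert`; an empty list means accept.

    `max_crl_age` is the institution's own policy for how often the revocation list
    must be refreshed (checklist item: update the revoked list at an appropriate frequency),
    applied in addition to the list's own next_update.
    """
    problems = []
    if cert.issuer not in trusted_issuers:
        problems.append("issuer is not a trusted root")
    if now < cert.not_before:
        problems.append("certificate not yet valid")
    if now > cert.not_after:
        problems.append("certificate expired")
    if crl is None or crl.issuer != cert.issuer:
        problems.append("no revocation list available for this issuer")
    else:
        if now > crl.next_update or now - crl.this_update > max_crl_age:
            problems.append("revocation list is stale; refresh before deciding")
        if cert.serial in crl.revoked_serials:
            problems.append("certificate has been revoked")
    return problems


# Constructed scenario data (hypothetical CA name, subjects, serials and dates).
NOW = datetime(2003, 6, 16, 12, 0)
TRUSTED = {"Example Bank Root CA"}
AUDIT = RootKeyAudit()
GOOD = issue_certificate(AUDIT, "customer-1", 1001, datetime(2003, 1, 1), datetime(2004, 1, 1))
EXPIRED = issue_certificate(AUDIT, "customer-2", 1002, datetime(2001, 1, 1), datetime(2003, 1, 1))
REVOKED = issue_certificate(AUDIT, "customer-3", 1003, datetime(2003, 1, 1), datetime(2004, 1, 1))
UNTRUSTED = Certificate("customer-4", "Some Other CA", 1004, datetime(2003, 1, 1), datetime(2004, 1, 1))
CRL = RevocationList("Example Bank Root CA", NOW - timedelta(hours=6), NOW + timedelta(days=1), frozenset({1003}))
STALE_CRL = RevocationList("Example Bank Root CA", NOW - timedelta(days=10), NOW - timedelta(days=9), frozenset({1003}))


def run_scenarios():
    """Evaluate each constructed certificate and return {scenario: problems}."""
    return {
        "good": check_certificate(GOOD, NOW, TRUSTED, CRL),
        "expired": check_certificate(EXPIRED, NOW, TRUSTED, CRL),
        "revoked": check_certificate(REVOKED, NOW, TRUSTED, CRL),
        "untrusted": check_certificate(UNTRUSTED, NOW, TRUSTED, CRL),
        "stale_crl": check_certificate(GOOD, NOW, TRUSTED, STALE_CRL),
    }


if __name__ == "__main__":
    for name, problems in run_scenarios().items():
        print(f"{name}: {'accept' if not problems else '; '.join(problems)}")
    print(f"{len(AUDIT.entries)} root-key operations logged")
```

The stale-list case is the one worth noticing: the certificate itself is fine, but the relying party cannot know whether it has been revoked, so the correct answer is to refresh the list rather than to accept.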
INTERNET PRIVACY - We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 13, and 14 and/or 15 but not outside of these exceptions (Part 2 of 2)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial and annual
privacy notices. Determine whether or not they:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§§6, 13).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§4(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of delivery (§§4(d), 4(e), and 5(a)), means of delivery of annual notice (§9(c)), and accessibility of or ability to retain the notice (§9(e)).
PENETRATION TESTS - WEB SITE AUDITS - We offer independent Internet auditing regarding web site compliance and penetration-vulnerability testing. Visit http://www.bankwebsiteaudits.com for more information about web site audits. For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.