June 30, 2002
- NCUA - Office of Foreign Assets Control Specially Designated Narcotics
Traffickers Added to List - The Department of the Treasury’s Office of
Foreign Asset Control frequently amends its listing of Specially
Designated Narcotics Traffickers www.ncua.gov/ref/reg_alerts/02-RA-05.html
COMPLIANCE - Disclosures/Notices (Part 1 of
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can
"keep" the disclosure. A consumer using certain electronic
devices, such as Web TV, may not be able to print or download the
disclosure. If feasible, a financial institution may wish to include
in its on-line program the ability for consumers to give the
financial institution a non-electronic address to which the
disclosures can be mailed.
INTERNET SECURITY - We continue the series
from the FDIC "Security Risks Associated with the Internet."
While this Financial Institution Letter was published in
December 1997, the issues still are relevant.
Firewalls - Description, Configuration, and Placement
A firewall is a combination of hardware and software placed between
two networks which all traffic, regardless of the direction, must
pass through. When employed properly, it is a primary security
measure in governing access control and protecting the internal
system from compromise.
The key to a firewall’s ability to protect the network is its
configuration and its location within the system. Firewall products
do not afford adequate security protection as purchased. They must
be set up, or configured, to permit or deny the appropriate traffic.
To provide the most security, the underlying rule should be to deny
all traffic unless expressly permitted. This requires system
administrators to review and evaluate the need for all permitted
activities, as well as who may need to use them. For example, to
protect against Internet protocol (IP) spoofing, data arriving from
an outside network that claims to be originating from an internal
computer should be denied access. Alternatively, systems could be
denied access based on their IP address, regardless of the
origination point. Such requests could then be evaluated based on
what information was requested and where in the internal system it
was requested from. For instance, incoming FTP requests may be
permitted, but outgoing FTP requests denied.
Often, there is a delicate balance between what is necessary to
perform business operations and the need for security. Due to the
intricate details of firewall programming, the configuration should
be reassessed after every system change or software update. Even if
the system or application base does not change, the threats to the
system do. Evolving risks and threats should be routinely monitored
and considered to ensure the firewall remains an adequate security
measure. If the firewall system should ever fail, the default should
deny all access rather than permit the information flow to continue.
Ideally, firewalls should be installed at any point where a computer
system comes into contact with another network. The firewall system
should also include alerting mechanisms to identify and record
successful and attempted attacks and intrusions. In addition,
detection mechanisms and procedures should include the generation
and routine review of security logs.
PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
Opt Out Notice
19. If the institution discloses nonpublic personal information
about a consumer to a nonaffiliated third party, and the exceptions
under §§13-15 do not apply, does the institution provide the
consumer with a clear and conspicuous opt out notice that accurately
explains the right to opt out? [§7(a)(1)]