July 7, 2002
FYI - Regulation and Supervision - Small-Entity Compliance Guide for Regulation P (Privacy of Consumer Financial Information) http://www.federalreserve.gov/regulations/cg/regpcg.htm
FYI - Who's Who in Government Cyber Security - A list of people involved in the government's cybersecurity efforts includes Bush administration officials, legislators from both houses, and private sector representatives. http://www.washingtonpost.com/wp-dyn/articles/A50625-2002Jun26.html
INTERNET COMPLIANCE - Disclosures/Notices (Part 2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk, institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INTERNET SECURITY - We continue the series
from the FDIC "Security Risks Associated with the Internet."
While this Financial Institution Letter was published in
December 1997, the issues still are relevant.
Data Transmission and Types of Firewalls
Data traverses the Internet in units referred to as packets. Each
packet has headers which contain information for delivery, such as
where the packet is from, where it is going, and what application it
contains. The varying firewall techniques examine the headers and
either permit or deny access to the system based on the firewall's
rule configuration.
There are different types of firewalls that provide various levels
of security. For instance, packet filters, sometimes implemented as
screening routers, permit or deny access based solely on the stated
source and/or destination IP address and the application (e.g.,
FTP). However, addresses and applications can be easily falsified,
allowing attackers to enter systems. Other types of firewalls, such
as circuit-level gateways and application gateways, actually have
separate interfaces with the internal and external (Internet)
networks, meaning no direct connection is established between the
two networks. A relay program copies all data from one interface to
another, in each direction. An even stronger firewall, a stateful
inspection gateway, not only examines data packets for IP addresses,
applications, and specific commands, but also provides security
logging and alarm capabilities, in addition to historical
comparisons with previous transmissions for deviations from normal
context.
Implementation
When evaluating the need for firewall technology, the potential
costs of system or data compromise, including system failure due to
attack, should be considered. For most financial institution
applications, a strong firewall system is a necessity. All
information into and out of the institution should pass through the
firewall. The firewall should also be able to translate internal IP
addresses to the firewall's own IP address, so that no inside
addresses are passed to the outside. The possibility always exists that security might be
circumvented, so there must be procedures in place to detect attacks
or system intrusions. Careful consideration should also be given to
any data that is stored or placed on the server, especially
sensitive or critically important data.
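The packet-filter versus stateful-inspection distinction above, together with the requirement that intrusions be detectable, as an added Python example (constructed here, not code from the FDIC letter): a screening-router rule set that decides on header fields alone, beside a gateway that keeps a connection table, admits Internet-side traffic only as a reply to a flow the inside opened, and records an alert for everything else it rejects. The interface names, address prefixes, ports and rules are assumptions.

```python
from dataclasses import dataclass
INTERNAL = "10.0.0."   # constructed internal network prefix (assumption)

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext" (Internet) or "int" (inside)
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool    # True when the packet opens a new TCP connection

# Screening-router rules: (iface, src prefix, dst prefix, dport, action); "*" matches anything.
RULES = [
    ("ext", INTERNAL, "*", None, "deny"),    # anti-spoofing: an "inside" source cannot arrive from the Internet
    ("int", INTERNAL, "*", 443, "allow"),    # inside hosts may open HTTPS connections outbound
    ("*", "*", "*", None, "deny"),           # default deny, which covers all unsolicited inbound traffic
]

def _matches(pattern, value):
    return pattern == "*" or str(value).startswith(pattern)

def packet_filter(pkt):
    """Stateless packet filter: the verdict depends on header fields alone; first match wins."""
    for iface, src, dst, dport, action in RULES:
        if (_matches(iface, pkt.iface) and _matches(src, pkt.src)
                and _matches(dst, pkt.dst) and dport in (None, pkt.dport)):
            return action
    return "deny"

class StatefulGateway:
    """Stateful inspection: remembers flows the inside opened so only genuine replies get back in."""
    def __init__(self):
        self.flows = set()   # (inside host, inside port, outside host, outside port)
        self.alerts = []     # security log of Internet-side packets that were rejected

    def inspect(self, pkt):
        if pkt.iface == "int":
            verdict = packet_filter(pkt)
            if verdict == "allow" and pkt.syn:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        # Internet side: a non-SYN packet that reverses a tracked flow is a reply, so admit it
        if not pkt.syn and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        verdict = packet_filter(pkt)
        if verdict == "deny":
            self.alerts.append(f"ALERT {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} denied on {pkt.iface}")
        return verdict
```

The stateless filter has no way to admit the reply to an outbound connection without a broad inbound "allow" rule, which is the gap the connection table closes.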
PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
20. Does the opt out notice state:
a. that the institution discloses or reserves the right to disclose
nonpublic personal information about the consumer to a nonaffiliated
third party; [§7(a)(1)(i)]
b. that the consumer has the right to opt out of that disclosure;
[§7(a)(1)(ii)] and
c. a reasonable means by which the consumer may opt out? [§7(a)(1)(iii)]