FYI - Penetration Testing for Web Applications (Part One)
http://www.securityfocus.com/infocus/1704

FYI - Feds Far From Securing Cyberspace - Expert says companies must take responsibility for their own protection.
http://www.pcworld.com/news/article/0,aid,111497,tk,dn070903X,00.asp

FYI - Cybercrime Costs Tech Firms - Companies surveyed say cybercrime poses biggest threat to their financial security.
http://www.pcworld.com/news/article/0,aid,111498,tk,dn070903X,00.asp

FYI - A total of 3,855 new viruses were introduced in the first half of this year, according to Sophos, an increase of 17.5 percent over the same time last year.
http://www.infoworld.com/article/03/07/01/HNbug_1.html
INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."

A. RISK DISCUSSION

Introduction
Compliance risk arises when the linked third party acts in a manner
that does not conform to regulatory requirements. For example,
compliance risk could arise from the inappropriate release or use of
shared customer information by the linked third party. Compliance
risk also arises when the link to a third party creates or affects
compliance obligations of the financial institution.
Financial institutions with weblinking relationships are also
exposed to other risks associated with the use of technology, as
well as certain risks specific to the products and services provided
by the linked third parties. The amount of risk exposure depends on
several factors, including the nature of the link.
Any link to a third-party website creates some risk exposure for an
institution. This guidance applies to links to affiliated, as well
as non-affiliated, third parties. A link to a third-party website
that provides a customer only with information usually does not
create a significant risk exposure if the information being provided
is relatively innocuous, for example, weather reports.
Alternatively, if the linked third party is providing information or
advice related to financial planning, investments, or other more
substantial topics, the risks may be greater. Links to websites that
enable the customer to interact with the third party, either by
eliciting confidential information from the user or allowing the
user to purchase a product or service, may expose the insured
financial institution to more risk than those that do not have such
features.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL

Access Rights Administration (2 of 5)
The enrollment process establishes the
user’s identity and anticipated business needs to information and
systems. New employees, IT outsourcing relationships, and
contractors may also be identified, and the business need for access
determined during the hiring or contracting process.
During enrollment and thereafter, an authorization process
determines user access rights. In certain circumstances the
assignment of access rights may be performed only after the manager
responsible for each accessed resource approves the assignment and
documents the approval. In other circumstances, the assignment of
rights may be established by the employee’s role or group
membership, and managed by pre-established authorizations for that
group. Customers, on the other hand, may be granted access based on
their relationship with the institution.
Authorization for privileged access should be tightly controlled.
Privileged access refers to the ability to override system or
application controls. Good practices for controlling privileged
access include:
• Identifying each privilege associated with each system component,
• Implementing a process to allocate privileges and allocating those privileges either on a need-to-use or an event-by-event basis,
• Documenting the granting and administrative limits on privileges,
• Finding alternate ways of achieving the business objectives,
• Assigning privileges to a unique user ID apart from the one used for normal business use,
• Logging and auditing the use of privileged access,
• Reviewing privileged access rights at appropriate intervals and regularly reviewing privilege access allocations, and
• Prohibiting shared privileged access by multiple users.
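The practices listed above can be modelled in code. The following Python sketch is an added example, not code from the FFIEC booklet or from this newsletter: it keeps a per-component privilege catalogue, assigns privileges only to a separate privileged ID owned by exactly one person, allocates them event-by-event with a documented approval that cannot come from the holder and with an expiry, logs every use, refuses use by anyone other than the ID's owner, and produces findings for periodic review. All account names, times and the change reference are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Grant:
    priv_id: str          # privileged account, distinct from the person's normal ID
    component: str        # system component the privilege belongs to
    privilege: str        # privilege named in the component's catalogue
    approved_by: str      # resource owner who approved this grant
    reason: str           # change record or ticket reference (constructed)
    expires: datetime     # event-by-event grants are time-boxed


@dataclass
class PrivilegeAdmin:
    # practice: every privilege is enumerated per system component
    catalogue: dict
    # unique privileged ID -> the one person who may operate it
    owners: dict = field(default_factory=dict)
    grants: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def register_privileged_id(self, priv_id, person, normal_id):
        """Practice: privileges live on an ID separate from the normal business ID."""
        if priv_id == normal_id:
            raise ValueError(f"{priv_id} must differ from the normal ID {normal_id}")
        if priv_id in self.owners:
            raise ValueError(f"{priv_id} is already assigned; privileged IDs are not shared")
        self.owners[priv_id] = person

    def grant(self, priv_id, component, privilege, approved_by, reason, now,
              ttl=timedelta(hours=4)):
        """Practice: allocate on an event-by-event basis with documented approval."""
        if privilege not in self.catalogue.get(component, ()):
            raise ValueError(f"{privilege} is not a catalogued privilege of {component}")
        owner = self.owners.get(priv_id)
        if owner is None:
            raise ValueError(f"{priv_id} is not a registered privileged ID")
        if approved_by == owner:
            raise ValueError("the holder of a privileged ID may not approve their own grant")
        g = Grant(priv_id, component, privilege, approved_by, reason, now + ttl)
        self.grants.append(g)
        self.log.append(("GRANT", now, priv_id, component, privilege, approved_by, reason))
        return g

    def use(self, priv_id, operator, component, privilege, now):
        """Practice: every use is logged; use by anyone but the ID's owner is refused."""
        if self.owners.get(priv_id) != operator:
            self.log.append(("SHARED-USE-DENIED", now, priv_id, operator, component, privilege))
            return False
        live = any(g.priv_id == priv_id and g.component == component
                   and g.privilege == privilege and g.expires > now for g in self.grants)
        self.log.append(("USE" if live else "DENIED", now, priv_id, operator, component, privilege))
        return live

    def review(self, now):
        """Practice: periodic review of allocations and of the privileged-access log."""
        findings = []
        for g in self.grants:
            if g.expires <= now:
                findings.append(f"lapsed grant still on record: {g.priv_id} {g.component}:{g.privilege}")
        for entry in self.log:
            if entry[0] == "SHARED-USE-DENIED":
                findings.append(f"attempted shared use of {entry[2]} by {entry[3]}")
        return findings


def demo():
    """Constructed walk-through; every name, time and reference here is made up."""
    t0 = datetime(2003, 7, 9, 9, 0)
    admin = PrivilegeAdmin(catalogue={"core-db": {"alter-schema", "read-all"}})
    admin.register_privileged_id("jdoe-adm", person="jdoe", normal_id="jdoe")
    admin.grant("jdoe-adm", "core-db", "alter-schema", approved_by="dba-manager",
                reason="CHG-0001 (constructed)", now=t0)
    in_window = admin.use("jdoe-adm", "jdoe", "core-db", "alter-schema", t0 + timedelta(hours=1))
    after_expiry = admin.use("jdoe-adm", "jdoe", "core-db", "alter-schema", t0 + timedelta(hours=5))
    shared = admin.use("jdoe-adm", "asmith", "core-db", "alter-schema", t0 + timedelta(hours=2))
    return in_window, after_expiry, shared, admin.review(t0 + timedelta(hours=6))


if __name__ == "__main__":
    print(demo())
```

The review step is deliberately separate from enforcement: the log records denied and shared-use attempts even though they were refused, because the booklet's practice is to audit privileged access, not only to block it.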
INFORMATION SECURITY QUESTION:

A. AUTHENTICATION AND ACCESS CONTROLS - Authentication
13. Review authenticator reissuance and reset procedures.
Determine whether controls adequately mitigate risks from:
• Social engineering
• Errors in the identification of the user
• Inability to re-issue on a large scale in the event of a mass
compromise
INTERNET PRIVACY - We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.
Redisclosure of nonpublic personal information received from a
nonaffiliated financial institution outside of Sections 14 and 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure of the
information where the institution is the recipient of nonpublic
personal information (§11(b)).
B. Select a sample of data received from nonaffiliated financial
institutions and shared with others to evaluate the financial
institution's compliance with redisclosure limitations.
1. Verify that the institution's redisclosure of the
information was only to affiliates of the financial institution from
which the information was obtained or to the institution's own
affiliates, except as otherwise allowed in step 2 below (§11(b)(1)(i)
and (ii)).
2. If the institution shares information with entities other
than those under step 1 above, verify that the institution's
information sharing practices conform to those in the nonaffiliated
financial institution's privacy notice (§11(b)(1)(iii)).
3. Also, review the procedures used by the institution to
ensure that the information sharing reflects the opt out status of
the consumers of the nonaffiliated financial institution (§§10,
11(b)(1)(iii)).
PENETRATION TESTS - WEB SITE AUDITS - We offer independent Internet auditing regarding web site compliance and penetration-vulnerability testing. Visit http://www.bankwebsiteaudits.com for more information about web site audits. For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.