FYI - This week I will be attending
the Network Security Conference sponsored by the Information Systems
Audit and Control Association (ISACA) being held at Caesars Place in
Las Vegas. If you are also attending, I look forward to meeting you.
FYI - More than 27 million people have been victims of identity theft in the last five years, costing them $5 billion and costing businesses and financial institutions almost $48 billion, according to the Federal Trade Commission. http://www.salon.com/business/wire/2003/09/03/ftc/index.html
FYI - Auditing Local Area Networks for new IT auditors. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5439
FYI - Hacking-by-subpoena ruled illegal - Issuing an egregiously overbroad subpoena for stored e-mail qualifies as a computer intrusion in violation of anti-hacking laws, a federal appeals court ruled Thursday, deciding a case in which a litigant in a civil matter subpoenaed every single piece of e-mail his courtroom adversary sent or received. http://www.securityfocus.com/news/6837
FYI - Blaster worm linked to severity of blackout - The W32.Blaster worm may have contributed to the cascading effect of the Aug. 14 blackout, government and industry experts revealed this week. http://www.computerworld.com/printthis/2003/0,4814,84510,00.html
FYI - Accountant escapes tax charges by blaming virus - An accountant in Hoover, Alabama, has been acquitted of tax evasion and filing incorrect returns after a jury accepted his explanation that it was due to a computer virus attack. http://www.theage.com.au/articles/2003/08/29/1062050651422.html
INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
B. RISK MANAGEMENT TECHNIQUES
Managing Service Providers
Financial institutions, especially smaller institutions, may
choose to subcontract with a service provider to create, arrange,
and manage their websites, including weblinks. The primary risks for
these financial institutions are the same as for those institutions
that arrange the links directly. However, if a financial institution
uses a set of pre-established links to a large number of entities
whose business policies or procedures may be unfamiliar, it may
increase its risk exposure. This is particularly true in situations
in which the institution claims in its published privacy policy that
it maintains certain minimum information security standards at all
times.
When a financial institution subcontracts weblinking arrangements to
a service provider, the institution should conduct sufficient due
diligence to ensure that the service provider is appropriately
managing the risk exposure from other parties. Management should
keep in mind that a vendor might establish links to third parties
that are unacceptable to the financial institution. Finally, the
written agreement should contain a regulatory requirements clause in
which the service provider acknowledges that its linking activities
must comply with all applicable consumer protection laws and
regulations.
Financial institution management should consider weblinking
agreements with its service provider to mitigate significant risks.
These agreements should be clear and enforceable with descriptions
of all obligations, liabilities, and recourse arrangements. These
may include the institution's right to exclude from its site links
the financial institution considers unacceptable. Such contracts
should include a termination clause, particularly if the contract
does not include the ability to exclude websites. Finally, a
financial institution should apply its link monitoring policies
discussed above to links arranged by service providers or other
vendors.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 1 of 3)
Public key infrastructure (PKI), if properly implemented and
maintained, may provide a strong means of authentication. By
combining a variety of hardware components, system software,
policies, practices, and standards, PKI can provide for
authentication, data integrity, defenses against customer
repudiation, and confidentiality. The system is based on public key
cryptography in which each user has a key pair - a unique electronic
value called a public key and a mathematically related private key.
The public key is made available to those who need to verify the
user’s identity.
The private key is stored on the user’s computer or a separate
device such as a smart card. When the key pair is created with
strong encryption algorithms and input variables, the probability of
deriving the private key from the public key is extremely remote.
The private key must be stored in encrypted text and protected with
a password or PIN to avoid compromise or disclosure. The private key
is used to create an electronic identifier called a digital
signature that uniquely identifies the holder of the private key and
can only be authenticated with the corresponding public key.
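As an added illustration (not part of the FFIEC booklet or this newsletter), the following Ruby script walks through the key-pair life cycle described above: generate a pair, store the private key encrypted under a passphrase or PIN, sign with the private key, and verify with the public key alone. It assumes only Ruby's bundled openssl library; the message and passphrase are constructed sample values.

```ruby
require 'openssl'
# Added example, not from the FFIEC booklet: the key-pair life cycle the
# passage describes, using Ruby's bundled OpenSSL binding.

# Create a key pair: the public half goes to verifiers, the private half
# stays with the holder (workstation, smart card, HSM).
def generate_key_pair(bits = 2048)
  OpenSSL::PKey::RSA.new(bits)
end

# Store the private key encrypted under a passphrase/PIN, never as
# plaintext PEM on disk.
def export_protected_private_key(key, passphrase)
  key.to_pem(OpenSSL::Cipher.new('aes-256-cbc'), passphrase)
end

# Reloading succeeds only with the correct passphrase; otherwise nil.
def load_protected_private_key(pem, passphrase)
  OpenSSL::PKey::RSA.new(pem, passphrase)
rescue OpenSSL::OpenSSLError
  nil
end

# Sign with the private key ...
def sign(private_key, message)
  private_key.sign(OpenSSL::Digest.new('SHA256'), message)
end

# ... and verify with the public key alone. A signature that verifies
# could only have come from the private-key holder (non-repudiation).
def verify(public_key, message, signature)
  public_key.verify(OpenSSL::Digest.new('SHA256'), signature, message)
end

# Walk through the cycle on a constructed message and passphrase.
def demo
  pin = 'correct horse battery staple'               # constructed
  message = 'Transfer $250.00 to account 4321'       # constructed
  key = generate_key_pair
  pem = export_protected_private_key(key, pin)
  reloaded = load_protected_private_key(pem, pin)
  sig = sign(reloaded, message)
  pub = key.public_key                               # public half only
  { pem_is_encrypted: pem.include?('ENCRYPTED'),
    wrong_pin_rejected: load_protected_private_key(pem, 'wrong').nil?,
    valid: verify(pub, message, sig),
    tampered: verify(pub, message.sub('250', '950'), sig) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The tampered check shows why the signature binds the holder to exactly what was signed: changing one digit of the message makes verification with the same public key fail.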
INFORMATION SECURITY QUESTION:
B. NETWORK SECURITY
9. Evaluate the appropriateness of technical controls mediating access between security domains. Consider:
• Firewall topology and architecture
• Type(s) of firewall(s) being utilized
• Physical placement of firewall components
• Monitoring of firewall traffic
• Firewall updating
• Responsibility for monitoring and updating firewall policy
• Contingency planning
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Initial Privacy Notice
6. Does the institution provide an annual privacy notice to each customer whose loan the institution owns the right to service? [§§5(c), 4(c)(2)]
INTERNET AUDITING SERVICES - We offer independent Internet auditing regarding web site compliance and penetration-vulnerability testing. Visit http://www.bankwebsiteaudits.com for more information about web site audits. For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.
We have clients in 37 states and more than 40 years of banking and bank examining experience.