R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

September 15, 2002

FYI  - Companies Snooze on Cyber-Security - To a shocking degree, top execs remain largely uninvolved with this critical issue, and their businesses remain vulnerable.  http://www.businessweek.com/technology/content/sep2002/tc20020910_7073.htm 

INTERNET COMPLIANCE
Flood Disaster Protection Act

The regulation implementing the National Flood Insurance Program requires a financial institution to notify a prospective borrower and the servicer that the structure securing the loan is located or to be located in a special flood hazard area. The regulation also requires a notice of the servicer's identity be delivered to the insurance provider. While the regulation addresses electronic delivery to the servicer and to the insurance provider, it does not address electronic delivery of the notice to the borrower.


INTERNET SECURITY
We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Intrusion Response Policies and Procedures. Management should establish, document, and review the policies and procedures that guide the bank's response to information system intrusions. The review should take place at least annually, with more frequent reviews if the risk exposure warrants them. 

Policies and procedures should address the following:

1. The priority and sequence of actions to respond to an intrusion. Actions should address the containment and elimination of an intrusion and system restoration. Among other issues, containment actions include a determination of which business processes must remain operational, which systems may be disconnected as a precaution, and how to address authentication compromises (e.g., revealed passwords) across multiple systems.

2. Gathering and retaining intrusion information, as discussed below.

3. The employee's authority to act, whether by request or by pre-approval, and the process for escalating the intrusion response to progressively higher degrees of intensity and senior management involvement.

4. Availability of necessary resources to respond to intrusions. Management should ensure that contact information is available for those that are responsible for responding to intrusions.

5. System restoration tools and techniques, including the elimination of the intruder's means of entry and back doors, and the restoration of data and systems to the pre-intrusion state.

6. Notification and reporting to operators of other affected systems, users, regulators, incident response organizations, and law enforcement. Guidelines for filing a Suspicious Activity Report for suspected computer related crimes are discussed below, and in OCC Advisory Letter 97-9, "Reporting Computer Related Crimes" (November 19, 1997). 

7. Periodic testing, as discussed below.

8. Staff training resources and requirements. 

PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

34. Does the institution deliver a revised privacy notice when it: 

a. discloses a new category of nonpublic personal information to a nonaffiliated third party; ['8(b)(1)(i)]

b. discloses nonpublic personal information to a new category of nonaffiliated third party; ['8(b)(1)(ii)] or

c. discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure? ['8(b)(1)(iii)]

(
Note: a revised notice is not required if the institution adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. ['8(b)(2)])

IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and examiners recommend a security test of your Internet  connection to help ensure that your Internet connection is configured properly to prevent unauthorized intrusion.   The Vulnerability Internet Security Test Audit (VISTA) is an independent security test of the network's connection to the Internet that meets the regulatory requirements.  As a former bank examiner, we provide an independent review of the test results and an audit letter to your Board of Directors certifying the test results.  For answers to frequently asked questions regarding vulnerability tests, visit http://www.internetbankingaudits.com/frequently_asked_questions.htm

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated