September 15, 2002
- Companies Snooze on Cyber-Security -
To a shocking degree, top execs remain largely
uninvolved with this critical issue, and their businesses remain
INTERNET COMPLIANCE - Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program requires
a financial institution to notify a prospective borrower and the servicer
that the structure securing the loan is located or to be located in a
special flood hazard area. The regulation also requires a notice of the
servicer's identity be delivered to the insurance provider. While the
regulation addresses electronic delivery to the servicer and to the
insurance provider, it does not address electronic delivery of the notice
to the borrower.
INTERNET SECURITY - We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review Intrusion
Response Policies and
Procedures. Management should establish, document, and review the policies
and procedures that guide the bank's response to information system
intrusions. The review should take place at least annually, with more
frequent reviews if the risk exposure warrants them.
Policies and procedures should address the following:
1. The priority and sequence of actions to respond to an intrusion.
Actions should address the containment and elimination of an intrusion and
system restoration. Among other issues, containment actions include a
determination of which business processes must remain operational, which
systems may be disconnected as a precaution, and how to address
authentication compromises (e.g., revealed passwords) across multiple
2. Gathering and retaining intrusion information, as discussed below.
3. The employee's authority to act, whether by request or by pre-approval,
and the process for escalating the intrusion response to progressively
higher degrees of intensity and senior management involvement.
4. Availability of necessary resources to respond to intrusions.
Management should ensure that contact information is available for those
who are responsible for responding to intrusions.
5. System restoration tools and techniques, including the elimination of
the intruder's means of entry and back doors, and the restoration of data
and systems to the pre-intrusion state.
6. Notification and reporting to operators of other affected systems,
users, regulators, incident response organizations, and law enforcement.
Guidelines for filing a Suspicious Activity Report for suspected
computer-related crimes are discussed below, and in OCC Advisory Letter
97-9, "Reporting Computer Related Crimes" (November 19, 1997).
7. Periodic testing, as discussed below.
8. Staff training resources and requirements.
PRIVACY EXAMINATION QUESTION - We continue our series
listing the regulatory-privacy examination questions. When you
answer the question each week, you will help ensure compliance with the
34. Does the institution deliver a revised privacy notice when it:
a. discloses a new category of nonpublic personal information to a
nonaffiliated third party; [§8(b)(1)(i)]
b. discloses nonpublic personal information to a new category of
nonaffiliated third party; [§8(b)(1)(ii)] or
c. discloses nonpublic personal information about a former customer to a
nonaffiliated third party, if that former customer has not had the
opportunity to exercise an opt out right regarding that disclosure?
(Note: a revised notice is not required if the institution adequately
described the nonaffiliated third party or information to be disclosed in
the prior privacy notice.)
IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and examiners
recommend a security test of your Internet connection to help ensure that
your Internet connection is configured properly to prevent unauthorized
intrusion. Vulnerability Internet Security Test Audit (VISTA) is an
independent security test of the connection to the Internet that meets the
regulatory requirements.
a former bank examiner, we provide an independent review of the test
results and an audit letter to your Board of Directors certifying the test
results. For answers to frequently asked questions regarding
vulnerability tests, visit http://www.internetbankingaudits.com/frequently_asked_questions.htm.