FYI - Barclays calls in cyber-police - Barclays has called in the cyber-police and slapped a limit on online cash transfers in an attempt to head off an email fraud aimed at its Internet customers. http://www.guardian.co.uk/business/story/0,3604,1042006,00.html

FYI - Preventing the next worm (Security Policy Management Tools) - Information security is a reactive world. The next intrusion, vulnerability or worm is always right around the corner. http://zdnet.com.com/2102-1107_2-5073159.html?tag=printthis

FYI - How Hackers Break In To Enterprise Networks--A Step-By-Step Demo http://www.internetweek.com/shared/printableArticle.jhtml?articleID=14700217
INTERNET COMPLIANCE - Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures via
electronic means has raised many issues with respect to the format
of the disclosures, the manner of delivery, and the ability to
ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
services.
Disclosures are generally required to be "clear and
conspicuous." Therefore, compliance officers should review the
web site to determine whether the disclosures have been designed to
meet this standard. Institutions may find that the format(s)
previously used for providing paper disclosures may need to be
redesigned for an electronic medium. Institutions may find it
helpful to use "pointers" and "hotlinks" that
will automatically present the disclosures to customers when
selected. A financial institution's use solely of asterisks or other
symbols as pointers or hotlinks would not be as clear as descriptive
references that specifically indicate the content of the linked
material.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 3 of 3)
When utilizing PKI policies and controls, financial institutions need to consider the following:

- Defining within the certificate issuance policy the methods of initial verification that are appropriate for different types of certificate applicants and the controls for issuing digital certificates and key pairs;
- Selecting an appropriate certificate validity period to minimize transactional and reputation risk exposure - expiration provides an opportunity to evaluate the continuing adequacy of key lengths and encryption algorithms, which can be changed as needed before issuing a new certificate;
- Ensuring that the digital certificate is valid by such means as checking a certificate revocation list before accepting transactions accompanied by a certificate;
- Defining the circumstances for authorizing a certificate’s revocation, such as the compromise of a user’s private key or the closure of user accounts;
- Updating the database of revoked certificates frequently, ideally in real-time mode;
- Employing stringent measures to protect the root key, including limited physical access to CA facilities, tamper-resistant security modules, dual control over private keys and the process of signing certificates, as well as the storage of original and backup keys on computers that do not connect with outside networks;
- Requiring regular independent audits to ensure controls are in place, public and private key lengths remain appropriate, cryptographic modules conform to industry standards, and procedures are followed to safeguard the CA system;
- Recording in a secure audit log all significant events performed by the CA system, including the use of the root key, where each entry is time/date stamped and signed;
- Regularly reviewing exception reports and system activity by the CA’s employees to detect malfunctions and unauthorized activities; and
- Ensuring the institution’s certificates and authentication systems comply with widely accepted PKI standards to retain the flexibility to participate in ventures that require the acceptance of the financial institution’s certificates by other CAs.

The encryption components of PKI are addressed more fully under “Encryption.”
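As an added illustration (example code written for this newsletter issue, not taken from the FFIEC booklet), the Go program below shows how a relying party can apply several of the controls listed above before accepting a transaction accompanied by a certificate: it requires a fresh CRL signed by the CA, a certificate signed by the CA and inside its validity period, a key length that still meets policy, and a serial number that is not on the CRL. The CA name, the customer certificate, its serial number, the one-year validity period and the 2048-bit minimum are all assumptions constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// AcceptCert applies the relying-party controls listed above; 2048 bits is an assumed policy minimum.
func AcceptCert(cert, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate) {
		return errors.New("CRL unreadable, not signed by the CA, or stale: refresh it before accepting")
	}
	if cert.CheckSignatureFrom(ca) != nil || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate not issued by the CA or outside its validity period")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() < 2048 {
		return errors.New("key length no longer meets policy; reissue with a stronger key")
	}
	for _, r := range crl.RevokedCertificates { // serial present on the current CRL: reject
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate has been revoked")
		}
	}
	return nil
}

// BuildFixture: throwaway CA, one-year customer certificate, and a clean plus a revoking CRL (errors ignored).
func BuildFixture(now time.Time) (ca, leaf *x509.Certificate, cleanCRL, revokingCRL []byte) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	parse := func(der []byte, _ error) *x509.Certificate { c, _ := x509.ParseCertificate(der); return c }
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Bank CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = parse(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "customer-1001"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	leaf = parse(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))
	mkCRL := func(revoked ...pkix.RevokedCertificate) []byte { // CRL signed by the CA, good for one day
		der, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
			ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: revoked}, ca, caKey)
		return der
	}
	return ca, leaf, mkCRL(), mkCRL(pkix.RevokedCertificate{SerialNumber: leaf.SerialNumber, RevocationTime: now})
}
```

Because the CRL's NextUpdate is only a day away, the same certificate is refused once the CRL goes stale, which is the practical effect of the "update the revocation database frequently" control.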
INFORMATION SECURITY QUESTION:
B. NETWORK SECURITY
11. Determine if network-based IDSs (Intrusion Detection Systems) are properly coordinated with firewalls (see “Intrusion Detection” procedures).
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
8) Do the initial, annual, and revised privacy notices include
each of the following, as applicable: (Part 2 of 2)
e) if the institution discloses nonpublic personal information
to a nonaffiliated third party under §13, and no exception under §14
or §15 applies, a separate statement of the categories of
information the institution discloses and the categories of third
parties with whom the institution has contracted; [§6(a)(5)]
f) an explanation of the opt out right, including the method(s)
of opt out that the consumer can use at the time of the notice; [§6(a)(6)]
g) any disclosures that the institution makes under §603(d)(2)(A)(iii)
of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]
h) the institution's policies and practices with respect to
protecting the confidentiality and security of nonpublic personal
information; [§6(a)(8)] and
i) a general statement--with no specific reference to the
exceptions or to the third parties--that the institution makes
disclosures to other nonaffiliated third parties as permitted by
law? [§6(a)(9), (b)]
INTERNET AUDITING SERVICES - We offer independent Internet auditing regarding web site compliance and penetration-vulnerability testing. Visit http://www.bankwebsiteaudits.com for more information about web site audits. For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.
We have clients in 37 states and more than 40 years of banking and bank examining experience.