October 27, 2002
- Over the last eight months major new hacker tools have been released or
revealed, ending a lull in activity among hackers that followed the
September 11 terrorist attacks and the enactment of legislation that
enhanced law enforcement's ability to prosecute people who break code and
wreak havoc on networks by exploiting software vulnerabilities, hacking
consultant Ed Skoudis said Thursday. http://www.pcworld.com/news/article/0,aid,106352,tk,dn102502X,00.asp
- Is Microsoft Licensing Forcing Banks to Break the
Privacy Laws? http://boston.internet.com/news/article.php/1485861
- The Treasury Department is advising all financial institutions
that they will not be required to comply with section 326 of the USA
PATRIOT ACT or the proposed rules issued by Treasury and the federal
functional regulators on July 23 until final implementing
regulations are issued and become effective. http://www.ustreas.gov/press/releases/po3530.htm
- Microsoft is investigating a security breach
on a server that hosts its Windows beta community, which allows more
than 20,000 Windows users a chance to test software that is still in
- The heart of the Internet sustained its largest and most
sophisticated attack ever, starting late Monday, according to
officials at key online backbone organizations.
- In the first case of its kind, U.S. District Judge Patricia Seitz
said the Americans with Disabilities Act (ADA) applies only to
physical spaces such as restaurants and movie theaters and not to
the Internet. http://news.com.com/2100-1023-962761.html?tag=fd_top_1
COMPLIANCE - The Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:
When violations of the consumer protection laws regarding a
financial institution's electronic services have been cited,
generally the compliance officer has not been involved in the
development and implementation of the electronic services.
Therefore, it is suggested that management and system
designers consult with the compliance officer during the development
and implementation stages in order to minimize compliance risk.
The compliance officer should ensure that the proper controls
are incorporated into the system so that all relevant compliance
issues are fully addressed. This
level of involvement will help decrease an institution's compliance
risk and may prevent the need to delay deployment or redesign
programs that do not meet regulatory requirements.
The compliance officer should develop a compliance risk profile as a
component of the institution's online banking business and/or
technology plan. This
profile will establish a framework from which the compliance officer
and technology staff can discuss specific technical elements that
should be incorporated into the system to ensure that the online
system meets regulatory requirements.
For example, the compliance officer may communicate with the
technology staff about whether compliance disclosures/notices on a
web site should be indicated or delivered by the use of
"pointers" or "hotlinks" to ensure that required
disclosures are presented to the consumer. The compliance officer can also be an ongoing resource to
test the system for regulatory compliance.
INTERNET SECURITY - Over the next few weeks
we will cover the FDIC's paper "Risk Assessment Tools and
Practices for Information System Security" dated July 7, 1999.
This is our first selection for your reading.
Whether financial institutions contract with third-party providers
for computer services such as Internet banking, or maintain computer
services in-house, bank management is responsible for ensuring that
systems and data are protected against risks associated with
emerging technologies and computer networks. If a bank is relying on
a third-party provider, management must generally understand the
provider's information security program to effectively evaluate the
security system's ability to protect bank and customer data.
The FDIC has previously issued guidance on information security
concerns such as data privacy and confidentiality, data integrity,
authentication, non-repudiation, and access control/system design.
This paper is designed to supplement Financial Institution Letter
131-97, "Security Risks Associated With the Internet,"
dated December 18, 1997, and to complement the FDIC's safety and
soundness electronic banking examination procedures. Related
guidance can be found in the FFIEC Information Systems Examination
PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
39. Does the institution use an appropriate means to ensure
that notices may be retained or obtained later, such as:
a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]
b. mailing a printed copy to the last known address of the customer;
c. making the current privacy notice available on the institution's
web site (or via a link to the notice at another site) for the
customer who agrees to receive the notice at the web site? [§9(e)(2)(iii)]