R. Kinney Williams & Associates

Internet Banking News

November 9, 2003


FYI  - SSL VPN Gateways: A New Approach to Secure Remote Access - Secure Sockets Layer (SSL) Virtual Private Networks (VPNs) are quickly gaining popularity as serious contenders in the remote-access marketplace.  http://www.infosecnews.com/opinion/2003/11/05_02.htm 

FYI  - There is a computer security mantra which says that the basic issues to manage are "ports, passwords and patches."  By managing these, organizations are able to address the majority of vulnerabilities - the provision of unnecessary or vulnerable services, weak user authentication in the form of guessable passwords and other avoidable flaws in the system.  If organizations can get these fundamental points right, they are well on the way to preventing and/or containing a security incident.  http://www.infosecnews.com/opinion/2003/11/05_03.htm 

FYI  - The National Institute of Standards and Technology (NIST) has completed the first draft of NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. This draft guideline provides a recommended set of controls for low and moderate impact systems (based upon the security categorization definitions in FIPS 199, pre-publication).  http://csrc.nist.gov/publications/drafts.html  (Kinney's comments - there is a lot of good IT security information in this 238-page document.)

More Than Half Of US Firms Hit By Computer Theft  - Research just released by Brigadoon Software claims to show that computer theft is a rising problem for US organizations.  http://www.infosecnews.com/sgold/news/2003/11/06_02.htm 

FYI - Microsoft to offer bounty on hackers - Microsoft will work with law enforcement to track down writers of worms, viruses and other malicious code, and is ponying up $5 million to fund the search.  http://news.com.com/2102-7355_3-5102110.html?tag=st_util_print 

FYI - Police data network closed for now - A computer network used to share police files among more than 175 law enforcement departments in Minnesota has been closed after a state lawmaker learned "beyond a shadow of a doubt" someone had hacked into the system to demonstrate its vulnerability.  http://www.twincities.com/mld/pioneerpress/news/politics/7154217.htm 



A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy if required by rules of the institution's regulator.

Home Mortgage Disclosure Act (Regulation C)

The regulations clarify that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.


- We continue our series on the FFIEC interagency Information Security Booklet.  


Network security requires effective implementation of several control mechanisms to adequately secure access to systems and data. Financial institutions must evaluate and appropriately implement those controls relative to the complexity of their network.  Many institutions have increasingly complex and dynamic networks stemming from the growth of distributed computing.

Security personnel and network administrators have related but distinct responsibilities for ensuring secure network access across a diverse deployment of interconnecting network servers, file servers, routers, gateways, and local and remote client workstations.  Security personnel typically lead or assist in the development of policies, standards, and procedures, and monitor compliance. They also lead or assist in incident-response efforts.  Network administrators implement the policies, standards, and procedures in their day-to-day operational role.

Internally, networks can host or provide centralized access to mission-critical applications and information, making secure access an organizational priority. Externally, networks integrate institution and third-party applications that grant customers and insiders access to their financial information and Web-based services. Financial institutions that fail to restrict access properly expose themselves to increased transaction, reputation, and compliance risk from threats including the theft of customer information, data alteration, system misuse, or denial-of-service attacks.




17. Determine whether remote access devices and network access points for remote equipment are appropriately controlled.

• Remote access is disabled by default, and enabled only by management authorization.

• Management authorization is required for each user who accesses sensitive components or data remotely.

• Authentication is of appropriate strength (e.g., two-factor for sensitive components).

• Modems are authorized, configured and managed to appropriately mitigate risks.

• Appropriate logging and monitoring takes place.

• Remote access devices are appropriately secured and controlled by the institution.


 We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

14. Does the institution describe the following about its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information:

a. who is authorized to have access to the information; and [§6(c)(6)(i)]

b. whether security practices and policies are in place to ensure the confidentiality of the information in accordance with the institution’s policy?  [§6(c)(6)(ii)]

(Note: the institution is not required to describe technical information about the safeguards used in this respect.)


INTERNET AUDITING SERVICES - R. Kinney Williams & Associates is recognized as a leader in independent Internet auditing for financial institutions.  With clients in 37 states, and an outstanding record of successful expedient testing, R. Kinney Williams & Associates is your ideal choice as an independent entity to perform your penetration assessment study, which includes the Vulnerability Internet Security Test Audit (VISTA).  You will find information about VISTA at  http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119

