R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

November 10, 2002

FYI  - Microsoft on Monday announced plans for its first set of software tools designed to help banks and other financial institutions process payments and conduct capital markets trading entirely online.  http://news.com.com/2100-1001-964455.html?tag=fd_top 

FYI  - Bank of the West exposed the e-mail addresses of thousands of its online banking customers Monday, in a mistake it blamed on "human error."  http://news.com.com/2100-1017-964611.html?tag=fd_top 


INTERNET COMPLIANCE - "Member FDIC" Logo - When is it required?

The FDIC believes that every bank's home page is to some extent an advertisement. Accordingly, bank web site home pages should contain the official advertising statement unless the advertisement is subject to exceptions such as advertisements for loans, securities, trust services and/or radio or television advertisements that do not exceed thirty seconds. 

Whether subsidiary web pages require the official advertising statement will depend upon the content of the particular page.  Subsidiary web pages that advertise deposits must contain the official advertising statement.  Conversely, subsidiary web pages that relate to loans do not require the official advertising statement. 

INTERNET SECURITY
- We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security."

INFORMATION SECURITY PROGRAM

A financial institution's board of directors and senior management should be aware of information security issues and be involved in developing an appropriate information security program. A comprehensive information security policy should outline a proactive and ongoing program incorporating three components: 

1) Prevention 
2) Detection 
3) Response 

Prevention measures include sound security policies, well-designed system architecture, properly configured firewalls, and strong authentication programs. This paper discusses two additional prevention measures: vulnerability assessment tools and penetration analyses. Vulnerability assessment tools generally involve running scans on a system to proactively detect known vulnerabilities such as security flaws and bugs in software and hardware. These tools can also detect holes allowing unauthorized access to a network, or insiders to misuse the system. Penetration analysis involves an independent party (internal or external) testing an institution's information system security to identify (and possibly exploit) vulnerabilities in the system and surrounding processes. Using vulnerability assessment tools and performing regular penetration analyses will assist an institution in determining what security weaknesses exist in its information systems. 

Detection measures involve analyzing available information to determine if an information system has been compromised, misused, or accessed by unauthorized individuals. Detection measures may be enhanced by the use of intrusion detection systems (IDSs) that act as a burglar alarm, alerting the bank or service provider to potential external break-ins or internal misuse of the system(s) being monitored.


Another key area involves preparing a response program to handle suspected intrusions and system misuse once they are detected. Institutions should have an effective incident response program outlined in a security policy that prioritizes incidents, discusses appropriate responses to incidents, and establishes reporting requirements.
 

PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

41. Does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under 13-15, unless:

a.  it has provided the consumer with an initial notice; [10(a)(1)(i)]

b.  it has provided the consumer with an opt out notice; [10(a)(1)(ii)]

c.  it has given the consumer a reasonable opportunity to opt out before the disclosure; [10(a)(1)(iii)] and

d.  the consumer has not opted out? [10(a)(1)(iv)]

(Note: this disclosure limitation applies to consumers as well as to customers [10(b)(1)], and to all nonpublic personal information regardless of whether collected before or after receiving an opt out direction. [10(b)(2)])

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated