November 10, 2002
FYI - Microsoft on Monday announced plans for its first set of software
tools designed to help banks and other financial institutions
process payments and conduct capital markets trading entirely
online. http://news.com.com/2100-1001-964455.html?tag=fd_top
FYI - Bank of the West exposed the e-mail addresses of thousands of
its online banking customers Monday, in a mistake it blamed on
"human error." http://news.com.com/2100-1017-964611.html?tag=fd_top
INTERNET COMPLIANCE - "Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement.
Conversely, subsidiary web pages that relate to loans do not
require the official advertising statement.
INTERNET SECURITY - We continue our review of the FDIC paper "Risk
Assessment Tools and Practices for Information System Security."
INFORMATION SECURITY PROGRAM
A financial institution's board of directors and senior management
should be aware of information security issues and be involved in
developing an appropriate information security program. A
comprehensive information security policy should outline a proactive
and ongoing program incorporating three components:
1) Prevention
2) Detection
3) Response
Prevention measures include sound security policies,
well-designed system architecture, properly configured firewalls,
and strong authentication programs. This paper discusses two
additional prevention measures: vulnerability assessment tools and
penetration analyses. Vulnerability assessment tools generally
involve running scans on a system to proactively detect known
vulnerabilities such as security flaws and bugs in software and
hardware. These tools can also detect holes allowing unauthorized
access to a network, or insiders to misuse the system. Penetration
analysis involves an independent party (internal or external)
testing an institution's information system security to identify
(and possibly exploit) vulnerabilities in the system and surrounding
processes. Using vulnerability assessment tools and performing
regular penetration analyses will assist an institution in
determining what security weaknesses exist in its information
systems.
Detection measures involve analyzing available information to
determine if an information system has been compromised, misused, or
accessed by unauthorized individuals. Detection measures may be
enhanced by the use of intrusion detection systems (IDSs) that act
as a burglar alarm, alerting the bank or service provider to
potential external break-ins or internal misuse of the system(s)
being monitored.
Another key area involves preparing a response program to
handle suspected intrusions and system misuse once they are
detected. Institutions should have an effective incident response
program outlined in a security policy that prioritizes incidents,
discusses appropriate responses to incidents, and establishes
reporting requirements.
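The detection and response components above can be illustrated with a small "burglar alarm" that reads authentication log lines and raises prioritized alerts for the two cases the paper names: an external break-in (a login that succeeds right after a burst of failures) and internal misuse (a sensitive action by an internal account outside business hours). This is an added example, not code from the FDIC paper or the newsletter; the log format, thresholds, business hours and event names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: "<ISO timestamp> <source-ip> <user> <event>").
SAMPLE_LOG = """\
2002-11-10T02:14:05 203.0.113.7 jsmith LOGIN_FAIL
2002-11-10T02:14:09 203.0.113.7 jsmith LOGIN_FAIL
2002-11-10T02:14:12 203.0.113.7 jsmith LOGIN_FAIL
2002-11-10T02:14:20 203.0.113.7 jsmith LOGIN_OK
2002-11-10T10:05:00 10.0.0.21 tellr1 LOGIN_OK
2002-11-10T10:06:30 10.0.0.21 tellr1 VIEW_ACCOUNT
2002-11-10T23:40:00 10.0.0.34 admin2 LOGIN_OK
2002-11-10T23:41:15 10.0.0.34 admin2 EXPORT_CUSTOMER_DB
"""

FAIL_THRESHOLD = 3                    # assumed: failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=5)    # assumed: how far back failures count
BUSINESS_HOURS = range(8, 18)         # assumed: 08:00-17:59 local time
SENSITIVE_EVENTS = {"EXPORT_CUSTOMER_DB"}   # assumed list of events needing review
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1}   # incident priority used by the response step


def parse(line):
    """Split one log line into (timestamp, source, user, event)."""
    ts, src, user, event = line.split()
    return datetime.fromisoformat(ts), src, user, event


def detect(log_text):
    """Return alerts as (severity, source, user, reason), highest priority first."""
    alerts = []
    failures = defaultdict(list)   # (source, user) -> timestamps of recent failed logins
    for line in log_text.strip().splitlines():
        ts, src, user, event = parse(line)
        key = (src, user)
        if event == "LOGIN_FAIL":
            failures[key].append(ts)
        elif event == "LOGIN_OK":
            # External break-in indicator: success preceded by a burst of failures.
            recent = [t for t in failures[key] if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("HIGH", src, user, f"login succeeded after {len(recent)} failures"))
            failures[key] = []     # reset the counter once a login succeeds
        elif event in SENSITIVE_EVENTS and ts.hour not in BUSINESS_HOURS:
            # Internal misuse indicator: sensitive action outside business hours.
            alerts.append(("MEDIUM", src, user, f"{event} outside business hours"))
    return sorted(alerts, key=lambda a: SEVERITY_ORDER[a[0]])


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```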
PRIVACY EXAMINATION QUESTION - We continue our series listing the
regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
regulations.
41. Does the institution refrain from disclosing any nonpublic
personal information about a consumer to a nonaffiliated third
party, other than as permitted under §§13-15, unless:
a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]
b. it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]
c. it has given the consumer a reasonable opportunity to opt
out before the disclosure; [§10(a)(1)(iii)] and
d. the consumer has not opted out? [§10(a)(1)(iv)]
(Note: this disclosure limitation applies to consumers as
well as to customers [§10(b)(1)], and to all nonpublic personal
information regardless of whether collected before or after
receiving an opt out direction. [§10(b)(2)])