FYI - Best Practices for Wireless Network Security - Wireless technology is dramatically changing the world of computing, creating new business opportunities but also increasing security risks. http://www.computerworld.com/printthis/2003/0,4814,86951,00.html

FYI - The Risks of Outsourcing - Outsourcing IT development and services has suddenly become a big issue among business executives, IT professionals, and politicians in Europe and North America. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5465

FYI - Brazil cracks down on hackers - Brazilian police arrested 18 Internet hackers in a massive effort to dismantle a gang operating across four northern states, authorities said. http://news.com.com/2102-7355_3-5103010.html?tag=st_util_print

FYI - Australia - RUBBISH tips were searched by Telstra staff in a desperate attempt to recover classified government emails stored in a wheelie bin and accidentally dumped, a Senate committee has been told. http://news.com.au/common/story_page/0,4057,7759335^15319,00.html

FYI - Keeping up with the latest security updates is a full-time job. Dale Sweitzer, a network administrator for Crossville Ceramics in Crossville, Tennessee, has hit a rough patch--or a series of rough patches, to be exact. http://www.pcworld.com/news/article/0,aid,113296,00.asp

FYI - For the National Guard Bureau, the ability to share data for disaster planning and first response has been hampered by a constant stream of hacker intrusions on its unclassified networks over the past two years. http://www.gcn.com/vol1_no1/daily-updates/24059-1.html

FYI - Execs aim to teach better security - Ten security executives have formed a group to help companies and the government create a secure information infrastructure. http://news.com.com/2100-7355-5106573.html?tag=cd_top
INTERNET COMPLIANCE - Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit investment
products on-line should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with
this Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Network Configuration
Computer networks often extend connectivity far beyond the financial
institution and its data center. Networks provide system access and
connectivity between business units, affiliates, TSPs, business
partners, customers, and the public. This increased connectivity
requires additional controls to segregate and restrict access
between various groups and information users.
A typical approach to securing a large network involves dividing the
network into logical security domains. A logical security domain is
a distinct part of a network with security policies that differ from
other domains. The differences may be far broader than network
controls, encompassing personnel, host, and other issues.
Typical network controls that distinguish security domains include access control software permissions, dedicated lines, filtering routers, firewalls, remote-access servers, and virtual private networks. This booklet discusses additional access controls within the applications and operating systems residing on the network in other sections. Before selecting the appropriate controls, financial institutions should map and configure the network to identify and control all access control points. Network configuration considerations could include the following actions:

- Identifying the various applications and user groups accessed via the network;
- Identifying all access points to the network, including the various telecommunications channels (e.g., wireless, Ethernet, frame relay, dedicated lines, remote dial-up access, extranets, Internet);
- Mapping the internal and external connectivity between the various network segments;
- Defining minimum access requirements for network services (most often referred to as a network services access policy); and
- Determining the most appropriate network configuration to ensure adequate security and performance.

With a clear understanding of network connectivity, the financial institution can avoid introducing security vulnerabilities by minimizing access to less-trusted domains and employing encryption for less secure connections. Institutions can then determine the most effective deployment of protocols, filtering routers, firewalls, gateways, proxy servers, and/or physical isolation to restrict access. Some applications and business processes may require complete segregation from the corporate network (e.g., no connectivity between the corporate network and the wire transfer system). Others may restrict access by placing the services that must be accessed by each zone in their own security domain, commonly called a "demilitarized zone" (DMZ).
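The mapping and policy steps above can be turned into a repeatable check: once the connectivity between segments has been mapped (for example from a firewall rule review), each mapped flow is compared against the network services access policy, and flows that touch a fully segregated system or carry cleartext protocols inbound from a less-trusted domain are flagged. The zones, services, policy and connectivity map below are constructed for this added example and are not from the FFIEC booklet or any real institution.

```python
"""Audit a mapped connectivity table against a network services access policy.
Zones, services, policy entries and the flow list are constructed sample data."""
from dataclasses import dataclass

# Trust ranking of the security domains (higher = more trusted). Constructed.
TRUST = {"internet": 0, "dmz": 1, "corporate": 2, "wire_transfer": 3}

# Network services access policy: (source zone, destination zone) -> services the
# destination may expose to that source. Anything not listed is denied, which is
# the "minimum access requirements" idea. wire_transfer is deliberately absent:
# it must have no connectivity with the corporate network at all.
POLICY = {
    ("internet", "dmz"): {"https"},
    ("dmz", "corporate"): {"app-api"},
    ("corporate", "dmz"): {"https", "ssh"},
    ("corporate", "internet"): {"https"},
}

CLEARTEXT = {"telnet", "ftp", "http"}  # protocols that should be encrypted instead


@dataclass(frozen=True)
class Flow:
    src: str      # source security domain
    dst: str      # destination security domain
    service: str  # service exposed by the destination


def check_flow(flow: Flow) -> list:
    """Return the policy findings for one mapped connection (empty list = compliant)."""
    findings = []
    tag = f"{flow.src}->{flow.dst} {flow.service}"
    if flow.service not in POLICY.get((flow.src, flow.dst), set()):
        findings.append(f"{tag}: not permitted by the network services access policy")
    if "wire_transfer" in (flow.src, flow.dst):
        findings.append(f"{tag}: wire transfer system must be completely segregated")
    if TRUST[flow.src] < TRUST[flow.dst] and flow.service in CLEARTEXT:
        findings.append(f"{tag}: cleartext service reachable from a less-trusted domain")
    return findings


def audit(flows) -> dict:
    """Audit every mapped flow; returns only the flows that have findings."""
    report = {}
    for flow in flows:
        findings = check_flow(flow)
        if findings:
            report[flow] = findings
    return report


# Constructed connectivity map, as a firewall rule review might produce it.
MAPPED_FLOWS = [
    Flow("internet", "dmz", "https"),          # compliant
    Flow("internet", "dmz", "ssh"),            # not in policy
    Flow("dmz", "corporate", "app-api"),       # compliant
    Flow("corporate", "wire_transfer", "smb"), # breaks complete segregation
    Flow("internet", "corporate", "telnet"),   # not in policy and cleartext
]

if __name__ == "__main__":
    for flow_findings in audit(MAPPED_FLOWS).values():
        print("\n".join(flow_findings))
```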
IT SECURITY QUESTION:

B. NETWORK SECURITY

18. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

15. If the institution provides a short-form initial privacy notice with the opt out notice, does the institution do so only to consumers with whom the institution does not have a customer relationship? [§6(d)(1)]
INTERNET AUDITING SERVICES - R. Kinney Williams & Associates is recognized as a leader in independent Internet auditing for financial institutions. With clients in 37 states, and an outstanding record of successful expedient testing, R. Kinney Williams & Associates is your ideal choice as an independent entity to perform your penetration assessment study, which includes the Vulnerability Internet Security Test Audit (VISTA). You will find information about VISTA at http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.