December 1, 2002
- The OCC recently published "Internal
Controls - A Guide for Directors." Whether or not
you are regulated by the OCC, we recommend this as required reading
for your Directors. http://www.occ.treas.gov/IntCtrl.pdf
- Feds, firms unveil test for security pros - A
new certification program for entry-level computer-security
professionals will officially get up and running, said
representatives of the combined industry-government group behind the
FYI- System admins slow to zap bugs - System
administrators are still not patching systems frequently enough,
according to a recently published study of a software security flaw
that allowed the Linux Slapper worm to spread. http://news.com.com/2100-1001-966398.html
- A Greater Threat
than Software Viruses? - The biggest risk to organizations is active
Internet content containing invisible software that enters computer
networks and does damage.
FYI - Identity Theft Highlights Serious Security Flaws - Much
attention has been focused on high-tech solutions, but this week's
bust points out the simple problems with passwords. http://www.pcworld.com/news/article/0,aid,107426,tk,dn112702X,00.asp
FYI - Treasury Issues Moratorium on Section 314(a) Information
Requests - This Notice addresses two matters associated with section
314 of the USA PATRIOT Act as described below. Generally, section
314 authorizes law enforcement authorities to communicate with
banking organizations and others about suspected money launderers
and terrorists, and banking organizations to communicate amongst
themselves about such matters.
FYI - A small Manhattan bank that prosecutors said accepted duffel
bags full of cash without questioning their origin pleaded guilty
yesterday to violating federal money laundering rules in what the
government called the first case of its kind. http://www.nytimes.com/2002/11/28/business/28LAUN.html?ex=1039150800
- Bank of
America's customers are getting a crack at moving checks off the
paper trail and into the digital realm, part of a trend that could
end up saving banks millions of dollars. http://news.com.com/2100-1017-975522.html?tag=cd_mh
- Numerous consumers moved to try to protect their finances and
credit lines Tuesday, a day after prosecutors warned that thousands
of people were vulnerable to a high-tech assault on their identities
after records were stolen from a software company. http://www.nytimes.com/aponline/national/AP-Identity-Theft.html?ex=1038891600
COMPLIANCE - Disclosures/Notices (Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can
"keep" the disclosure. A consumer using certain electronic
devices, such as Web TV, may not be able to print or download the
disclosure. If feasible, a financial institution may wish to include
in its on-line program the ability for consumers to give the
financial institution a non-electronic address to which the
disclosures can be mailed.
INTERNET SECURITY - We continue our review of
the FDIC paper "Risk Assessment Tools and Practices for
Information System Security."
When assessing information security products, management should be
aware that many products offer a combination of risk assessment
features, and can cover single or multiple operating systems.
Several organizations provide independent assessments and
certifications of the adequacy of computer security products (e.g.,
firewalls). While the underlying product may be certified, banks
should realize that the manner in which the products are configured
and ultimately used is an integral part of the products'
effectiveness. If relying on the certification, banks should
understand the certification process used by the organization
certifying the security product. Other examples of items to consider
in the risk assessment process include:
1) Identifying mission-critical information systems, and determining
the effectiveness of current information security programs. For
example, a vulnerability might involve critical systems that are not
reasonably isolated from the Internet and external access via modem.
Having up-to-date inventory listings of hardware and software, as
well as system topologies, is important in this process.
2) Assessing the importance and sensitivity of information and the
likelihood of outside break-ins (e.g., by hackers) and insider
misuse of information. For example, if a large depositor list were
made public, that disclosure could expose the bank to reputational
risk and the potential loss of deposits. Further, the institution
could be harmed if human resource data (e.g., salaries and personnel
files) were made public. The assessment should identify systems that
allow the transfer of funds, other assets, or sensitive
data/confidential information, and review the appropriateness of
access controls and other security policy settings.
3) Assessing the risks posed by electronic connections with business
partners. The other entity may have poor access controls that could
potentially lead to an indirect compromise of the bank's system.
Another example involves vendors that may be allowed to access the
bank's system without proper security safeguards, such as firewalls.
This could result in open access to critical information that the
vendor may have "no need to know."
4) Determining legal implications and contingent liability concerns
associated with any of the above. For example, if hackers
successfully access a bank's system and use it to subsequently
attack others, the bank may be liable for damages incurred by the
party that is attacked.
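As an added illustration of items 1 through 3 above, not code from the FDIC paper or from this newsletter, the Python below runs the corresponding checks over constructed sample data: an inventory of systems, a list of hosts observed on the network, and the systems each vendor connection can actually reach versus what its contract says it needs. All names (core-banking, wire-transfer, atm-servicer, test-box-17 and so on) are hypothetical.

```python
"""Risk-assessment checks for FDIC items 1-3 (added example, not from the paper).

INVENTORY, OBSERVED_HOSTS and the vendor tables are constructed sample data
for a fictitious institution; they are not records from any real bank.
"""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    criticality: str          # "critical", "high" or "normal"
    internet_facing: bool     # reachable from the Internet
    dialin_modem: bool        # reachable by external modem
    handles_funds: bool = False
    data_classes: set = field(default_factory=set)   # e.g. {"pii", "salary"}


# Item 1: the up-to-date hardware/software inventory (constructed).
INVENTORY = {
    "core-banking": System("core-banking", "critical", False, False, True, {"account", "pii"}),
    "wire-transfer": System("wire-transfer", "critical", True, False, True, {"account"}),
    "hr-db": System("hr-db", "high", False, True, False, {"salary", "personnel"}),
    "web-brochure": System("web-brochure", "normal", True, False),
}

# Constructed discovery output: hostnames seen answering on the network.
OBSERVED_HOSTS = ["core-banking", "wire-transfer", "web-brochure", "test-box-17"]

# Item 3 (constructed): what each vendor link can reach vs. what it needs.
VENDOR_REACHABLE = {"atm-servicer": {"core-banking", "hr-db"}}
VENDOR_NEED_TO_KNOW = {"atm-servicer": {"core-banking"}}


def exposed_critical_systems(inventory):
    """Item 1: critical systems not isolated from the Internet or modem access."""
    return sorted(
        s.name for s in inventory.values()
        if s.criticality == "critical" and (s.internet_facing or s.dialin_modem)
    )


def unknown_hosts(inventory, observed):
    """Item 1: hosts seen on the network that the inventory does not list,
    i.e. evidence the inventory is out of date."""
    return sorted(set(observed) - set(inventory))


def sensitive_without_review(inventory, reviewed):
    """Item 2: funds-transfer or sensitive-data systems whose access controls
    are not in the set of names already reviewed."""
    return sorted(
        s.name for s in inventory.values()
        if (s.handles_funds or s.data_classes) and s.name not in reviewed
    )


def vendor_overreach(reachable, need_to_know):
    """Item 3: systems a vendor can reach beyond its documented need to know."""
    findings = {}
    for vendor, systems in reachable.items():
        extra = systems - need_to_know.get(vendor, set())
        if extra:
            findings[vendor] = sorted(extra)
    return findings


def run_assessment(inventory=INVENTORY, observed=OBSERVED_HOSTS,
                   reviewed=frozenset({"core-banking"}),
                   reachable=VENDOR_REACHABLE, need_to_know=VENDOR_NEED_TO_KNOW):
    """Collect all findings in one dict so they can be reported or asserted on."""
    return {
        "exposed_critical": exposed_critical_systems(inventory),
        "unknown_hosts": unknown_hosts(inventory, observed),
        "unreviewed_sensitive": sensitive_without_review(inventory, reviewed),
        "vendor_overreach": vendor_overreach(reachable, need_to_know),
    }


if __name__ == "__main__":
    for finding, detail in run_assessment().items():
        print(f"{finding}: {detail}")
```

Each function returns a list or dict rather than printing, so the findings can feed a report or a later check. The inventory diff is the one that tends to surprise: a host answering on the network that no inventory record explains is exactly the gap item 1 warns about.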
PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
44. If the
institution receives information from a nonaffiliated financial
institution under an exception in §14 or §15, does the institution
refrain from using or disclosing the information except:
a. to disclose the information to the affiliates of the
financial institution from which it received the information;
b. to disclose the information to its own affiliates, which
are in turn limited by the same disclosure and use restrictions as
the recipient institution; [§11(a)(1)(ii)] and
c. to disclose and use the information pursuant to an
exception in §14 or §15 in the ordinary course of business to
carry out the activity covered by the exception under which the
information was received? [§11(a)(1)(iii)]
(Note: the disclosure or use described in section c of
this question need not be directly related to the activity covered
by the applicable exception. For instance, an institution receiving
information for fraud-prevention purposes could provide the
information to its auditors. But "in the ordinary course of
business" does not include marketing. [§11(a)(2)])