FYI - Email Encryption in the Financial Sector - Historically, encryption technology has
been seen as too cumbersome, complicated and expensive for organizations
to invest in, with too little return. Within the financial services
sector, this lack of usability has meant that the Internet has not
been fully exploited as a communications channel between the various
stakeholders, whether customers, partners or suppliers. http://www.infosecnews.com/opinion/2003/12/03_03.htm
FYI - The Role of Ethics in Information Security - In
the context of IT security, ethical issues become more challenging.
Hundreds of millions of people worldwide use computing resources at
work and at home, seemingly under some guise of anonymity. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5466
FYI - Man charged with stealing bank customer data - A man suspected of
stealing confidential account information about thousands of Wells
Fargo Bank customers has been arrested, police said. http://www.cnn.com/2003/TECH/ptech/11/27/wellsfargo.theft.ap/index.html
FYI - Half Of Companies Surveyed Suffered Security Breach - Nearly half
of the nation's fastest-growing companies suffered a recent breach
in information security, according to a survey by consulting giant
PricewaterhouseCoopers. http://www.techweb.com/wire/story/TWB20031124S0008
FYI - FDIC Chairman Donald Powell announced the appointment of Michael E. Bartell as the FDIC's
Chief Information Officer. www.fdic.gov/news/news/press/2003/pr10903.html
INTERNET COMPLIANCE - Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to
make deposited funds available for withdrawal apply in the
electronic financial services environment. This includes rules on
fund availability schedules, disclosure of policy, and payment of
interest. Recently, the FRB published a commentary that clarifies
requirements for providing certain written notices or disclosures to
customers via electronic means. Specifically, the commentary to the
regulations states that a financial institution satisfies both the
written exception hold notice requirement and the general disclosure
requirement by sending an electronic version that displays the text
and is in a form that the customer may keep. However, the customer
must agree to such means of delivery of notices and disclosures.
Information is considered to be in a form that the customer may keep
if, for example, it can be downloaded or printed by the customer. To
reduce compliance risk, financial institutions should test their
programs' ability to provide disclosures in a form that can be
downloaded or printed.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Protocols and Ports (Part 3 of 3)
Applications are built in conformance with the protocols to provide services from
hosts to clients. Because clients must have a standard way of
accessing the services, the services are assigned to standard host
ports. Ports are logical, not physical, locations that are either
assigned or available for specific network services. Under TCP/IP,
65536 ports are available, and the first 1024 ports are commercially
accepted as being assigned to certain services. For instance, Web
servers listen for requests on port 80, and Secure Sockets Layer (SSL) Web
servers listen on port 443. A complete list of the commercially
accepted port assignments is available at www.iana.org.
Ports above 1024 are known as high ports, and are user-assignable.
However, users and administrators have the freedom to assign any
port to any service, and to use one port for more than one service.
Additionally, the service listening on one port may only proxy a
connection for a separate service. For example, a Trojan horse
keystroke-monitoring program can use the Web browser to send
captured keystroke information to port 80 of an attacker's machine.
In that case, monitoring of the packet headers from the compromised
machine would only show a Web request to port 80 of a certain IP
address.
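An added detection example (not part of the FFIEC booklet or this newsletter) that follows from the point above: because packet headers alone show only "a Web request to port 80", a monitor has to look at the first bytes of each connection to tell whether the service on a port is the one its number suggests. The flow records are constructed sample data, and the IP-literal Host-header heuristic is my assumption, not something the booklet prescribes.

```python
import re
from dataclasses import dataclass

# Expected application protocol for a few well-known (below-1024) ports.
EXPECTED = {22: "ssh", 80: "http", 443: "tls"}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the connection

def identify(payload: bytes) -> str:
    """Guess the application protocol from the first client bytes."""
    if re.match(rb"(GET|POST|HEAD|PUT|OPTIONS) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    if payload[:2] == b"\x16\x03":  # TLS record: handshake type, version 3.x
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"

def findings(flow: Flow) -> list:
    """Reasons this flow deserves a closer look; empty means nothing was seen."""
    reasons = []
    observed = identify(flow.payload)
    expected = EXPECTED.get(flow.dport)
    if expected and observed != expected:
        reasons.append(f"port {flow.dport} expects {expected}, saw {observed}")
    if observed == "http":
        host = re.search(rb"\r\nHost: ([^\r\n]+)", flow.payload)
        # Assumed heuristic: browsers send the site name; a bare IP literal in
        # Host often means a program was pointed at an address, not a site.
        if host and re.fullmatch(rb"\d{1,3}(\.\d{1,3}){3}(:\d+)?", host.group(1)):
            reasons.append("HTTP request with an IP-literal Host header")
    return reasons

# Constructed sample flows (not captured traffic): a normal page fetch, a TLS
# handshake, an HTTP POST straight to an IP, and SSH carried over port 80.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.1.1.5", "192.0.2.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow("10.1.1.9", "198.51.100.7", 80, b"POST /u HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\nk=..."),
    Flow("10.1.1.9", "198.51.100.7", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
]

def scan(flows) -> dict:
    """Map the index of each flagged flow to its list of reasons."""
    return {i: findings(f) for i, f in enumerate(flows) if findings(f)}
```

Running `scan(SAMPLE_FLOWS)` flags only the last two flows; the first two look like ordinary Web traffic at every layer the check inspects.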
IT SECURITY QUESTION:
C. HOST SECURITY
2. Determine if the configuration minimizes the functionality of
programs, scripts, and plug-ins to what is necessary and
justifiable.
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
18. If the institution, in its privacy policies, reserves the
right to disclose nonpublic personal information to nonaffiliated
third parties in the future, does the privacy notice include, as
applicable, the:
a. categories of nonpublic personal information that the financial
institution reserves the right to disclose in the future, but does
not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom
the financial institution reserves the right in the future to
disclose, but to whom it does not currently disclose, nonpublic
personal information? [§6(e)(2)]
INTERNET AUDITING SERVICES - R. Kinney Williams & Associates is recognized as a leader in independent
Internet auditing for financial institutions. With
clients in 37 states, and an outstanding record of successful
expedient testing, R. Kinney Williams & Associates is your ideal
choice as an independent entity to perform your
penetration assessment study, which includes the Vulnerability
Internet Security Test Audit (VISTA). You will
find information about VISTA at http://www.internetbankingaudits.com/
or email Kinney Williams at examiner@yennik.com.