R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

December 22, 2002

FYI  - E-mail viruses double in 2002 - E-mail viruses are now twice as prevalent as they were in 2001, with one e-mail in every 200 containing a virus.  http://news.com.com/2100-1001-977945.html?tag=cd_mh 

FYI New IT Strategy: Stopping Viruses at the Gate - The theory behind gateway filtering products is that many viruses can be barred from the workplace by monitoring network protocols, such as SMTP, to filter out malware, rather than depending on desktop antivirus software alone.  http://www.newsfactor.com/perl/story/20201.html 

INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E  (Part 1 of 2)

Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An Interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.

Financial institutions must ensure that consumers who sign-up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services. 

INTERNET SECURITY
We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 

VULNERABILITY ASSESSMENT TOOLS

Vulnerability assessment tools, also called security scanning tools, assess the security of network or host systems and report system vulnerabilities. These tools can scan networks, servers, firewalls, routers, and applications for vulnerabilities. Generally, the tools can detect known security flaws or bugs in software and hardware, determine if the systems are susceptible to known attacks and exploits, and search for system vulnerabilities such as settings contrary to established security policies.

In evaluating a vulnerability assessment tool, management should consider how frequently the tool is updated to include the detection of any new weaknesses such as security flaws and bugs. If there is a time delay before a system patch is made available to correct an identified weakness, mitigating controls may be needed until the system patch is issued.

Generally, vulnerability assessment tools are not run in real-time, but they are commonly run on a periodic basis. When using the tools, it is important to ensure that the results from the scan are secure and only provided to authorized parties. The tools can generate both technical and management reports, including text, charts, and graphs. The vulnerability assessment reports can tell a user what weaknesses exist and how to fix them. Some tools can automatically fix vulnerabilities after detection.

FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail {custom4} a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.

PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

SUBPART C - Exception to Opt Out Requirements for Service Providers and Joint Marketing

47.  If the institution discloses nonpublic personal information to a nonaffiliated third party without permitting the consumer to opt out, do the opt out requirements of 7 and 10, and the revised notice requirements in 8, not apply because:

a.  the institution disclosed the information to a nonaffiliated third party who performs services for or functions on behalf of the institution (including joint marketing of financial products and services offered pursuant to a joint agreement as defined in paragraph (b) of 13); [13(a)(1)]

b.  the institution has provided consumers with the initial notice; [13(a)(1)(i)] and

c.  the institution has entered into a contract with that party prohibiting the party from disclosing or using the information except to carry out the purposes for which the information was disclosed, including use under an exception in 14 or 15 in the ordinary course of business to carry out those purposes? [13(a)(1)(ii)]

IN CLOSING - We wish you very happy Holiday Season and greatly appreciate you support.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated