FYI - BankRI customer information stolen along with laptop - Bank Rhode Island's CEO said today that her IT department plans to install encryption and fraud-detection software on computers after a laptop containing the names, addresses and Social Security numbers of about 43,000 customers was stolen from its principal data-processing provider, Fiserv Inc.
http://www.computerworld.com/printthis/2003/0,4814,88443,00.html
SANS Institute checklist to evaluate your application service provider: http://www.sans.org/score/asp_checklist.php
FYI - NASA sites hacked - Thirteen NASA Web sites were defaced this morning by a Brazilian crew dubbed drwxr, according to a statement from Zone-H, an organization that monitors hacking.
http://www.computerworld.com/printthis/2003/0,4814,88348,00.html
FYI - OMB releases e-authentication guidance - Agencies should assess authentication risks for online transactions and determine the required level of assurance for each transaction, Office of Management and Budget officials said. http://www.fcw.com/fcw/articles/2003/1215/web-omb-12-16-03.asp
FYI - AS/400 Programmer Convicted of Computer Fraud - An AS/400 programmer in Florida was given a one-year sentence earlier this month for intentionally deleting his former employer's critical OS/400 applications.
http://www.midrangeserver.com/tfh/tfh121503-story03.html
FYI - Windows ATMs Raise Security Concerns - Banks everywhere are replacing OS/2 with Windows, but are hackers happy? http://www.pcworld.com/news/article/0,aid,113997,tk,dn122303X,00.asp
FYI - Raymond James Financial Inc. said it could cost more than $13 million to settle complaints that it overcharged customers who made large purchases of mutual funds. http://famulus.msnbc.com/famulusgen/ap12-24-074810.asp?t=apcom&vts=122420030846#body
FYI - Bush signs bill aimed at controlling spam - President George W. Bush signed a bill into law today establishing federal rules for commercial e-mail and penalties for unsolicited mass spamming.
http://www.computerworld.com/printthis/2003/0,4814,88306,00.html
FYI - Federal Regulators Seek Public Comment on Ways to Improve Privacy Notices - Eight federal regulators today announced an advance notice of proposed rulemaking requesting public comment on ways to improve the privacy notices financial institutions provide to consumers under the Gramm-Leach-Bliley Act.
Press Release: www.fdic.gov/news/news/press/2003/pr13003.html
Press Release: www.federalreserve.gov/boarddocs/press/bcreg/2003/20031223/default.htm
Press Release: www.ncua.gov/news/press_releases/2003/JR03-1223.pdf
Press Release: www.ots.treas.gov/docs/77340.html
Press Release: www.occ.treas.gov/ftp/release/2003-104.htm
Attachment: www.occ.treas.gov/ftp/release/2003-104a.pdf
Attachment: www.occ.treas.gov/ftp/release/2003-104b.pdf
Attachment: www.occ.treas.gov/ftp/release/2003-104c.pdf
Attachment: www.occ.treas.gov/ftp/release/2003-104d.pdf
Attachment: www.occ.treas.gov/ftp/release/2003-104e.pdf
FYI - Burma and Two Burmese Banks Are Considered "Primary Money Laundering Concerns" - On November 18, 2003, the Department of the Treasury announced the designation of Burma and two Burmese banks to be of "primary money laundering concern" under Section 311 of the USA PATRIOT Act. Treasury, acting through the Financial Crimes Enforcement Network, is issuing a proposed rule to impose special measures against Burma and the two Burmese financial institutions. www.fdic.gov/news/news/financial/2003/fil0397.html
INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
A. RISK DISCUSSION
Reputation Risk
Customers may be confused about whether the financial institution or
a third party is supplying the product, service, or other website
content available through the link. The risk of customer confusion
can be affected by a number of factors:
- nature of the third-party product or service;
- trade name of the third party; and
- website appearance.
Nature of Product or Service
When a financial institution provides links to third parties that
sell financial products or services, or provide information relevant
to these financial products and services, the risk is generally
greater than if third parties sell non-financial products and
services due to the greater potential for customer confusion. For
example, a link from a financial institution's website to a mortgage
bank may expose the financial institution to greater reputation risk
than a link from the financial institution to an online clothing
store.
The risk of customer confusion with respect to links to firms
selling financial products is greater for two reasons. First,
customers are more likely to assume that the linking financial
institution is providing or endorsing financial products rather than
non-financial products. Second, products and services from certain
financial institutions often have special regulatory features and
protections, such as federal deposit insurance for qualifying
deposits. Customers may assume that these features and protections
also apply to products that are acquired through links to
third-party providers, particularly when the products are financial
in nature.
When a financial institution links to a third party that is
providing financial products or services, management should consider
taking extra precautions to prevent customer confusion. For example,
a financial institution linked to a third party that offers
nondeposit investment products should take steps to prevent customer
confusion specifically with respect to whether the institution or
the third party is offering the products and services and whether
the products and services are federally insured or guaranteed by the
financial institution.
Financial institutions should recognize, even in the case of
non-financial products and services, that customers may have
expectations about an institution's due diligence and its selection
of third parties to which the financial institution links its
website. Should customers experience dissatisfaction as a result of
poor quality products or services, or loss as a result of their
transactions with those companies, they may consider the financial
institution responsible for the perceived deficiencies of the
seller.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Routing (Part 2 of 2)
Routers and switches are sometimes difficult to locate. Users may
install their own devices and create their own unauthorized subnets.
Any unrecognized or unauthorized network devices pose security
risks. Financial institutions should periodically audit network
equipment to ensure that only authorized and maintained equipment
resides on their network.
DNS hosts, routers and switches are computers with their own
operating system. If successfully attacked, they can allow traffic
to be monitored or redirected. Financial institutions must restrict,
log, and monitor administrative access to these devices. Remote
administration typically warrants an encrypted session, strong
authentication, and a secure client. The devices should also be
appropriately patched and hardened.
Packets are sent and received by devices using a network interface
card (NIC) for each network to which they connect. Internal
computers would typically have one NIC for the corporate network or
a subnet. Firewalls, proxy servers, and gateway servers are
typically dual-homed, with two NICs that allow them to communicate
both internally and externally while limiting access to the
internal network.
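The periodic audit the booklet calls for above can be partly automated by reconciling what is actually answering on the network against the institution's asset register. The following is an added example, not code from the FFIEC booklet or this newsletter; the inventory, the sanctioned subnets and the ARP-table snapshot are all constructed and would be replaced by the institution's own exports.

```python
import ipaddress

# Constructed authorized inventory (assumption, not from the booklet):
# MAC address -> device name. Replace with your asset register export.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "core-rtr-1",
    "00:11:22:33:44:02": "dist-sw-1",
    "00:11:22:33:44:03": "dns-1",
}

# Constructed list of subnets the institution has sanctioned.
AUTHORIZED_SUBNETS = [ipaddress.ip_network(s) for s in ("10.10.0.0/24", "10.10.1.0/24")]

# Constructed snapshot of a router/switch ARP table: "ip  mac  interface".
ARP_SNAPSHOT = """\
10.10.0.1    00:11:22:33:44:01  Gi0/1
10.10.0.2    00:11:22:33:44:02  Gi0/2
10.10.1.5    00:11:22:33:44:03  Gi0/3
10.10.0.50   AA:BB:CC:DD:EE:FF  Gi0/7
192.168.7.1  de:ad:be:ef:00:01  Gi0/9
"""


def parse_arp(text):
    """Parse the three-column snapshot into (ip, mac, interface) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip header or blank lines
        ip, mac, iface = parts
        entries.append((ipaddress.ip_address(ip), mac.lower(), iface))
    return entries


def audit(entries, devices=AUTHORIZED_DEVICES, subnets=AUTHORIZED_SUBNETS):
    """Return (finding, ip, mac, interface) for every entry that is not in
    the inventory or does not sit inside a sanctioned subnet."""
    findings = []
    for ip, mac, iface in entries:
        if mac not in devices:
            # Equipment nobody registered: possibly a user-installed device.
            findings.append(("unknown-device", str(ip), mac, iface))
        if not any(ip in net for net in subnets):
            # An address outside every sanctioned range: a home-grown subnet.
            findings.append(("unauthorized-subnet", str(ip), mac, iface))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_arp(ARP_SNAPSHOT)):
        print("%-20s %-13s %-18s %s" % finding)
```

Running it against the constructed snapshot flags the unregistered host on Gi0/7 and the device on Gi0/9 that is both unregistered and answering from a subnet the institution never sanctioned.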
IT SECURITY QUESTION:
C. HOST SECURITY
5. Determine whether remotely configurable hosts are configured for secure remote administration.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
21. Does the institution provide the consumer with the following information about the right to opt out:
a. all the categories of nonpublic personal information that the institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]
b. all the categories of nonaffiliated third parties to whom the information is disclosed; [§7(a)(2)(i)(A)]
c. that the consumer has the right to opt out of the disclosure of that information; [§7(a)(2)(i)(A)] and
d. the financial products or services that the consumer obtains to which the opt out direction would apply? [§7(a)(2)(i)(B)]
INTERNET AUDITING SERVICES - R. Kinney Williams & Associates is recognized as a leader in independent Internet auditing for financial institutions. With clients in 37 states, and an outstanding record of successful expedient testing, R. Kinney Williams & Associates is your ideal choice as an independent entity to perform your penetration assessment study, which includes the Vulnerability Internet Security Test Audit (VISTA). You will find information about VISTA at http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.