FYI -
SF engineer to stand trial in hijacked network - A network
administrator will stand trial for allegedly hijacking the network
he designed and maintained for the city of San Francisco.
http://news.cnet.com/8301-1009_3-10129313-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
FYI -
Top 10 Security Breaches of 2008 - Ghost of Christmas Past (TJX)
Still Casts Specter on Present and Future - From Hannaford to
Countrywide to the Bank of New York Mellon, 2008 has been a year of
high-profile security breaches in or impacting the financial
services industry. Here's our list of the top 10 - and lessons that
should be learned, so we aren't back revisiting these issues in '09.
http://www.bankinfosecurity.com/articles.php?art_id=1120&opg=1
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
RBS WorldPay breach exposes 1.5 million - RBS WorldPay belatedly
admitted last week that hackers broke into its systems. The attack
against the electronic payment services firm leaves up to 1.5
million payroll and gift card holders in the US at risk of fraud. Up
to 1.1 million social security records were also exposed as a result
of the breach.
http://www.theregister.co.uk/2008/12/29/rbs_worldpay_breach/
FYI -
Former Cedars-Sinai employee held in identity theft, fraud - More
than 1,000 patients at Cedars-Sinai Medical Center had their
personal information taken by a former employee in the hospital's
billing department, according to hospital officials who said
prosecutors allege that the man used the identities to steal from
insurance companies.
http://www.latimes.com/business/careers/work/la-me-cedars-sinai23-2008dec23,0,5508589.story
WEB SITE COMPLIANCE -
Equal Credit Opportunity Act (Regulation B)
The regulations clarify the rules concerning the taking of credit
applications by specifying that application information entered
directly into and retained by a computerized system qualifies as a
written application under this section. If an institution makes
credit application forms available through its on-line system, it
must ensure that the forms satisfy the requirements.
The regulations also clarify the regulatory requirements that apply
when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
mail.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION - DATA CENTER SECURITY
When selecting a site for the most important information systems
components, one major objective is to limit the risk of exposure
from internal and external sources. The selection process should
include a review of the surrounding area to determine if it is
relatively safe from exposure to fire, flood, explosion, or similar
environmental hazards. Outside intruders can be deterred through the
use of guards, fences, barriers, surveillance equipment, or other
similar devices. Since access to key information system hardware and
software should be limited, doors and windows must be secure.
Additionally, the location should not be identified or advertised by
signage or other indicators.
Detection devices, where applicable, should be utilized to prevent
theft and safeguard the equipment. They should provide continuous
coverage. Detection devices have two purposes - to alarm when a
response is necessary and to support subsequent forensics. The alarm
capability is only useful when a response will occur. Some intruder
detection devices available include:
! Switches that activate an alarm when an electrical circuit is
broken;
! Light and laser beams, ultraviolet beams and sound or vibration
detectors that are invisible to the intruder, and ultrasonic and
radar devices that detect movement in a room; and
! Closed-circuit television that allows visual observation and
recording of actions.
Risks from environmental threats can be addressed somewhat through
devices such as halon gas, smoke alarms, raised flooring, heat
sensors, and the like.
Physical security devices frequently need preventive maintenance to
function properly. Maintenance logs are one control the institution
can use to determine whether the devices are appropriately
maintained. Periodic testing of the devices provides assurance that
they are operating correctly.
Security guards should be properly instructed about their duties.
The employees who access secured areas should have proper
identification and authorization to enter the area. All visitors
should sign in and wear proper IDs so that they can be identified
easily. Security guards should be trained to restrict the removal of
assets from the premises and to record the identity of anyone
removing assets. Consideration should be given to implementing a
specific and formal authorization process for the removal of
hardware and software from premises.
The following security zones should have access restricted to a need
basis:
! Operations center
! Uninterrupted power supply
! Telecommunications equipment
! Media library
CABINET AND VAULT SECURITY
Protective containers are designed to meet either fire-resistant or
burglar-resistant standards. Labels describing expected tolerance
levels are usually attached to safes and vault doors. An institution
should select the tolerance level based on the sensitivity and
importance of the information being protected.
IT SECURITY QUESTION:
D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)
6. Determine whether appropriate workstations are
deactivated after a period of inactivity through screen saver
passwords, server time-outs, powering down, or other means.
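One way an examiner or administrator can verify the "screen saver password" part of this question on a Windows workstation. This is an added example, not text from the newsletter or the FFIEC booklet; it reads the current user's screen-saver settings (GPO-enforced values under the Policies key take precedence) and the 15-minute limit is an assumed policy value.

```powershell
# Added example: audit the current user's Windows screen-saver lock settings
# against a maximum idle time. Assumes Windows PowerShell on the workstation
# being examined; the 900-second limit is an assumed policy value, not one
# the FFIEC question specifies.
param([int]$MaxIdleSeconds = 900)

# Values set by Group Policy live under the Policies key and override the
# user's own settings, so that key is consulted first.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey   = 'HKCU:\Control Panel\Desktop'

function Get-ScreenSaverSetting {
    param([string]$Name)
    foreach ($key in @($policyKey, $userKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [string]$item.$Name }
    }
    return $null   # not configured anywhere: treated as a finding below
}

$active  = Get-ScreenSaverSetting 'ScreenSaveActive'     # '1' = enabled
$secure  = Get-ScreenSaverSetting 'ScreenSaverIsSecure'  # '1' = password on resume
$timeout = Get-ScreenSaverSetting 'ScreenSaveTimeOut'    # idle seconds, as a string

$findings = @()
if ($active -ne '1') { $findings += 'screen saver is not enabled' }
if ($secure -ne '1') { $findings += 'screen saver does not require a password on resume' }
if (-not $timeout -or [int]$timeout -gt $MaxIdleSeconds) {
    $findings += "idle timeout is '$timeout' seconds (limit $MaxIdleSeconds)"
}

if ($findings.Count -eq 0) {
    "PASS: workstation locks after at most $MaxIdleSeconds seconds of inactivity"
} else {
    "FAIL: " + ($findings -join '; ')
}
```

Run it under each user account that logs on to the workstation, since the settings are per-user unless enforced by policy.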
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 1 of 3)
A. Through discussions with management and review of available
information, identify the institution's information sharing
practices (and changes to those practices) with affiliates and
nonaffiliated third parties; how it treats nonpublic personal
information; and how it administers opt-outs. Consider the following
as appropriate:
1) Notices (initial, annual, revised, opt out, short-form, and
simplified);
2) Institutional privacy policies and procedures, including
those to:
a) process requests for nonpublic personal information, including
requests for aggregated data;
b) deliver notices to consumers; manage consumer opt out directions
(e.g., designating files, allowing a reasonable time to opt out,
providing new opt out and privacy notices when necessary, receiving
opt out directions, handling joint account holders);
c) prevent the unlawful disclosure and use of the information
received from nonaffiliated financial institutions; and
d) prevent the unlawful disclosure of account numbers;
3) Information sharing agreements between the institution and
affiliates and service agreements or contracts between the
institution and nonaffiliated third parties either to obtain or
provide information or services;
4) Complaint logs, telemarketing scripts, and any other
information obtained from nonaffiliated third parties (Note: review
telemarketing scripts to determine whether the contractual terms set
forth under section 13 are met and whether the institution is
disclosing account number information in violation of section 12);
5) Categories of nonpublic personal information collected from
or about consumers in obtaining a financial product or service
(e.g., in the application process for deposit, loan, or investment
products; for an over-the-counter purchase of a bank check; from
E-banking products or services, including the data collected
electronically through Internet cookies; or through ATM
transactions);
6) Categories of nonpublic personal information shared with,
or received from, each nonaffiliated third party; and
7) Consumer complaints regarding the treatment of nonpublic
personal information, including those received electronically.
8) Records that reflect the bank's categorization of its
information sharing practices under Sections 13, 14, 15, and outside
of these exceptions.
9) Results of a 501(b) inspection (used to determine the
accuracy of the institution's privacy disclosures regarding data
security).