R. Kinney Williams & Associates

Internet Banking News

January 30, 2005



FYI - Internet 'phishing' scams getting more devious - WASHINGTON - internet "phishing" scams are becoming more difficult to detect as criminals develop new ways to trick consumers into revealing passwords, bank account numbers and other sensitive information, security experts say. http://www.nzherald.co.nz/index.cfm?c_id=5&ObjectID=10007313

FYI - IT Budgets Increase; CIOs Shop For Business-Growing Tools - A survey of more than 1,300 CIOs in 30 countries found that the execs expect information-technology budgets to increase by 2.5 percent this year, with security enhancement tools and business intelligence software rating first and second, respectively. http://www.techweb.com/wire/ebiz/57701452

FYI - Panix recovers from domain hijack - "For most customers, accesses to Panix using the panix.com domain will not work or will end up at a false site... as a temporary workaround, you can use the panix.net domain in place of panix.com." Panix warned customers that hijackers could have captured passwords inadvertently submitted to the bogus site.
Press release: http://www.theregister.co.uk/2005/01/17/panix_domain_hijack/print.html
Article on locking domain: http://news.netcraft.com/archives/2004/11/10/netsol_locks_domains_but_others_say_concerns_are_overblown.html

FYI - Windows XP Security Guide - The Windows® XP Security Guide v2.0 describes the features and recommended settings for Microsoft Windows XP Service Pack 2 (SP2).  http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx

FYI - Experts: Cyber-crime bigger threat than cyber-terror - The paradox of the Internet -- a computer network originally designed to survive nuclear attack succumbing to spam, viruses and other malicious code written by teenagers -- riles computer security experts. http://www.cnn.com/2005/TECH/internet/01/18/cyber.security/index.html

FYI - Banks bearing the brunt of phishing scams - Financial services companies remain the most frequent targets of online phishing schemes, according to the latest figures released by an organization working to fight the scams. http://news.com.com/Banks+bearing+the+brunt+of+phishing+scams/2100-1029_3-5543998.html?tag=nefd.top


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." 
(Part 2 of 10)

A. RISK DISCUSSION

Introduction

Compliance risk arises when the linked third party acts in a manner that does not conform to regulatory requirements. For example, compliance risk could arise from the inappropriate release or use of shared customer information by the linked third party. Compliance risk also arises when the link to a third party creates or affects compliance obligations of the financial institution.

Financial institutions with weblinking relationships are also exposed to other risks associated with the use of technology, as well as certain risks specific to the products and services provided by the linked third parties. The amount of risk exposure depends on several factors, including the nature of the link.

Any link to a third-party website creates some risk exposure for an institution. This guidance applies to links to affiliated, as well as non-affiliated, third parties. A link to a third-party website that provides a customer only with information usually does not create a significant risk exposure if the information being provided is relatively innocuous, for example, weather reports. Alternatively, if the linked third party is providing information or advice related to financial planning, investments, or other more substantial topics, the risks may be greater. Links to websites that enable the customer to interact with the third party, either by eliciting confidential information from the user or allowing the user to purchase a product or service, may expose the insured financial institution to more risk than those that do not have such features.


INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY TESTING - OUTSOURCED SYSTEMS

Management is responsible for ensuring that institution and customer data are protected, even when that data is transmitted, processed, or stored by a service provider. Service providers should have appropriate security testing based on the risk to their organization, their customer institutions, and the institution's customers. Accordingly, management and auditors evaluating technology service providers (TSPs) should use the above testing guidance in performing initial due diligence, constructing contracts, and exercising ongoing oversight or audit responsibilities. Where indicated by the institution's risk assessment, management is responsible for monitoring the testing performed at the service provider through review of timely audits and test results or other equivalent evaluations.



IT SECURITY QUESTION: 
DATA SECURITY

1. Obtain an understanding of the data security strategy.

• Identify the financial institution's approach to protecting data (e.g., protect all data similarly, protect data based upon risk of loss).
• Obtain and review the risk assessment covering financial institution data. Determine whether the risk assessment classifies data sensitivity in a reasonable manner that is consistent with the financial institution's strategic and business objectives.
• Consider whether policies and procedures address the protections for data that is sent outside the institution.
• Identify processes to periodically review data sensitivity and update corresponding risk assessments.



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

5)  When the subsequent delivery of a privacy notice is permitted, does the institution provide notice after establishing a customer relationship within a reasonable time? [§4(e)]

IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and examiners recommend a security test of your Internet connection. The Vulnerability Internet Security Test Audit (VISTA) is an independent external penetration study of your institution's network connection to the Internet that meets the regulatory requirements. We are trained information systems auditors who work only with financial institutions. As auditors, we provide an independent review of the vulnerability test results and an audit letter to your Board of Directors certifying the test results. For more information, visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 
