Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial
institutions.
February 4, 2007
Does your financial institution need an affordable Internet security
audit?
Yennik, Inc. has clients in 41 states that rely on our penetration
testing audits to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of FDIC, OCC, OTS,
FRB, and NCUA, thereby providing compliance with the
Gramm-Leach-Bliley Act, Section 501(b). The penetration audit and
Internet security testing is an affordable, sophisticated process that
goes far beyond the simple scanning of ports. The audit is conducted
from a hacker's perspective, which helps you identify real-world
weaknesses. For more information, give R. Kinney Williams a call
today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI -
ABA slams reports it wants customers liable for online security -
Australian Banking Association (ABA) chief executive David Bell has
slammed misleading reports that member banks have been lobbying the
Australian Securities and Investment Commission (ASIC) to make
customers liable for Internet banking fraud.
http://www.computerworld.com.au/index.php/id;755873229;fp;16;fpid;1
FYI -
Auditor warns: Beware of security vendors selling PCI compliance -
Cybertrust and Cisco jump on the bandwagon - Customers beware when
buying an approved Payment Card Industry Data Security Standard (PCIDSS)
solution. It may be approved but implementing the solution doesn't
mean customers are immediately compliant, according to a PCIDSS
accredited auditor.
http://www.computerworld.com.au/index.php/id;962716575;fp;16;fpid;1
MISSING COMPUTERS/DATA
FYI -
CIBC loses data on 470,000 Talvest fund customers - CIBC Asset
Management says a backup computer file containing information on
almost half a million of its Talvest Mutual Funds clients has gone
missing. The company says the missing data was in a file that
disappeared "while in transit between our offices." The file had
personal and financial details on current and former clients of
Talvest Mutual Funds, which is a CIBC subsidiary.
http://www.cbc.ca/canada/story/2007/01/18/cibc.html
FYI -
School: Student hackers changed grades - An investigation is
continuing into allegations that hackers got into Golden High
School's computer system and changed grades before winter break. The
scope of how many students' grades were changed appears to be closer
to 40 than the initially suspected 200.
http://www.denverpost.com/broncos/ci_5038470
FYI -
ID theft fears over Hampshire hospital PC theft - The theft of 30
computers containing patient details from a disused hospital site in
Hampshire has sparked ID theft fears.
FYI -
The TJX Companies, Inc. announced that it has suffered an unauthorized
intrusion into its computer systems that process and store information
related to customer transactions. While TJX has specifically identified
some customer information that has been stolen from its systems, the
full extent of the theft and affected customers is not yet known.
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070117005971&newsLang=en
FYI -
Customer data stolen from water district - The credit-card numbers
of about 500 customers in the Rincon del Diablo Municipal Water
District were stolen yesterday in an early-morning break-in,
officials said. Thieves smashed a glass wall at the district's
offices on North Iris Lane and stole two computers, one from the
customer services department and the other from engineering, said
Darlene Lynn, interim general manager.
http://www.signonsandiego.com/news/northcounty/20070117-9999-1mi17rincon.html
FYI -
Personal info may be at risk after burglary - Campus computers
stolen over break - At least three computers and four monitors were
stolen from the associate provost's office overnight between Jan. 2
and 3, said Lt. Pat Davis, UNM Police spokesman. The computers may
have contained faculty members' names and Social Security numbers,
said Richard Holder, associate provost.
http://www.dailylobo.com/home/index.cfm?event=displayArticle&uStory_id=abad7ee1-3707-450e-acd5-0e7ed80b86b6
FYI -
Population registry info leak sparks call for investigations - Vital
Population Registry information was leaked and posted on the
Internet, prompting the Interior Ministry to demand an investigation
into the incident. The data files, compiled by the Interior Ministry
on all Israeli citizens, contain personal information that could
potentially be used without authorization by Internet marketers, and
of course cyber-criminals.
http://www.jpost.com/servlet/Satellite?cid=1167467740937&pagename=JPost%2FJPArticle%2FPrinter
FYI -
Hackers steal $35,000 from customers of federal savings plan -
Thieves used keylogging software to break into accounts of Thrift
Savings Plan - Hackers stole $35,000 from two dozen users of the
Thrift Savings Plan (TSP), a retirement savings and investment plan
for federal employees.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9008619
FYI -
KB Home warns of ID theft risk - Home builder issues alert to
customers after computer is stolen from company's Charleston sales
office - Thousands of KB Home customers are being warned of the risk
of identity theft after one of the home builder's computers was
stolen from a Charleston sales office. The company sent letters to
2,700 people Friday advising them to put a fraud alert on their
credit reports and to monitor their credit for the next couple of
years.
http://www.thestate.com/mld/thestate/business/16485189.htm
WEB SITE COMPLIANCE - Over the next 12 weeks we will cover the
recently released FDIC Supervisory Insights article on Incident
Response Programs. (1 of 12)
Incident Response Programs: Don't Get Caught Without One
Everyone is familiar with the old adage "Time is money." In the
Information Age, data may be just as good. Reports of data
compromises and security breaches at organizations ranging from
universities and retail companies to financial institutions and
government agencies provide evidence of the ingenuity of Internet
hackers, criminal organizations, and dishonest insiders obtaining
and profiting from sensitive customer information. Whether a network
security breach compromising millions of credit card accounts or a
lost computer tape containing names, addresses, and Social Security
numbers of thousands of individuals, a security incident can damage
corporate reputations, cause financial losses, and enable identity
theft.
Banks are increasingly becoming prime targets for attack because
they hold valuable data that, when compromised, may lead to identity
theft and financial loss. This environment places significant
demands on a bank's information security program to identify and
prevent vulnerabilities that could result in successful attacks on
sensitive customer information held by the bank. The rapid adoption
of the Internet as a delivery channel for electronic commerce
coupled with prevalent and highly publicized vulnerabilities in
popular hardware and software have presented serious security
challenges to the banking industry. In this high-risk environment,
it is very likely that a bank will, at some point, need to respond
to security incidents affecting its customers.
To mitigate the negative effects of security breaches, organizations
are finding it necessary to develop formal incident response
programs (IRPs). However, at a time when organizations need to
be most prepared, many banks are finding it challenging to assemble
an IRP that not only meets minimum requirements (as prescribed by
Federal bank regulators), but also provides for an effective
methodology to manage security incidents for the benefit of the bank
and its customers. In response to these challenges, this article
highlights the importance of IRPs to a bank's information security
program and provides information on required content and best
practices banks may consider when developing effective response
programs.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
SERVICE PROVIDER OVERSIGHT
Many financial institutions outsource some aspect of their
operations. Although outsourcing arrangements often provide a
cost-effective means to support the institution's technology needs, the
ultimate responsibility and risk rests with the institution.
Financial institutions are required under Section 501(b) of the GLBA
to ensure service providers have implemented adequate security
controls to safeguard customer information. Supporting interagency
guidelines require institutions to:
! Exercise appropriate due diligence in selecting service providers,
! Require service providers by contract to implement appropriate
security controls to comply with the guidelines, and
! Monitor service providers to confirm that they are maintaining
those controls when indicated by the institution's risk assessment.
Financial institutions should implement these same precautions in
all TSP relationships based on the level of access to systems or
data for safety and soundness reasons, in addition to the privacy
requirements.
Financial institutions should determine the following security
considerations when selecting or monitoring a service provider:
! Service provider references and experience,
! Security expertise of TSP personnel,
! Background checks on TSP personnel,
! Contract assurances regarding security responsibilities and
controls,
! Nondisclosure agreements covering the institution's systems and
data,
! Ability to conduct audit coverage of security controls or
provisions for reports of security testing from independent third
parties, and
! Clear understanding of the provider's security incident response
policy and assurance that the provider will communicate security
incidents promptly to the institution whenever its systems or data may
have been compromised.
IT SECURITY QUESTION:
BUSINESS CONTINUITY - SECURITY
2. Determine if substitute processing facilities and systems undergo
similar testing as production facilities and systems.
3. Determine if appropriate access controls and physical controls
have been considered and planned for the former production system
and networks when processing is transferred to a substitute
facility.
4. Determine if the intrusion detection and response plan considers
the resource availability and facility and systems changes that may
exist when substitute facilities are placed in use.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
39. Does the institution use an appropriate means to ensure
that notices may be retained or obtained later, such as:
a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]
b. mailing a printed copy to the last known address of the customer;
[§9(e)(2)(ii)] or
c. making the current privacy notice available on the institution's
web site (or via a link to the notice at another site) for the
customer who agrees to receive the notice at the web site? [§9(e)(2)(iii)]
PLEASE NOTE: Some of the above links may have expired, especially
those from news organizations. We may have a copy of the article, so
please e-mail us at examiner@yennik.com if we can be of assistance.