Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
FYI - New FDIC Tool
Helps Consumers Protect Themselves Against Identity Theft and
Suggests Steps They can Take if Victimized Don't Be an On-line
Victim: How to Guard Against Internet Thieves and Electronic Scams -
The Federal Deposit Insurance Corporation today released an on-line
multimedia education tool that consumers can use to learn how to
better protect their computers and themselves from identity thieves.
FYI - Gov't
Cyber-sleuths Focusing on Linux, iPod, Xbox - Cyber-security and
computer experts from the government and law enforcement are
increasingly concerned with malicious code that runs on Linux and
Apple Computer Inc.'s Mac OS X operating systems and threats posed
by devices such as iPods and Xboxes.
FYI - Computer crime
costs $67 billion, FBI says - Dealing with viruses, spyware, PC
theft and other computer-related crimes costs U.S. businesses a
staggering $67.2 billion a year, according to the FBI.
FYI - Banks 'must tackle
online fraud' - Banks must do more to promote security among their
online customers, the UK's finance watchdog has said. The Financial
Services Authority (FSA) made the call as it revealed half of
internet users are either extremely or very concerned about the risk
FYI - E*Trade to
reimburse online-fraud victims - E*Trade Financial announced Tuesday
that it will fully reimburse any customer who is the victim of
fraudulent activity--the first online brokerage company to offer the
kind of protection that credit- and debit-card users receive.
FYI - Notre Dame probes
hack of computer system - Two computer-forensic companies are
helping the University of Notre Dame investigate an electronic
break-in that may have exposed the personal and financial
information of school donors.
FYI - Stolen Ameriprise
laptop had data on 230,000 people - Ameriprise Financial, the
investment advisory unit spun off from American Express last year,
said Wednesday that lists containing the personal information of
about 230,000 customers and advisers had been compromised.
FYI - Could your laptop
be worth millions? - The average laptop could contain data worth
almost $1 million, according to new research. A report released
Friday by security-software company Symantec suggests that an
ordinary notebook holds content valued at 550,000 pounds ($972,000),
and that some could store as much as 5 million pounds--or $8.8
million--in commercially sensitive data and intellectual property.
Return to the top
of the newsletter
WEB SITE COMPLIANCE - Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit investment
products on-line should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with
this Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Public Key Infrastructure (Part 2 of 3)
The certificate authority (CA), which may be the financial
institution or its service provider, plays a key role by attesting
with a digital certificate that a particular public key and the
corresponding private key belongs to a specific user or system. It
is important when issuing a digital certificate that the
registration process for initially verifying the identity of users
is adequately controlled. The CA attests to the individual user's
identity by signing the digital certificate with its own private
key, known as the root key. Each time the user establishes a
communication link with the financial institution's systems, a
digital signature is transmitted with a digital certificate. These
electronic credentials enable the institution to determine that the
digital certificate is valid, identify the individual as a user, and
confirm that transactions entered into the institution's computer
system were performed by that user.
The user's private key exists electronically and is susceptible to
being copied over a network as easily as any other electronic file.
If it is lost or compromised, the user can no longer be assured that
messages will remain private or that fraudulent or erroneous
transactions would not be performed. User AUPs and training should
emphasize the importance of safeguarding a private key and promptly
reporting its compromise.
PKI minimizes many of the vulnerabilities associated with passwords
because it does not rely on shared secrets to authenticate
customers, its electronic credentials are difficult to compromise,
and user credentials cannot be stolen from a central server. The
primary drawback of a PKI authentication system is that it is more
complicated and costly to implement than user names and passwords.
Whether the financial institution acts as its own CA or relies on a
third party, the institution should ensure its certificate issuance
and revocation policies and other controls discussed below are
Return to the top of the
10. Determine if firewall and routing controls are in place and
updated as needs warrant.
• Identify personnel responsible for defining and setting firewall
rulesets and routing controls.
• Review procedures for updating and changing rulesets and routing
• Confirm that the ruleset is based on the premise that all
traffic that is not expressly allowed is denied, and that the
firewall's capabilities for identifying and blocking traffic are
• Confirm that network mapping through the firewall is disabled.
• Confirm that NAT and split DNS are used to hide internal names
and addresses from external users. (Note: Split DNS is a method of
segregating the internal DNS from the external DNS.)
• Confirm that malicious code is effectively filtered.
• Confirm that firewalls are backed up to external media, and not
to servers on protected networks.
• Determine that firewalls and routers are subject to appropriate
and functioning host controls.
• Determine that firewalls and routers are securely administered.
• Confirm that routing tables are regularly reviewed for
appropriateness on a schedule commensurate with risk.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will
help ensure compliance with the privacy regulations.
Financial Institution Duties ( Part 4 of 6)
Requirements for Notices (continued)
Notice Content. A privacy notice must contain specific
disclosures. However, a financial institution may provide to
consumers who are not customers a "short form" initial
notice together with an opt out notice stating that the
institution's privacy notice is available upon request and
explaining a reasonable means for the consumer to obtain it. The
following is a list of disclosures regarding nonpublic personal
information that institutions must provide in their privacy notices,
1) categories of information collected;
2) categories of information disclosed;
3) categories of affiliates and nonaffiliated third parties to
whom the institution may disclose information;
4) policies with respect to the treatment of former customers'
5) information disclosed to service providers and joint
marketers (Section 13);
6) an explanation of the opt out right and methods for opting
7) any opt out notices the institution must provide under the
Fair Credit Reporting Act with respect to affiliate information
8) policies for protecting the security and confidentiality of
9) a statement that the institution makes disclosures to other
nonaffiliated third parties as permitted by law (Sections 14 and