R. Kinney Williams & Associates

Internet Banking News

February 6, 2005


FYI - IRS Needs Better IT Security Plan - The Internal Revenue Service isn't doing enough to assure the security of its IT systems, according to a Treasury Department Inspector General's report made public last week. http://www.informationweek.com/showArticle.jhtml?articleID=57703333

FYI - UCSD Computer Systems Hacked Again - For the third time in about a year, someone broke into computers that stored the names and Social Security numbers of students and alumni at UC San Diego. http://www.nbcsandiego.com/education/4103051/detail.html

FYI - Problems With FBI Public E-Mail - The FBI has shut down part of the commercial e-mail system it uses to communicate with the public as a precautionary measure because of a possible security breach, CBS News has learned. http://www.cbsnews.com/stories/2005/01/13/terror/main666644.shtml

FYI - Deposit Insurance Coverage: Updated Versions of The Financial Institution Employee's Guide to Deposit Insurance and the Electronic Deposit Insurance Estimator - The FDIC has updated The Financial Institution Employee's Guide to Deposit Insurance, and it is now available. The guide, intended specifically for a banker audience, provides an in-depth discussion of the FDIC's rules and requirements for deposit insurance coverage. In addition, the guide has been added to the Electronic Deposit Insurance Estimator System, Banker Version 2.1, which can be downloaded from the FDIC's Web site. www.fdic.gov/news/news/financial/2005/fil605.html


WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 3 of 10)

A. RISK DISCUSSION

Reputation Risk


Customers may be confused about whether the financial institution or a third party is supplying the product, service, or other website content available through the link. The risk of customer confusion can be affected by a number of factors:

  • nature of the third-party product or service;
  • trade name of the third party; and
  • website appearance.

Nature of Product or Service

When a financial institution provides links to third parties that sell financial products or services, or that provide information relevant to such financial products and services, the risk is generally greater than when the third parties sell non-financial products and services, because the potential for customer confusion is greater. For example, a link from a financial institution's website to a mortgage bank may expose the financial institution to greater reputation risk than a link from the financial institution to an online clothing store.

The risk of customer confusion with respect to links to firms selling financial products is greater for two reasons. First, customers are more likely to assume that the linking financial institution is providing or endorsing financial products rather than non-financial products. Second, products and services from certain financial institutions often have special regulatory features and protections, such as federal deposit insurance for qualifying deposits. Customers may assume that these features and protections also apply to products that are acquired through links to third-party providers, particularly when the products are financial in nature.

When a financial institution links to a third party that is providing financial products or services, management should consider taking extra precautions to prevent customer confusion. For example, a financial institution linked to a third party that offers nondeposit investment products should take steps to prevent customer confusion specifically with respect to whether the institution or the third party is offering the products and services and whether the products and services are federally insured or guaranteed by the financial institution.

Financial institutions should recognize, even in the case of non-financial products and services, that customers may have expectations about an institution's due diligence and its selection of third parties to which the financial institution links its website. Should customers experience dissatisfaction as a result of poor quality products or services, or loss as a result of their transactions with those companies, they may consider the financial institution responsible for the perceived deficiencies of the seller.



INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.

MONITORING AND UPDATING

A static security program provides a false sense of security and becomes increasingly ineffective over time. Monitoring and updating the security program is an important part of the ongoing, cyclical security process. Financial institutions should treat security as dynamic, with active monitoring; prompt, ongoing risk assessment; and appropriate updates to controls. Institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or on others, and the effectiveness of the existing security controls, and should use that information to update the risk assessment, the strategy, and the implemented controls. Monitoring and updating the security program begins with identifying a potential need to alter some aspect of the program, and then recycles through the security process steps of risk assessment, strategy, implementation, and testing.



IT SECURITY QUESTION: 
DATA SECURITY

2. Verify that data is protected consistent with the financial institution's risk assessment.

• Identify controls used to protect data and determine if the data is protected throughout its life cycle (i.e., creation, storage, maintenance, transmission, and disposal) in a manner consistent with the risk assessment.
• Consider data security controls in effect at key stages such as data creation/acquisition, storage, transmission, maintenance, and destruction.
• Review audit and security review reports that summarize if data is protected consistent with the risk assessment.



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

6) Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices at least annually (that is, at least once in any period of 12 consecutive months) to all customers, throughout the customer relationship? [§5(a)(1) and (2)]
(Note: annual notices are not required for former customers. [§5(b)(1) and (2)])


IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and examiners recommend a security test of your Internet connection. The Vulnerability Internet Security Test Audit (VISTA) is an independent external penetration study of {custom4}'s network connection to the Internet that meets the regulatory requirements. We are trained information systems auditors who work only with financial institutions. As auditors, we provide an independent review of the vulnerability test results and an audit letter to your Board of Directors certifying the test results. For more information, visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated