FYI - IRS Needs Better IT
Security Plan - The Internal Revenue Service isn't doing enough to
assure the security of its IT systems, according to a Treasury
Department Inspector General's report made public last week.
FYI - UCSD Computer Systems
Hacked Again - For the third time in about a year, someone broke
into computers that stored the names and Social Security numbers of
students and alumni at UC San Diego.
FYI - Problems With FBI Public E-Mail - The FBI has shut
down part of the commercial e-mail system it uses to communicate
with the public as a precautionary measure because of a possible
security breach, CBS News has learned.
Deposit Insurance Coverage Updated Versions of The Financial
Institution Employee's Guide to Deposit Insurance and the Electronic
Deposit Insurance Estimator - The FDIC has updated The Financial
Institution Employee's Guide to Deposit Insurance and it is now
available. The guide - intended specifically for a banker audience -
provides an in-depth discussion of the FDIC's rules and requirements
for deposit insurance coverage. In addition, the guide has been
added to the Electronic Deposit Insurance Estimator System-Banker
Version 2.1, which can be downloaded from the FDIC's Web site.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 3 of 10)
Customers may be confused about whether the financial institution or
a third party is supplying the product, service, or other website
content available through the link. The risk of customer confusion
can be affected by a number of factors:
- nature of the
third-party product or service;
- trade name of the third
- website appearance.
Nature of Product or
When a financial institution provides links to third parties that
sell financial products or services, or provide information relevant
to these financial products and services, the risk is generally
greater than if third parties sell non-financial products and
services due to the greater potential for customer confusion. For
example, a link from a financial institution's website to a mortgage
bank may expose the financial institution to greater reputation risk
than a link from the financial institution to an online clothing
The risk of customer confusion with respect to links to firms
selling financial products is greater for two reasons. First,
customers are more likely to assume that the linking financial
institution is providing or endorsing financial products rather than
non-financial products. Second, products and services from certain
financial institutions often have special regulatory features and
protections, such as federal deposit insurance for qualifying
deposits. Customers may assume that these features and protections
also apply to products that are acquired through links to
third-party providers, particularly when the products are financial
When a financial institution links to a third party that is
providing financial products or services, management should consider
taking extra precautions to prevent customer confusion. For example,
a financial institution linked to a third party that offers
nondeposit investment products should take steps to prevent customer
confusion specifically with respect to whether the institution or
the third party is offering the products and services and whether
the products and services are federally insured or guaranteed by the
Financial institutions should recognize, even in the case of
non-financial products and services, that customers may have
expectations about an institution's due diligence and its selection
of third parties to which the financial institution links its
website. Should customers experience dissatisfaction as a result of
poor quality products or services, or loss as a result of their
transactions with those companies, they may consider the financial
institution responsible for the perceived deficiencies of the
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We continue our series
on the FFIEC interagency Information Security Booklet.
MONITORING AND UPDATING
A static security program provides a false sense of security and
will become increasingly ineffective over time. Monitoring and
updating the security program is an important part of the ongoing
cyclical security process. Financial institutions should treat
security as dynamic with active monitoring; prompt, ongoing risk
assessment; and appropriate updates to controls. Institutions should
continuously gather and analyze information regarding new threats
and vulnerabilities, actual attacks on the institution or others,
and the effectiveness of the existing security controls. They should
use that information to update the risk assessment, strategy, and
implemented controls. Monitoring and updating the security program
begins with the identification of the potential need to alter
aspects of the security program and then recycles through the
security process steps of risk assessment, strategy, implementation,
the top of the newsletter
IT SECURITY QUESTION:
2. Verify that data is protected consistent with the
financial institution's risk assessment.
• Identify controls used to protect data and determine if the data
is protected throughout its life cycle (i.e., creation, storage,
maintenance, transmission, and disposal) in a manner consistent with
the risk assessment.
• Consider data security controls in effect at key stages such as
data creation/acquisition, storage, transmission, maintenance, and
• Review audit and security review reports that summarize if data is
protected consistent with the risk assessment.
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
6) Does the institution provide a clear and conspicuous notice
that accurately reflects its privacy policies and practices at least
annually (that is, at least once in any period of 12 consecutive
months) to all customers, throughout the customer relationship?
(Note: annual notices are not required for former customers.
IN CLOSING -
The Gramm-Leach-Bliley Act, best practices, and examiners recommend
a security test of your Internet connection.
The Vulnerability Internet Security Test Audit (VISTA)
is an independent external penetration study of
network connection to the Internet that meets the regulatory
We are trained information systems auditors that only work with
financial institutions. As auditors, we provide an independent
review of the vulnerability test results and an audit letter to your
Board of Directors certifying the test results. For more
or email Kinney Williams at