Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
PBX FRAUD - A banker called this
week and asked us to inform our readers that PBX fraud is real.
Someone hacked into their VOIP system and forward calls overseas.
will cost the bank $30,000 because the bank is responsible to the
telephone company for the
The banker stated that the FBI told them that this was the third
report regarding PBX fraud they had taken this morning.
FYI - Deposit Insurance
Coverage New Electronic Deposit Insurance Estimator - The Federal
Deposit Insurance Corporation has released a new expanded version of
its Electronic Deposit Insurance Estimator, also known as "Online
EDIE," for use by bank customers. With this new version, users can
estimate insurance coverage for a wider range of account types.
FYI - ChoicePoint to pay
$15 million to settle charges - In the largest civil fine levied by
the Federal Trade Commission, data broker ChoicePoint has agreed to
pay $15 million to settle charges it did not properly protect
consumers' personal financial information, the FTC said Thursday.
FYI - Providence
Launches Outreach to Home Services Patients After Data Theft -
Providence Home Services has begun contacting current and former
patients following the theft of tapes and disks that hold
confidential data. The theft involves the records of some 365,000
patients who received health care through Providence Home Services.
FYI - Computer security
breach in urban affairs, agriculture - Two recent computer security
breaches at the University of Delaware have resulted in the possible
exposure of names and Social Security Numbers that were stored on
the machines. A computer in the University's School of Urban Affairs
and Public Policy was hacked, and a back-up hard drive in the UD
Department of Entomology and Wildlife Ecology was stolen.
FYI - Enterprises
ignorant of outsourcing security risks - Organizations that
outsource their IT systems are increasing their vulnerability to
security breaches, causing possible long-term damage to their
businesses, insurers have warned.
FYI - Dial ‘D' for DoS;
VoIP's hidden security threat - Communication technology experts
have released a report highlighting inherent security issues with
VoIP applications such as Skype and Vonage that could give online
criminals an opportunity to operate undetected.
FYI - Credit card
numbers stolen off state Web site - Thousands stolen from Rhode
Island site run by contractor - Thousands of credit card numbers
were stolen from a state government Web site that allows residents
to register their cars and buy state permits, authorities said.
FYI - Mobile devices are
IT managers' security headache - Two-third of IT managers are still
experiencing security breaches because of poor practices on mobile
devices, according to new findings.
FYI - Mass. newspapers
expose credit card data - The Boston Globe and Worcester Telegram &
Gazette have mistakenly sent out slips of paper with the credit card
data of up to nearly a quarter million subscribers.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
(Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can "keep"
the disclosure. A consumer using certain electronic devices, such as
Web TV, may not be able to print or download the disclosure. If
feasible, a financial institution may wish to include in its on-line
program the ability for consumers to give the financial institution
a non-electronic address to which the disclosures can be mailed.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Public Key Infrastructure (Part 3 of 3)
When utilizing PKI policies and controls, financial institutions
need to consider the following:
! Defining within the certificate issuance policy the methods of
initial verification that are appropriate for different types of
certificate applicants and the controls for issuing digital
certificates and key pairs;
! Selecting an appropriate certificate validity period to minimize
transactional and reputation risk exposure - expiration provides an
opportunity to evaluate the continuing adequacy of key lengths and
encryption algorithms, which can be changed as needed before issuing
a new certificate;
! Ensuring that the digital certificate is valid by such means as
checking a certificate revocation list before accepting transactions
accompanied by a certificate;
! Defining the circumstances for authorizing a certificate's
revocation, such as the compromise of a user's private key or the
closure of user accounts;
! Updating the database of revoked certificates frequently, ideally
in real - time mode;
! Employing stringent measures to protect the root key including
limited physical access to CA facilities, tamper - resistant
security modules, dual control over private keys and the process of
signing certificates, as well as the storage of original and back -
up keys on computers that do not connect with outside networks;
! Requiring regular independent audits to ensure controls are in
place, public and private key lengths remain appropriate,
cryptographic modules conform to industry standards, and procedures
are followed to safeguard the CA system;
! Recording in a secure audit log all significant events performed
by the CA system, including the use of the root key, where each
entry is time/date stamped and signed;
! Regularly reviewing exception reports and system activity by the
CA's employees to detect malfunctions and unauthorized activities;
! Ensuring the institution's certificates and authentication
systems comply with widely accepted PKI standards to retain the
flexibility to participate in ventures that require the acceptance
of the financial institution's certificates by other CAs.
The encryption components of PKI are addressed more fully under "Encryption."
Return to the top of the
11. Determine if network-based IDSs (Intrusion
Detection System) are properly coordinated with firewalls (see "Intrusion Detection" procedures).
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties ( Part 5 of 6)
Limitations on Disclosure of Account Numbers:
A financial institution must not disclose an account number or
similar form of access number or access code for a credit card,
deposit, or transaction account to any nonaffiliated third party
(other than a consumer reporting agency) for use in telemarketing,
direct mail marketing, or other marketing through electronic mail to
The disclosure of encrypted account numbers without an accompanying
means of decryption, however, is not subject to this prohibition.
The regulation also expressly allows disclosures by a financial
institution to its agent to market the institution's own products or
services (although the financial institution must not authorize the
agent to directly initiate charges to the customer's account). Also
not barred are disclosures to participants in private-label or
affinity card programs, where the participants are identified to the
customer when the customer enters the program.