Keep thieves out of your bank account - With millions falling victim
to high-tech theft, you need all the protection you can get. Here
are the biggest vulnerabilities and what you can do about them.
Feds aim to tighten nuclear cyber security - Federal regulators are
proposing to add computer security standards to their criteria for
installing new computerized safety systems in nuclear power plants.
Lexus a nexus between cars and phone viruses? - Antivirus companies
are researching reports that computer viruses have attacked the
onboard computers of cars.
UK tech police: Cash-strapped and ineffective - A UK high-tech crime
buster has warned that his investigations are being severely
hampered by a lack of money and has said funding could still be
pared down further to the point that police units such as his become
Tough local laws drive corporate security - Cautious corporations
are applying the most restrictive local and national laws globally
to ensure they obey compliance regulations.
UNC's Missing Hard Drive Has More Info Than Previously Thought -
Personal Information For Thousands Of Family Members Also On
Computer - Irritation turned to anger when University of Northern
Colorado employees learned that a missing computer hard drive
contained personal information about thousands of family members as
well as the workers themselves.
FYI - The Federal Reserve Board has
announced amendments to Appendix A of Regulation CC that reflect the
restructuring of the Federal Reserve's check processing operations
in the Sixth District. These amendments are the first in a series of
amendments to Appendix A that will take place through the first
quarter of 2006, associated with the previously-announced
restructuring of the Reserve Banks' check processing operations.
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 4 of 10)
A. RISK DISCUSSION
If the third party has a name similar to that of the financial
institution, there is an increased likelihood of confusion for the
customer and increased exposure to reputation risk for the financial
institution. For example, if customers access a similarly named
broker from the financial institution's website, they may believe
that the financial institution is providing the brokerage service or
that the broker's products are federally insured.
The use of frame technology and other similar technologies may
confuse customers about which products and services the financial
institution provides and which products and services third parties,
including affiliates, provide. If frames are used, when customers
link to a third-party website through the institution-provided link,
the third-party webpages open within the institution's master
webpage frame. For example, if a financial institution provides
links to a discount broker and the discount broker's webpage opens
within the institution's frame, the appearance of the financial
institution's logo on the frame may give the impression that the
financial institution is providing the brokerage service or that the
two entities are affiliated. Customers may believe that their funds
are federally insured, creating potential reputation risk to the
financial institution in the event the brokerage service should fail
or the product loses value.
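The framing problem described above is easy to audit for on the institution's own pages: any <frame> or <iframe> whose source is a third-party host is content that will render under the institution's logo and master frame. The following is an added example, not part of the FFIEC statement; the sample HTML and the domain "examplebank.example" are constructed, and the institution's own subdomains are treated as first-party.

```python
"""Inventory weblinks on an institution page and flag third-party content
that is opened inside the institution's own frames.

Added example illustrating the FFIEC weblinking risk discussion; the sample
HTML and the host names are constructed, not taken from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class WeblinkAuditor(HTMLParser):
    """Collects outbound <a> links and <frame>/<iframe> sources with hosts."""

    def __init__(self, institution_host):
        super().__init__()
        self.institution_host = institution_host.lower()
        self.links = []    # (url, host) for <a href=...>
        self.framed = []   # (url, host) for <frame src=...> / <iframe src=...>

    def is_third_party(self, host):
        host = host.lower()
        return not (host == self.institution_host
                    or host.endswith("." + self.institution_host))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._record(self.links, attrs["href"])
        elif tag in ("frame", "iframe") and attrs.get("src"):
            self._record(self.framed, attrs["src"])

    def _record(self, bucket, url):
        host = urlparse(url).hostname
        if host:  # relative URLs have no host and stay on the institution's site
            bucket.append((url, host))


def audit_weblinks(html, institution_host):
    """Return third-party links and, separately, third-party content that is
    framed inside the institution's page (the higher-confusion case)."""
    parser = WeblinkAuditor(institution_host)
    parser.feed(html)
    return {
        "third_party_links": [u for u, h in parser.links if parser.is_third_party(h)],
        "framed_third_party": [u for u, h in parser.framed if parser.is_third_party(h)],
    }


# Constructed sample page: one first-party subdomain link, one third-party
# broker link, and the broker's trading page loaded inside an iframe.
SAMPLE_HTML = """
<html><body>
<img src="/logo.png" alt="Example Bank">
<a href="/accounts">Accounts</a>
<a href="https://online.examplebank.example/login">Online banking</a>
<a href="https://www.examplebroker.example/">Brokerage (third party)</a>
<iframe src="https://www.examplebroker.example/trade"></iframe>
<iframe src="/rates"></iframe>
</body></html>
"""

if __name__ == "__main__":
    result = audit_weblinks(SAMPLE_HTML, "examplebank.example")
    for url in result["framed_third_party"]:
        print("FRAMED third-party content (logo/branding confusion risk):", url)
    for url in result["third_party_links"]:
        print("Third-party link (review disclosure and security posture):", url)
```

The framed list is the one to act on first: a third-party page shown under the institution's frame is exactly the situation the statement warns will look like an institution-provided, federally insured service. The plain third-party link list is the inventory for the compliance and privacy review that follows.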
The compliance risk to an institution linking to a third-party's
website depends on several factors. These factors include the nature
of the products and services provided on the third-party's website,
and the nature of the institution's business relationship with the
third party. This is particularly true with respect to compensation
arrangements for links. For example, a financial institution that
receives payment for offering advertisement-related weblinks to a
settlement service provider's website should carefully consider the
prohibition against kickbacks, unearned fees, and compensated
referrals under the Real Estate Settlement Procedures Act (RESPA).
The financial institution has compliance risk as well as reputation
risk if linked third parties offer less security and privacy
protection than the financial institution. Third-party sites may
have less secure encryption policies, or less stringent policies
regarding the use and security of their customer's information. The
customer may be comfortable with the financial institution's
policies for privacy and security, but not with those of the linked
third party. If the third-party's policies and procedures create
security weaknesses or apply privacy standards that permit the third
party to release confidential customer information, customers may
blame the financial institution.
INFORMATION TECHNOLOGY SECURITY - We continue our series
on the FFIEC interagency Information Security Booklet.
MONITORING AND UPDATING
Effective monitoring of threats includes both nontechnical and
technical sources. Nontechnical sources include organizational
changes, business process changes, new business locations, increased
sensitivity of information, or new products and services. Technical
sources include new systems, new service providers, and increased
access. Security personnel and financial institution management must
remain alert to emerging threats and vulnerabilities. This effort
could include the following security activities:
! Senior management support for strong security policy awareness and
compliance. Management and employees must remain alert to
operational changes that could affect security and actively
communicate issues with security personnel. Business line managers
must have responsibility and accountability for maintaining the
security of their personnel, systems, facilities, and information.
! Security personnel should monitor the information technology
environment and review performance reports to identify trends, new
threats, or control deficiencies. Specific activities could include
reviewing security and activity logs, investigating operational
anomalies, and routinely reviewing system and application access
! Security personnel and system owners should monitor external
sources for new technical and nontechnical vulnerabilities and
develop appropriate mitigation solutions to address them. Examples
include many controls discussed elsewhere in this booklet including:
- Establishing an effective configuration management process that
monitors for vulnerabilities in hardware and software and
establishes a process to install and test security patches,
- Maintaining up-to-date anti-virus definitions and
intrusion detection attack definitions, and
- Providing effective oversight of service providers and vendors
to identify and react to new security issues.
! Senior management should require periodic security self-assessments
and audits to provide an ongoing assessment of policy compliance and
ensure prompt corrective action of significant deficiencies.
! Security personnel should have access to automated tools
appropriate for the complexity of the financial institution systems.
Automated security policy and security log analysis tools can
significantly increase the effectiveness and productivity of
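The activities above ("reviewing security and activity logs, investigating operational anomalies") and the closing point about automated log analysis tools are concrete enough to show in code. The following is an added example, not from the FFIEC booklet: it runs two simple detection rules over constructed authentication log lines. The log format, the failure threshold, the time window and the business-hours range are all assumptions chosen for the illustration.

```python
"""Minimal security-log review: flag authentication anomalies in constructed
audit log lines.

Added example illustrating the booklet's log-review and automated-analysis
activities. The line format and thresholds below are assumptions, not a
format or standard from the booklet.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: date, time, source tag, then key=value fields.
SAMPLE_LOG = """\
2005-09-12 08:02:11 auth user=jdoe src=10.1.4.22 result=SUCCESS
2005-09-12 08:05:40 auth user=asmith src=10.1.4.31 result=SUCCESS
2005-09-12 22:14:03 auth user=jdoe src=10.1.4.22 result=SUCCESS
2005-09-12 23:01:10 auth user=admin src=198.51.100.7 result=FAIL
2005-09-12 23:01:14 auth user=admin src=198.51.100.7 result=FAIL
2005-09-12 23:01:19 auth user=admin src=198.51.100.7 result=FAIL
2005-09-12 23:01:25 auth user=admin src=198.51.100.7 result=FAIL
2005-09-12 23:01:31 auth user=admin src=198.51.100.7 result=FAIL
2005-09-13 09:10:00 auth user=asmith src=10.1.4.31 result=FAIL
2005-09-13 09:10:30 auth user=asmith src=10.1.4.31 result=SUCCESS
"""

FAIL_THRESHOLD = 5                 # assumption: 5 failures ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within 5 minutes is a burst
BUSINESS_HOURS = (7, 19)           # assumption: 07:00-19:00 local time


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    date_s, time_s, _tag, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(date_s + " " + time_s, "%Y-%m-%d %H:%M:%S")
    return fields


def find_anomalies(log_text):
    """Return (rule, user, src, timestamp) tuples for each flagged event."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []

    # Rule 1: burst of failed logins for one account from one source.
    # Sliding window keyed by (user, src); fires once when the threshold is hit.
    recent_fails = defaultdict(list)
    for e in events:
        if e["result"] != "FAIL":
            continue
        key = (e["user"], e["src"])
        window = [t for t in recent_fails[key] if e["ts"] - t <= FAIL_WINDOW]
        window.append(e["ts"])
        recent_fails[key] = window
        if len(window) == FAIL_THRESHOLD:
            findings.append(("auth_failure_burst", e["user"], e["src"], e["ts"]))

    # Rule 2: successful login outside business hours (an operational anomaly
    # worth investigating, not proof of misuse).
    start, end = BUSINESS_HOURS
    for e in events:
        if e["result"] == "SUCCESS" and not (start <= e["ts"].hour < end):
            findings.append(("after_hours_login", e["user"], e["src"], e["ts"]))

    return findings


if __name__ == "__main__":
    for rule, user, src, ts in find_anomalies(SAMPLE_LOG):
        print(f"{ts} {rule}: user={user} src={src}")
```

Both rules are deliberately simple; the point is that a review of this kind can be scheduled and its output routed to the security personnel named in the booklet, rather than depending on someone reading raw logs by hand. Thresholds and hours should be tuned to the institution's own activity patterns.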
IT SECURITY QUESTION:
Determine whether individual and group access to data is based on
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
6. Does the institution provide an annual privacy notice to each
customer whose loan the institution owns the right to service? [§§5(c),
IN CLOSING -
The Gramm-Leach-Bliley Act, best practices, and examiners recommend
a security test of your Internet connection.
The Vulnerability Internet Security Test Audit (VISTA)
is an independent external penetration study of
network connection to the Internet that meets the regulatory
We are trained information systems auditors that only work with
financial institutions. As auditors, we provide an independent
review of the vulnerability test results and an audit letter to your
Board of Directors certifying the test results. For more
or email Kinney Williams at