R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

February 19, 2006

CONTENT Internet Compliance Information Systems Security
IT Security Question
 
Internet Privacy
 
Website for Penetration Testing
 
Does Your Financial Institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The VISTA penetration study and Internet security test is an affordable-sophisticated process than goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Choosing the Right Intrusion Prevention System - Intrusion prevention systems are helping organizations prevent external attacks and decrease IT security costs. However, choosing the right system is a must for organizations, as they continue to struggle through more sophisticated network attacks and vulnerabilities. http://www.theiia.org/itaudit/index.cfm?iid=440&catid=21&aid=2048

FYI - Top Greeks targeted in phone tapping scandal - The mobile phones of Greek Prime Minister Costas Caramanlis and top government and security officials were tapped by unknown individuals during the Athens 2004 Olympics and for nearly a year, the government said. http://www.smh.com.au/news/breaking/top-greeks-targeted-in-phone-tapping-scandal/2006/02/03/1138836413044.html

FYI - NIST issues guidelines for data removal - Wonder no longer about how to remove sensitive data from the hard drives and optical disks you are about to toss. The National Institute of Standards and Technology has issued a set of draft guidelines on how to safely remove information from obsolete forms of storage. http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=38206

FYI - Blind Cal student sues Target - Suit charges retailer's Web site cannot be used by the sightless - A blind UC Berkeley student has filed a class-action lawsuit against Target Corp., saying the retailer is committing civil-rights violations because its Web site is inaccessible to those who cannot see. http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/02/08/MNGO7H4VBP128.DTL

FYI - FYI - Bank of America cancels numerous debit cards - A security breach involving an undisclosed company has prompted Bank of America to cancel the debit cards of numerous customers, a spokesman for the country's largest bank said. http://news.com.com/2102-1029_3-6037619.html?tag=st.util.print

Return to the top of the newsletter

WEB SITE COMPLIANCE - Disclosures/Notices (Part 2 of 2)

In those instances where an electronic form of communication is permissible by regulation, to reduce compliance risk institutions should ensure that the consumer has agreed to receive disclosures and notices through electronic means. Additionally, institutions may want to provide information to consumers about the ability to discontinue receiving disclosures through electronic means, and to implement procedures to carry out consumer requests to change the method of delivery. Furthermore, financial institutions advertising or selling non-deposit investment products through on-line systems, like the Internet, should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION -
Biometrics (Part 1 of 2)

Biometrics can be implemented in many forms, including tokens. Biometrics verifies the identity of the user by reference to unique physical or behavioral characteristics. A physical characteristic can be a thumbprint or iris pattern. A behavioral characteristic is the unique pattern of key depression strength and pauses made on a keyboard when a user types a phrase. The strength of biometrics is related to the uniqueness of the physical characteristic selected for verification. Biometric technologies assign data values to the particular characteristics associated with a certain feature. For example, the iris typically provides many more characteristics to store and compare, making it more unique than facial characteristics. Unlike other authentication mechanisms, a biometric authenticator does not rely on a user's memory or possession of a token to be effective. Additional strengths are that biometrics do not rely on people to keep their biometric secret or physically secure their biometric. Biometrics is the only authentication methodology with these advantages.

Enrollment is a critical process for the use of biometric authentication. The user's physical characteristics must be reliably recorded. Reliability may require several samples of the characteristic and a recording device free of lint, dirt, or other interference. The enrollment device must be physically secure from tampering and unauthorized use.

When enrolled, the user's biometric is stored as a template. Subsequent authentication is accomplished by comparing a submitted biometric against the template, with results based on probability and statistical confidence levels. Practical usage of biometric solutions requires consideration of how precise systems must be for positive identification and authentication. More precise solutions increase the chances a person is falsely rejected. Conversely, less precise solutions can result in the wrong person being identified or authenticated as a valid user (i.e., false acceptance rate). The equal error rate (EER) is a composite rating that considers the false rejection and false acceptance rates. Lower EERs mean more consistent operations. However, EER is typically based upon laboratory testing and may not be indicative of actual results due to factors that can include the consistency of biometric readers to capture data over time, variations in how a user presents their biometric sample (e.g., occasionally pressing harder on a finger scanner), and environmental factors.


Return to the top of the newsletter

INFORMATION SECURITY QUESTION:

B. NETWORK SECURITY

12. Determine whether logs of security-related events are sufficient to affix accountability for network activities, as well as support intrusion forensics and IDS. Additionally, determine that adequate clock synchronization takes place.

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 6 of 6)

Redisclosure and Reuse Limitations on Nonpublic Personal Information Received:

If a financial institution receives nonpublic personal information from a nonaffiliated financial institution, its disclosure and use of the information is limited.

A)  For nonpublic personal information received under a section 14 or 15 exception, the financial institution is limited to:

     1)  Disclosing the information to the affiliates of the financial institution from which it received the information; 

     2)  Disclosing the information to its own affiliates, who may, in turn, disclose and use the information only to the extent that the financial institution can do so; and 

     3)  Disclosing and using the information pursuant to a section 14 or 15 exception (for example, an institution receiving information for account processing could disclose the information to its auditors). 

B)  For nonpublic personal information received other than under a section 14 or 15 exception, the recipient's use of the information is unlimited, but its disclosure of the information is limited to:

     1)  Disclosing the information to the affiliates of the financial institution from which it received the information;

     2)  Disclosing the information to its own affiliates, who may, in turn disclose the information only to the extent that the financial institution can do so; and

     3)  Disclosing the information to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which it received the information. For example, an institution that received a customer list from another financial institution could disclose the list (1) in accordance with the privacy policy of the financial institution that provided the list, (2) subject to any opt out election or revocation by the consumers on the list, and (3) in accordance with appropriate exceptions under sections 14 and 15.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated