FYI - ID-theft alert follows break-in at federal contractor - Government contractor Science Applications International Corp. warned stockholders on Monday that their personal information may be at risk, after desktop computers holding the information were stolen from the company's offices.
http://news.com.com/2102-1029_3-5575861.html?tag=st.util.print
FYI - Are Audit Committees Out of Touch With IT Risks? - Audit committees fail to recognize information technology risks to their organizations, according to a new Ernst & Young report. Forty-two percent of chief audit executives (CAEs) and 72 percent of chief information officers (CIOs) interviewed for Ernst & Young's "Charting the Course" study said their audit committees did not understand the IT risks to their organization and did not spend sufficient time addressing them.
http://www.theiia.org/itaudit/index.cfm?fuseaction=print&fid=5590
FYI - Database giant gives access to fake firms - ChoicePoint warns more than 30,000 they may be at risk - Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen, MSNBC.com has learned.
http://www.msnbc.msn.com/id/6969799/
FYI - JPMorgan to pay $2.1 million in e-mail case - Wall Street investment bank JPMorgan Chase will pay $2.1 million in fines to settle accusations that it failed to retain e-mails sought in investigations of stock research analyst misconduct, the U.S. Securities and Exchange Commission said Monday.
http://news.com.com/2102-1030_3-5577315.html?tag=st.util.print
FYI - Florida man sues bank over $90K wire fraud - A Miami businessman is suing his bank after $90,000 was lifted from his firm's online banking account following a computer virus attack.
http://www.theregister.co.uk/2005/02/08/e-banking_trojan_lawsuit/print.html
FYI - Feds urged to tighten cybersecurity - As experts warned that major cyberattacks could be brewing, a government report gave U.S. federal systems a "D+" for computer security. While the overall mark is an improvement on last year's "D" average, seven of the 24 agencies surveyed did not provide enough protection on their networks to earn a passing score.
http://news.com.com/2102-7347_3-5581502.html?tag=st.util.print
http://www.computerworld.com/printthis/2005/0,4814,99846,00.html
FYI - "Other Consumer Protection Laws and Regulations," a revision of a booklet in the Comptroller's Handbook for Consumer Compliance, updates interagency examination procedures for such laws and regulations as the Homeowners Protection Act, the Consumer Leasing Act, the "Disclosure and Reporting of CRA-Related Agreements," and the "Prohibition Against Use of Interstate Branches Primarily for Deposit Production."
www.occ.treas.gov/handbook/other.pdf
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 6 of 10)
B. RISK MANAGEMENT TECHNIQUES
Introduction
Management must effectively plan, implement, and monitor the financial institution's weblinking relationships. This includes situations in which the institution has a third-party service provider create, arrange, or manage its website. There are several methods of managing a financial institution's risk exposure from third-party weblinking relationships. The methods adopted to manage the risks of a particular link should be appropriate to the level of risk presented by that link, as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks should review the types of products or services and the overall website content made available to its customers through the weblinks. Management should consider whether the links support the institution's overall strategic plan. Tools useful in planning weblinking relationships include:
1) due diligence with respect to third parties to which the financial institution is considering links; and
2) written agreements with significant third parties.
INFORMATION TECHNOLOGY SECURITY - Over the next few weeks, we will cover the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
Financial institutions are actively evaluating and implementing wireless technology as a means to reach customers and reduce the costs of implementing new networks. In light of this fast-developing trend, the Federal Deposit Insurance Corporation (FDIC) is providing financial institutions with the following information about the risks associated with wireless technology and suggestions on managing those risks. Please share this information with your Chief Information Officer.
Wireless Technology and the Risks of Implementation
Wireless networks are rapidly becoming a cost-effective alternative for providing network connectivity to financial institution information systems. Institutions that are installing new networks are finding the installation costs of wireless networks competitive compared with traditional network wiring. Performance enhancements in wireless technology have also made the adoption of wireless networks attractive to institutions. Wireless networks operate at speeds that are sufficient to meet the needs of many institutions and can be seamlessly integrated into existing networks. Wireless networks can also be used to provide connectivity between geographically close locations without having to install dedicated lines.
Wireless Internet access to banking applications is also becoming attractive to financial institutions. It offers customers the ability to perform routine banking tasks while away from the bank branch, automated teller machines or their own personal computers. Wireless Internet access is a standard feature on many new cellular phones and hand-held computers.
Many of the risks that financial institutions face when implementing wireless technology are risks that exist in any networked environment (see FIL-67-2000, "Security Monitoring of Computer Networks," dated October 3, 2000, and the 1996 FFIEC Information Systems Examination Handbook, Volume 1, Chapter 15). However, wireless technology carries additional risks that financial institutions should consider when designing, implementing and operating a wireless network. Common risks include the potential:
1) Compromise of customer information and transactions over the wireless network;
2) Disruption of wireless service from radio transmissions of other wireless devices;
3) Intrusion into the institution's network through wireless network connections; and
4) Obsolescence of current systems due to rapidly changing standards.
These risks could ultimately compromise the bank's computer system, potentially causing:
1) Financial loss due to the execution of unauthorized transactions;
2) Disclosure of confidential customer information, resulting in - among other things - identity theft (see FIL-39-2001, "Guidance on Identity Theft and Pretext Calling," dated May 9, 2001, and FIL-22-2001, "Guidelines Establishing Standards for Safeguarding Customer Information," dated March 14, 2001);
3) Negative media attention, resulting in harm to the institution's reputation; and
4) Loss of customer confidence.
IT SECURITY QUESTION:
Auditing:
Does the institution have an internal auditor?
Does the internal auditor audit the IT operations?
Does the institution have an external financial auditor?
Does the institution have an external IT auditor?
Does the auditor report IT auditing activities to the Board of Directors or a committee thereof?
Does the internal auditor have any conflicting duties?
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
8) Do the initial, annual, and revised privacy notices include each of the following, as applicable: (Part 2 of 2)
e) if the institution discloses nonpublic personal information to a nonaffiliated third party under §13, and no exception under §14 or §15 applies, a separate statement of the categories of information the institution discloses and the categories of third parties with whom the institution has contracted; [§6(a)(5)]
f) an explanation of the opt out right, including the method(s) of opt out that the consumer can use at the time of the notice; [§6(a)(6)]
g) any disclosures that the institution makes under §603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]
h) the institution's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; [§6(a)(8)] and
i) a general statement--with no specific reference to the exceptions or to the third parties--that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(a)(9), (b)]
IN CLOSING -
The Gramm-Leach-Bliley Act, best practices, and examiners recommend a security test of your Internet connection.
The Vulnerability Internet Security Test Audit (VISTA) is an independent external penetration study of {custom4}'s network connection to the Internet that meets the regulatory requirements.
We are trained information systems auditors that only work with financial institutions. As auditors, we provide an independent review of the vulnerability test results and an audit letter to your Board of Directors certifying the test results. For more information, visit
http://www.internetbankingaudits.com/
or email Kinney Williams at examiner@yennik.com.