February 4, 2001
FYI - We received information from FDIC clarifying the "membership advertisement" and FDIC logo on Demos for Internet banking and the actual Internet banking section of web pages. In brief, the information states that "Member FDIC" or the FDIC logo is required on the Internet banking demo web pages because the demo is considered an advertisement. Member FDIC or the FDIC logo is not required on the actual Internet banking web pages unless there are specific advertisements on the page in addition to the transactional sections. This is because the actual Internet banking section is information about an account and not an advertisement. In addition, the information stated that the compliance examiners are responsible for examining the bank's web site for compliance regulations.
INTERNET SECURITY - We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security."
VULNERABILITY ASSESSMENT TOOLS
Vulnerability assessment tools, also called security scanning tools, assess the security of network or host systems and report system vulnerabilities. These tools can scan networks, servers, firewalls, routers, and applications for vulnerabilities. Generally, the tools can detect known security flaws or bugs in software and hardware, determine if the systems are susceptible to known attacks and exploits, and search for system vulnerabilities such as settings contrary to established security policies.
In evaluating a vulnerability assessment tool, management should consider how frequently the tool is updated to include the detection of any new weaknesses such as security flaws and bugs. If there is a time delay before a system patch is made available to correct an identified weakness, mitigating controls may be needed until the system patch is issued.
Generally, vulnerability assessment tools are not run in real-time, but they are commonly run on a periodic basis. When using the tools, it is important to ensure that the results from the scan are secure and only provided to authorized parties. The tools can generate both technical and management reports, including text, charts, and graphs. The vulnerability assessment reports can tell a user what weaknesses exist and how to fix them. Some tools can automatically fix vulnerabilities after detection.
Please remember that we perform vulnerability testing and would be happy to e-mail the financial institution a proposal. Please send an e-mail to Kinney Williams at
email@example.com for more information.
INTERNET COMPLIANCE - During a seminar I gave last year for bank examiners, an OCC examiner raised the issue that the equal housing logo is not required by the OCC on residential real estate lending web page for national banks. After researching this issue, we learned that national banks are not required to use the equal housing logo in any advertising about real estate mortgages; however, other financial institutions are required by their regulator to display the equal housing logo. An OCC attorney stated "The OCC does not require the logo to be displayed, but we urge national banks to display the logo on web pages advertising residential mortgage lending. HUD has informally told OCC staff that the lack of the Equal Housing logo is "another factor" that HUD would consider if allegations regarding discriminatory lending practices are made against a lender."