February 25, 2001
FYI - On February 15, 2001, OCC released Guidelines Establishing Standards for Safeguarding Customer Information.
INTERNET COMPLIANCE - Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on fund availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies requirements for providing certain written notices or disclosures to customers via electronic means. Specifically, the commentary to the regulations states that a financial institution satisfies the written exception hold notice requirement, and the commentary to the regulations states that a financial institution satisfies the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed.
INTERNET SECURITY - We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security."
A penetration analysis itself can introduce new risks to an institution; therefore, several items should be considered before having an analysis completed, including the following:
1) If using outside testers, the reputation of the firm or consultants hired. The evaluators will assess the weaknesses in the bank's information security system. As such, the confidentiality of results and bank data is crucial. Just like screening potential employees prior to their hire, banks should carefully screen firms, consultants, and subcontractors who are entrusted with access to sensitive data. A bank may want to require security clearance checks on the evaluators. An institution should ask if the evaluators have liability insurance in case something goes wrong during the test. The bank should enter into a written contact with the evaluators, which at a minimum should address the above items.
2) If using internal testers, the independence of the testers from system administrators.
3) The secrecy of the test. Some senior executives may order an analysis without the knowledge of information systems personnel. This can create unwanted results, including the notification of law enforcement personnel and wasted resources responding to an attack. To prevent excessive responses to the attacks, bank management may consider informing certain individuals in the organization of the penetration analysis.
4) The importance of the systems to be tested. Some systems may be too critical to be exposed to some of the methods used by the evaluators such as a critical database that could be damaged during the test.
Please remember that we perform vulnerability testing and would be happy to e-mail the financial institution a proposal. Please send an e-mail to Kinney Williams at
firstname.lastname@example.org for more information.