R. Kinney Williams
March 26, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
Quiz: Microsoft Office security, basic
- You use Microsoft Office 2003 programs every day, but do you
really know how to use their security features to your best
advantage? Take this five question quiz and see if you know how to
let Office 2003 work best for you.
FYI - Citibank reissues
cards after fraudulent withdrawals - Fraudulent cash withdrawls have
prompted Citibank to re-issue an unspecified number of credit and
debit cards. The bank has also blocked PIN-based transactions of
Citi-branded MasterCard cards in the UK, Russia and Canada to
protect customer accounts.
FYI - Lloyds TSB
security trial wipes out online fraud - But banking industry asks
what is the best approach? Lloyds TSB has cut online banking fraud
to zero among its customers who are trialling two-factor
FYI - SSL tunnels create
'invisible' backdoors into corporate networks - Encrypted Secure
Socket Layer (SSL) communications between internal corporate
employees and external internet applications is "invisible" to
companies and so comprises a "risk to the enterprise," new research
FYI - Community banks
team up with Microsoft - Microsoft and the Independent Community
Bankers of America (ICBA) have joined forces to help community banks
improve their information security practices.
FYI - Web banking fraud
losses double in U.K. A sharp hike in the volume and sophistication
of phishing scams pushed British online banking fraud losses to
record levels of £23 million in 2005 - almost double the previous
year's losses of £12 million, APACS, the U.K. payments association
FYI - GAO - Managing
Sensitive Information: Departments of Energy and Defense Policies
and Oversight Could Be Improved.
FYI - GAO - Information
Security: Federal Agencies Show Mixed Progress in Implementing
FYI - Citibank card
fraud - magnetic strip to blame? - A Citibank ATM network breach in
Canada, Russia and the UK could have been prevented if the bank's US
customers had chip and PIN technology on their cards, a leading
analyst has said.
FYI - Chase scam traced
to Chinese bank - A phishing scam where unwary users are lured into
filling out a bogus survey has been traced to a hacked web server of
a state-owned Chinese bank.
FYI - State seizes newspaper's
hard drives in leak probe - The Pennsylvania Attorney General's
Office has seized four newsroom hard drives as part of a probe into
alleged leaks by a county coroner, after the state Supreme Court
denied the newspaper's challenge to the search.
GAO - Information Security: Department of Health and Human
Services Needs to Fully Implement Its Program.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our series on the FFIEC "Authentication in an Internet
The implementation of appropriate authentication methodologies
should start with an assessment of the risk posed by the
institution's Internet banking systems. The risk should be evaluated
in light of the type of customer (e.g., retail or commercial); the
customer transactional capabilities (e.g., bill payment, wire
transfer, loan origination); the sensitivity of customer information
being communicated to both the institution and the customer; the
ease of using the communication method; and the volume of
transactions. Prior agency guidance has elaborated on this
risk-based and "layered" approach to information security.
An effective authentication program should be implemented to ensure
that controls and authentication tools are appropriate for all of
the financial institution's Internet-based products and services.
Authentication processes should be designed to maximize
interoperability and should be consistent with the financial
institution's overall strategy for Internet banking and electronic
commerce customer services. The level of authentication used by a
financial institution in a particular application should be
appropriate to the level of risk in that application.
A comprehensive approach to authentication requires development of,
and adherence to, the institution's information security standards,
integration of authentication processes within the overall
information security framework, risk assessments within lines of
businesses supporting selection of authentication tools, and central
authority for oversight and risk monitoring. This authentication
process should be consistent with and support the financial
institution's overall security and risk management programs.
The method of authentication used in a specific Internet application
should be appropriate and reasonable, from a business perspective,
in light of the reasonably foreseeable risks in that application.
Because the standards for implementing a commercially reasonable
system may change over time as technology and other procedures
develop, financial institutions and technology service providers
should develop an ongoing process to review authentication
technology and ensure appropriate changes are implemented.
The agencies consider single-factor authentication, as the only
control mechanism, to be inadequate for high-risk transactions
involving access to customer information or the movement of funds to
other parties. Single-factor authentication tools, including
passwords and PINs, have been widely used for a variety of Internet
banking and electronic commerce activities, including account
inquiry, bill payment, and account aggregation. However, financial
institutions should assess the adequacy of such authentication
techniques in light of new or changing risks such as phishing,
pharming, malware, and the evolving sophistication of compromise
techniques. Where risk assessments indicate that the use of
single-factor authentication is inadequate, financial institutions
should implement multifactor authentication, layered security, or
other controls reasonably calculated to mitigate those risks.
The risk assessment process should:
• Identify all transactions and levels of access associated with
Internet-based customer products and services;
• Identify and assess the risk mitigation techniques, including
authentication methodologies, employed for each transaction type and
level of access; and
• Include the ability to gauge the effectiveness of risk mitigation
techniques for current and changing risk factors for each
transaction type and level of access.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Network security requires effective implementation of several
control mechanisms to adequately secure access to systems and data.
Financial institutions must evaluate and appropriately implement
those controls relative to the complexity of their network. Many institutions have increasingly complex and dynamic
networks stemming from the growth of distributed computing.
Security personnel and network administrators have related but
distinct responsibilities for ensuring secure network access across
a diverse deployment of interconnecting network servers, file
servers, routers, gateways, and local and remote client
workstations. Security personnel typically lead or assist in the development
of policies, standards, and procedures, and monitor compliance. They
also lead or assist in incident-response efforts.
Network administrators implement the policies, standards, and
procedures in their day-to-day operational role.
Internally, networks can host or provide centralized access to
mission-critical applications and information, making secure
access an organizational priority. Externally, networks integrate
institution and third-party applications that grant customers and
insiders access to their financial information and Web-based
services. Financial institutions that fail to restrict access
properly expose themselves to increased transaction, reputation, and
compliance risk from threats including the theft of customer
information, data alteration, system misuse, or denial-of-service attacks.
Return to the top of the
17. Determine whether remote access devices and network access
points for remote equipment are appropriately controlled.
• Remote access is disabled by default, and enabled only by
• Management authorization is required for each user who accesses
sensitive components or data remotely.
• Authentication is of appropriate strength (e.g., two - factor
for sensitive components).
• Modems are authorized, configured and managed to appropriately
• Appropriate logging and monitoring takes place.
• Remote access devices are appropriately secured and controlled
by the institution.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 3 of 3)
E. Ascertain areas of risk associated with the financial
institution's sharing practices (especially those within Section 13
and those that fall outside of the exceptions ) and any weaknesses
found within the compliance management program. Keep in mind any
outstanding deficiencies identified in the audit for follow-up when
completing the modules.
F. Based on the results of the foregoing initial procedures and
discussions with management, determine which procedures if any
should be completed in the applicable module, focusing on areas of
particular risk. The selection of procedures to be employed depends
upon the adequacy of the institution's compliance management system
and level of risk identified. Each module contains a series of
general instruction to verify compliance, cross-referenced to cites
within the regulation.
Additionally, there are cross-references to a more comprehensive
checklist, which the examiner may use if needed to evaluate
compliance in more detail.
G. Evaluate any additional information or documentation discovered
during the course of the examination according to these procedures.
Note that this may reveal new or different sharing practices
necessitating reapplication of the Decision Trees and completion of
additional or different modules.
H. Formulate conclusions.
1) Summarize all findings.
2) For violation(s) noted, determine the cause by identifying
weaknesses in internal controls, compliance review, training,
management oversight, or other areas.
3) Identify action needed to correct violations and weaknesses
in the institution's compliance system, as appropriate.
4) Discuss findings with management and obtain a commitment
for corrective action.
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.