R. Kinney Williams
April 2, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
http://www.internetbankingaudits.com/internal_testing.htm or complete the
request-information form at
and we will email you (financial institutions only) due diligence
information about our company, Internal VISTA agreement, and fees.
All communication is kept strictly confidential.
FYI - Laptop with
Hewlett-Packard employees' ID stolen196,000 - WORKERS AND RETIREES
HAD PENSION ACCOUNTS WITH FIDELITY - A laptop computer containing
the names, Social Security numbers, compensation and other
information for 196,000 current and former Hewlett-Packard employees
was stolen a week ago, HP confirmed.
FYI - Lost Ernst & Young
laptop exposes IBM staff - Ernst & Young has lost another laptop
containing the social security numbers and other personal
information of its clients' employees. This time, the incident puts
thousands of IBM workers at risk. Ex-IBM employees are also
FYI - Feds get failing
grade in computer security report - The scorecards give failing
grades to some of the agencies most critical to the nation's
defense, including Fs for the U.S. Department of Defense and the
U.S. Department of Homeland Security - The U.S. government will get
low marks for computer security in a congressional report scheduled
to be released Thursday. According to documents obtained by the IDG
News Service, the federal government will get a D+ overall rating in
the 2005 federal computer security scorecards, the same score it
received last year.
FYI - Bank strikes back
at ID cheats - All A&L online bankers issued with two-factor
authentication - Alliance & Leicester has issued security technology
to all its one million online banking customers, in a move intended
to cut identity theft and internet fraud.
FYI - NIST sets FISMA
standards for federal IT systems - The National Institute of
Standards and Technology has released the final standard for
securing agency computer systems under the Federal Information
Security Management Act.
FYI - Merrill Lynch
fined 2.5M for lax email backups - The Securities and Exchange
Commission has ordered brokerage firm Merrill Lynch to pay $2.5
million for not providing email records in a timely manner, the
agency announced this week.
FYI - More clever
hackers emerging - Cyber crime grew more sophisticated, targeted,
and dangerous in 2005 according to a report released this week by
Counterpane Internet Security and MessageLabs.
FYI CLIENTS - Third of U.K.
business fails to test disaster plans - A new study has claimed that
a third of British businesses fail to test their disaster-recovery
FYI CLIENTS - Consumer groups
rail against proposed data-breach notification law - Bill called
'flawed,' too easy on businesses - Consumer and privacy advocacy
groups are up in arms over a proposed federal data-breach
notification bill that today was approved by the House Financial
FYI CLIENTS - We need a national
IT disaster response plan - Looking back at Hurricane Katrina, Steve
Cooper, the Red Cross' senior vice president and chief information
officer, said he realized that such catastrophes require a national
information technology response plan. But the federal government
should not lead it, he said.
FYI CLIENTS - Banks set up text,
email fraud alerts for customers - The threat of electronic thievery
has prompted a security strategy rethink at several US banks. As
part of a broader security initiative, Bank of America is offering
to alert customers of any suspicious charges or changes to their
account via email or text messages almost as soon as they occur.
GAO - Social Security Numbers: More Could be Done to Protect SSNs.
Bank Secrecy Act - Commercial Bank of Syria -
Designation of Primary Money Laundering Concern - The Department of
the Treasury has designated Commercial Bank of Syria, including its
subsidiary, Syrian Lebanese Commercial Bank, as a financial
institution of primary money laundering concern and has issued the
attached final rule restricting domestic financial institutions'
banking relationships with this entity.
Return to the top
of the newsletter
WEB SITE COMPLIANCE
We continue our series on the FFIEC "Authentication in an Internet
Account Origination and Customer Verification
With the growth in electronic banking and commerce, financial
institutions should use reliable methods of originating new customer
accounts online. Moreover, customer identity verification during
account origination is required by section 326 of the USA PATRIOT
Act and is important in reducing the risk of identity theft,
fraudulent account applications, and unenforceable account
agreements or transactions. Potentially significant risks arise when
a financial institution accepts new customers through the Internet
or other electronic channels because of the absence of the physical
cues that financial institutions traditionally use to identify
One method to verify a customer's identity is a physical
presentation of a proof of identity credential such as a driver's
license. Similarly, to establish the validity of a business and the
authority of persons to perform transactions on its behalf,
financial institutions typically review articles of incorporation,
business credit reports, board resolutions identifying officers and
authorized signers, and other business credentials. However, in an
Internet banking environment, reliance on these traditional forms of
paper-based verification decreases substantially. Accordingly,
financial institutions need to use reliable alternative methods.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Computer networks often extend connectivity far beyond the financial
institution and its data center. Networks provide system access and
connectivity between business units, affiliates, TSPs, business
partners, customers, and the public. This increased connectivity
requires additional controls to segregate and restrict access
between various groups and information users.
A typical approach to securing a large network involves dividing the
network into logical security domains. A logical security domain is
a distinct part of a network with security policies that differ from
other domains. The differences may be far broader than network
controls, encompassing personnel, host, and other issues.
Typical network controls that distinguish security domains include
access control software permissions, dedicated lines, filtering
routers, firewalls, remote-access servers, and virtual private
networks. This booklet will discuss additional access controls
within the applications and operating systems residing on the
network in other sections. Before selecting the appropriate
controls, financial institutions should map and configure the
network to identify and control all access control points. Network
configuration considerations could include the following actions:
! Identifying the various applications and user-groups accessed
via the network;
! Identifying all access points to the network including various
telecommunications channels (e.g., wireless, Ethernet, frame relay,
dedicated lines, remote dial - up access, extranets, Internet);
! Mapping the internal and external connectivity between various
! Defining minimum access requirements for network services (i.e.,
most often referenced as a network services access policy); and
! Determining the most appropriate network configuration to ensure
adequate security and performance.
With a clear understanding of network connectivity, the financial
institution can avoid introducing security vulnerabilities by
minimizing access to less - trusted domains and employing encryption
for less secure connections. Institutions can then determine the
most effective deployment of protocols, filtering routers,
firewalls, gateways, proxy servers, and/or physical isolation to
restrict access. Some applications and business processes may
require complete segregation from the corporate network (e.g., no
connectivity between corporate network and wire transfer system).
Others may restrict access by placing the services that must be
accessed by each zone in their own security domain, commonly called
a "demilitarized zone" (DMZ).
Return to the top of the
Determine whether an appropriate archive of boot disks, distribution
media, and security patches exists.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 1 of 3)
Note: Financial institutions whose practices fall within this
category engage in the most expansive degree of information sharing
permissible. Consequently, these institutions are held to the most
comprehensive compliance standards imposed by the Privacy
A. Disclosure of Nonpublic Personal Information
1) Select a
sample of third party relationships with nonaffiliated third parties
and obtain a sample of data shared between the institution and the
third party both inside and outside of the exceptions. The sample
should include a cross-section of relationships but should emphasize
those that are higher risk in nature as determined by the initial
procedures. Perform the following comparisons to evaluate the
financial institution's compliance with disclosure limitations.
a. Compare the categories of data shared and with whom the
data were shared to those stated in the privacy notice and verify
that what the institution tells consumers (customers and those who
are not customers) in its notices about its policies and practices
in this regard and what the institution actually does are consistent
b. Compare the data shared to a sample of opt out directions
and verify that only nonpublic personal information covered under
the exceptions or from consumers (customers and those who are not
customers) who chose not to opt out is shared (§10).
2) If the financial institution also shares information under
Section 13, obtain and review contracts with nonaffiliated third
parties that perform services for the financial institution not
covered by the exceptions in section 14 or 15. Determine whether the
contracts prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather"
provisions of Section 18 apply to certain of these contracts (§13(a)).
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.