Required reading for all IT managers - Federal Bank and Thrift Regulatory Agencies Jointly Issue Interagency Guidance on Response Programs for Security Breaches - The federal bank and thrift regulatory agencies have jointly issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
Press Release: www.federalreserve.gov/boarddocs/press/bcreg/2005/20050323/default.htm
Press Release: www.fdic.gov/news/news/press/2005/pr2605.html
Press Release: www.ots.treas.gov/docs/7/77510.html
Press Release: www.occ.treas.gov/scripts/newsrelease.aspx?JNR=1&Doc=3FSRJOC3.xml
Attachment: www.occ.treas.gov/consumer/Customernoticeguidance.pdf
FYI - NCUA - Updated Consumer Compliance Manual is available. The manual is 448 pages and required reading for credit union compliance officers.
www.ncua.gov/GuidesManuals/ConsumerCompliance/ComplianceManual.pdf
FYI - Phishers put theft in the frame - Fraudsters are starting to use a technique that allows them to exploit weaknesses in banking websites to display content from any arbitrary URL within a frame on the bank's own site.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=357c9cb5-a104-450b-b7c1-cb0e9093b547&newsType=Latest%20News&s=n
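The frame trick in the item above, as an added example that is not code from the newsletter or from the SC Magazine article it summarizes: a bank page that copies a URL from the query string into an iframe lets a phisher's link render attacker content inside the bank's own page, while checking the parsed origin against an allow-list closes the hole. The host names, the "target" parameter and the sample links are assumptions constructed for this example.

```javascript
// Added example, not from the newsletter or the article it summarizes.
// Assumed scenario: a bank page such as /frame?target=... builds an <iframe>
// whose src comes straight from the query string. Host names are made up.

// Origins the institution actually serves (constructed for this example).
const ALLOWED_ORIGINS = new Set([
  "https://www.examplebank.test",
  "https://online.examplebank.test",
]);
const HOME = "https://www.examplebank.test/";

// Vulnerable form: the query value becomes the frame source unchanged, so a
// mailed link like /frame?target=https://phish.test/login renders the
// phisher's page inside the bank's own branding, under the bank's address bar.
function vulnerableFrameSrc(target) {
  return target;
}

// Hardened form: resolve the value against the bank's own base URL, then
// require https and an allow-listed origin; anything else falls back to HOME.
// Comparing parsed origins (not string prefixes) defeats the usual tricks:
// userinfo ("https://www.examplebank.test@phish.test"), protocol-relative
// ("//phish.test"), look-alike subdomains and non-http schemes.
function safeFrameSrc(target) {
  let parsed;
  try {
    parsed = new URL(target, HOME); // relative paths resolve to the bank's own origin
  } catch (e) {
    return HOME; // unparseable input
  }
  if (parsed.protocol !== "https:") return HOME;
  if (!ALLOWED_ORIGINS.has(parsed.origin)) return HOME;
  return parsed.href;
}

// Constructed sample of link targets a legitimate user or a phisher might send.
const SAMPLE_TARGETS = [
  "/accounts/summary",
  "https://online.examplebank.test/login",
  "https://phish.test/login",
  "https://www.examplebank.test@phish.test/",
  "//phish.test/login",
  "https://www.examplebank.test.phish.test/",
  "http://www.examplebank.test/",
  "javascript:alert(document.cookie)",
];

// Returns the sample targets that the hardened check refused to frame.
function blockedTargets(targets = SAMPLE_TARGETS) {
  return targets.filter((t) => safeFrameSrc(t) === HOME);
}

// Side-by-side view of what each form would put in the iframe src.
function compare(targets = SAMPLE_TARGETS) {
  return targets.map((t) => ({
    target: t,
    vulnerable: vulnerableFrameSrc(t),
    safe: safeFrameSrc(t),
  }));
}

console.table(compare());
```

The check belongs on the server or in whatever code emits the iframe; a string test such as `target.startsWith("https://www.examplebank.test")` is not enough, because the userinfo and look-alike-subdomain links in the sample pass it while pointing at the phisher's host.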
FYI - Cyberspace attacks rocket - Software designed to steal personal information has risen dramatically over the last six months, leading experts to fear the kind of attacks that led to last week's attempted $423 million cyber-heist.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=f1841ada-d533-4d10-bb9e-4082d4133dd8&newsType=Latest%20News&s=n
FYI - VoIP raises security concerns - Internet phone services have drawn millions of users looking for rock-bottom rates. Now they're also attracting identity thieves looking to turn stolen credit cards into cash.
http://news.com.com/2102-7352_3-5627631.html?tag=st.util.print
FYI - Spyware forces halt to NZ online banking - New Zealand's major banks have blocked access to internet banking for hundreds of customers because they say their computers are infected with a so-called "spyware" program, it was reported.
http://www.smh.com.au/news/Breaking/Spyware-forces-halt-to-NZ-online-banking/2005/03/14/1110649090758.html?oneclick=true#
FYI - Tech Worker Sentenced to Prison for Hacking - IT manager will serve five months for hacking into his previous employer's network.
http://www.pcworld.com/news/article/0,aid,120069,00.asp
FYI - FISMA tightens criteria - Officials can expect to be graded on the impact that a serious security breach in any of their major applications or systems would have on their mission. Many agencies may be unprepared to provide that information, even though the law requires it.
http://www.fcw.com/article88317-03-16-05-Web
WEB SITE COMPLIANCE - This week begins our series on the Federal Financial Institutions Examination Council Guidance on Electronic Financial Services and Consumer Compliance.
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule issued on March 20, 1998 allows depository institutions to satisfy the requirement to deliver any of these disclosures and other information required by the act and regulations by electronic communication, as long as the consumer agrees to that method of delivery.
Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services, including electronic financial services.
INFORMATION TECHNOLOGY SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
Risk Mitigation Components - Wireless Internet Devices
For wireless customer access, the financial institution should institute policies and standards requiring that information and transactions be encrypted throughout the link between the customer and the institution. Financial institutions should carefully consider the impact of implementing technologies that require a third party to have control over unencrypted customer information and transactions (for example, a carrier-operated WAP gateway that decrypts the handset's WTLS session before re-encrypting the traffic toward the institution, so that customer data is briefly in the clear on equipment the institution does not control).
As wireless application technologies evolve, new security and control weaknesses will likely be identified in the wireless software and security protocols. Financial institutions should actively monitor security alert organizations for notices related to their wireless application services. They should also consider informing customers when wireless Internet devices that require the use of communications protocols deemed insecure will no longer be supported by the institution.
The financial institution should consider having regular independent security testing performed on its wireless customer access application. Specific testing goals would include verification of appropriate security settings, the effectiveness of the wireless application security implementation, and conformity to the institution's stated standards. The security testing should be performed by an organization that is technically qualified to perform wireless testing and demonstrates appropriate ethical behavior.
IT SECURITY QUESTION:
Physical access to main computers:
a. Are the servers located in a secure location in the building?
b. Is access to the computer room restricted?
c. Is the computer room locked at all times?
d. Is there 24-hour camera surveillance in the computer room?
e. Is the computer room free of clutter?
f. Is there a fire extinguisher?
g. Are fire extinguishers regularly inspected?
h. Is there a smoke or heat detector?
i. Is there a "power down" switch?
j. Is there a visitors' log?
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
13. If the institution does not disclose nonpublic personal information, and does not reserve the right to do so, other than under exceptions in §14 and §15, does the institution provide a simplified privacy notice that contains at a minimum:
a. a statement to this effect;
b. the categories of nonpublic personal information it collects;
c. the policies and practices the institution uses to protect the confidentiality and security of nonpublic personal information; and
d. a general statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(c)(5)]
(Note: use of this type of simplified notice is optional; an institution may always use a full notice.)
VISTA penetration-vulnerability testing - Does your institution need an affordable internal or external penetration-vulnerability test? R. Kinney Williams & Associates provides the independence required by the FFIEC IT Examination Manual. We are IT auditors and do not sell hardware or software like many IT testing companies and consultants. In addition, we have over 30 years of experience auditing IT operations for financial institutions, which includes 21 years of examination experience. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.