Yennik, Inc. Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
April 8, 2007
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - OCC Model Privacy Notice: Proposed Rule - Agencies request comments on a proposed model privacy notice that financial institutions may use for disclosures under the Gramm-Leach-Bliley Act.
www.occ.treas.gov/ftp/bulletin/2007-13.html

FYI - Half of corporate web traffic not work related - Almost half of all web traffic originating from corporate networks is non-productive, it was claimed.
http://www.vnunet.com/vnunet/news/2185906/half-corporate-web-traffic-work

FYI - Loss of data a major fear among Irish firms - Around three quarters of Irish IT managers cite "loss of business-critical data" and "downtime of key IT systems" as the greatest risks they face in IT planning.
http://www.siliconrepublic.com/news/news.nv?storyid=single7981

FYI - Cingular to deposit banking app onto cell phones - AT&T said Tuesday it has taken a step toward the long-promised notion of phones replacing credit cards, checks and cash by signing agreements with Wachovia and several other banks.
http://news.com.com/2102-1039_3-6170748.html?tag=st.util.print

FYI - California cuts off aid to ID thieves - The California secretary of state's office has shut down portions of its website after it was discovered it had been selling hundreds of thousands of public documents containing social security numbers and signatures, a practice that lasted for years.
http://www.theregister.co.uk/2007/03/26/california_privacy/print.html
MISSING COMPUTERS/DATA

FYI - Hacker sees 71,000 state employees' private data - An audit of a state government Web site database after someone hacked into the system found that personal information, including Social Security numbers, for 71,000 health care workers was accessed, officials said.
http://www.fortwayne.com/mld/fortwayne/news/local/16945009.htm

FYI - Security flap as Scottish council loses USB key - Pay details of scores of Perth and Kinross Council workers have been found on a memory stick left in the street. The security lapse could have exposed workers to ID theft.
http://www.theregister.co.uk/2007/03/21/perth_council_usb_loss/print.html

FYI - Group Health laptops missing, 31,000 identities at risk - Group Health Cooperative Health Care System said Friday that two of its laptop computers containing the personal information of 31,000 people are missing. The computers are said to contain the names, addresses, social security numbers and Group Health ID numbers of local patients and employees.
http://www.komotv.com/news/6681342.html

FYI - Hard drives stolen at clinic - Contained data on 19,000 patients - Three computer hard drives were stolen from the locked office of Swedish Urology Group earlier this month, and the clinic has been notifying persons affected by the theft. The external hard drives contained information on about 19,000 current and former patients and were used to back up the clinic's computer system.
http://seattlepi.nwsource.com/local/308897_swedish24.html

FYI - Hacker Suspected Of Multistate Break-In Spree - The hacker under investigation for stealing personal and financial information from an Indiana government site is also under suspicion of breaking into other state government Web sites. The hacker being investigated for stealing the personal identification information of 71,000 health-care workers certified in Indiana is suspected of breaching other state government sites.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198500410

FYI - DOD investigates hacking of troops' personal computers - Defense Department officials have launched an investigation into recent computer hackings of servicemembers' home computers that compromised personal information and led to the redirection of funds from their military pay accounts.
http://www.af.mil/news/story.asp?id=123046045
WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights on Incident Response Programs. (10 of 12)

Test affected systems or procedures prior to implementation.

Testing is an important function in the incident response process. It helps ensure that reconfigured systems, updated procedures, or new technologies implemented in response to an incident are fully effective and performing as expected. Testing can also identify whether any adjustments are necessary prior to implementing the updated system, process, or procedure.

Follow-up

During the follow-up process, an institution has the opportunity to regroup after the incident and strengthen its control structure by learning from the incident. A number of institutions have included the following best practice in their IRPs.

Conduct a "lessons-learned" meeting.

Successful organizations can use the incident and build from the experience. Organizations can use a lessons-learned meeting to:
1) discuss whether affected controls or procedures need to be strengthened beyond what was implemented during the recovery phase;
2) discuss whether significant problems were encountered during the incident response process and how they can be addressed;
3) determine if updated written policies or procedures are needed for the customer information security risk assessment and information security program;
4) determine if updated training is necessary regarding any new procedures or updated policies that have been implemented; and
5) determine if the bank needs additional personnel or technical resources to be better prepared going forward.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

INTRUSION RESPONSE (Part 1 of 2)

Intrusion detection by itself does not mitigate the risks of an intrusion. Risk mitigation only occurs through an effective and timely response. The goal of the response is to minimize damage to the institution and its customers through containment of the intrusion and restoration of systems.

The response primarily involves people rather than technologies. The quality of intrusion response is a function of the institution's culture, policies and procedures, and training.

Preparation determines the success of any intrusion response. Preparation involves defining the policies and procedures that guide the response, assigning responsibilities to individuals and providing appropriate training, formalizing information flows, and selecting, installing, and understanding the tools used in the response effort. Key considerations that directly affect the institution's policies and procedures include the following:

- How to balance concerns regarding availability, confidentiality, and integrity for devices and data of different sensitivities. This consideration is a key driver for a containment strategy and may involve legal and liability considerations. An institution may decide that some systems must be disconnected or shut down at the first sign of intrusion, while others must be left online.
- When and under what circumstances to invoke the intrusion response activities, and how to ensure the proper personnel are available and notified.
- How to control the frequently powerful intrusion identification and response tools.
- When to involve outside experts and how to ensure the proper expertise will be available when needed. This consideration addresses both the containment and the restoration strategy.
- When and under what circumstances to involve regulators, customers, and law enforcement. This consideration drives certain monitoring decisions, decisions regarding evidence-gathering and preservation, and communications considerations.
- Which personnel have authority to perform what actions in containment of the intrusion and restoration of the systems. This consideration affects the internal communications strategy, the commitment of personnel, and procedures that escalate involvement and decisions within the organization.
- How and what to communicate outside the organization, whether to law enforcement, customers, service providers, potential victims, and others. This consideration drives the communication strategy, and is a key component in mitigating reputation risk.
- How to document and maintain the evidence, decisions, and actions taken.
- What criteria must be met before compromised services, equipment and software are returned to the network.
- How to learn from the intrusion and use those lessons to improve the institution's security.
- How and when to prepare and file a Suspicious Activities Report (SAR).
IT SECURITY QUESTION: INTRUSION DETECTION AND RESPONSE

15. Determine if the security policy specifies the actions to be taken following the discovery of an unexpected, unusual, or suspicious activity (potential intrusion), and that appropriate personnel are authorized to take those actions.

16. Evaluate the appropriateness of the security policy in addressing the review of compromised systems. Consider:
- Documentation of the roles, responsibilities and authority of employees and contractors, and
- Conditions for the examination and analysis of data, systems, and networks.

17. Determine if the information disclosure policy indicates what information is shared with others, in what circumstances, and identifies the individual(s) who have the authority to initiate disclosure beyond the stated policy.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

48. If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service providers and joint marketing in §13, not apply because the information is disclosed as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with:
a. servicing or processing a financial product or service requested or authorized by the consumer; [§14(a)(1)]
b. maintaining or servicing the consumer's account with the institution or with another entity as part of a private label credit card program or other credit extension on behalf of the entity; or [§14(a)(2)]
c. a proposed or actual securitization, secondary market sale (including sale of servicing rights) or other similar transaction related to a transaction of the consumer? [§14(a)(3)]

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.