R. Kinney Williams & Associates

Internet Banking News

April 17, 2005

CONTENTS: Internet Compliance; Information Systems Security; IT Security Question; Internet Privacy; Website for Penetration Testing

FYI - International bank HSBC deluged by viruses - International bank HSBC is suffering thousands of virus attacks a day, a top executive at the company has revealed. http://news.com.com/2102-7349_3-5655520.html?tag=st.util.print

FYI - Japan tightens personal data protection - Companies must designate a manager called a corporate privacy officer (CPO) and other staff to be responsible for meeting the provisions, and the law also sets fines of up to US$2,804 or jail sentences up to six months for the manager or data handlers who are found to have not complied. http://www.infoworld.com/article/05/03/28/HNjapntightensdataprotection_1.html

FYI - Computer containing classified data stolen from IDF - A laptop computer containing classified military information was apparently stolen from the commander of an elite Israel Defense Forces unit while he was on vacation. The commander was sentenced to two weeks in a military prison. http://www.haaretz.com/hasen/spages/558776.html

FYI - Europeans worry about online banking security - Phishing, keystroke logging and other types of scams are increasingly worrying users of online banking services in Europe while scaring others away, according to a report issued from Forrester Research Inc. http://www.computerworld.com/printthis/2005/0,4814,100736,00.html

FYI - Police collar trojan suspect - Estonian police have arrested a man for stealing money from scores of European bank accounts. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=067b4ff6-63e6-4ebc-81c0-08d5ea9712a5&newsType=Latest%20News&s=n

FYI - Laptop security left to employees - European IT managers are leaving laptop security in the hands of employees, according to a new study, even though 71 per cent of respondents believe that corporate laptops, which are used outside the office and then reconnected to the network, pose a major security risk to their company. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=1de49ccc-1903-4360-b13e-997101a40267&newsType=Latest%20News&s=n

FYI - GAO - Information Security: Internal Revenue Service Needs to Remedy Serious Weaknesses over Taxpayer and Bank Secrecy Act Data. http://www.gao.gov/cgi-bin/getrpt?GAO-05-482
Highlights - http://www.gao.gov/highlights/d05482high.pdf


Equal Credit Opportunity Act (Regulation B)

The regulation clarifies the rules concerning the taking of credit applications by specifying that application information entered directly into and retained by a computerized system qualifies as a written application under this section. If an institution makes credit application forms available through its on-line system, it must ensure that the forms satisfy the requirements.

The regulations also clarify the regulatory requirements that apply when an institution takes loan applications through electronic media. If an applicant applies through an electronic medium (for example, the Internet or a facsimile) without video capability that allows employees of the institution to see the applicant, the institution may treat the application as if it were received by mail.


We begin a new series from the FDIC paper "Security Risks Associated with the Internet." While this Financial Institution Letter was published in December 1997, the issues are still relevant.

This FDIC paper alerts financial institutions to the fundamental technological risks presented by use of the Internet. Regardless of whether systems are maintained in-house or services are outsourced, bank management is responsible for protecting systems and data from compromise.

Security Risks 

The Internet is inherently insecure. By design, it is an open network which facilitates the flow of information between computers. Technologies are being developed so the Internet may be used for secure electronic commerce transactions, but failure to review and address the inherent risk factors increases the likelihood of system or data compromise. Five areas of concern relating to both transactional and system security issues, as discussed below, are: Data Privacy and Confidentiality, Data Integrity, Authentication, Non-repudiation, and Access Control/System Design. 

Data Privacy and Confidentiality 

Unless otherwise protected, all data transfers, including electronic mail, travel openly over the Internet and can be monitored or read by others. Given the volume of transmissions and the numerous paths available for data travel, it is unlikely that a particular transmission would be monitored at random. However, programs, such as "sniffer" programs, can be set up at opportune locations on a network, like Web servers (i.e., computers that provide services to other computers on the Internet), to simply look for and collect certain types of data. Data collected from such programs can include account numbers (e.g., credit cards, deposits, or loans) or passwords. 

Due to the design of the Internet, data privacy and confidentiality issues extend beyond data transfer and include any connected data storage systems, including network drives. Any data stored on a Web server may be susceptible to compromise if proper security precautions are not taken. 


IT SECURITY QUESTION: IT personnel - to ensure a safe and sound continuous operation:

a. Is there a network administrator?
b. Does the network administrator have any conflicting duties?
c. Is there a core application administrator?
d. Does the core application administrator have any conflicting duties?
e. Is there a programming administrator?
f. Is there an IT Security Officer?
g. Does the IT Security Officer have any conflicting duties?
h. Is the number of IT personnel satisfactory for the IT operation?
i. Are the IT personnel performing their respective duties satisfactorily?


We continue our series listing the regulatory privacy examination questions. Answering the question each week will help ensure compliance with the privacy regulations.

Content of Privacy Notice

15. If the institution provides a short-form initial privacy notice with the opt out notice, does the institution do so only to consumers with whom the institution does not have a customer relationship? [6(d)(1)]

VISTA penetration-vulnerability testing - Does {custom4} need an affordable internal or external penetration-vulnerability test? R. Kinney Williams & Associates provides the independence required by the FFIEC IT Examination Manual. We are IT auditors and do not sell hardware or software, unlike many IT testing companies and consultants. In addition, we have over 30 years of experience auditing IT operations for financial institutions, which includes 21 years of examination experience. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved. Our logo is registered with the United States Patent and Trademark Office. Copyright Yennik, Incorporated.