Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

April 29, 2007

CONTENT
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act Section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Privacy of Consumer Financial Information - The FDIC, the other federal financial institution regulatory agencies, the Securities and Exchange Commission, the Federal Trade Commission, and the Commodity Futures Trading Commission have jointly published a Notice of Proposed Rulemaking seeking comment on a model privacy form that financial institutions could use to satisfy the privacy notice requirements of the Gramm-Leach-Bliley Act. www.fdic.gov/news/news/financial/2007/fil07034.html

FYI - NIST has collaborated with the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and Microsoft Corporation to produce baseline security settings for Microsoft Windows in the Enterprise (EC) and Specialized Security/Limited Functionality (SSLF) environments.
Windows Vista security guidelines: http://csrc.nist.gov/itsec/guidance_vista.html
Windows XP security guidelines: http://csrc.nist.gov/itsec/SP800-68-20051102.pdf

FYI - Former Morgan Stanley Employee Arrested On Data Theft Charges - A former Morgan Stanley client service representative was arrested and charged with stealing proprietary information relating to the brokerage firm's hedge fund clients. http://www.consumeraffairs.com/news04/2007/04/id_morgan_stanley.html

FYI - Social Security Administration Worker Charged In Identity Theft Scheme - A former Social Security Administration employee surrendered to federal authorities Wednesday to face charges of illegally disclosing personal information she took off a government computer that was then used in an identity theft scheme that racked up $2.5 million in credit card charges. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199000813

FYI - Pioneer Press alleges corporate espionage by former publisher - His password was "Mocha." But other data on Par Ridder's laptop computer would have been even tastier to his new bosses. http://news.postbulletin.com/newsmanager/templates/localnews_story.asp?a=290750

FYI - Navigating the PCI Standard - More than just another data-security standard, the PCI program is corporate America's most ambitious effort yet to prove that it can self-regulate. But even a standard with everything going for it might not be enough to stop the loss of credit card data. In mid-December 2006, just as Visa was announcing a $20 million incentive to try to hurry compliance with the credit card industry's data-security standard, a consultant for TJX was discovering precisely the sort of breach that the standard is supposed to prevent. http://www.csoonline.com/read/040107/fea_pci_pf.html

FYI - GAO - Information Security: Persistent Weaknesses Highlight Need for Further Improvement.
http://www.gao.gov/cgi-bin/getrpt?GAO-07-751T
Highlights - http://www.gao.gov/highlights/d07751thigh.pdf

MISSING COMPUTERS/DATA

FYI - Georgia on the mind of three million after CD loss - Sensitive personal information on 2.9 million Georgia residents is at risk after a company lost a CD that contained the details. http://www.theregister.co.uk/2007/04/11/georgia_data_loss/print.html

FYI - Sensitive Info Is Stolen From Adoption Agency - The highly confidential information on children and their adoptive parents is at stake in a criminal case being investigated by Ft. Lauderdale Police. http://cbs4.com/topstories/local_story_099223111.html

FYI - Technician Held In Theft Of Data On Port Workers - A computer technician at the Port of Tampa is accused of stealing employee information to apply for credit cards online, the Florida Department of Law Enforcement said. http://www.tbo.com/news/metro/MGBTN5P0G0F.html


WEB SITE COMPLIANCE
- The Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:

When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services.  Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk.  The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed.  This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.

The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan.  This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements.  For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer.  The compliance officer can also be an ongoing resource to test the system for regulatory compliance.


INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.

INSURANCE  (Part 1 of 2)

Financial institutions have used insurance coverage as an effective method to transfer risks from themselves to insurance carriers. Insurance coverage is increasingly available to cover risks from security breaches or denial of service attacks. For example, several insurance companies offer e-commerce insurance packages that can reimburse financial institutions for losses from fraud, privacy breaches, system downtime, or incident response. When evaluating the need for insurance to cover information security threats, financial institutions should understand the following points:

- Insurance is not a substitute for an effective security program.
- Traditional fidelity bond coverage may not protect from losses related to security intrusions.
- Availability, cost, and covered risks vary by insurance company.
- Availability of new insurance products creates a more dynamic environment for these factors.
- Insurance cannot adequately cover the reputation and compliance risk related to customer relationships and privacy.
- Insurance companies typically require companies to certify that certain security practices are in place.


IT SECURITY QUESTION: 
SERVICE PROVIDER OVERSIGHT-SECURITY

6. Determine if institution oversight of third party provider security controls is adequate.

7. Determine if any third party provider access to the institution's system is controlled according to "Authentication and Access Controls" and "Network Security" procedures.

8. Determine if the contract requires secure remote communications, as appropriate.

9. Determine if the institution appropriately assessed the third party provider's procedures for hiring and monitoring personnel who have access to the institution's systems and data.

INTERNET PRIVACY
- With this issue, we begin our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

On November 12, 1999, President Clinton signed into law the Gramm-Leach-Bliley Act (the "Act"). Title V, Subtitle A of the Act governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless the institution satisfies various notice and opt-out requirements, and provided that the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.

Accordingly, on June 1, 2000, the four federal bank and thrift regulators published substantively identical regulations implementing provisions of the Act governing the privacy of consumer financial information. The regulations establish rules governing duties of a financial institution to provide particular notices and limitations on its disclosure of nonpublic personal information, as summarized below. 

1)  A financial institution must provide a notice of its privacy policies, and allow the consumer to opt out, before disclosing the consumer's nonpublic personal information to a nonaffiliated third party, if the disclosure is outside of the exceptions in sections 13, 14 or 15 of the regulations.

2)  Regardless of whether a financial institution shares nonpublic personal information, the institution must provide notices of its privacy policies to its customers.

3)  A financial institution generally may not disclose customer account numbers to any nonaffiliated third party for marketing purposes.

4)  A financial institution must follow reuse and redisclosure limitations on any nonpublic personal information it receives from a nonaffiliated financial institution.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated