April 30, 2000
WELCOME - We welcome Paul Quinlan as our newest associate. Paul's responsibilities include web page auditing. He is a Kansas City, Kansas native and works out of Kansas City. Paul brings web page programming skills and over ten years of Internet experience. As a Senior Associate, his experience and Internet knowledge will benefit the web page auditing process. Please welcome Paul by sending him an e-mail at Paul@yennik.com with any Internet questions. His phone number in Kansas City is 913-281-5097.
FYI - The Office of Thrift Supervision has granted a federal thrift charter to Bank of Internet USA (BOI), which will operate both as a traditional thrift institution and as a full-service Internet operation.
INTERNET SECURITY - Determining Which Intrusion Detection System (IDS) is Best for an Institution
An institution's risk assessment process should first determine whether an IDS is necessary. Next, the type or placement of an IDS depends on the priority of identified threats or vulnerabilities. If one or a few hosts contain information that management views as critical, a host-based IDS may be warranted. If the information is less essential, other controls such as a firewall and/or filtering routers may be sufficient to protect the information. If an institution is primarily concerned with attacks from the outside or views the entire network system as critical, a network-based product may be appropriate. A combination of host- and network-based IDSs may also be appropriate for effective system security. Management should be aware that even after an IDS is in place, there may be other access points to the bank's systems that are not being monitored. Management should determine what types of security precautions are needed for the other access points.
The placement of the IDS within the institution's system architecture should be carefully considered. The primary benefit of placing an IDS inside a firewall is the detection of attacks that penetrate the firewall as well as insider abuses. The primary benefit of placing an IDS outside of a firewall is the ability to detect such activities as sweeping, which can be the first sign of attack; repeated failed log-in attempts; and attempted denial of service and spoofing attacks. Placing an IDS outside the firewall will also allow the monitoring of traffic that the firewall stops.
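The two paragraphs above describe the trade-off in words; the following script makes it concrete by running the same two detection rules (a host sweep and repeated failed log-ins) over one set of traffic records as seen from a sensor outside the firewall and from one inside it. This is an added illustration, not code from the newsletter or from any IDS product; the addresses (documentation ranges), the firewall policy, the alert thresholds and the traffic records are all constructed assumptions for the example.

```python
"""What an IDS sees at each placement relative to a perimeter firewall.

All addresses, traffic records, thresholds and firewall rules below are
constructed for this example (documentation ranges 192.0.2.0/24 and
203.0.113.0/24); they are not from any real network or product.
"""
from collections import Counter, defaultdict

INTERNAL_NET = "192.0.2."          # constructed internal address range
# Constructed perimeter policy: only the public web server is reachable from outside.
FIREWALL_ALLOW = {("192.0.2.20", 443)}

SWEEP_HOSTS = 3      # distinct destination hosts from one source -> "sweep"
FAIL_THRESHOLD = 3   # failed log-ins from one source to one host -> alert

# Constructed event records: (source, destination, port, event)
TRAFFIC = [
    # external host sweeping the internal range for telnet; the firewall drops all of it
    ("203.0.113.5", "192.0.2.10", 23, "syn"),
    ("203.0.113.5", "192.0.2.11", 23, "syn"),
    ("203.0.113.5", "192.0.2.12", 23, "syn"),
    ("203.0.113.5", "192.0.2.13", 23, "syn"),
    # external host repeatedly failing to log in to the public web server (allowed through)
    ("203.0.113.9", "192.0.2.20", 443, "login_fail"),
    ("203.0.113.9", "192.0.2.20", 443, "login_fail"),
    ("203.0.113.9", "192.0.2.20", 443, "login_fail"),
    ("203.0.113.9", "192.0.2.20", 443, "login_ok"),
    # insider guessing passwords on an internal host; this never crosses the perimeter
    ("192.0.2.50", "192.0.2.30", 22, "login_fail"),
    ("192.0.2.50", "192.0.2.30", 22, "login_fail"),
    ("192.0.2.50", "192.0.2.30", 22, "login_fail"),
]


def firewall_passes(rec):
    """Internal-to-internal traffic never touches the perimeter firewall;
    external traffic passes only if (destination, port) is explicitly allowed."""
    src, dst, port, _ = rec
    if src.startswith(INTERNAL_NET):
        return True
    return (dst, port) in FIREWALL_ALLOW


def sensor_view(traffic, position):
    """Traffic visible to a sensor placed 'outside' or 'inside' the firewall."""
    if position == "outside":
        # Sees everything arriving from the Internet, including what the firewall
        # will drop, but nothing that stays on the internal network.
        return [r for r in traffic if not r[0].startswith(INTERNAL_NET)]
    if position == "inside":
        # Sees what the firewall let through plus all internal traffic.
        return [r for r in traffic if firewall_passes(r)]
    raise ValueError("position must be 'outside' or 'inside'")


def detect(events):
    """Two simple rules; returns a sorted list of alert tuples."""
    targets = defaultdict(set)      # source -> distinct destination hosts
    failures = Counter()            # (source, destination) -> failed log-ins
    for src, dst, _port, event in events:
        targets[src].add(dst)
        if event == "login_fail":
            failures[(src, dst)] += 1
    alerts = []
    for src, hosts in targets.items():
        if len(hosts) >= SWEEP_HOSTS:
            alerts.append(("sweep", src, len(hosts)))
    for (src, dst), n in failures.items():
        if n >= FAIL_THRESHOLD:
            alerts.append(("repeated_login_failure", src, dst))
    return sorted(alerts)


def alerts_for(position, traffic=TRAFFIC):
    """Alerts an IDS at the given position would raise on the constructed traffic."""
    return detect(sensor_view(traffic, position))


if __name__ == "__main__":
    for pos in ("outside", "inside"):
        print(f"IDS {pos} the firewall:")
        for alert in alerts_for(pos):
            print("   ", alert)
```

Run as-is, the outside sensor reports the sweep and the external log-in failures but is blind to the insider, while the inside sensor reports the insider and the external failures that the firewall let through but never sees the sweep, which is exactly the gap the text describes and why a combination of placements is often chosen.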
INTERNET COMPLIANCE - Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.
IN CLOSING - Are you making plans for your annual on-site Information Systems audit? We would appreciate the opportunity to present a proposal.