R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

May 1, 2005

CONTENT Internet Compliance Information Systems Security
IT Security Question Internet Privacy Website for Penetration Testing


FYI - A rock and a hard place - Balancing an organization's security risk, productivity and security technology investment has been the archetypal IT security challenge. However, with costs now spiraling as a result of a plethora of new regulatory compliance requirements and the need to support federated identities, organizations need to embrace automation and 'self-service' Identity Management technologies to attain the required levels of security, without tying the organization in knots and sucking it dry of profit. http://www.scmagazine.com/features/index.cfm?fuseaction=FeatureDetails&newsUID=9c6eed7d-8b4a-40a0-9d5a-639cbdaf288d&newsType=Opinion


FYI - Skeletons on your hard drive - Tax records, resumes, photo albums--the modern hard drive can keep increasingly larger volumes of information at the ready. But that can turn into a problem when it comes to effectively erasing the devices. The National Association for Information Destruction announced that it could not endorse the use of wiping applications alone for deleting data from hard drives. http://news.com.com/2102-1029_3-5676995.html?tag=st.util.print

FYI - IRS flaws open door to identity theft - Computer-security flaws at the U.S. tax-collection agency could expose millions of taxpayers to potential identity theft or illegal police snooping, according to a congressional report. http://news.com.com/IRS+flaws+open+door+to+identity+theft/2100-1029_3-5675597.html?tag=nefd.top

FYI - Ameritrade loses customer account info - As many as 200,000 current and former customers' personal information is unaccounted for. http://money.cnn.com/2005/04/19/technology/ameritrade/index.htm?cnn=yes

FYI - It's official: ChoicePoint, LexisNexis rooted many times - Privacy invasion behemoths ChoicePoint and LexisNexis have lost control of sensitive data in the past, but deliberately covered it up because no law required them to come clean, executives from both outfits confessed during Senate Judiciary Committee hearings on the recent epidemic of ID theft plaguing the USA. http://www.theregister.co.uk/2005/04/14/privacy_invasion_is_good_for_you/print.html

FYI - Major British banks are set to agree on a physical security device for all U.K. online customers to use. - This move to two-factor authentication could make customers more secure when banking online. Such systems use a physical security device that generates a password to be used only once. http://news.zdnet.com/2102-1009_22-5671175.html?tag=printthis


Return to the top of the newsletter

WEB SITE COMPLIANCE -
Truth in Lending Act (Regulation Z)

The commentary to regulation Z was amended recently to clarify that periodic statements for open-end credit accounts may be provided electronically, for example, via remote access devices. The regulations state that financial institutions may permit customers to call for their periodic statements, but may not require them to do so. If the customer wishes to pick up the statement and the plan has a grace period for payment without imposition of finance charges, the statement, including a statement provided by electronic means, must be made available in accordance with the "14-day rule," requiring mailing or delivery of the statement not later than 14 days before the end of the grace period.

Provisions pertaining to advertising of credit products should be carefully applied to an on-line system to ensure compliance with the regulation. Financial institutions advertising open-end or closed-end credit products on-line have options. Financial institutions should ensure that on-line advertising complies with the regulations. For on-line advertisements that may be deemed to contain more than a single page, financial institutions should comply with the regulations, which describe the requirements for multiple-page advertisements.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY
We continue the series  from the FDIC "Security Risks Associated with the Internet." 

Non-repudiation
 

Non-repudiation involves creating proof of the origin or delivery of data to protect the sender against false denial by the recipient that the data has been received or to protect the recipient against false denial by the sender that the data has been sent. To ensure that a transaction is enforceable, steps must be taken to prohibit parties from disputing the validity of, or refusing to acknowledge, legitimate communications or transactions. 


Access Control / System Design 


Establishing a link between a bank's internal network and the Internet can create a number of additional access points into the internal operating system. Furthermore, because the Internet is global, unauthorized access attempts might be initiated from anywhere in the world. These factors present a heightened risk to systems and data, necessitating strong security measures to control access. Because the security of any network is only as strong as its weakest link, the functionality of all related systems must be protected from attack and unauthorized access. Specific risks include the destruction, altering, or theft of data or funds; compromised data confidentiality; denial of service (system failures); a damaged public image; and resulting legal implications. Perpetrators may include hackers, unscrupulous vendors, former or disgruntled employees, or even agents of espionage. 


Return to the top of the newsletter

IT SECURITY QUESTION:  IT Policies - effective and current:

a. Is there a network policy?
b. Is there a core application policy?
c. Is there a Disaster Recovery Policy
d. Is there a Business Continuation Policy?
e. Is there an Internet Policy?
f. Is there an IT security Policy

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

17. Does the institution provide consumers who receive the short-form initial notice with a reasonable means of obtaining the longer initial notice, such as: 

a. a toll-free telephone number that the consumer may call to request the notice;  [6(d)(4)(i)] or

b. for the consumer who conducts business in person at the institution's office, having copies available to provide immediately by hand-delivery?  [6(d)(4)(ii)]

VISTA penetration-vulnerability testing - Does {custom4} need an affordable internal or external penetration-vulnerability test?  R. Kinney Williams & Associates provides the independence required by the FFIEC IT Examination Manual.  We are IT auditors and do not sell hardware or software like many IT testing companies and consultants. In addition, we have over 30 years experience auditing IT operations for financial institutions, which includes 21 years examination experience.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated