R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

May 29, 2005

CONTENT Internet Compliance Information Systems Security
IT Security Question Internet Privacy Website for Penetration Testing


FYI - GAO - Information Security: Federal Deposit Insurance Corporation Needs to Sustain Progress.
GAO report - http://www.gao.gov/cgi-bin/getrpt?GAO-05-486
Highlights - http://www.gao.gov/highlights/d05486high.pdf

FYI - How Secure Is Your Backup? - Ensuring a backup data system is in place and functioning is essential to an organization's internal audit process. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5618

FYI - Programmer accused of hacking driver's license files - A computer programmer for a sensitive state agency, who apparently was hired without undergoing a background check, has been charged with computer intrusion and theft for accessing Georgia driver's license files without authorization. http://www.accessnorthga.com/news/ap_newfullstory.asp?ID=60627

FYI - MasterCard battles phishing fraud - Payments giant battles back against scammers. MasterCard has shut down 1,400 phishing sites websites in the last eleven months alone, the company has revealed at its annual Global Risk Management Symposium. http://www.techworld.com/news/index.cfm?RSS&NewsID=3646

FYI - Security's weakest links - It's been a lousy year for computer security, but there's still time to learn from the mistakes of others. http://www.infoworld.com/article/05/05/16/20FEsecurenews_1.html

FYI - GAO - Information Security: Federal Agencies Need to Improve Controls over Wireless Networks.
GAO report http://www.gao.gov/cgi-bin/getrpt?GAO-05-383 
Highlights - http://www.gao.gov/highlights/d05383high.pdf

FYI - New phishing attack uses real ID hooks - Security researchers are reporting a new brand of phishing attack that attempts to use stolen consumer data to rip off individual account holders at specific banks. http://news.com.com/New+phishing+attack+uses+real+ID+hooks/2100-7349_3-5706305.html?tag=cd.top

FYI - Secret Service report details traits of insider attacks - Most insider attacks are planned well in advance by former employees intent on revenge, according to a study released by the U.S. Secret Service and the Carnegie Mellon Software Engineering Institute's CERT. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=1bee8312-4166-4526-b87d-d3927a7fc467&newsType=Latest%20News&s=n


FYI - Auditing MS SQL Server Security - Database system security is a serious issue affecting an organization's information security, damage, and loss. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5611

Return to the top of the newsletter

WEB SITE COMPLIANCE -
Flood Disaster Protection Act

The regulation implementing the National Flood Insurance Program requires a financial institution to notify a prospective borrower and the servicer that the structure securing the loan is located or to be located in a special flood hazard area. The regulation also requires a notice of the servicer's identity be delivered to the insurance provider. While the regulation addresses electronic delivery to the servicer and to the insurance provider, it does not address electronic delivery of the notice to the borrower.


Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY
We continue the series  from the FDIC "Security Risks Associated with the Internet." 

SECURITY MEASURES

Encryption 


Encryption, or cryptography, is a method of converting information to an unintelligible code.  The process can then be reversed, returning the information to an understandable form. The information is encrypted (encoded) and decrypted (decoded) by what are commonly referred to as "cryptographic keys." These "keys" are actually values, used by a mathematical algorithm to transform the data. The effectiveness of encryption technology is determined by the strength of the algorithm, the length of the key, and the appropriateness of the encryption system selected.


Because encryption renders information unreadable to any party without the ability to decrypt it, the information remains private and confidential, whether being transmitted or stored on a system. Unauthorized parties will see nothing but an unorganized assembly of characters.  Furthermore, encryption technology can provide assurance of data integrity as some algorithms offer protection against forgery and tampering. The ability of the technology to protect the information requires that the encryption and decryption keys be properly managed by authorized parties.


Return to the top of the newsletter

IT SECURITY QUESTION:  Internal controls and procedures:  (Part 2 of 2)

i. Is there separation of duties for handling un-posted items?
j. Is there separation of duties for balancing final output?
k. Is there separation of duties for statement preparation?
l. Are there controls for non-dollar transactions? In writing?
m. Are master files changes required to be in writing?
n. Are source documents microfilmed before transportation?
o. Are official checks, which are computer processed, satisfactorily controlled?
p. Are employees prohibited from using computers for personal use?

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

21. Does the institution provide the consumer with the following information about the right to opt out:

a. all the categories of nonpublic personal information that the institution discloses or reserves the right to disclose; [7(a)(2)(i)(A)]

b. all the categories of nonaffiliated third parties to whom the information is disclosed; [7(a)(2)(i)(A)];

c. that the consumer has the right to opt out of the disclosure of that information; [7(a)(2)(i)(A)] and

d. the financial products or services that the consumer obtains to which the opt out direction would apply? [7(a)(2)(i)(B)]


VISTA - Does {custom4} need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The VISTA penetration study and Internet security test is an affordable-sophisticated process than goes far beyond the simple scanning of ports and testing focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated