June is the 10th anniversary of the Internet Banking
News. The 520 weekend editions are a labor of love,
which we enjoy bringing you. We look forward to your
continued readership and hope you will send us your
suggestions to make the newsletter better during our
second decade. Thanks - R. Kinney Williams, President of
P. S. If you know someone
who would like to receive the newsletter, please let us
There is no charge.
IT managers under pressure to weaken Web security policy - IT
professionals are under pressure from upper level executives to open
the floodgates to the latest Web-based platforms, relaxing Web
security policy, according to a new survey of 1,300 IT managers.
GAO report finds security lagging at federal agencies - Twenty-three
of the 24 major U.S. government agencies contain weaknesses in their
information security programs, potentially placing sensitive data at
risk to exposure, according to a government report issued this week.
U.S. National Archives offers reward for missing hard drive - The
U.S. National Archives on Wednesday said it is offering a $50,000
reward for information leading to the recovery of a missing hard
drive that contains personal information of former Clinton
administration staff and visitors.
Spam accounted for 90 percent of all email in May - Spam is back on
the rise, according to Symantec's MessageLabs monthly report. The
report concluded that in May, the share of junk mail rose 5.1
percentage points to 90.4 percent of all email.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Army's stolen laptop sparks 'embarrassing' security scare - An army
laptop said to contain the personal details of serving soldiers and
their families sparked a security scare after it was stolen from a
car parked near an Edinburgh barracks.
Lotto winners' info stolen - A former Texas lottery worker was
arrested while training for a new job Tuesday - his fourth with the
state - and charged with illegally "possessing" personal information
on 140 lottery winners and employees, including their names and
Social Security numbers.
Bank worker's theft plan foiled - A Sheffield bank worker whose
plans to steal £1.2m from banks were foiled when police used a
scouting handbook to crack his secret code has been jailed for more
than three years.
NHS 'loses' thousands of medical records - Information watchdog
orders overhaul after 140 security breaches in just four months -
The personal medical records of tens of thousands of people have
been lost by the NHS in a series of grave data security leaks.
Between January and April this year, 140 security breaches were
reported within the NHS - more than the total number from inside
central Government and all local authorities combined.
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Banking Supervision.
Legal and Reputational Risk Management
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with high customer expectations for constant and
rapid availability and potentially high transaction demand. The bank
must have the ability to deliver e-banking services to all end-users
and be able to maintain such availability in all circumstances.
Effective incident response mechanisms are also critical to minimize
operational, legal and reputational risks arising from unexpected
events, including internal and external attacks, that may affect the
provision of e-banking systems and services. To meet customers'
expectations, banks should therefore have effective capacity,
business continuity and contingency planning. Banks should also
develop appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk
and limit liability associated with disruptions in their e-banking
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
LOGGING AND DATA COLLECTION (Part 1 of 2)
Financial institutions should take reasonable steps to ensure that
sufficient data is collected from secure log files to identify and
respond to security incidents and to monitor and enforce policy
compliance. Appropriate logging controls ensure that security
personnel can review and analyze log data to identify unauthorized
access attempts and security violations, provide support for
personnel actions, and aid in reconstructing compromised systems.
An institution's ongoing security risk assessment process should
evaluate the adequacy of the system logging and the type of
information collected. Security policies should address the proper
handling and analysis of log files. Institutions have to make
risk-based decisions on where and when to log activity. The
following data are typically logged to some extent:
! Inbound and outbound Internet traffic,
! Internal network traffic,
! Firewall events,
! Intrusion detection system events,
! Network and host performance,
! Operating system access (especially high-level administrative or
! Application access (especially users and objects with write- and
execute privileges), and
! Remote access.
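The guidance above says security personnel should be able to review log data to identify unauthorized access attempts and high-level administrative access. The following added example (not part of the FFIEC text or this newsletter) shows what that review looks like in practice: it parses a handful of constructed syslog-style authentication lines and flags repeated failed logins from one source, a successful login that follows a run of failures, direct root logins, and privileged commands run through sudo. The log lines, the host and account names, the IP addresses and the failure threshold of 3 are all constructed for illustration.

```python
"""Review constructed auth log lines for the signals the FFIEC logging
guidance asks security personnel to look for: unauthorized access
attempts and high-level administrative access.

Added example. The log lines below are constructed, not taken from any
real system; hostnames, users and addresses are illustrative."""
import re
from collections import Counter, defaultdict

# Constructed syslog-style sample (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jun 06 02:14:01 web01 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 06 02:14:03 web01 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jun 06 02:14:05 web01 sshd[4120]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jun 06 02:14:07 web01 sshd[4120]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jun 06 02:14:09 web01 sshd[4120]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jun 06 02:14:11 web01 sshd[4120]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jun 06 02:15:40 web01 sshd[4131]: Accepted publickey for alice from 198.51.100.12 port 40112 ssh2
Jun 06 02:16:02 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Jun 06 02:17:30 web01 sshd[4140]: Failed password for bob from 198.51.100.12 port 40120 ssh2
Jun 06 02:17:35 web01 sshd[4140]: Accepted password for bob from 198.51.100.12 port 40121 ssh2
"""

# Patterns for the three OpenSSH/sudo message shapes used in the sample.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo: (\S+) : .*USER=(\S+) ; COMMAND=(.*)$")

FAILURE_THRESHOLD = 3  # constructed policy value: failures per source before we flag


def analyze(log_text, threshold=FAILURE_THRESHOLD):
    """Return a list of finding tuples; the first element names the finding.

    Lines are processed in order, so a successful login is judged against
    the failures seen from the same source *before* it."""
    failures = Counter()                 # source IP -> failed logins seen so far
    failed_accounts = defaultdict(set)   # source IP -> account names tried
    findings = []

    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            failed_accounts[src].add(user)
            continue

        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            # A success right after a burst of failures is the classic
            # "guessed it" pattern and deserves a look regardless of user.
            if failures[src] >= threshold:
                findings.append(("success_after_failures", src, user))
            # Direct root logins are high-level administrative access.
            if user == "root":
                findings.append(("direct_root_login", src, method))
            continue

        m = SUDO_RE.search(line)
        if m:
            user, target, cmd = m.groups()
            findings.append(("privileged_command", user, target, cmd.strip()))

    # Summarise sources that crossed the threshold, with the accounts tried.
    for src, count in failures.items():
        if count >= threshold:
            findings.append(("brute_force", src, count, sorted(failed_accounts[src])))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Two points this makes concrete. First, the review only works if the lines reach an analyst intact: the `Failed password` lines are written by the same host the attacker is logging into, so the "secure log files" the guidance refers to means forwarding or write-protecting them, something this script assumes has already happened. Second, the sudo line is not an attack at all, but it is exactly the "high-level administrative" access the guidance wants recorded and reviewed, so the script reports it alongside the suspicious activity rather than filtering it out.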
SOFTWARE DEVELOPMENT AND ACQUISITION
8. Inquire about the method used to test the newly developed or
acquired software for vulnerabilities.
! For source code reviews, inquire about standards used,
the capabilities of the reviewers, and the results of the reviews.
! If source code reviews are not performed, inquire about
alternate actions taken to test the software for covert channels,
backdoors, and other security issues.
PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
9) Does the institution list the following categories of
nonpublic personal information that it collects, as applicable:
a) information from the consumer; [§6(c)(1)(i)]
b) information about the consumer's transactions with the
institution or its affiliates; [§6(c)(1)(ii)]
c) information about the consumer's transactions with
nonaffiliated third parties; [§6(c)(1)(iii)] and
d) information from a consumer reporting agency? [§6(c)(1)(iv)]