FYI - Pre-Employment Background Screening - Guidance on Developing an Effective Pre-Employment Background Screening Process - The FDIC is providing the attached guidance on developing an effective pre-employment background screening process. This process can be an effective risk-management tool by providing management with a degree of certainty that the information provided is accurate and that the applicant does not have a criminal background.
www.fdic.gov/news/news/financial/2005/fil4605.html

FYI - Network intrusion prompts Stanford to warn of possible data theft - Stanford University is notifying about 9,600 users of its Career Development Center of a network intrusion on May 11 that may have exposed their names, Social Security numbers and other personal information.
http://www.computerworld.com/printthis/2005/0,4814,102075,00.html

FYI - Valdosta Hacking Bigger Than First Thought - A computer identity breach at Valdosta State University has widened, with authorities now saying up to 40,000 people could have had their Social Security numbers accessed by a computer hacker.
http://www.wsbtv.com/news/4515697/detail.html

FYI - MCI: Employee Data was on Stolen Laptop - A laptop computer containing the names and Social Security numbers of about 16,500 current and former employees of MCI Inc. was stolen last month.
http://www.eweek.com/article2/0%2C1759%2C1818897%2C00.asp

FYI - IT Managers Continue to Expose Companies to Internet Security Threats - Survey finds Internet security is a major problem in many European companies.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5620

FYI - Financial institutions have put convenience before security in their online interactions with customers. Identity theft is changing that. Phishing begat pharming. The rogue employee stealing data evolved into conspiracy rings of people getting jobs solely to lay their hands on customer data.
http://www.informationweek.com/story/showArticle.jhtml;jsessionid=1CDKJZZA4WEE4QSNDBCCKHSCJUMEKJVN?articleID=163701864&tid=6004

FYI - New disposal rule for consumer data kicks in - Starting Wednesday, businesses that have consumer report data must ensure that their methods for discarding such information adhere to certain guidelines.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=4ef7018e-198c-4170-9dcd-bfe3bda211a2&newsType=Latest%20News&s=n

FYI - Phishers targeting credit unions - Credit unions are increasingly becoming a target of phishing scams, according to the latest report from the Anti-Phishing Working Group.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=12faecec-d07f-4370-9bc6-1d65a33007bb&newsType=Latest%20News&s=n
WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule issued on March 20, 1998 allows depository institutions to satisfy the requirement to deliver any of these disclosures, and other information required by the act and regulation, by electronic communication, as long as the consumer agrees to that method of delivery.

Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services, including electronic financial services.

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated online. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
Digital Signatures
Digital signatures authenticate the identity of a sender through the sender's private cryptographic key. In addition, every digital signature is different because it is derived from the content of the message itself. The combination of identity authentication and a signature unique to each message results in a transmission that cannot be repudiated, as long as the private key has remained under the sender's sole control.

Digital signatures can be applied to any data transmission, including e-mail. To generate a digital signature, the original, unencrypted message is run through a mathematical algorithm that generates what is known as a message digest (a fixed-length, unique representation of the data). This process is known as "hashing," and the algorithm as the hash function. The message digest is then encrypted (signed) with the sender's private key and sent along with the message. The recipient receives both the message and the encrypted message digest. The recipient decrypts the message digest with the sender's public key, and then runs the received message through the same hash function. If the resulting message digest matches the one sent with the message, the message has not been altered and data integrity is verified. Because the message digest was encrypted with the sender's private key, which only the sender holds, the sender can be identified and bound to the specific message. The digital signature cannot be reused on another message, because it is unique to the message that was hashed; attaching it to different content causes the digest comparison to fail. In the above example, data privacy and confidentiality could also be achieved by encrypting the message itself, since the signature alone leaves the message readable in transit. The strength and security of a digital signature system is determined by its implementation (the hash and signature algorithms and their key sizes) and the management of the cryptographic keys, above all the protection of the private key.
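The exchange described above, carried out in code as an added example (it is not part of the FDIC text): the sender hashes the message with SHA-256, signs the digest with an RSA private key, and the recipient recomputes the digest and checks the signature with the sender's public key. The key pairs, the party names ("alice", "mallory") and the payment message are constructed here for illustration. The example goes slightly beyond the text by also exercising the three failure cases it implies: a message altered in transit, a signature reused on a different message, and verification against the wrong public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signed is what is transmitted: the plaintext message and the signature,
// i.e. the SHA-256 digest of the message signed with the sender's private key.
type Signed struct {
	Message   []byte
	Signature []byte
}

// digest is the "hash" step: a fixed-length representation of the message.
func digest(msg []byte) []byte {
	h := sha256.Sum256(msg)
	return h[:]
}

// Sign hashes the message and signs the digest with the sender's private key.
// RSA PKCS#1 v1.5 is used because it most literally "encrypts the digest".
func Sign(priv *rsa.PrivateKey, msg []byte) (Signed, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(msg))
	if err != nil {
		return Signed{}, err
	}
	return Signed{Message: msg, Signature: sig}, nil
}

// Verify recomputes the digest over the received message and checks the
// signature against the claimed sender's public key. It succeeds only if the
// message is unaltered and the signature came from the matching private key.
func Verify(pub *rsa.PublicKey, s Signed) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(s.Message), s.Signature) == nil
}

// Results records the outcome of each verification scenario.
type Results struct {
	Genuine     bool // untouched message, correct sender key
	Tampered    bool // message altered in transit, original signature kept
	Reused      bool // original signature attached to a different message
	WrongSender bool // genuine message checked against another party's key
}

// Demo walks through the sign/verify exchange between a sender ("alice")
// and an impostor ("mallory"). Keys and messages are constructed for
// illustration only; they are not real credentials or transactions.
func Demo() (Results, error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Results{}, err
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Results{}, err
	}

	// Constructed sample payment instruction.
	msg := []byte("Transfer $100.00 from account 1001 to account 2002")
	s, err := Sign(alice, msg)
	if err != nil {
		return Results{}, err
	}

	var r Results
	r.Genuine = Verify(&alice.PublicKey, s)

	// Integrity: one changed byte yields a different digest, so the check fails.
	tampered := Signed{Message: append([]byte(nil), msg...), Signature: s.Signature}
	tampered.Message[10] = '9' // "$100.00" becomes "$900.00"
	r.Tampered = Verify(&alice.PublicKey, tampered)

	// Non-reuse: the signature over msg does not validate any other message.
	other := []byte("Transfer $100.00 from account 1001 to account 3003")
	r.Reused = Verify(&alice.PublicKey, Signed{Message: other, Signature: s.Signature})

	// Origin: the signature does not verify under anyone else's public key.
	r.WrongSender = Verify(&mallory.PublicKey, s)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v reused=%v wrongSender=%v\n",
		r.Genuine, r.Tampered, r.Reused, r.WrongSender)
}
```

Run with `go run`; only the genuine case verifies. In a production system the private key would live in an HSM or smart card rather than be generated in process, and new designs generally prefer RSA-PSS or an elliptic-curve scheme such as Ed25519 over PKCS#1 v1.5, which is used here only because it matches the text's "encrypt the digest" description.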
IT SECURITY QUESTION:
Fedline computer and security configuration:
a. Is the Fedline computer located in a secure area?
b. Is the Fedline computer properly configured for security?
c. Does the Fedline computer require a password?
d. Is the Fedline computer regularly backed up?
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
23. If the institution delivers the
opt out notice after the initial notice, does the institution
provide the initial notice once again with the opt out notice? [§7(c)]
24. Does the institution provide an opt out notice, explaining how
the institution will treat opt out directions by the joint
consumers, to at least one party in a joint consumer relationship? [§7(d)(1)]
VISTA - Does your institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provide compliance with Gramm-Leach-Bliley Act section 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning; testing is conducted from a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.