|June is the 10th anniversary of the Internet Banking
News. The 520 weekend editions is a labor of love,
which we enjoy bringing you. We look forward to
your continued readership and hope you will send us your
suggestions to make the newsletter better during our
second decade. Thanks - R. Kinney Williams, President of
P. S. If you know someone
that would like to receive the newsletter, please let us
There is no charge.
Federal IT security recommendations released in final NIST draft -
The National Institute of Standards and Technology has collaborated
with the military and intelligence communities to produce the first
set of security controls for all government information systems,
including national security systems.
Data-sniffing trojans burrow into Eastern European ATMs - Security
experts have discovered a family of data-stealing trojans that have
burrowed into automatic teller machines in Eastern Europe over the
past 18 months.
4 detained for hacking Internet servers - Chinese police have
detained four suspects for online hacking activities which
eventually led to temporary but widespread failure of Internet
access in China on May 19, the Ministry of Public Security said.
Data watchdog issues new privacy guidance for businesses -
Information Commissioner wants to ensure privacy controls are
designed in to IT from the start. The Information Commissioner's
Office (ICO) has launched a new guide to help businesses developing
IT systems to consider the privacy impact on customers and
Rakuten sold online market users' personal info to vendors - Rakuten
Inc., operator of popular online marketplace Rakuten Ichiba, sold
users' credit card numbers, mail addresses and other private
information to vendors on the market site, it has been learned.
Three local women sue state Department of Transportation - Three
local women sued state Department of Transportation officials in
federal court Thursday, alleging that the department illegally sold
drivers' personal information to firms that made it available for
sale on the Internet.
Safeguarding your mobile networks - Mobile security devices are one
of the top ways critical data is either breached or lost today. One
only has to look at some of the more recent data breach reports to
learn that laptops, personal digital assistants and even thumb
drives can cause huge problems for organizations.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Virginia patients warned about hacking of state drug Web site -
State officials are notifying more than a half-million Virginians
that their Social Security numbers may have been contained in a
prescription drug database that was targeted by a computer hacker
Insurance giant coughs to malware-related data breach - The US arm
of insurance giant Aviva has blamed a computer virus infection for
the potential disclosure of sensitive personal information.
List of U.S. nuclear facilities inadvertently posted on website - In
an inadvertent security breach, a document that detailed information
on nuclear sites was posted on the Government Printing Office's
Webhost hack wipes out data for 100,000 sites - A large internet
service provider said data for as many as 100,000 websites was
destroyed by attackers who targeted a zero-day vulnerability in a
widely-used virtualization application.
T-Mobile investigates alleged data breach -T-Mobile is investigating
a claim that a massive amount of internal data has been stolen from
the telecommunication operator's servers, a company spokesman said.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Risk management challenges
The Electronic Banking Group (EBG) noted that the fundamental
characteristics of e-banking (and e-commerce more generally) posed a
number of risk management challenges:
The speed of change relating to technological and customer
service innovation in e-banking is unprecedented. Historically, new
banking applications were implemented over relatively long periods
of time and only after in-depth testing. Today, however, banks are
experiencing competitive pressure to roll out new business
applications in very compressed time frames - often only a few
months from concept to production. This competition intensifies the
management challenge to ensure that adequate strategic assessment,
risk analysis and security reviews are conducted prior to
implementing new e-banking applications.
e-banking web sites and associated retail and wholesale business
applications are typically integrated as much as possible with
legacy computer systems to allow more straight-through processing of
electronic transactions. Such straight-through automated processing
reduces opportunities for human error and fraud inherent in manual
processes, but it also increases dependence on sound systems design
and architecture as well as system interoperability and operational
E-banking increases banks'
dependence on information technology, thereby increasing the
technical complexity of many operational and security issues and
furthering a trend towards more partnerships, alliances and
outsourcing arrangements with third parties, many of whom are
unregulated. This development has been leading to the creation of
new business models involving banks and non-bank entities, such as
Internet service providers, telecommunication companies and other
4) The Internet is ubiquitous and global by nature. It is an
open network accessible from anywhere in the world by unknown
parties, with routing of messages through unknown locations and via
fast evolving wireless devices. Therefore, it significantly
magnifies the importance of security controls, customer
authentication techniques, data protection, audit trail procedures,
and customer privacy standards.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
SERVICE PROVIDER OVERSIGHT
Many financial institutions outsource some aspect of their
operations. Although outsourcing arrangements often provide a cost -
effective means to support the institution's technology needs, the
ultimate responsibility and risk rests with the institution.
Financial institutions are required under Section 501(b) of the GLBA
to ensure service providers have implemented adequate security
controls to safeguard customer information. Supporting interagency
guidelines require institutions to:
! Exercise appropriate due diligence in selecting service providers,
! Require service providers by contract to implement appropriate
security controls to comply with the guidelines, and
! Monitor service providers to confirm that they are maintaining
those controls when indicated by the institution's risk assessment.
Financial institutions should implement these same precautions in
all TSP relationships based on the level of access to systems or
data for safety and soundness reasons, in addition to the privacy
Financial institutions should determine the following security
considerations when selecting or monitoring a service provider:
! Service provider references and experience,
! Security expertise of TSP personnel,
! Background checks on TSP personnel,
! Contract assurances regarding security responsibilities and
! Nondisclosure agreements covering the institution's systems and
! Ability to conduct audit coverage of security controls or
provisions for reports of security testing from independent third
! Clear understanding of the provider's security incidence response
policy and assurance that the provider will communicate security
incidents promptly to the institution when its systems or data were
Return to the top of the
2. Determine if substitute processing facilities and systems undergo
similar testing as production facilities and systems.
3. Determine if appropriate access controls and physical controls
have been considered and planned for the former production system
and networks when processing is transferred to a substitute
4. Determine if the intrusion detection and response plan considers
the resource availability and facility and systems changes that may
exist when substitute facilities are placed in use.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
11. Does the institution list the following categories of
affiliates and nonaffiliated third parties to whom it discloses
information, as applicable, and a few examples to illustrate the
types of the third parties in each category:
a. financial service providers; [§6(c)(3)(i)]
b. non-financial companies; [§6(c)(3)(ii)] and
c. others? [§6(c)(3)(iii)]