R. Kinney Williams & Associates

Internet Banking News

June 25, 2006

Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to verify their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Ahold USA pension data lost when laptop disappears - The laptop went missing after being checked in for a flight - A laptop computer containing the names and personal information of an undisclosed number of retirees of grocery store chain Ahold USA disappeared last month after it was placed in checked baggage on a commercial U.S. flight and the bag was lost by the airline. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000953

FYI - Lost IRS laptop stored employee fingerprints - Hundreds notified they are at risk of ID theft, including some applicants - A laptop computer containing fingerprints of Internal Revenue Service employees is missing, MSNBC.com has learned. http://www.msnbc.msn.com/id/13152636/

FYI - Computers Stolen in Ohio with 72,000 Medicaid Subscribers' Personal Info - Laptop computers with personal information on 72,000 Ohio Medicaid recipients were stolen from a private managed care agency in Ohio, according to an Associated Press account. Officials with Buckeye Community Health Plan notified authorities that four computers were stolen from their Columbus office. http://www.insurancejournal.com/news/midwest/2006/06/06/69179.htm?print=1

FYI - YMCA laptop with 65,000 members' information stolen - YMCA officials announced that a laptop computer was stolen last week containing personal information for more than 65,000 members in Rhode Island, including members of the YMCA of Greater Providence and branches in Woonsocket, Smithfield and Pawtucket. http://www.projo.com/cgi-bin/bi/gold_print.cgi

FYI - UK employees at risk for identity theft - The potential of identity theft has become a nagging fear for 1,300 current and former University of Kentucky employees after the university notified them that their personal information, including Social Security numbers, was inadvertently accessible to the public for 19 days last month. http://www.kentucky.com/mld/kentucky/news/14721839.htm?template=contentModules/printstory.jsp

FYI - Couple's Supposedly Destroyed Hard Drive Purchased In Chicago - A year ago, Henry and Roma Gerbus took their computer to Best Buy in Springfield Township to have its hard drive replaced. Henry Gerbus said Best Buy assured him the computer's old hard drive -- loaded with personal information -- would be destroyed. http://www.channelcincinnati.com/target5/9303216/detail.html

FYI - Credit unions, small banks see more phishing attacks - Attacks against small banks and credit unions remained on the rise last month, according to a recent fraud report from RSA Security. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060612/563797/

FYI - Two-thirds fail to guard against mobile threat - Two-thirds of IT professionals fail to include mobile devices in their security policies, according to a new study. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060612/563554/

FYI - IM attacks on the rise in May - The number of instant messaging (IM) attacks increased by 500 percent in May, Postini reported this week. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060612/563244/

FYI - Another federal breach exposes employee records - The Energy Department disclosed to Congress on Friday that it suffered a security breach from a hacker in September that compromised 1,500 personnel records. http://www.govexec.com/story_page.cfm?articleid=34301&printerfriendlyVers=1&

FYI - CPA group says hard drive with data on 330,000 members missing - 'We are looking at it as a missing shipment; that doesn't mean it's lost,' says a FedEx spokesman - Adding to the lengthening list of organizations reporting data compromises, the American Institute of Certified Public Accountants (AICPA) today confirmed that a computer hard drive containing the unencrypted names, addresses and Social Security numbers of nearly all of its 330,000 members has been missing since February. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001030

FYI - Stolen computer server sparks ID theft fears - Nearly 1 million prospective AIG customers could be at risk - A thief recently stole a computer server belonging to a major U.S. insurance company, and company officials now fear that the personal data of nearly 1 million people could be at risk, insurance industry sources tell NBC News. http://www.msnbc.msn.com/id/13327187

FYI - Visa says ATM breach may have exposed data - Visa USA on Tuesday confirmed an ATM security breakdown has exposed more consumers to potential mischief, the latest in a long line of lapses that have illuminated the often flimsy controls over the personal information entrusted to businesses, schools and government agencies. http://news.yahoo.com/s/ap/20060621/ap_on_bi_ge/visa_atm_breach

FYI - Feds Pump Up Intellectual Property Protection Efforts - Department of Justice opens up 12 new offices to fight cybercrimes. The U.S. Department of Justice has fulfilled or exceeded all recommendations made by an intellectual property task force in October 2004, including new computer crime investigations units in 12 cities, Attorney General Alberto Gonzales announced. http://www.pcworld.com/news/article/0,aid,126192,tk,nl_dnxnws,00.asp


WEB SITE COMPLIANCE - We continue our series on the FFIEC Authentication in an Internet Banking Environment.  (Part 5 of 13)

Monitoring and Reporting

Monitoring systems can determine if unauthorized access to computer systems and customer accounts has occurred. A sound authentication system should include audit features that can assist in the detection of fraud, money laundering, compromised passwords, or other unauthorized activities. The activation and maintenance of audit logs can help institutions to identify unauthorized activities, detect intrusions, reconstruct events, and promote employee and user accountability. In addition, financial institutions should report suspicious activities to appropriate regulatory and law enforcement agencies as required by the Bank Secrecy Act.

Financial institutions should rely on multiple layers of control to prevent fraud and safeguard customer information. Much of this control is not based directly upon authentication. For example, a financial institution can analyze the activities of its customers to identify suspicious patterns. Financial institutions also can rely on other control methods, such as establishing transaction dollar limits that require manual intervention to exceed a preset limit.

Adequate reporting mechanisms are needed to promptly inform security administrators when users are no longer authorized to access a particular system and to permit the timely removal or suspension of user account access. Furthermore, if critical systems or processes are outsourced to third parties, management should ensure that the appropriate logging and monitoring procedures are in place and that suspected unauthorized activities are communicated to the institution in a timely manner. An independent party (e.g., internal or external auditor) should review activity reports documenting the security administrators' actions to provide the necessary checks and balances for managing system security.
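The layered controls this section describes, shown as an added example (not from the FFIEC guidance or this newsletter): a preset transaction dollar limit that can be exceeded only with manual intervention, each decision written to an audit log, plus a review of a constructed login log for the repeated failures that suggest a compromised password. The limit value, the log format and the names are assumptions.

```python
"""Added illustration of limit-based transaction holds and audit-log review.
All thresholds, names and log lines below are assumptions, not from the guidance."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Transaction:
    customer: str
    amount: float
    approved_by: Optional[str] = None  # staff id when a limit is manually overridden

@dataclass
class ControlLayer:
    limit: float                       # preset per-transaction dollar limit (assumed)
    audit_log: list = field(default_factory=list)

    def process(self, txn: Transaction) -> str:
        """Return 'posted', 'held' or 'posted-override'; every outcome is audited."""
        if txn.amount <= self.limit:
            outcome = "posted"
        elif txn.approved_by:
            outcome = "posted-override"   # over the limit only with manual intervention
        else:
            outcome = "held"              # queued for a security administrator
        self.audit_log.append({"customer": txn.customer, "amount": txn.amount,
                               "outcome": outcome, "approved_by": txn.approved_by})
        return outcome

def failed_login_alerts(log_lines, threshold=3):
    """Accounts whose failed logins reach the threshold: a compromised-password cue."""
    fails = Counter()
    for line in log_lines:
        _ts, event, user = line.split()   # constructed "<time> <event> <user>" format
        if event == "LOGIN_FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)

# Constructed sample log excerpt (not real data).
SAMPLE_LOG = ["09:00:01 LOGIN_FAIL alice", "09:00:07 LOGIN_FAIL alice",
              "09:00:12 LOGIN_FAIL alice", "09:01:00 LOGIN_OK bob",
              "09:02:30 LOGIN_FAIL carol"]

if __name__ == "__main__":
    layer = ControlLayer(limit=5000.0)
    print(layer.process(Transaction("acct-1", 1200.0)))             # posted
    print(layer.process(Transaction("acct-2", 9500.0)))             # held
    print(layer.process(Transaction("acct-2", 9500.0, "admin-7")))  # posted-override
    print(failed_login_alerts(SAMPLE_LOG))                           # ['alice']
```

The audit list is what an independent reviewer would examine: it records the override approver alongside the held and posted entries, giving the checks and balances the passage asks for.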


INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS


Firewall Policy (Part 1 of 3)

A firewall policy states management's expectations for how the firewall should function and is a component of the overall security policy. It should establish rules for traffic coming into and going out of the security domain and how the firewall will be managed and updated. Therefore, it is a type of security policy for the firewall, and forms the basis for the firewall rules. The firewall selection and the firewall policy should stem from the ongoing security risk assessment process. Accordingly, management needs to update the firewall policy as the institution's security needs and the risks change. At a minimum, the policy should address:

- Firewall topology and architecture,
- Type of firewall(s) being utilized,
- Physical placement of the firewall components,
- Monitoring firewall traffic,
- Permissible traffic (generally based on the premise that all traffic not expressly allowed is denied, detailing which applications can traverse the firewall and under what exact circumstances such activities can take place),
- Firewall updating,
- Coordination with intrusion detection and response mechanisms,
- Responsibility for monitoring and enforcing the firewall policy,
- Protocols and applications permitted,
- Regular auditing of a firewall's configuration and testing of the firewall's effectiveness, and
- Contingency planning.

Financial institutions should also appropriately train and manage their staffs to ensure the firewall policy is implemented properly. Alternatively, institutions can outsource the firewall management, while ensuring that the outsourcer complies with the institution's specific firewall policy.


IT SECURITY QUESTION:

C. HOST SECURITY

11. Determine whether appropriate notification is made of authorized use, through banners or other means.


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

4)  Does the institution provide initial notice after establishing a customer relationship only if:

a.  the customer relationship is not established at the customer's election; [§4(e)(1)(i)] or

b.  to do otherwise would substantially delay the customer's transaction (e.g. in the case of a telephone application), and the customer agrees to the subsequent delivery? [§4(e)(1)(ii)]

NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
