June is the 10th anniversary of the Internet Banking
News. The 520 weekend editions is a labor of love,
which we enjoy bringing you. We look forward to
your continued readership and hope you will send us your
suggestions to make the newsletter better during our
second decade. Thanks - R. Kinney Williams, President of
P. S. If you know someone
that would like to receive the newsletter, please let us
There is no charge.
Aetna named in security-breach lawsuit - Hartford health insurer
Aetna Inc. is being sued for a data breach that allegedly exposed
current, former and prospective employees' personal information to
Webhost denies poor passwords led to catastrophic hack - The
director of an internet service provider has denied public
allegations that poor password management and server configurations
were responsible for an attack that wiped out data for more than
FTC releases FAQs on Red Flags Rules - A new
frequently-asked-questions document aims to clear up some of the
confusion around the Red Flags Rules.
Army ends ban on Facebook, Flickr, other social media sites -
Certain U.S. Army bases that formerly blocked access to Web 2.0
sites now permit users to surf to sites such as Facebook and Flickr.
Survey reveals culture of IT admin snooping - IT staff admit to
regularly accessing privileged information for personal gain - Over
a third of IT staff have used their administration rights to access
privileged information about employees, customers and their company
for personal reasons, according to a recent survey by Cyber-Ark.
Online banking is booming - Once a niche market, online banking has
grown into a widely-used tool for the average consumer. Among 3,988
adults surveyed in the U.S. by Gartner Group, 47 percent said they
now bank online. In the U.K., 30 percent gave the same response.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
T-Mobile confirms hack but doubts crooks have the goods - T-Mobile
has confirmed that hackers were able to swipe data from its systems,
but the wireless carrier is downplaying the threat to customers.
Israel suffered massive cyber attack during Gaza offensive - Hackers
launched an unprecedented attack on Israel's Internet infrastructure
during the January military offensive in the Gaza Strip, and briefly
paralyzed government sites, government officials said.
52 computers missing from state agency - State auditors released
reports Thursday that found several cases of government
mismanagement, from lax oversight of a $100,000 education grant to
52 missing computers that may contain sensitive information.
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Risk management principles (Part 1 of 2)
Based on the early work of the Electronic Banking Group (EBG), the
Committee concluded that, while traditional banking risk management
principles are applicable to e-banking activities, the complex
characteristics of the Internet delivery channel dictate that the
application of these principles must be tailored to fit many online
banking activities and their attendant risk management challenges.
To this end, the Committee believes that it is incumbent upon the
Boards of Directors and banks' senior management to take steps to
ensure that their institutions have reviewed and modified where
necessary their existing risk management policies and processes to
cover their current or planned e-banking activities. Further, as the
Committee believes that banks should adopt an integrated risk
management approach for all banking activities, it is critical that
the risk management oversight afforded e-banking activities becomes
an integral part of the banking institution's overall risk
To facilitate these developments, the Committee asked the EBG to
identify the key risk management principles that would help banking
institutions expand their existing risk oversight policies and
processes to cover their e-banking activities and, in turn, promote
the safe and sound electronic delivery of banking products and
These Risk Management Principles for Electronic Banking, which are
identified in this Report, are not put forth as absolute
requirements or even "best practice" but rather as
guidance to promote safe and sound e-banking activities. The
Committee believes that setting detailed risk management
requirements in the area of e-banking might be counter-productive,
if only because these would be likely to become rapidly outdated by
the speed of change related to technological and product innovation.
Therefore the principles included in the present Report express
supervisory expectations related to the overall objective of banking
supervision to ensure safety and soundness in the financial system
rather than stringent regulations.
The Committee is of the view that such supervisory expectations
should be tailored and adapted to the e-banking distribution channel
but not be fundamentally different to those applied to banking
activities delivered through other distribution channels.
Consequently, the principles presented below are largely derived and
adapted from supervisory principles that have already been expressed
by the Committee or national supervisors over a number of years. In
some areas, such as the management of outsourcing relationships,
security controls and legal and reputational risk management, the
characteristics and implications of the Internet distribution
channel introduce a need for more detailed principles than those
expressed to date.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
SERVICE PROVIDER OVERSIGHT - SAS 70 REPORTS
Frequently TSPs or user groups will contract with an accounting firm
to report on security using Statement on Auditing Standards 70 (SAS
70), an auditing standard developed by the American Institute of
Certified Public Accountants. SAS 70 focuses on controls and control
objectives. It allows for two types of reports. A SAS 70 Type I
report gives the service provider's description of controls at a
specific point in time, and an auditor's report. The auditor's
report will provide an opinion on whether the control description
fairly presents the relevant aspects of the controls, and whether
the controls were suitably designed for their purpose.
A SAS 70 Type II report expands upon a Type I report by addressing
whether the controls were functioning. It provides a description of
the auditor's tests of the controls. It also provides an expanded
auditor's report that addresses whether the controls that were
tested were operating with sufficient effectiveness to provide
reasonable, but not absolute, assurance that the control objectives
were achieved during the specified period.
Financial institutions should carefully evaluate the scope and
findings of any SAS 70 report. The report may be based on different
security requirements than those established by the institution. It
may not provide a thorough test of security controls unless
requested by the TSP or augmented with additional coverage.
Additionally, the report may not address the effectiveness of the
security process in continually mitigating changing risks.
Therefore, financial institutions may require additional reports to
oversee the security program of the service provider.
5. Evaluate the procedure for granting temporary access to personnel
during the implementation of contingency plans.
- Evaluate the extent to which back-up personnel have been
assigned different tasks when contingency planning scenarios are in
effect, and the need for different levels of systems, operational,
data and facilities access.
- Review the assignment of authentication and authorization
credentials to see if they are based upon primary job
responsibilities or if they also include contingency planning
responsibilities. (If an employee is permanently assigned access
credentials to fill in for another employee who is on vacation or out
of the office, this assignment would be a primary job responsibility.)
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
12. Does the institution make the following disclosures regarding
service providers and joint marketers to whom it discloses nonpublic
personal information under §13:
a. as applicable, the same categories and examples of nonpublic
personal information disclosed as described in paragraphs (a)(2) and
(c)(2) of section six (6) (see questions 8b and 10); and
[§6(c)(4)(i)]
b. that the third party is a service provider that performs
marketing on the institution's behalf or on behalf of the
institution and another financial institution; [§6(c)(4)(ii)(A)] or
c. that the third party is a financial institution with which the
institution has a joint marketing agreement? [§6(c)(4)(ii)(B)]