June 24, 2001
FYI - New rules to boost access for disabled - Curtis Chong, like
thousands of blind Web surfers, uses special software that reads the text
aloud. But many government Web pages give him problems. http://news.cnet.com/news/0-1005-200-6302672.html?tag=dd.ne.dht.nl-hed.0
FYI - Disgruntled insiders and accounts held by former employees are a
greater computer security threat to U.S. companies than outside hackers,
according to a new survey. http://news.cnet.com/news/0-1003-200-6334879.html?tag=mn_hd
INTERNET COMPLIANCE - Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices to
consumers. The compliance officer should check the specific regulations to
determine whether the disclosures/notices can be delivered via electronic
means. The delivery of disclosures via electronic means has raised many
issues with respect to the format of the disclosures, the manner of
delivery, and the ability to ensure receipt by the appropriate person(s).
The following highlights some of those issues and offers guidance and
examples that may be of use to institutions in developing their electronic
Disclosures are generally required to be "clear and
conspicuous." Therefore, compliance officers should review the web
site to determine whether the disclosures have been designed to meet this
standard. Institutions may find that the format(s) previously used for
providing paper disclosures may need to be redesigned for an electronic
medium. Institutions may find it helpful to use "pointers" and
"hotlinks" that will automatically present the disclosures to
customers when selected. A financial institution's use solely of asterisks
or other symbols as pointers or hotlinks would not be as clear as
descriptive references that specifically indicate the content of the
INTERNET SECURITY - We continue the series from the FDIC "Security
Risks Associated with the Internet." This is the final comment
covering the primary interrelated technologies, standards, and controls
that presently exist to manage the risks of data privacy and
confidentiality, data integrity, authentication, and non-repudiation.
Certificate Authorities and Digital Certificates
Certificate authorities and digital certificates are emerging to
further address the issues of authentication, non-repudiation, data
privacy, and cryptographic key management. A certificate authority (CA) is
a trusted third party that verifies the identity of a party to a
transaction . To do this, the CA vouches for the identity of a party by
attaching the CA's digital signature to any messages, public keys, etc.,
which are transmitted. Obviously, the CA must be trusted by the parties
involved, and identities must have been proven to the CA beforehand.
Digital certificates are messages that are signed with the CA's private
key. They identify the CA, the represented party, and could even include
the represented party's public key.
The responsibilities of CAs and their position among emerging
technologies continue to develop. They are likely to play an important
role in key management by issuing, retaining, or distributing
public/private key pairs.
The implementation and use of encryption technologies, digital
signatures, certificate authorities, and digital certificates can vary.
The technologies and methods can be used individually, or in combination
with one another. Some techniques may merely encrypt data in transit from
one location to another. While this keeps the data confidential during
transmission, it offers little in regard to authentication and
non-repudiation. Other techniques may utilize digital signatures, but
still require the encrypted submission of sensitive information, like
credit card numbers. Although protected during transmission, additional
measures would need to be taken to ensure the sensitive information
remains protected once received and stored.
The protection afforded by the above security measures will be governed
by the capabilities of the technologies, the appropriateness of the
technologies for the intended use, and the administration of the
technologies utilized. Care should be taken to ensure the techniques
utilized are sufficient to meet the required needs of the institution. All
of the technical and implementation differences should be explored when
determining the most appropriate package.
IN CLOSING - For more information about our new service concerning
assessing R. Kinney Williams & Associates's Internet consumer privacy,
please visit http://www.yennik.com/privacy.
To signup, please complete the Internet On-line Privacy Assessment Program
Agreement at http://www.yennik.com/form.
The user name is "internet" and the password is
"privacy" both in lower case and without the quotes.