July 23, 2000
FYI - OCC Issues Internal Control and Audit Reminder to Banks
Press release = http://www.occ.treas.gov/ftp/release/2000-55.txt
Memo to examiners = http://www.occ.treas.gov/ftp/advisory/2000-6.txt
FYI - The OCC issued an alert outlining steps national banks can take to protect their customers from problems arising from web sites with names similar to those used by banks.
Press release = http://www.occ.treas.gov/ftp/release/2000-53.txt
Alert = http://www.occ.treas.gov/ftp/alert/2000-9.txt
INTERNET SECURITY - In the FDIC paper "Security Risks Associated with the Internet," we continue the FDIC's discussion about the primary technical and procedural security measures necessary to properly govern access control and system security.
5) Security Flaws and Bugs
Because hardware and software continue to improve, the task of maintaining system performance and security is ongoing. Products are frequently issued which contain security flaws or other bugs, and then security patches and version upgrades are issued to correct the deficiencies. The most important action in this regard is to keep current on the latest software releases and security patches. This information is generally available from product developers and vendors. Also important is an understanding of the products and their security flaws, and how they may affect system performance. For example, if there is a time delay before a patch will be available to correct an identified problem, it may be necessary to invoke mitigating controls until the patch is issued.
Reference sources for the identification of software bugs exist, such as the Computer Emergency Response Team Coordination Center (CERT/CC) at the Software Engineering Institute of Carnegie Mellon University, Pittsburgh, Pennsylvania. The CERT/CC, among other activities, issues advisories on security flaws in software products, and provides this information to the general public through subscription e-mail, Internet newsgroups (Usenet), and their Web site at www.cert.org. Many other resources are freely available on the Internet.
A) Active Content Languages
Active content languages have been the subject of a number of recent security discussions within the technology industry. While it is not their only application, these languages allow computer programs to be attached to Web pages. As such, more appealing and interactive Web pages can be created, but this function may also allow unauthorized programs to be automatically downloaded to a user's computer. To date, few incidents have been reported of harm caused by such programs; however, active content programs could be malicious, designed to access or damage data or insert a virus.
Security problems may arise from implementation, such as how the languages and developed programs interact with other software, such as Web browsers. Typically, users can disable the acceptance of such programs on their Web browser. Alternatively, users can configure their browser so they may choose which programs to accept and which to deny. It is important for users to understand how these languages function and the risks involved, so that they make educated decisions regarding their use. Security alerts concerning active content languages are usually well publicized and should receive prompt reviews by those utilizing the technology.
1) Reserve Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on savings deposits, electronic transfers, electronic withdrawals (paid electronically), or payments to third parties initiated by a depositor from a personal computer are included as a type of transfer subject to the six-transaction limit imposed on passbook savings and MMDA accounts.
Institutions also should note that, to the extent stored value or other electronic money represents a demand deposit or transaction account, the provisions of Regulation D would apply to such obligations.
2) Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the definition of an advertisement under Regulation M. The term advertisement includes messages inviting, offering, or otherwise generally announcing to prospective customers the availability of consumer leases, whether in visual, oral, print, or electronic media. Included in the examples are online messages, such as those on the Internet. Therefore, such messages are subject to the general advertising requirements.
PRIVACY STATEMENT - While compliance with the new privacy rules is not required until July 1, 2001, we strongly recommend that you write your privacy statement to comply with the new regulations as soon as possible.