R. Kinney Williams
August 20, 2006
Your Financial Institution needs an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and
a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit
FYI - Barclays to tighten web security - Barclays plans to issue card readers to online banking customers to provide two-factor authentication - High street bank Barclays plans to issue hand-held card readers to all of its 1.6 million active online banking customers to tighten security and combat identity theft.
FYI - Belhaven College data stolen - Employees warned identity theft possible - A laptop computer stolen last month from a Belhaven College employee contained names and Social Security numbers of college employees, leaving them vulnerable to identity theft.
FYI - Agency says laptop with client information stolen - The West Virginia Division of Rehabilitation Services is warning clients that one of its laptop computers containing their personal information has been stolen. The information includes clients' names, addresses, Social Security numbers and telephone numbers.
FYI - Poly heist risks identity thefts - Current and former students advised to put fraud alerts on credit reports; thefts of Social Security numbers have happened before - Cal Poly has notified 3,020 current and former students that their names and Social Security numbers were on a laptop computer stolen earlier this month from a physics professor's San Luis Obispo home.
FYI - Agencies push to meet IT security deadline - Federal information security officials are struggling to comply with the June 23 Office of Management and Budget mandate requiring agencies to improve the security of personally identifiable information by Aug. 7. The memorandum, signed by OMB Deputy Director for Management Clay Johnson, was in response to a recent rash of data breaches reported across the
FYI - Laptop thefts pose real gov't data risk - Lost or stolen? The distinction matters. A Freedom of Information enquiry by silicon.com has uncovered the number of laptops stolen from key UK government departments over the past year, raising questions and concerns about sensitive data falling into the wrong hands. The worst affected department was the Ministry of Defence. It reported 21 laptops were stolen between July 2005 and July 2006.
FYI - Mobile phones leak from UK government - And desktops, PDAs and projectors as well - A recent Freedom of Information (FoI) enquiry by silicon.com into lost devices within the UK government has revealed how many mobile phones have gone astray in a number of departments, as well as unearthing some more unusual losses.
FYI - NCUA - Board Member Hyland Outlines IT Issues at CUNA's Technology Council - Speaking today before 150 IT professionals attending CUNA's Technology Council conference, Board Member Gigi Hyland underscored the crucial role of IT professionals as strategic partners in assuring that credit unions thrive in the future. Among the topics discussed were upcoming requirements to deploy multifactor authentication, as well as data security, plastic card fraud, and ID
FYI - The Federal Reserve Bank of Dallas will host Directo a México Seminars throughout the Eleventh Federal Reserve District in September and October 2006. These seminars will provide an opportunity for financial institutions to learn more about our Directo a México service, through which institutions can send FedACH® payments to Mexico.
WEB SITE COMPLIANCE - We conclude our series on the FFIEC Authentication in an Internet Banking Environment. (Part 13 of 13) Next week we will begin our series on the FFIEC interagency statement "Identifying Risks and Risk Management Techniques."
Customer Verification Techniques
Customer verification is a related but separate process from that of authentication. Customer verification complements the authentication process and should occur during account origination. Verification of personal information may be achieved in three ways:
• Positive verification to ensure that material information provided by an applicant matches information available from trusted third party sources. More specifically, a financial institution can verify a potential customer's identity by comparing the applicant's answers to a series of detailed questions against information in a trusted database (e.g., a reliable credit report) to see if the information supplied by the applicant matches information in the database. As the questions become more specific and detailed, correct answers provide the financial institution with an increasing level of confidence that the applicant is who they say
• Logical verification to ensure that information provided is logically consistent (e.g., do the telephone area code, ZIP code, and street address match).
• Negative verification to ensure that information provided has not previously been associated with fraudulent activity. For example, applicant information can be compared against fraud databases to determine whether any of the information is associated with known incidents of fraudulent behavior. In the case of commercial customers, however, the sole reliance on online electronic database comparison techniques is not adequate since certain documents (e.g., bylaws) needed to establish an individual's right to act on a company's behalf are not available from databases. Institutions still must rely on traditional forms of personal identification and document validation combined with electronic
Another authentication method consists of the financial institution relying on a third party to verify the identity of the applicant. The third party would issue the applicant an electronic credential, such as a digital certificate, that can be used by the applicant to prove his/her identity. The financial institution is responsible for ensuring that the third party uses the same level of authentication that the financial institution would use itself.
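The three verification checks above (positive, logical, negative) are easy to confuse in a design review, so here is an added worked example of how an account-origination system might apply them to an individual applicant. This is illustration code written for this newsletter page, not code from the FFIEC guidance or from any vendor; the area-code and ZIP-prefix tables, the "trusted record" and the fraud list are all constructed sample data standing in for a numbering-plan lookup, a credit-bureau record and a fraud database. It covers individual applicants only; as the text notes, commercial customers still need document validation (bylaws, signature authority) that no database comparison can replace.

```python
"""Customer verification example: positive, logical and negative checks.
Added illustration for the FFIEC verification discussion; all reference
data below is constructed, not a real lookup service or fraud database."""
import hashlib
from dataclasses import dataclass, field

# Constructed lookup tables (hypothetical). A real deployment would query
# the telephone numbering plan and postal data instead of fixed dicts.
AREA_CODE_STATE = {"806": "TX", "212": "NY", "415": "CA"}
ZIP_PREFIX_STATE = {"794": "TX", "100": "NY", "941": "CA"}

# Constructed "trusted third party" record used for positive (knowledge-based)
# verification: question key -> expected answer, already normalised.
TRUSTED_RECORD = {
    "prior_street": "12 elm st",
    "mortgage_lender": "first sample bank",
    "car_loan_year": "2004",
}


def _fingerprint(value: str) -> str:
    """Normalise and hash a field so the fraud list never holds raw SSNs."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


# Constructed negative-verification list: hashes of values previously tied
# to fraudulent applications (sample values only).
FRAUD_LIST = {_fingerprint("123-45-6789"), _fingerprint("555 fake ave")}


def _digits(s: str) -> str:
    """Keep only digits so '(806) 555-0100' and '806-555-0100' compare alike."""
    return "".join(ch for ch in s if ch.isdigit())


@dataclass
class Applicant:
    name: str
    ssn: str
    street: str
    zip_code: str
    phone: str
    answers: dict = field(default_factory=dict)


def logical_verification(a: Applicant) -> bool:
    """Logical check: telephone area code and ZIP code must map to one state."""
    digits = _digits(a.phone)
    if len(digits) == 11 and digits.startswith("1"):  # drop US country code
        digits = digits[1:]
    phone_state = AREA_CODE_STATE.get(digits[:3])
    zip_state = ZIP_PREFIX_STATE.get(_digits(a.zip_code)[:3])
    return phone_state is not None and phone_state == zip_state


def negative_verification(a: Applicant) -> bool:
    """Negative check: True when no identifier matches the fraud list."""
    return not any(_fingerprint(v) in FRAUD_LIST for v in (a.ssn, a.street))


def positive_verification(a: Applicant) -> float:
    """Positive check: fraction of detailed questions answered correctly
    against the trusted record. More correct answers, more confidence."""
    if not TRUSTED_RECORD:
        return 0.0
    correct = sum(
        1 for q, expected in TRUSTED_RECORD.items()
        if a.answers.get(q, "").strip().lower() == expected
    )
    return correct / len(TRUSTED_RECORD)


def verify(a: Applicant, min_confidence: float = 0.66) -> dict:
    """Run all three checks; accept only if every one passes the bar."""
    results = {
        "logical": logical_verification(a),
        "negative": negative_verification(a),
        "positive": positive_verification(a),
    }
    results["accept"] = (
        results["logical"] and results["negative"]
        and results["positive"] >= min_confidence
    )
    return results


if __name__ == "__main__":
    # Constructed applicants: one consistent, one with a mismatched area
    # code and an SSN previously tied to fraud.
    good = Applicant("A. Sample", "987-65-4321", "12 Elm St", "79424",
                     "(806) 555-0100",
                     {"prior_street": "12 Elm St",
                      "mortgage_lender": "First Sample Bank",
                      "car_loan_year": "2004"})
    bad = Applicant("B. Sample", "123-45-6789", "9 Oak Rd", "79424",
                    "212-555-0100", {"prior_street": "nowhere"})
    print(verify(good))
    print(verify(bad))
```

The checks are deliberately independent so that a failed negative check can be logged and escalated on its own rather than being hidden inside a single pass/fail result, and hashing the fraud-list entries keeps raw Social Security numbers out of the comparison table.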
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION - PHYSICAL
The confidentiality, integrity, and availability of information can be impaired through physical access and damage or destruction to physical components. Conceptually, those physical security risks are mitigated through zone-oriented implementations. Zones are physical areas with differing physical security requirements. The security requirements of each zone are a function of the sensitivity of the data contained in or accessible through the zone and the information technology components in the zone. For instance, data centers may be in the highest security zone, and branches may be in a much lower security zone. Different security zones can exist within the same structure. Routers and servers in a branch, for instance, may be protected to a greater degree than customer service terminals. Computers and telecommunications equipment within an operations center will have a higher security zone than I/O operations, with the media used by that equipment stored in a higher zone still.
The requirements for each zone should be determined through the risk assessment. The risk assessment should include, but is not limited to, the following threats:
• Aircraft crashes
• Chemical effects
• Electrical supply interference
• Electromagnetic radiation
• Wireless emissions
• Any other threats applicable based on the entity's unique geographical location, building configuration, neighboring entities,
D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)
5. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service, and that those policies and procedures are consistently followed by appropriately trained personnel.
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, and a few examples to illustrate the types of third parties in each category:
a. financial service providers; [§6(c)(3)(i)]
b. non-financial companies; [§6(c)(3)(ii)] and
c. others? [§6(c)(3)(iii)]
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With the Gramm-Leach-Bliley Act and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing the internal connections to your network.
For more information about our independent-internal testing,
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at firstname.lastname@example.org if we can be of assistance.