Information Technology Risk Management Program - New Information
Technology Examination Procedures - The FDIC has updated its
risk-focused information technology examination procedures for
FDIC-supervised financial institutions.
Fraud Hotline - Guidance on Implementing a Fraud Hotline - The FDIC
is providing guidance to financial institutions on implementing a
fraud hotline to minimize potential and actual fraud risks as part
of a bank's governance and enterprise risk management program.
FYI - Kutztown 13 Face
Felony Charges - They're being called the Kutztown 13 -- a group of
high schoolers charged with felonies for bypassing security with
school-issued laptops, downloading forbidden internet goodies and
using monitoring software to spy on district administrators.
FYI - A closed-loop
change management process allows internal auditors and IT
administrators to detect and review changes made to the
organization's IT infrastructure and their impacts in real-time.
FYI - Intranets are a gun
with the safety off - Companies put themselves at risk by holding and
passing too much sensitive information on their company intranets, a
new report suggests.
Community Reinvestment Act - Final Rule - On August 2, 2005, the
Office of the Comptroller of the Currency, the Federal Deposit
Insurance Corporation, and the Board of Governors of the Federal
Reserve System jointly published in the Federal Register a final
rule revising their Community Reinvestment Act regulations.
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation
and Response Guidance for Web Site Spoofing Incidents (Part 2 of
PROCEDURES TO ADDRESS SPOOFING - Detection
Banks can improve their ability to detect spoofing by monitoring
appropriate information available inside the bank and by searching
the Internet for illegal or unauthorized use of bank names and
trademarks. The following is a list of possible indicators of spoofing:
* E-mail messages returned to bank mail servers that were not
originally sent by the bank. In some cases, these e-mails may
contain links to spoofed Web sites;
* Reviews of Web-server logs can reveal links to suspect Web
addresses indicating that the bank's Web site is being copied or
that other malicious activity is taking place;
* An increase in customer calls to call centers or other bank
personnel, or direct communications from consumers reporting spoofing.
Banks can also detect spoofing by searching the Internet for
identifiers associated with the bank such as the name of a company
or bank. Banks can use available search engines and other tools to
monitor Web sites, bulletin boards, news reports, chat rooms,
newsgroups, and other forums to identify usage of a specific company
or bank name. The searches may uncover recent registrations of
domain names similar to the bank's domain name before they are used
to spoof the bank's Web site. Banks can conduct this monitoring
in-house or can contract with third parties who provide monitoring services.
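The two log-based indicators above (a foreign site pulling the bank's images or stylesheets, and referrer hosts that imitate the bank's domain) can be checked mechanically. The script below is an added example written for this newsletter, not part of the OCC guidance: it parses a few constructed Apache "combined" format log lines, discards referrers from the bank's own domain (assumed here to be examplebank.example), and flags the rest either as a lookalike domain (homoglyph-normalized substring match or a label within edit distance 2 of the bank's name) or as a foreign site hot-linking a static asset. All hostnames and addresses in the sample are made up.

```python
import re
from urllib.parse import urlsplit

# Assumption for the example: the institution's real domain.
BANK_DOMAIN = "examplebank.example"

# Apache/nginx "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assets a spoofed copy of the site typically keeps loading from the real server.
STATIC_EXT = (".gif", ".png", ".jpg", ".jpeg", ".css", ".js", ".ico")

# Characters commonly substituted in lookalike domains, mapped back to letters.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l", "3": "e", "5": "s"})

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2005:10:01:12 -0500] "GET /images/logo.gif HTTP/1.1" 200 4312 "https://www.examplebank.example/login" "Mozilla/4.0"
203.0.113.9 - - [12/Aug/2005:10:01:13 -0500] "GET /images/logo.gif HTTP/1.1" 200 4312 "http://www.examp1ebank-secure.example/verify.php" "Mozilla/4.0"
198.51.100.2 - - [12/Aug/2005:10:02:40 -0500] "GET /login HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
198.51.100.5 - - [12/Aug/2005:10:03:01 -0500] "GET /css/site.css HTTP/1.1" 200 2210 "http://examplebank.example.evil-host.example/" "Mozilla/4.0"
198.51.100.8 - - [12/Aug/2005:10:03:15 -0500] "GET /images/logo.gif HTTP/1.1" 200 4312 "https://news.example/banking-story" "Mozilla/4.0"
"""


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_own_domain(host, bank_domain=BANK_DOMAIN):
    """True for the bank's domain and any of its subdomains; a host that merely
    starts with the bank's name (examplebank.example.evil-host.example) is not ours."""
    return host == bank_domain or host.endswith("." + bank_domain)


def looks_like_bank(host, bank_label):
    """Lookalike test: bank name embedded in the host after homoglyph
    normalization, or any DNS/hyphen-separated label within 2 edits of it."""
    norm = host.translate(HOMOGLYPHS)
    if bank_label in norm:
        return True
    return any(part and levenshtein(part, bank_label) <= 2
               for part in re.split(r"[.-]", norm))


def find_spoof_indicators(log_text, bank_domain=BANK_DOMAIN):
    """Return one record per request whose Referer points at a suspicious site."""
    bank_label = bank_domain.split(".")[0]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production job would count these
        referer = m.group("referer")
        if referer in ("", "-"):
            continue  # direct visit, nothing to learn from it
        host = (urlsplit(referer).hostname or "").lower()
        if not host or is_own_domain(host, bank_domain):
            continue
        record = {"ip": m.group("ip"), "path": m.group("path"), "referer_host": host}
        if looks_like_bank(host, bank_label):
            record["reason"] = "lookalike domain referencing bank content"
        elif m.group("path").lower().endswith(STATIC_EXT):
            record["reason"] = "foreign site hot-linking bank static asset"
        else:
            continue  # ordinary inbound link from an unrelated site
        hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in find_spoof_indicators(SAMPLE_LOG):
        print(f"{hit['referer_host']:45} {hit['path']:20} {hit['reason']}")
```

Run against real logs, the hot-linking rule will also surface legitimate sites (news articles, partner pages) that embed the bank's logo, so treat it as a lower-priority lead and the lookalike rule as the one that warrants immediate domain-registration lookup and takedown requests.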
Banks can encourage customers and consumers to assist in the
identification process by providing prominent links on their Web
pages or telephone contact numbers through which customers and
consumers can report phishing or other fraudulent activities.
Banks can also train customer-service personnel to identify and
report customer calls that may stem from potential Web-site attacks.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet. This booklet is required reading for anyone
involved in information systems security, such as the Network Administrator,
Information Security Officer, members of the IS Steering Committee,
and, most importantly, your outsourced network security consultants.
Your outsourced network security consultants can receive the
"Internet Banking News" by completing the subscription form.
There is no charge for the e-newsletter.
ROLES AND RESPONSIBILITIES (1 of 2)
Information security is the responsibility of everyone at the
institution, as well as the institution's service providers and
contractors. The board, management, and employees all have different
roles in developing and implementing an effective security process.
The board of directors is responsible for overseeing the
development, implementation, and maintenance of the institution's
information security program. Oversight requires the board to
provide management with guidance and receive reports on the
effectiveness of management's response. The board should approve
written information security policies and the information security
program at least annually. The board should provide management with
its expectations and requirements for:
1) Central oversight and coordination,
2) Areas of responsibility,
3) Risk measurement,
4) Monitoring and testing,
5) Reporting, and
6) Acceptable residual risk.
Senior management's attitude towards security affects the entire
organization's commitment to security. For example, the failure of
a financial institution president to comply with security policies
could undermine the entire organization's commitment to security.
Senior management should designate one or more individuals as
information security officers. Security officers should be
responsible and accountable for security administration. At a
minimum, they should directly manage or oversee risk assessment,
development of policies, standards, and procedures, testing, and
security reporting processes. Security officers should have the
authority to respond to a security event by ordering emergency
actions to protect the financial institution and its customers from
an imminent loss of information or value. They should have
sufficient knowledge, background, and training, as well as an
organizational position, to enable them to perform their assigned tasks.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Access Rights Administration
3. Determine whether employees' levels of
online access (blocked, read-only, update, override, etc.) match
current job responsibilities.
4. Determine that administrator or root privilege access is
appropriately monitored, where appropriate.
* Management may choose to further categorize types of
administrator/root access based upon a risk assessment. Categorizing
this type of access can be used to identify and monitor higher-risk
administrator and root access requests that should be promptly reviewed.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
38. For customers only, does the institution ensure that the
initial, annual, and revised notices may be retained or obtained
later by the customer in writing, or if the customer agrees, electronically?
VISTA - Does
Your Financial Institution need an affordable Internet security test?
Our clients in 41 states rely on VISTA
to verify their IT security settings, as well as to
meet the independent diagnostic test
requirements of the FDIC, OCC, OTS, FRB, and NCUA under
section 501(b) of the Gramm-Leach-Bliley Act.
The VISTA penetration study and
Internet security test is an affordable, sophisticated process that
goes far beyond simple
port scanning. Our
testing focuses on
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit