R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

September 10, 2006

CONTENT Internet Compliance Information Systems Security
IT Security Question
 
Internet Privacy
 
Website for Penetration Testing
 
Does Your Financial Institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The VISTA penetration study and Internet security test is an affordable-sophisticated process than goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI
- GAO Information Security: Federal Deposit Insurance Corporation Needs to Improve Its Program.
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-06-620
Highlights - http://www.gao.gov/highlights/d06620high.pdf

FYI - Xanga settles with FTC for $1 million - The Federal Trade Commission on Thursday announced its largest-ever settlement involving the Children Online Privacy Protection Act. New York-based Xanga.com and its principals, Marc Ginsburg and John Hiler, will pay a $1 million civil penalty to settle accusations that the social networking Web site collected, used and disclosed personal information from children under the age of 13 without notifying and obtaining parental consent first, according to the FTC. http://seattlepi.nwsource.com/business/1700AP_Xanga_Settlement.html

FYI - Red storm rising - DOD's efforts to stave off nation-state cyberattacks begin with China - A growing band of civilian units inside China is writing malicous code and training to launch cyberstrikes into enemy systems. And for many of these units, the first enemy is the U.S. Defense Department. http://www.gcn.com/print/25_25/41716-1.html

FYI - Army to encrypt computers - The Army is kicking off a pilot program to begin encrypting data on notebook computers. Lt. Gen. Steven Boutelle, Army CIO, said the service would also soon release a policy that instructs Army personnel to perform an accounting of notebooks and other mobile devices. http://www.gcn.com/online/vol1_no1/41759-1.html?topic=security

FYI - Welfare spies sacked - CENTRELINK has sacked or forced out more than 100 workers, and disciplined hundreds more, for privacy breaches such as snooping on the records of neighbours and former lovers. A two-year dragnet of 25,000 Centrelink staff uncovered 790 cases of "inappropriate access" to the records of welfare recipients since 2004. http://australianit.news.com.au/articles/0,7204,20224186^15306^^nbv^,00.html

FYI - USC Online Security Breach Could Affect 6,000 - Russ McKinney, a spokesman for the University of South Carolina, says an online security breach could affect as many as 6,000 current and former USC students. McKinney said someone accessed USC's internal servers, causing a security breach in a database. http://www.wltx.com/news/story.aspx?storyid=41314

FYI - Hacker swipes PortTix data - Credit card information for about 2,000 people who ordered tickets online through PortTix, Merrill Auditorium's ticketing agency, was stolen this week when someone hacked into the PortTix Web site. http://pressherald.mainetoday.com/news/local/060826tickethack.shtml

FYI - Compliance still a struggle for most corporations - Most large corporations are not sure whether they're in line with federal regulations and some are not taking adequate steps to address compliance regulations, according to a survey released this week. Seventy-two percent of large corporations are not confident that they are complying with applicable regulations, according to a survey released by ControlPath. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060828/589565/

FYI - Federal education loan site exposes personal info of up to 21,000 - Count the Department of Education as the latest federal agency to experience a privacy breach after the personal information of as many as 21,000 student borrowers accidentally appeared on its loan website. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060828/589315/

STOLEN COMPUTERS

FYI - Laptop with data on 28,000 home care patients stolen in Detroit - An ID access code and password were with it - A laptop containing home care information on 28,000 patients has been stolen from the car of a nurse who works for Royal Oak, Mich.-based Beaumont Hospitals, according to a statement from the hospital. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002685

FYI - Aflac clients' data stolen - Laptop taken from agent's car in S.C. Upstate - Insurance giant Aflac said Monday that a laptop computer containing personal information on hundreds of customers was stolen from an agent's car in the Greenville area. The computer contained names, addresses, Social Security numbers and birth dates of 612 policy holders. http://www.charleston.net/assets/webPages/departmental/news/default_pf.aspx?NEWSID=103737

FYI - FMCSA laptop stolen; 193 CDL holders' info included - In what appears to be a growing occurrence in the news, a laptop belonging to the Federal Motor Carrier Safety Administration was stolen from a government-owned vehicle on Aug. 22 in Baltimore. The computer contains personal information - including names, dates of birth, and CDL numbers - of 193 CDL holders from 40 motor carrier companies. http://www.etrucker.com/apps/news/article.asp?id=55125

Return to the top of the newsletter

WEB SITE COMPLIANCE -

We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 3 of 10)

A. RISK DISCUSSION

Reputation Risk


Customers may be confused about whether the financial institution or a third party is supplying the product, service, or other website content available through the link. The risk of customer confusion can be affected by a number of factors:

  • nature of the third-party product or service;
  • trade name of the third party; and
  • website appearance.

Nature of Product or Service

When a financial institution provides links to third parties that sell financial products or services, or provide information relevant to these financial products and services, the risk is generally greater than if third parties sell non-financial products and services due to the greater potential for customer confusion. For example, a link from a financial institution's website to a mortgage bank may expose the financial institution to greater reputation risk than a link from the financial institution to an online clothing store.

The risk of customer confusion with respect to links to firms selling financial products is greater for two reasons. First, customers are more likely to assume that the linking financial institution is providing or endorsing financial products rather than non-financial products. Second, products and services from certain financial institutions often have special regulatory features and protections, such as federal deposit insurance for qualifying deposits. Customers may assume that these features and protections also apply to products that are acquired through links to third-party providers, particularly when the products are financial in nature.

When a financial institution links to a third party that is providing financial products or services, management should consider taking extra precautions to prevent customer confusion. For example, a financial institution linked to a third party that offers nondeposit investment products should take steps to prevent customer confusion specifically with respect to whether the institution or the third party is offering the products and services and whether the products and services are federally insured or guaranteed by the financial institution.

Financial institutions should recognize, even in the case of non-financial products and services, that customers may have expectations about an institution's due diligence and its selection of third parties to which the financial institution links its website. Should customers experience dissatisfaction as a result of poor quality products or services, or loss as a result of their transactions with those companies, they may consider the financial institution responsible for the perceived deficiencies of the seller.


Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 2 of 2)

Physical security for distributed IS, particularly LANs that are usually PC - based, is slightly different than for mainframe platforms. With a network there is often no centralized computer room. In addition, a network often extends beyond the local premises. There are certain components that need physical security. These include the hardware devices and the software and data that may be stored on the file servers, PCs, or removable media (tapes and disks). As with more secure IS environments, physical network security should prevent unauthorized personnel from accessing LAN devices or the transmission of data. In the case of wire - transfer clients, more extensive physical security is required.

Physical protection for networks as well as PCs includes power protection, physical locks, and secure work areas enforced by security guards and authentication technologies such as magnetic badge readers. Physical access to the network components (i.e., files, applications, communications, etc.) should be limited to those who require access to perform their jobs. Network workstations or PCs should be password protected and monitored for workstation activity.

Network wiring requires some form of protection since it does not have to be physically penetrated for the data it carries to be revealed or contaminated. Examples of controls include using a conduit to encase the wiring, avoiding routing through publicly accessible areas, and avoiding routing networking cables in close proximity to power cables. The type of wiring can also provide a degree of protection; signals over fiber, for instance, are less susceptible to interception than signals over copper cable.


Capturing radio frequency emissions also can compromise network security. Frequency emissions are of two types, intentional and unintentional. Intentional emissions are those broadcast, for instance, by a wireless network. Unintentional emissions are the normally occurring radiation from monitors, keyboards, disk drives, and other devices. Shielding is a primary control over emissions. The goal of shielding is to confine a signal to a defined area. An example of shielding is the use of foil-backed wallboard and window treatments. Once a signal is confined to a defined area, additional controls can be implemented in that area to further minimize the risk that the signal will be intercepted or changed.


Return to the top of the newsletter

IT SECURITY QUESTION:

E. PHYSICAL SECURITY

1. Determine whether physical security for information technology equipment and operations is coordinated with that of other institution organizations.

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

14. Does the institution describe the following about its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information:

a. who is authorized to have access to the information; and [6(c)(6)(i)]

b. whether security practices and policies are in place to ensure the confidentiality of the information in accordance with the institution's policy?  [6(c)(6)(ii)]

(Note: the institution is not required to describe technical information about the safeguards used in this respect.)

NETWORK SECURITY TESTING
- IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated