R. Kinney Williams
September 17, 2006
Your financial institution needs an affordable Internet security test.
Our clients in 41 states rely on us to confirm that their IT security
settings are sound, as well as to meet the independent diagnostic test
requirements of the FDIC, OCC, OTS, FRB, and NCUA that implement
Gramm-Leach-Bliley Act section 501(b).
The VISTA penetration study and Internet security test is an affordable,
sophisticated process that goes far beyond simple port scanning: it
examines your network from a hacker's perspective, which will help you
identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit our website.
This week, I am attending the Network Security
Conference sponsored by the Information Systems Audit and Control
Association (ISACA) being held at Caesars Palace in Las Vegas. I look forward to
meeting any of you who will also be in attendance.
FYI - Bank To Pay $50
Million For Buying Personal Data - A bank has been ordered to pay a
$50 million settlement for buying more than 650,000 names and
addresses from the Florida Department of Highway Safety and Motor
Vehicles. The Electronic Privacy Information Center, which filed an
amicus brief in favor of the plaintiffs, announced the decision this
week. EPIC said Fidelity Federal Bank & Trust bought 656,600 names
and addresses for use in direct marketing and the purchase violated
the Driver's Privacy Protection Act.
FYI - NIST releases
guidelines for media sanitization - The National Institute of
Standards and Technology has released a new publication that
provides guidance on sanitizing storage media before reuse or disposal. Special Publication 800-88,
"Guidelines for Media Sanitization," gives agencies assistance to
ensure that deleted or discarded data cannot be recovered from the media.
FYI - eBayed smart
phones give up corporate secrets - Sold PDAs still stuffed with
data, says Trust Digital. Smart phones and PDAs offer the benefit of
storing information but consumers are not always wiping the data
clean before selling the devices on eBay. Personal banking records,
corporate notes on sales activity and product plans were among
sensitive data found on PDAs and smart phones sold on eBay,
according to a small sampling taken by security software company
Trust Digital. The problem is akin to one that plagues used
computers that are sold or discarded before the hard drive is wiped.
FYI - AT&T hack exposes
19,000 identities - AT&T on Tuesday said hackers broke into one of
its computer systems and accessed personal data on thousands of
customers who used its online store.
FYI - FDIC needs better
information security - The Government Accountability Office has
released a new report that criticizes the Federal Deposit Insurance
Corp.'s (FDIC) efforts to implement information security controls.
FYI - NIST solicits
comment on new security publications - The National Institute of
Standards and Technology released three new drafts of
security-related special publications today. They cover e-mail
security, intrusion detection and prevention, and securing Web
services and applications.
FYI - Personal Data Of
Chicago Employees Stolen - Thousands of city employees could be at
risk of identity theft following the theft of a laptop computer from
a city contractor, and a delay of more than a year in reporting the
theft to the proper personnel within the company, according to a
release from the Mayor's office.
FYI - Laptops with
sensitive data stolen from Education contractor - Two laptop
computers believed to contain unencrypted personal information about
43 grant reviewers were stolen from an Education Department
contractor in Washington, D.C., earlier this month. The laptops,
stolen Aug. 11, contained information about grant reviewers for the
Teacher Incentive Fund.
FYI - Patient info on
stolen computer - A medical lab is notifying patients that a
computer with sensitive personal information was stolen from its
Prospect Plains Road sample-collection center. LabCorp is
identifying patients who may have had their names and Social
Security numbers on a computer stolen from its Monroe Patient
Service Center and notifying those people by mail.
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 4 of 10)
A. RISK DISCUSSION
If the third party has a name similar to that of the financial
institution, there is an increased likelihood of confusion for the
customer and increased exposure to reputation risk for the financial
institution. For example, if customers access a similarly named
broker from the financial institution's website, they may believe
that the financial institution is providing the brokerage service or
that the broker's products are federally insured.
The use of frame technology and other similar technologies may
confuse customers about which products and services the financial
institution provides and which products and services third parties,
including affiliates, provide. If frames are used, when customers
link to a third-party website through the institution-provided link,
the third-party webpages open within the institution's master
webpage frame. For example, if a financial institution provides
links to a discount broker and the discount broker's webpage opens
within the institution's frame, the appearance of the financial
institution's logo on the frame may give the impression that the
financial institution is providing the brokerage service or that the
two entities are affiliated. Customers may believe that their funds
are federally insured, creating potential reputation risk to the
financial institution in the event the brokerage service should fail
or the product loses value.
The compliance risk to an institution linking to a third party's
website depends on several factors. These factors include the nature
of the products and services provided on the third-party's website,
and the nature of the institution's business relationship with the
third party. This is particularly true with respect to compensation
arrangements for links. For example, a financial institution that
receives payment for offering advertisement-related weblinks to a
settlement service provider's website should carefully consider the
prohibition against kickbacks, unearned fees, and compensated
referrals under the Real Estate Settlement Procedures Act (RESPA).
The financial institution has compliance risk as well as reputation
risk if linked third parties offer less security and privacy
protection than the financial institution. Third-party sites may
have weaker encryption policies, or less stringent policies
regarding the use and security of their customers' information. The
customer may be comfortable with the financial institution's
policies for privacy and security, but not with those of the linked
third party. If the third party's policies and procedures create
security weaknesses or apply privacy standards that permit the third
party to release confidential customer information, customers may
blame the financial institution.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Encryption is used to secure communications and data storage,
particularly authentication credentials and the transmission of
sensitive information. It can be used throughout a technological
environment, including the operating systems, middleware,
applications, file systems, and communications protocols.
Encryption is used both as a prevention and a detection control. As a
prevention control, encryption protects data from disclosure
to unauthorized parties. As a detective control, cryptography is used
to allow discovery of unauthorized changes to data and to assign
responsibility for data among authorized parties; strictly, that
detection comes from message authentication codes and digital signatures
built on the same primitives, since encryption alone does not reveal
that ciphertext has been modified. When prevention
and detection are joined, encryption is a key control in ensuring
confidentiality, data integrity, and accountability.
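The following is an added example, not part of the FFIEC text or this newsletter, showing the two roles the paragraph describes in one construction: an encrypt-then-MAC envelope in which the encryption key prevents disclosure and a separate HMAC key detects any change to the stored or transmitted record. It also shows the availability point made later in this section: with a wrong or lost key the record is unreadable. The key-separation labels, the record contents and the HMAC-in-counter-mode keystream are assumptions chosen so the example runs with only the Python standard library; in production the cipher and MAC would come from a vetted authenticated-encryption mode such as AES-GCM rather than this stand-in.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def derive_keys(master_key: bytes) -> tuple[bytes, bytes]:
    """Split one master key into an encryption key (prevention) and a MAC key (detection).

    Hypothetical key-separation scheme: HMAC with fixed labels, so the two purposes
    never share a raw key.
    """
    enc_key = hmac.new(master_key, b"confidentiality", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 run in counter mode as a pseudo-random function. This is a
    # stdlib-only stand-in for a real stream cipher so the example runs offline.
    blocks: list[bytes] = []
    produced = 0
    counter = 0
    while produced < length:
        block = hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def seal(master_key: bytes, plaintext: bytes, nonce: bytes | None = None) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError(f"nonce must be {NONCE_LEN} bytes")
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # The tag covers the nonce and the ciphertext, so neither can be altered unnoticed.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Tampering or a wrong key raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    enc_key, mac_key = derive_keys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: modified data or wrong key")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def tamper_detected(master_key: bytes, blob: bytes) -> bool:
    """Detective control: True when the envelope fails verification under this key."""
    try:
        open_sealed(master_key, blob)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = os.urandom(32)
    record = b"acct=12345678;balance=1000.00"  # constructed sample record
    blob = seal(key, record)
    assert open_sealed(key, blob) == record
    # Flip one ciphertext byte: encryption hid the value, the MAC exposes the change.
    flipped = bytearray(blob)
    flipped[NONCE_LEN] ^= 0x01
    print("tamper detected:", tamper_detected(key, bytes(flipped)))
    # A lost or wrong key protects the data from disclosure but also makes it unavailable.
    print("wrong key rejected:", tamper_detected(os.urandom(32), blob))
```

Because verification happens before decryption, a modified or wrongly keyed record is rejected without ever being interpreted, which is the property that lets the same envelope serve as both the preventive and the detective control.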
Properly used, encryption can strengthen the security of an
institution's systems. Encryption also has the potential, however,
to weaken other security aspects. For instance, encrypted data
drastically lessens the effectiveness of any security mechanism that
relies on inspecting the data, such as anti-virus scanning and
intrusion detection systems. When encrypted communications are used,
networks may have to be reconfigured (for example, by inspecting traffic
at a point where it is in the clear) to allow for adequate detection
of malicious code and system intrusions.
Although necessary, encryption carries the risk of making data
unavailable should anything go wrong with data handling, key
management, or the actual encryption. The products used and
administrative controls should contain robust and effective controls
to ensure reliability.
Encryption can impose significant overhead on networks and computing
devices. A loss of encryption keys or other failures in the
encryption process can deny the institution access to the encrypted
Financial institutions should employ an encryption strength
sufficient to protect information from disclosure until such time as
the information's disclosure poses no material threat. For instance,
authenticators should be encrypted at a strength sufficient to allow
the institution time to detect and react to an authenticator theft
before the attacker can decrypt the stolen authenticators.
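As an added example (not from the FFIEC guidance or this newsletter) of the "time to detect and react" principle applied to stored authenticators: modern practice stores passwords not under reversible encryption but as salted, deliberately slow hashes, so a stolen credential file yields only guesses and the work factor sets how long an attacker needs. The record format, the iteration count and the measured-cost estimate are assumptions for illustration; the real work factor is tuned to your hardware and the crackers you expect, and GPU-based attackers are far faster than the single-core estimate below.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000  # assumed policy work factor for this example; tune to your hardware
SALT_LEN = 16


def hash_authenticator(password: str, iterations: int = DEFAULT_ITERATIONS,
                       salt: bytes | None = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hypothetical format)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(stored: str) -> tuple[str, int, bytes, bytes]:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        raise ValueError("unsupported authenticator record")
    return parts[0], int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])


def verify_authenticator(password: str, stored: str) -> bool:
    """Recompute under the record's own salt and iteration count; compare in constant time."""
    _, iterations, salt, digest = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was produced with a weaker work factor than current policy.

    Call this after a successful login so old records are upgraded transparently.
    """
    try:
        _, iterations, _, _ = _parse(stored)
    except ValueError:
        return True
    return iterations < target_iterations


def seconds_to_exhaust(stored: str, guesses: int, samples: int = 3) -> float:
    """Measure one verification on this host and scale to `guesses` attempts.

    Rough single-core lower bound on an attacker's time for a stolen record;
    compare it with the institution's detection-and-reset window.
    """
    start = time.perf_counter()
    for _ in range(samples):
        verify_authenticator("not-the-real-password", stored)
    per_guess = (time.perf_counter() - start) / samples
    return per_guess * guesses


if __name__ == "__main__":
    record = hash_authenticator("correct horse battery staple")  # constructed sample credential
    print("login ok:", verify_authenticator("correct horse battery staple", record))
    print("wrong password:", verify_authenticator("password1", record))
    legacy = hash_authenticator("correct horse battery staple", iterations=1_000)
    print("legacy record needs rehash:", needs_rehash(legacy))
    # How long a 10-million-word dictionary takes against each record on this machine.
    for label, rec in (("legacy", legacy), ("current", record)):
        print(f"{label}: {seconds_to_exhaust(rec, 10_000_000) / 3600:.1f} hours")
```

The iteration count is stored with each record, so the policy can be raised over time and `needs_rehash` identifies which records still sit below it; that is the operational lever behind the guidance to keep authenticator strength ahead of the time it takes to detect and respond to a theft.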
Decisions regarding what data to encrypt and at what points to
encrypt the data are typically based on the risk of disclosure and
the costs and risks of encryption. Generally speaking,
authenticators are always encrypted whether on public networks or on
the financial institution's network. Sensitive information is also
encrypted when passing over a public network, and also may be
encrypted within the institution.
Encryption cannot guarantee data security. Even if encryption is
properly implemented, for example, a security breach at one of the
endpoints of the communication can be used to steal the data or
allow an intruder to masquerade as a legitimate system user.
2. Determine whether sensitive data in both electronic and
paper form is adequately controlled physically through creation,
processing, storage, maintenance, and disposal.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
15. If the institution provides a short-form initial privacy notice
with the opt out notice, does the institution do so only to
consumers with whom the institution does not have a customer
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to
conduct an independent internal-network penetration test annually.
With Gramm-Leach-Bliley and the regulators' IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing the internal connections to your network.
For more information about our independent internal testing,
PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.