R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

September 17, 2006

CONTENT Internet Compliance Information Systems Security
IT Security Question
 
Internet Privacy
 
Website for Penetration Testing
 
Does Your Financial Institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The VISTA penetration study and Internet security test is an affordable-sophisticated process than goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI -
This week, I am attending the Network Security Conference sponsored by the Information Systems Audit and Control Association (ISACA) being held at Caesars Place in Las Vegas.  I look forward to meeting any of you that will also be in attendance. 

FYI - Bank To Pay $50 Million For Buying Personal Data - A bank has been ordered to pay a $50 million settlement for buying more than 650,000 names and addresses from the Florida Department of Highway Safety and Motor Vehicles. The Electronic Privacy Information Center, which filed an amicus brief in favor of the plaintiffs, announced the decision this week. EPIC said Fidelity Federal Bank & Trust bought 656,600 names and addresses for use in direct marketing and the purchase violated the Drivers Privacy Protection Act. http://www.techweb.com/wire/192500110

FYI - NIST releases guidelines for sanitizing files - The National Institute of Standards and Technology has released a new publication that provides guidance on disposing of files. Special Publication 800-88, "Guidelines for Media Sanitization," gives agencies assistance to ensure that deleted or disposed files are unrecoverable. http://www.fcw.com/article95849-08-30-06-Web&printLayout

FYI - eBayed smart phones give up corporate secrets - Sold PDAs still stuffed with data, says Trust Digital. Smart phones and PDAs offer the benefit of storing information but consumers are not always wiping the data clean before selling the devices on eBay. Personal banking records, corporate notes on sales activity and product plans were among sensitive data found on PDAs and smart phones sold on eBay, according to a small sampling taken by security software company Trust Digital. The problem is akin to one that plagues used computers that are sold or discarded before the hard drive is wiped clean. http://software.silicon.com/security/0,39024888,39161863,00.htm

FYI - AT&T hack exposes 19,000 identities - AT&T on Tuesday said hackers broke into one of its computer systems and accessed personal data on thousands of customers who used its online store. http://news.com.com/2102-1029_3-6110765.html?tag=st.util.print and http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/09/01/BUGVBKSUIE1.DTL&type=printable

FYI - FDIC needs better information security - The Government Accountability Office has released a new report that criticizes the Federal Deposit Insurance Corp.'s (FDIC) efforts to implement information security controls. http://www.fcw.com/article95904-09-01-06-Web

FYI - NIST solicits comment on new security publications - The National Institute of Standards and Technologies released three new drafts of security-related special publications today. They cover e-mail security, intrusion detection and prevention, and securing Web services and applications. http://www.fcw.com/article95885-09-01-06-Web

FYI - Personal Data Of Chicago Employees Stolen - Thousands of city employees could be at risk of identity theft following the theft of a laptop computer from a city contractor, and a delay of more than a year in reporting the theft to the proper personnel within the company, according to a release from the Mayor's office. http://www.wbbm780.com/pages/77513.php?contentType=4&contentId=198758

STOLEN COMPUTERS

FYI - Laptops with sensitive data stolen from Education contractor - Two laptop computers believed to contain unencrypted personal information about 43 grant reviewers were stolen from an Education Department contractor in Washington, D.C., earlier this month. The laptops, stolen Aug. 11, contained information about grant reviewers for the Teacher Incentive Fund. http://govexec.com/dailyfed/0806/082906p1.htm

FYI - Patient info on stolen computer - A medical lab is notifying patients that a computer with sensitive personal information was stolen from its Prospect Plains Road sample-collection center. LabCorp is identifying patients who may have had their names and Social Security numbers on a computer stolen from its Monroe Patient Service Center and notifying those people by mail. http://www.thnt.com/apps/pbcs.dll/article?AID=/20060831/NEWS/608310428/1001

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
  (Part 4 of 10)

A. RISK DISCUSSION

Reputation Risk

Trade Names

If the third party has a name similar to that of the financial institution, there is an increased likelihood of confusion for the customer and increased exposure to reputation risk for the financial institution. For example, if customers access a similarly named broker from the financial institution's website, they may believe that the financial institution is providing the brokerage service or that the broker's products are federally insured.

Website Appearance

The use of frame technology and other similar technologies may confuse customers about which products and services the financial institution provides and which products and services third parties, including affiliates, provide. If frames are used, when customers link to a third-party website through the institution-provided link, the third-party webpages open within the institution's master webpage frame. For example, if a financial institution provides links to a discount broker and the discount broker's webpage opens within the institution's frame, the appearance of the financial institution's logo on the frame may give the impression that the financial institution is providing the brokerage service or that the two entities are affiliated. Customers may believe that their funds are federally insured, creating potential reputation risk to the financial institution in the event the brokerage service should fail or the product loses value.

Compliance Risk

The compliance risk to an institution linking to a third-party's website depends on several factors. These factors include the nature of the products and services provided on the third-party's website, and the nature of the institution's business relationship with the third party. This is particularly true with respect to compensation arrangements for links. For example, a financial institution that receives payment for offering advertisement-related weblinks to a settlement service provider's website should carefully consider the prohibition against kickbacks, unearned fees, and compensated referrals under the Real Estate Settlement Procedures Act (RESPA).

The financial institution has compliance risk as well as reputation risk if linked third parties offer less security and privacy protection than the financial institution. Third-party sites may have less secure encryption policies, or less stringent policies regarding the use and security of their customer's information. The customer may be comfortable with the financial institution's policies for privacy and security, but not with those of the linked third party. If the third-party's policies and procedures create security weaknesses or apply privacy standards that permit the third party to release confidential customer information, customers may blame the financial institution.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

ENCRYPTION

Encryption is used to secure communications and data storage, particularly authentication credentials and the transmission of sensitive information. It can be used throughout a technological environment, including the operating systems, middleware, applications, file systems, and communications protocols.

Encryption is used both as a prevention and detection control. As a prevention control, encryption acts to protect data from disclosure to unauthorized parties. As a detective control, encryption is used to allow discovery of unauthorized changes to data and to assign responsibility for data among authorized parties. When prevention and detection are joined, encryption is a key control in ensuring confidentiality, data integrity, and accountability.

Properly used, encryption can strengthen the security of an institution's systems. Encryption also has the potential, however, to weaken other security aspects. For instance, encrypted data drastically lessens the effectiveness of any security mechanism that relies on inspections of the data, such as anti - virus scanning and intrusion detection systems. When encrypted communications are used, networks may have to be reconfigured to allow for adequate detection of malicious code and system intrusions.

Although necessary, encryption carries the risk of making data unavailable should anything go wrong with data handling, key management, or the actual encryption. The products used and administrative controls should contain robust and effective controls to ensure reliability.

Encryption can impose significant overhead on networks and computing devices. A loss of encryption keys or other failures in the encryption process can deny the institution access to the encrypted data.

Financial institutions should employ an encryption strength sufficient to protect information from disclosure until such time as the information's disclosure poses no material threat. For instance, authenticators should be encrypted at a strength sufficient to allow the institution time to detect and react to an authenticator theft before the attacker can decrypt the stolen authenticators.

Decisions regarding what data to encrypt and at what points to encrypt the data are typically based on the risk of disclosure and the costs and risks of encryption. Generally speaking, authenticators are always encrypted whether on public networks or on the financial institution's network. Sensitive information is also encrypted when passing over a public network, and also may be encrypted within the institution.

Encryption cannot guarantee data security. Even if encryption is properly implemented, for example, a security breach at one of the endpoints of the communication can be used to steal the data or allow an intruder to masquerade as a legitimate system user.


Return to the top of the newsletter

IT SECURITY QUESTION:

E. PHYSICAL SECURITY

2. Determine whether sensitive data in both electronic and paper form is adequately controlled physically through creation, processing, storage, maintenance, and disposal.

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

15. If the institution provides a short-form initial privacy notice with the opt out notice, does the institution do so only to consumers with whom the institution does not have a customer relationship? [6(d)(1)]

NETWORK SECURITY TESTING
- IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated