R. Kinney Williams & Associates

Internet Banking News

September 24, 2006

CONTENT
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which supports compliance with Gramm-Leach-Bliley Act section 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning and takes a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Wells Fargo discloses another data breach - It's the fifth incident in less than three years - In a replay of similar incidents over the past three years, Wells Fargo & Co. this week began again to notify people about the potential compromise of their personal information. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002944&source=NLT_FIN&nlid=56

FYI - BoI to refund phishing victims - Bank of Ireland has agreed to compensate victims of a recent phishing scam, backtracking from its earlier position. The bank had initially refused to refund victims, who lost about 160,000 to scammers after receiving the fake emails. However, reports in the Irish Independent on Tuesday indicate that the bank has since had a change of heart. http://www.theregister.co.uk/2006/09/06/boi_refunds_phishing_victims/print.html

FYI - IRS Gives Away $318 Million Because Of Bungled Software Upgrade - The Internal Revenue Service issued more than $318 million in refunds on phony returns last year because of a botched software project, a government report released last week said. http://www.techweb.com/wire/192501772 and http://www.treas.gov/tigta/auditreports/2006reports/200620108fr.pdf

FYI - Calif. police probe computer breach in Schwarzenegger's office - The incident involves a digital recording leaked to the Los Angeles Times - The California Highway Patrol (CHP) is investigating the apparent hacking of a computer in Gov. Arnold Schwarzenegger's office. http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/09/11/MNG8KL3A051.DTL&type=printable

FYI - Chase trashes tapes with client info - Chase Card Services says it's notifying more than two and a half million Circuit City credit card holders that computer tapes containing their personal information were mistakenly thrown in the trash. http://news.moneycentral.msn.com/provider/providerarticle.asp?feed=AP&Date=20060907&ID=6002314



WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
  (Part 5 of 10)

B. RISK MANAGEMENT TECHNIQUES

Introduction

Management must effectively plan, implement, and monitor the financial institution's weblinking relationships. This includes situations in which the institution has a third-party service provider create, arrange, or manage its website. There are several methods of managing a financial institution's risk exposure from third-party weblinking relationships. The methods adopted to manage the risks of a particular link should be appropriate to the level of risk presented by that link as discussed in the prior section.

Planning Weblinking Relationships

In general, a financial institution planning the use of weblinks should review the types of products or services and the overall website content made available to its customers through the weblinks. Management should consider whether the links support the institution's overall strategic plan. Tools useful in planning weblinking relationships include:

1)  due diligence with respect to third parties to which the financial institution is considering links; and

2)  written agreements with significant third parties.


INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  


ENCRYPTION - HOW ENCRYPTION WORKS

In general, encryption functions by taking data and a variable, called a "key," and processing those items through a fixed algorithm to create the encrypted text. The strength of the encrypted text is determined by the entropy, or degree of uncertainty, in the key and the algorithm. Key length and key selection criteria are important determinants of entropy. Greater key lengths generally mean more possible keys. More important than key length, however, is the limit that the key selection criteria place on the number of keys that can actually occur. For instance, a 128-bit key has much less than 128 bits of entropy if it is built only from certain letters or numbers, because an attacker need only try the keys that the selection rule can produce. The full 128 bits of entropy are realized only if the key is selected uniformly at random across the entire 128-bit range.
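To make the entropy arithmetic concrete, here is an added Python example (not from the FFIEC booklet or from this newsletter) that computes the entropy of a 16-byte key under several key-selection rules, generates keys under the restrictive rules with the standard library's `secrets` module, and reports how much smaller each rule makes an attacker's search compared with a full 128-bit keyspace. The scheme names, the function names, and the choice of a 16-byte (AES-128-sized) reference key are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumption for this example: the reference key size is 128 bits (16 bytes),
# matching the passage's "128-bit key".
FULL_KEY_BITS = 128
KEY_LEN = 16


def key_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a key of `length` symbols, each chosen uniformly and
    independently from an alphabet of `alphabet_size` symbols.  This is log2 of
    the number of keys the selection rule can produce."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def brute_force_advantage(entropy_bits: float) -> float:
    """How many times smaller the attacker's search is than the full 128-bit
    keyspace when the key really carries only `entropy_bits` bits."""
    return 2.0 ** (FULL_KEY_BITS - entropy_bits)


def restricted_key(alphabet: str, length: int = KEY_LEN) -> bytes:
    """A `length`-byte key whose bytes are chosen uniformly from `alphabet` only.
    It is the right size for AES-128 but carries only length*log2(|alphabet|) bits."""
    return "".join(secrets.choice(alphabet) for _ in range(length)).encode("ascii")


def random_key(nbytes: int = KEY_LEN) -> bytes:
    """A key drawn uniformly from the whole keyspace: the only way to get the
    full 8 bits of entropy per byte."""
    return secrets.token_bytes(nbytes)


def entropy_budget(key: bytes, alphabet: bytes) -> float:
    """Upper bound on the entropy of `key` if its generator only ever emits bytes
    from `alphabet`.  Rejects a key that contradicts the claimed alphabet."""
    allowed = set(alphabet)
    if any(b not in allowed for b in key):
        raise ValueError("key contains bytes outside the claimed alphabet")
    return key_entropy_bits(len(allowed), len(key))


# Constructed comparison of common key-selection rules (hypothetical names).
SCHEMES = {
    "digits only": string.digits,                            # 10 symbols
    "hex characters": "0123456789abcdef",                    # 16 symbols
    "letters and digits": string.ascii_letters + string.digits,  # 62 symbols
}


def compare_schemes(length: int = KEY_LEN) -> dict:
    """Entropy in bits for each selection rule, plus a truly random key."""
    result = {name: key_entropy_bits(len(alpha), length) for name, alpha in SCHEMES.items()}
    result["any byte value (random)"] = key_entropy_bits(256, length)
    return result


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:26s} {bits:7.2f} bits  search is 2^{FULL_KEY_BITS - bits:.1f} times easier")
    digit_key = restricted_key(string.digits)
    print("16-byte digit-only key:", digit_key, "->",
          f"{entropy_budget(digit_key, string.digits.encode()):.2f} bits")
    print("16 random bytes:      ", random_key().hex(), "-> 128.00 bits")
```

The table this prints is the point of the passage: a "128-bit" key typed from digits carries about 53 bits, from hex characters 64 bits, and from letters and digits about 95 bits, so an attacker searching only the keys the rule can produce does 2^75, 2^64 or 2^33 times less work than a full 128-bit search. Only a key drawn uniformly from all 256 byte values reaches 128 bits.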


The encryption algorithm is also important. Creating a mathematical algorithm that does not limit the entropy of the key, and testing the algorithm to ensure its integrity, are difficult. Since the strength of an algorithm rests on its ability to preserve the key's entropy rather than on the secrecy of the algorithm itself, algorithms are generally made public and subjected to peer review. The more an algorithm is tested by knowledgeable experts worldwide, the more it can be trusted to perform as expected. Examples of public algorithms are AES, DES and Triple DES, SHA-1 (a hash function rather than a cipher), and RSA. Note that a public algorithm is not automatically a strong one: DES's 56-bit key is short enough to be searched exhaustively with modern hardware, which is why Triple DES and AES replaced it.



IT SECURITY QUESTION:

E. PHYSICAL SECURITY

3. Determine whether:
Authorization for physical access to critical or sensitive information - processing facilities is granted according to an appropriate process;
Authorizations are enforceable by appropriate preventive, detective, and corrective controls; and
Authorizations can be revoked in a practical and timely manner.



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

16. If the institution provides a short-form initial privacy notice according to 6(d)(1), does the short-form initial notice:

a. conform to the definition of "clear and conspicuous"; [6(d)(2)(i)]

b. state that the institution's full privacy notice is available upon request; [6(d)(2)(ii)] and

c. explain a reasonable means by which the consumer may obtain the notice?  [6(d)(2)(iii)]

(Note: the institution is not required to deliver the full privacy notice with the short-form initial notice. [6(d)(3)])

NETWORK SECURITY TESTING
- IT examination guidelines require financial institutions to conduct an independent internal-network penetration test annually.  Given Gramm-Leach-Bliley and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing the internal connections to your network.  For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated