Hurricane Information - R. Kinney Williams & Associates has established
a web page for financial institutions affected by Katrina and Rita at
http://www.yennik.com/hurricane_info.htm. The web page features links
to state and federal regulatory agencies for financial institutions. If
you know of additional government links that would benefit banks,
savings & loans, and credit unions, we will consider listing them. In
addition, if you find a good news article on how disaster recovery
worked or did not work, please email it to us so we can include it in
future newsletters. Since we are strictly IT auditors, we can NOT
accept or reply to postings for commercial products.
FYI - After Katrina, users start
to weigh long-term IT issues - The assessment process begins amid
efforts to restore key systems.
http://www.computerworld.com/printthis/2005/0,4814,104542,00.html
FYI - New law drives IT
security spending in Japan - A new legal requirement for better
handling of personal information in Japan will result in higher IT
security spending by small and medium-sized businesses (SMBs) in the
country, according to analyst firm AMI-Partners.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39253182-39000005c
FYI - Expert charged in
computer hacking - A computer networking consultant hacked into a
Beaver County school district's system to peek at a competitor's
bids, but didn't escape without leaving tracks.
http://pittsburghlive.com/x/tribune-review/trib/pittsburgh/s_369618.html
FYI - E-banking security
provokes fear or indifference - A recent study by analyst Forrester
Research has unearthed conflicting views about the safety or
otherwise of online banking. The survey of 11,300 UK net users found
that while many online banking consumers are complacent about
security, a large minority have given up online banking as a direct
result of security fears.
http://www.theregister.co.uk/2005/09/07/forrester_ebanking_survey/print.html
FYI - Hacking fears bog
down online banking growth - The number of people who turn to the
Internet for personal banking isn't growing--but those who are
already hooked on such services are using them more often, a new
survey has shown.
http://news.com.com/2102-1038_3-5851061.html?tag=st.util.print
FYI - New Microsoft
portal will help cops - Expanding its efforts to help law
enforcement with cybercrime investigations, Microsoft plans in the
coming months to launch a new online resource. The Web site will
include training, tips and tools for investigations and information
on cybercrime.
http://news.com.com/2102-7348_3-5845205.html?tag=st.util.print
FYI - Companies urged to
move beyond passwords - Companies are "fiddling while Rome burns" by
continuing to put their faith in passwords to guarantee user
authentication, a Gartner analyst has warned.
http://news.com.com/2102-1029_3-5865013.html?tag=st.util.print
FYI -
IT Auditing and Change Management - A Winning Combination - To help
chief audit executives and internal auditors better understand the
issues affecting IT change in organizations, The Institute of
Internal Auditors recently published its second in a series of
global technology audit guides, Change and Patch Management
Controls: Critical for Organizational Success.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5645
WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and
Internet-Related Fraudulent Schemes (Part 1 of 3)
E-mail and Internet-related fraudulent schemes, such as "phishing"
(pronounced "fishing"), are being perpetrated with increasing
frequency, creativity and intensity. Phishing involves the use of
seemingly legitimate e-mail messages and Internet Web sites to
deceive consumers into disclosing sensitive information, such as
bank account information, Social Security numbers, credit card
numbers, passwords, and personal identification numbers (PINs). The
perpetrator of the fraudulent e-mail message may use various means
to convince the recipient that the message is legitimate and from a
trusted source with which the recipient has an established business
relationship, such as a bank. Techniques such as a false "from"
address or the use of seemingly legitimate bank logos, Web links and
graphics may be used to mislead e-mail recipients.
In most phishing schemes, the fraudulent e-mail message will request
that recipients "update" or "validate" their financial or personal
information in order to maintain their accounts, and direct them to
a fraudulent Web site that may look very similar to the Web site of
the legitimate business. These Web sites may include copied or
"spoofed" pages from legitimate Web sites to further trick consumers
into thinking they are responding to a bona fide request. Some
consumers will mistakenly submit financial and personal information
to the perpetrator who will use it to gain access to financial
records or accounts, commit identity theft or engage in other
illegal acts.
The Federal Deposit Insurance Corporation (FDIC) and other
government agencies have also been "spoofed" in the perpetration of
e-mail and Internet-related fraudulent schemes. For example, in
January 2004, a fictitious e-mail message that appeared to be from
the FDIC was widely distributed, and it told recipients that their
deposit insurance would be suspended until they verified their
identity. The e-mail message included a hyperlink to a fraudulent
Web site that looked similar to the FDIC's legitimate Web site and
asked for confidential information, including bank account
information.
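As an added example that is not part of the FDIC guidance, the following Python script applies two of the checks a mail gateway or help desk could run against the lure just described: whether the Reply-To address leaves the sender's domain, and whether each link's visible text names one host while its href points to another (the bank logo is genuine; the link behind it is not). Both messages and every domain in them are constructed for illustration (fdic-verify.example is a placeholder, not a real site); the two-label "base domain" shortcut is an assumption, and a production filter would consult the public suffix list instead.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the FDIC lure described in the guidance.
# Neither message is real; fdic-verify.example is a placeholder host.
PHISH_EML = """\
From: "FDIC Customer Service" <service@fdic.gov>
Reply-To: verify@fdic-verify.example
To: customer@example.net
Subject: Deposit insurance suspended - verify your identity
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your deposit insurance will be suspended until you verify your identity.</p>
<p>Please visit <a href="http://fdic-verify.example/login">http://www.fdic.gov/verify</a> now.</p>
</body></html>
"""

LEGIT_EML = """\
From: "FDIC Customer Service" <service@fdic.gov>
To: customer@example.net
Subject: Deposit insurance information
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="http://www.fdic.gov/deposit/">our deposit insurance page</a>.</p></body></html>
"""

# Link text that itself looks like a URL (so the reader expects to land on that host).
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    # Assumption: the last two labels are the registrable domain. A real
    # filter would use the public suffix list (co.uk and similar suffixes).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def header_domain(value):
    """Registrable domain of the address in a From/Reply-To header, or '' if absent."""
    _, addr = email.utils.parseaddr(str(value or ""))
    return base_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def analyze(raw):
    """Return a list of phishing indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = header_domain(msg["From"])
    reply = header_domain(msg["Reply-To"])
    if reply and reply != sender:
        findings.append(f"reply-to domain {reply} differs from sender domain {sender}")

    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        if not target:
            continue
        if base_domain(target) != sender:
            findings.append(f"link to {target} does not match sender domain {sender}")
        if URL_LIKE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown and base_domain(shown) != base_domain(target):
                findings.append(f"link text shows {shown} but points to {target}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(label, analyze(raw) or ["no indicators"])
```

The constructed lure trips all three indicators; the constructed legitimate notice trips none, because its only link stays on the sender's domain and its link text is plain words rather than a URL. A false "From" address that matches the bank's domain will pass the first check by design; that case needs SPF/DKIM evaluation at the receiving gateway, which this script does not attempt.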
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY STEPS
Common elements of risk assessment approaches involve three phases:
information gathering, analysis, and prioritizing responses. Vendor
concerns add additional elements to the process.
INFORMATION GATHERING
Identifying and understanding risk requires the analysis of a
wide range of information relevant to the particular institution's
risk environment. Once gathered, the information can be catalogued
to facilitate later analysis. Information gathering generally
includes the following actions:
1) Obtaining listings
of information system assets (e.g., data, software, and hardware).
Inventories on a device-by-device basis can be helpful in risk
assessment as well as risk mitigation. Inventories should consider
whether data resides in house or at a TSP.
2) Determining threats
to those assets, resulting from people with malicious intent,
employees and others who accidentally cause damage, and
environmental problems that are outside the control of the
organization (e.g., natural disasters, failures of interdependent
infrastructures such as power, telecommunications, etc.).
3) Identifying
organizational vulnerabilities (e.g., weak senior management
support, ineffective training, inadequate expertise or resource
allocation, and inadequate policies, standards, or procedures).
4) Identifying
technical vulnerabilities (e.g., vulnerabilities in hardware and
software, configurations of hosts, networks, workstations, and
remote access).
5) Documenting current
controls and security processes, including both information
technology and physical security.
6) Identifying security
requirements and considerations (e.g., GLBA).
7) Maintaining the risk
assessment process requires institutions to review and update their
risk assessment at least once a year, or more frequently in response
to material changes in any of the six actions above.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Authentication
1. Determine whether the financial institution
has removed or reset default profiles and passwords from new systems
and equipment.
2. Determine whether access to system administrator level is
adequately controlled.
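One way to turn these two examination steps into a repeatable check, as an added example in Python that is not part of the examination procedures: the first function looks for accounts whose stored password hash still matches a vendor default, and the second lists members of administrative groups who are not on an approved list. The vendor-default list, the PBKDF2-SHA256 credential store and the /etc/group lines are all constructed for illustration; a real audit would load the published defaults for the products actually in inventory and read the live account and group files.

```python
import hashlib
import hmac
import os

# Hypothetical vendor-default credentials for illustration only; a real
# audit would load the defaults published for the specific products in use.
VENDOR_DEFAULTS = {
    "admin": ["admin", "password", "changeme"],
    "root": ["root", "toor"],
    "guest": ["guest", ""],
}

# Groups that confer system administrator level access on a typical Unix host.
ADMIN_GROUPS = {"wheel", "sudo", "adm"}


def hash_password(password, salt, rounds=50_000):
    """PBKDF2-SHA256, the scheme this constructed credential store is assumed to use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def make_store(plaintexts):
    """Build a constructed store {user: (salt_hex, digest_hex)} from sample passwords."""
    store = {}
    for user, password in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt.hex(), hash_password(password, salt))
    return store


def accounts_with_default_passwords(store):
    """Return [(user, default)] for each account whose hash still matches a vendor default."""
    hits = []
    for user, (salt_hex, digest) in store.items():
        salt = bytes.fromhex(salt_hex)
        for candidate in VENDOR_DEFAULTS.get(user, []):
            # Constant-time comparison so the audit tool itself leaks nothing.
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                hits.append((user, candidate))
                break
    return hits


def unapproved_admins(group_text, approved):
    """Parse /etc/group-style lines; return (group, member) for admin members not approved."""
    findings = []
    for line in group_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        if name in ADMIN_GROUPS:
            for member in filter(None, members.split(",")):
                if member not in approved:
                    findings.append((name, member))
    return findings


# Constructed sample data: an appliance where two accounts were never
# changed from their defaults, and a group file with an unreviewed
# service account and a user who was never approved for sudo.
SAMPLE_STORE = make_store({"admin": "admin", "root": "c0rrect-h0rse-b4ttery", "guest": "guest"})
SAMPLE_GROUPS = """\
root:x:0:
wheel:x:10:root,alice,svc_backup
sudo:x:27:alice,bob
users:x:100:alice,bob,carol
"""
APPROVED_ADMINS = {"root", "alice"}

if __name__ == "__main__":
    print("default passwords still set:", accounts_with_default_passwords(SAMPLE_STORE))
    print("unapproved admin members:", unapproved_admins(SAMPLE_GROUPS, APPROVED_ADMINS))
```

Against the constructed data the first check reports admin and guest, and the second reports svc_backup in wheel and bob in sudo; root survives because its password was changed and it is on the approved list. The hash comparison deliberately works from the stored digests rather than attempting logins, so it can be run against a copied credential file without locking accounts.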
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will
help ensure compliance with the privacy regulations.
42. Does the institution provide the consumer with a
reasonable opportunity to opt out such as by:
a. mailing the notices required by §10 and allowing the
consumer to respond by toll-free telephone number, return mail, or
other reasonable means (see question 22) within 30 days from the
date mailed; [§10(a)(3)(i)]
b. where the consumer opens an on-line account with the
institution and agrees to receive the notices required by §10
electronically, allowing the consumer to opt out by any reasonable
means (see question 22) within 30 days from consumer acknowledgement
of receipt of the notice in conjunction with opening the account;
[§10(a)(3)(ii)] or
c. for isolated transactions, providing the notices required
by §10 at the time of the transaction and requesting that the
consumer decide, as a necessary part of the transaction, whether to
opt out before the completion of the transaction? [§10(a)(3)(iii)]
VISTA - Does your financial institution need an affordable Internet
security penetration-vulnerability test? Our clients in 41 states rely
on VISTA to verify their IT security settings and to meet the
independent diagnostic test requirements of the FDIC, OCC, OTS, FRB,
and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an
affordable, sophisticated process that goes far beyond simple port
scanning; the testing is performed from a hacker's perspective, which
will help you identify real-world weaknesses. For more information,
give Kinney Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.