Hurricane Information - R.
Kinney Williams & Associates has established a web page for
financial institutions affected by Katrina and Rita at
http://www.yennik.com/hurricane_info.htm. The web page
features links to state and federal regulatory agencies for
financial institutions. If you know of
additional government links that
would benefit the banks, savings & loans, and credit unions, we will
consider the request to list the government link. In addition,
if you find a good news article on how disaster recovery worked or
did not work, please email us so we can include in future
newsletters. Since we are strictly IT auditors, we can NOT
accept or reply to postings for commercial products.
FYI - After Katrina, users start
to weigh long-term IT issues - The assessment process begins amid
efforts to restore key systems.
FYI - New law drives IT
security spending in Japan - A new legal requirement for better
handling of personal information in Japan will result in higher IT
security spending by small and medium-sized businesses (SMBs) in the
country, according to analyst firm AMI-Partners.
FYI - Expert charged in
computer hacking - A computer networking consultant hacked into a
Beaver County school district's system to peek at a competitor's
bids, but didn't escape without leaving tracks.
FYI - E-banking security
provokes fear or indifference - A recent study by analyst Forrester
Research has unearthed conflicting views about the safety or
otherwise of online banking. The survey of 11,300 UK net users found
that while many online banking consumers are complacent about
security, a large minority have given up online banking as a direct
result of security fears.
FYI - Hacking fears bog
down online banking growth - The number of people who turn to the
Internet for personal banking isn't growing--but those who are
already hooked on such services are using them more often, a new
survey has shown.
FYI - New Microsoft
portal will help cops - Expanding its efforts to help law
enforcement with cybercrime investigations, Microsoft plans in the
coming months to launch a new online resource. The Web site will
include training, tips and tools for investigations and information
FYI - Companies urged to
move beyond passwords - Companies are "fiddling while Rome burns" by
continuing to put their faith in passwords to guarantee user
authentication, a Gartner analyst has warned.
IT Auditing and Change Management - A Winning Combination - To help
chief audit executives and internal auditors better understand the
issues affecting IT change in organizations, The Institute of
Internal Auditors recently published its second in a series of
global technology audit guides, Change and Patch Management
Controls: Critical for Organizational Success.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and
Internet-Related Fraudulent Schemes (Part 1 of 3)
E-mail and Internet-related fraudulent schemes, such as "phishing"
(pronounced "fishing"), are being perpetrated with increasing
frequency, creativity and intensity. Phishing involves the use of
seemingly legitimate e-mail messages and Internet Web sites to
deceive consumers into disclosing sensitive information, such as
bank account information, Social Security numbers, credit card
numbers, passwords, and personal identification numbers (PINs). The
perpetrator of the fraudulent e-mail message may use various means
to convince the recipient that the message is legitimate and from a
trusted source with which the recipient has an established business
relationship, such as a bank. Techniques such as a false "from"
address or the use of seemingly legitimate bank logos, Web links and
graphics may be used to mislead e-mail recipients.
In most phishing schemes, the fraudulent e-mail message will request
that recipients "update" or "validate" their financial or personal
information in order to maintain their accounts, and direct them to
a fraudulent Web site that may look very similar to the Web site of
the legitimate business. These Web sites may include copied or
"spoofed" pages from legitimate Web sites to further trick consumers
into thinking they are responding to a bona fide request. Some
consumers will mistakenly submit financial and personal information
to the perpetrator who will use it to gain access to financial
records or accounts, commit identity theft or engage in other
The Federal Deposit Insurance Corporation (FDIC) and other
government agencies have also been "spoofed" in the perpetration of
e-mail and Internet-related fraudulent schemes. For example, in
January 2004, a fictitious e-mail message that appeared to be from
the FDIC was widely distributed, and it told recipients that their
deposit insurance would be suspended until they verified their
identity. The e-mail message included a hyperlink to a fraudulent
Web site that looked similar to the FDIC's legitimate Web site and
asked for confidential information, including bank account
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
INFORMATION SECURITY RISK ASSESSMENT
Common elements of risk assessment approaches involve three phases:
information gathering, analysis, and prioritizing responses. Vendor
concerns add additional elements to the process.
Identifying and understanding risk requires the analysis of a
wide range of information relevant to the particular institution's
risk environment. Once gathered, the information can be catalogued
to facilitate later analysis. Information gathering generally
includes the following actions:
1) Obtaining listings
of information system assets (e.g., data, software, and hardware).
Inventories on a device - by - device basis can be helpful in risk
assessment as well as risk mitigation. Inventories should consider
whether data resides in house or at a TSP.
2) Determining threats
to those assets, resulting from people with malicious intent,
employees and others who accidentally cause damage, and
environmental problems that are outside the control of the
organization (e.g., natural disasters, failures of interdependent
infrastructures such as power, telecommunications, etc.).
organizational vulnerabilities (e.g., weak senior management
support, ineffective training, inadequate expertise or resource
allocation, and inadequate policies, standards, or procedures).
technical vulnerabilities (e.g., vulnerabilities in hardware and
software, configurations of hosts, networks, workstations, and
5) Documenting current
controls and security processes, including both information
technology and physical security.
6) Identifying security
requirements and considerations (e.g., GLBA).
7) Maintaining the risk
assessment process requires institutions to review and update their
risk assessment at least once a year, or more frequently in response
to material changes in any of the six actions above.
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
1. Determine whether the financial institution
has removed or reset default profiles and passwords from new systems
2. Determine whether access to system administrator level is
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will
help ensure compliance with the privacy regulations.
42. Does the institution provide the consumer with a
reasonable opportunity to opt out such as by:
a. mailing the notices required by §10 and allowing the
consumer to respond by toll-free telephone number, return mail, or
other reasonable means (see question 22) within 30 days from the
date mailed; [§10(a)(3)(i)]
b. where the consumer opens an on-line account with the
institution and agrees to receive the notices required by §10
electronically, allowing the consumer to opt out by any reasonable
means (see question 22) within 30 days from consumer acknowledgement
of receipt of the notice in conjunction with opening the account;
c. for isolated transactions, providing the notices required
by §10 at the time of the transaction and requesting that the
consumer decide, as a necessary part of the transaction, whether to
opt out before the completion of the transaction? [§10(a)(3)(iii)]
VISTA - Does
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
testing focuses on
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit