September 10, 2000
FYI - The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) amended its listing of specially designated nationals and blocked persons to remove some names of significant foreign narcotics traffickers and add others.
FYI - Federal agencies share taxpayer info from Web sites http://www.shns.com/stories/view-story.php?slug=PRIVACY-09-07-00
FYI - A Federal Reserve System committee outlined a series of cooperative steps the Federal Reserve and the private sector can take to remove barriers to the development of electronic check presentment in the United States.
FYI - The OTS announced it will join the other federal bank regulators in providing free software to help institutions file their annual Home Mortgage Disclosure Act (HMDA) report.
INTERNET SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we start a three part review of controls to prevent and detect intrusions. Management should determine the controls necessary to deter, detect, and respond to intrusions, consistent with the best practices of information system operators. Controls may include the following:
1) Authentication. Authentication provides identification by means of some previously agreed upon method, such as passwords and biometrics. (A method of identifying a person's identity by analyzing a unique physical attribute.) The means and strength of authentication should be commensurate with the risk. For instance, passwords should be of an appropriate length, character set, and lifespan (The lifespan of a password is the length of time the password allows access to the system. Generally speaking, shorter lifespans reduce the risk of password compromises.) for the systems being protected. Employees should be trained to recognize and respond to fraudulent attempts to compromise the integrity of security systems. This may include "social engineering" whereby intruders pose as authorized users to gain access to bank systems or customer records.
2) Install and Update Systems. When a bank acquires and installs new or upgraded systems or equipment, it should review security parameters and settings to ensure that these are consistent with the intrusion risk assessment plan. For example, the bank should review user passwords and authorization levels for maintaining "separation of duties" and "need to know" policies. Once installed, security flaws to software and hardware should be identified and remediated through updates or "patches." Continuous monitoring and updating is essential to protect the bank from vulnerabilities. Information related to vulnerabilities and patches are typically available from the vendor, security-related web sites, and in bi-weekly National Infrastructure Protection Center's CyberNotes.
3) Software Integrity. Copies of software and integrity checkers (An integrity checker uses logical analysis to identify whether a file has been changed.) are used to identify unauthorized changes to software. Banks should ensure the security of the integrity checklist and checking software. Where sufficient risk exists, the checklist and software should be stored away from the network, in a location where access is limited. Banks should also protect against viruses and other malicious software by using automated virus scanning software and frequently updating the signature file (The signature file contains the information necessary to identify each virus.) to enable identification of new viruses.
FYI - Networks have a "back door" that is often overlooked when setting security configurations that is easily protected.
INTERNET COMPLIANCE - Record Retention
Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.
PRIVACY STATEMENT - Bank Sold Defendants Access to Active MasterCard, Visa Card Numbers; More Than 700,000 Consumers Illegally Billed - FTC Wins $37. 5 Million Judgment from X-Rated Web Site Operators
IN CLOSING - On the Community Banker web site, we keep a list of the regulator's press releases at
We also have the bi-weekly "E-mail Banking News" which covers the regulatory press releases. There is no charge for the newsletter, which you can subscribe to at