R. Kinney Williams & Associates

Internet Banking News

September 10, 2000

FYI  - The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) amended its listing of specially designated nationals and blocked persons to remove some names of significant foreign narcotics traffickers and add others. http://www.fdic.gov/news/news/financial/2000/fil0059.html 

FYI - Federal agencies share taxpayer info from Web sites http://www.shns.com/stories/view-story.php?slug=PRIVACY-09-07-00 

FYI - A Federal Reserve System committee outlined a series of cooperative steps the Federal Reserve and the private sector can take to remove barriers to the development of electronic check presentment in the United States. http://www.bog.frb.fed.us/boarddocs/press/General/2000/20000907/default.htm 

FYI - The OTS announced it will join the other federal bank regulators in providing free software to help institutions file their annual Home Mortgage Disclosure Act (HMDA) report. http://www.ots.treas.gov/docs/77073.html 

INTERNET SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we start a three-part review of controls to prevent and detect intrusions. Management should determine the controls necessary to deter, detect, and respond to intrusions, consistent with the best practices of information system operators. Controls may include the following: 

1) Authentication. Authentication provides identification by means of some previously agreed upon method, such as passwords and biometrics (a method of identifying a person by analyzing a unique physical attribute). The means and strength of authentication should be commensurate with the risk. For instance, passwords should be of an appropriate length, character set, and lifespan for the systems being protected. (The lifespan of a password is the length of time the password allows access to the system. Generally speaking, shorter lifespans reduce the risk of password compromises.) Employees should be trained to recognize and respond to fraudulent attempts to compromise the integrity of security systems. This may include "social engineering," whereby intruders pose as authorized users to gain access to bank systems or customer records.

2) Install and Update Systems. When a bank acquires and installs new or upgraded systems or equipment, it should review security parameters and settings to ensure that these are consistent with the intrusion risk assessment plan. For example, the bank should review user passwords and authorization levels for maintaining "separation of duties" and "need to know" policies. Once systems are installed, security flaws in software and hardware should be identified and remediated through updates or "patches." Continuous monitoring and updating is essential to protect the bank from vulnerabilities. Information related to vulnerabilities and patches is typically available from the vendor, security-related web sites, and the National Infrastructure Protection Center's bi-weekly CyberNotes.

3) Software Integrity. Copies of software and integrity checkers are used to identify unauthorized changes to software. (An integrity checker uses logical analysis to identify whether a file has been changed.) Banks should ensure the security of the integrity checklist and checking software. Where sufficient risk exists, the checklist and software should be stored away from the network, in a location where access is limited. Banks should also protect against viruses and other malicious software by using automated virus scanning software and frequently updating the signature file to enable identification of new viruses. (The signature file contains the information necessary to identify each virus.)
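The following is an added example, not part of the OCC Bulletin or this newsletter, showing how an integrity checker of the kind described in item 3 can work and why the checklist itself needs protection. It assumes SHA-256 file digests and a keyed MAC over the checklist as one way to detect tampering with it; the file names, key, and function names are constructed for illustration.

```python
import hashlib, hmac, json, os, tempfile

def build_checklist(root):
    """Map each file under root to its SHA-256 digest (the 'checklist')."""
    checklist = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            checklist[os.path.relpath(path, root)] = digest
    return checklist

def _mac(checklist, key):
    body = json.dumps(checklist, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(checklist, key):
    """Attach a keyed MAC so later edits to the checklist are detectable."""
    return {"checklist": checklist, "mac": _mac(checklist, key)}

def verify(root, sealed, key):
    """Authenticate the checklist first, then compare it with the files."""
    if not hmac.compare_digest(_mac(sealed["checklist"], key), sealed["mac"]):
        raise ValueError("checklist failed authentication")
    base, now = sealed["checklist"], build_checklist(root)
    return {
        "changed": sorted(p for p in base if p in now and base[p] != now[p]),
        "missing": sorted(p for p in base if p not in now),
        "added": sorted(p for p in now if p not in base),
    }

def write(root, name, data):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)

def demo():
    key = b"constructed-demo-key"  # assumption: held off the monitored host
    with tempfile.TemporaryDirectory() as root:
        write(root, "teller.bin", b"v1")
        write(root, "report.bin", b"v1")
        sealed = seal(build_checklist(root), key)      # trusted baseline
        write(root, "teller.bin", b"v1-altered")       # unauthorized change
        os.remove(os.path.join(root, "report.bin"))
        write(root, "extra.bin", b"unexpected file")
        findings = verify(root, sealed, key)
        sealed["checklist"] = build_checklist(root)    # checklist rewritten too
        try:
            verify(root, sealed, key)
            rewritten_rejected = False
        except ValueError:
            rewritten_rejected = True
    return findings, rewritten_rejected
```

If the checklist lived on the same system with no protection, rewriting it after altering the files would hide every change, which is the reason for keeping the checklist and checking software in a location where access is limited.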

FYI - Networks have a "back door" that is often overlooked when setting security configurations but is easily protected. http://www.builder.com/Servers/SecurityIssues/090600/?tag=st.bl.3880.pro_hbl_si090600 

INTERNET COMPLIANCE - Record Retention

Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.

PRIVACY STATEMENT - Bank Sold Defendants Access to Active MasterCard, Visa Card Numbers; More Than 700,000 Consumers Illegally Billed - FTC Wins $37.5 Million Judgment from X-Rated Web Site Operators http://www.ftc.gov/opa/2000/09/netfill.htm 

IN CLOSING - On the Community Banker web site, we keep a list of the regulators' press releases at http://www.thecommunitybanker.com/info_current_mo.htm. We also have the bi-weekly "E-mail Banking News," which covers the regulatory press releases. There is no charge for the newsletter, which you can subscribe to at http://www.yennik.com/b.htm.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated