September 24, 2000
THANK YOU: I want to thank the FFIEC for inviting me to speak last week in Washington DC about examining the Internet banking activities and Internet security.
FYI - FDIC Division of Supervision Director James L. Sexton has appointed Sandra L. Thompson as Assistant Director for Electronic Banking, a new position within DOS.
FYI - National Banknet is an exclusive Web service for national banks operated by the Office of the Comptroller of the Currency. It goes beyond standard Internet services. The OCC site enhances the private exchange of information between the agency and the banks it charters and provides products to assist these banks.
FYI - Comptroller of the Currency John D. Hawke, Jr. told bankers that the OCC is using technology in innovative ways to reduce the burdens and maximize the benefits of supervision.
Press release - http://www.occ.treas.gov/ftp/release/2000-71.txt
Complete speech - http://www.occ.treas.gov/ftp/release/2000-71a.txt
INTERNET SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review the last part of a three-part series on controls to prevent and detect intrusions.
8) Encryption. Encryption is a means of securing data. Data can be encrypted when it is transmitted and when it is stored. Because networks are not impervious to penetration, management should evaluate the need to secure the data itself, not only the network that carries it. Management's use of encryption should be based on an internal risk assessment and a classification of data. The strength of the encryption should be proportional to the risk and to the impact if the data were revealed.
9) Employee and Contractor Background Checks. Management should ensure that information technology staff, contractors, and others who can make changes to information systems have passed background checks. Management also should periodically revalidate access lists and logon IDs.
10) Accurate and Complete Records of Users and Activities. Accurate and complete records of users and activities are essential for analysis, recovery, and development of additional security measures, as well as for possible legal action. Information of primary importance includes the methods used to gain access, the extent of the intruder's access to systems and data, and the intruder's past and current activities. To ensure that adequate records exist, management should consider collecting information about users and user activities, systems, networks, file systems, and applications. Consideration should be given to protecting and securing this information by storing it in a physical location separate from the devices generating the records, writing the data to a tamperproof device, and encrypting the information both in transit and in storage. The OCC expects banks to limit the use of personally identifiable information collected in this manner to security purposes, and to otherwise comply with applicable law and regulations regarding the privacy of personally identifiable information.
11) Vendor Management. Banks rely on service providers, software vendors, and consultants to manage networks and operations. In outsourcing situations, management should ensure that contractual agreements are comprehensive and clear with regard to the vendor's responsibility for network security, including its monitoring and reporting obligations. Management should monitor the vendor's performance under the contract, as well as assess the vendor's financial condition at least annually.
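Item 10 above asks for records that an intruder cannot quietly edit, delete or reorder after the fact, and for those records to be kept away from the devices that generate them. The following Python is an added illustration, not text or code from the OCC bulletin or this newsletter: it chains each log entry to the previous one with an HMAC, so changing any entry invalidates every tag after it, and it shows why the latest tag (the "head") must be stored off the log host as well, because a chain alone cannot reveal that its tail has been cut off. The key name, the sample log lines and the address values are all constructed for the example.

```python
"""Tamper-evident audit log (added example).

Each entry's tag is an HMAC over its sequence number, the record text and the
previous entry's tag. Editing, deleting or reordering an entry therefore breaks
the tag of that entry or of the one that follows it. The HMAC key is assumed
to live only on the log collector, not on the host producing the records, so a
compromised host cannot recompute valid tags.
"""
import copy
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS_TAG = "0" * 64  # tag assumed to precede the first entry

# Constructed sample records; the hosts, times and addresses are made up.
SAMPLE_RECORDS = [
    "2000-09-20T02:14:07Z fw1 deny tcp 203.0.113.7:4431 -> 192.0.2.10:23",
    "2000-09-20T02:14:09Z srv3 sshd: failed password for root from 203.0.113.7",
    "2000-09-20T02:14:31Z srv3 sshd: accepted password for root from 203.0.113.7",
    "2000-09-20T02:15:02Z srv3 useradd: new user 'svc_backup' uid 0",
]


def entry_tag(key: bytes, seq: int, record: str, prev_tag: str) -> str:
    """HMAC-SHA256 over a canonical encoding of (seq, record, prev_tag)."""
    msg = json.dumps([seq, record, prev_tag], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(key: bytes, log: List[dict], record: str) -> dict:
    """Append one record, chaining it to the current last entry."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    seq = len(log)
    entry = {"seq": seq, "record": record, "prev": prev_tag,
             "tag": entry_tag(key, seq, record, prev_tag)}
    log.append(entry)
    return entry


def verify_log(key: bytes, log: List[dict],
               expected_head: Optional[str] = None) -> int:
    """Return -1 if the chain is intact.

    Otherwise return the index of the first entry that does not verify
    (edited record, wrong key, gap or reorder). If expected_head, the last tag
    as stored off the log host, is supplied and the chain verifies but ends on
    a different tag, return -2: the log has been truncated.
    """
    prev_tag = GENESIS_TAG
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev_tag:
            return i  # sequence gap or broken link: entry removed or reordered
        expected = entry_tag(key, i, e["record"], prev_tag)
        if not hmac.compare_digest(e["tag"], expected):
            return i  # record text or tag altered, or wrong key
        prev_tag = e["tag"]
    if expected_head is not None and not hmac.compare_digest(prev_tag, expected_head):
        return -2  # every remaining entry is fine, but the tail is missing
    return -1


def demo() -> dict:
    """Build a log from the sample records and check four tampering cases."""
    key = b"collector-only-key-constructed-for-example"  # assumption: held by the collector only
    log: List[dict] = []
    for rec in SAMPLE_RECORDS:
        append_entry(key, log, rec)
    head = log[-1]["tag"]  # would be copied off-box after each append

    edited = copy.deepcopy(log)  # intruder rewrites the successful root login
    edited[2]["record"] = edited[2]["record"].replace("accepted", "failed")

    deleted = copy.deepcopy(log)  # intruder removes the failed-login line
    del deleted[1]

    truncated = log[:3]  # intruder drops the uid-0 account creation

    return {
        "intact": verify_log(key, log, head),
        "edited": verify_log(key, edited, head),
        "deleted": verify_log(key, deleted, head),
        "truncated": verify_log(key, truncated, head),
        "truncated_no_head": verify_log(key, truncated),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> {result}")
```

The last case is the caveat worth noticing: without the off-host head tag, a log cut short after entry 2 verifies as intact, which is exactly why the bulletin pairs tamperproof storage with keeping the records somewhere other than the device that produced them.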
INTERNET COMPLIANCE - Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program requires a financial institution to notify a prospective borrower and the servicer that the structure securing the loan is located or is to be located in a special flood hazard area. The regulation also requires that a notice of the servicer's identity be delivered to the insurance provider. While the regulation addresses electronic delivery to the servicer and to the insurance provider, it does not address electronic delivery of the notice to the borrower.
IN CLOSING - "I saw a bank that said '24 Hour Banking', but I don't have that much time." - Steven Wright