R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

October 16, 2005

CONTENT Internet Compliance Information Systems Security
IT Security Question Internet Privacy Website for Penetration Testing


FYI - Auditors hack Interior's financial and personal data - Lapses in the Interior Department's oversight allowed government-hired hackers to infiltrate the agency's systems. "We made - and then corrected - an address change in the Federal Personnel/Payroll System," the report states. "Having done this, we also believe we could have changed bank routing information and other electronic funds records to potentially divert electronic payments to other banks." http://www.fcw.com/article90981-09-30-05-Web

FYI - Visa gives CardSystems three-month reprieve - Visa U.S.A. Inc. is giving CardSystems Solutions Inc. a little more time to get its act together. On Thursday, Visa announced that it has delayed plans to sever ties with the Atlanta payment processor by three months, in order to facilitate a planned sale of CardSystems to electronic payment vendor CyberSource Corp. http://www.infoworld.nl/idgns/bericht.phtml?id=00256F6C005C22FC0025708B007A4747

FYI - Unattended PCs a menace - It's 10 a.m. and you're on break; so who's using your computer? Many organizations turn a blind eye to the risks posed by PCs that are logged into corporate networks but left unattended, according to a new analysis from research firm Gartner Inc. http://www.computerworld.com/printthis/2005/0,4814,105043,00.html

FYI - Phishers Target Swedish Bank - A phishing attack has broken new ground by attacking a Scandinavian bank operating a one-time password. F-Secure chief Mikko Hypponen said the attack was special because the emails were in Swedish, and because Nordea operates a one-time password system, consisting of a scratch sheet, which the customer scratches to uncover the next available PIN code for login. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=baadadeb-0a19-4136-94d9-a4bfac09b237&newsType=Latest%20News&s=n

FYI - Tackling mobile security - Very few companies worry about the cost of replacing mobile devices, it's more about the value and amount of data that resides of mobile devices and the adverse consequences to the company if the data on these devices falls into the wrong hands. http://www.scmagazine.com/features/index.cfm?fuseaction=FeatureDetails&newsUID=745b91bb-6e13-4430-bfd4-d7e1b6044f45&newsType=Opinion

FYI - CFOs Are Worried About Information Security - Information security was ranked as the leading technology concern for financial executives. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5652

Return to the top of the newsletter

WEB SITE COMPLIANCE - This week begins our series on the Federal Financial Institutions Examination Council Guidance on Electronic Financial Services and Consumer Compliance.

Electronic Fund Transfer Act, Regulation E  (Part 1 of 2)

Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An Interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.

Financial institutions must ensure that consumers who sign-up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

INFORMATION SECURITY RISK ASSESSMENT


PRIORITIZE RESPONSES

This phase ranks the risk (outcomes and probabilities) presented by various scenarios produced in the analysis phase to prioritize management's response. Management may decide that since some risks do not meet the threshold set in their security requirement, they will accept those risks and not proceed with a mitigation strategy. Other risks may require immediate corrective action. Still others may require mitigation, either fully or partially, over time. Risks that warrant action are addressed in the information security strategy.

In some borderline instances, or if planned controls cannot fully mitigate the risk, management may need to review the risk assessment and risk ranking with the board of directors or a delegated committee. The board should then document its acceptance of the risk or authorize other risk mitigation measures.

Return to the top of the newsletter

IT SECURITY QUESTION: 
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication

5. Determine if passwords are stored on any machine that is directly or easily accessible from outside the institution, and if passwords are stored in programs on machines, which query customer information databases.  Evaluate the appropriateness of such storage and the associated protective mechanisms.

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

45.  If the institution receives information from a nonaffiliated financial institution other than under an exception in 14 or 15, does the institution refrain from disclosing the information except:

a.  to the affiliates of the financial institution from which it received the information; [11(b)(1)(i)]

b.  to its own affiliates, which are in turn limited by the same disclosure restrictions as the recipient institution; [11(b)(1)(ii)] and

c.  to any other person, if the disclosure would be lawful if made directly to that person by the institution from which the recipient institution received the information? [11(b)(1)(iii)]

VISTA - Does Your Financial Institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The VISTA penetration study and Internet security test is an affordable-sophisticated process than goes far beyond the simple scanning of ports and testing focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated