FYI - Private Sector Fights Back Against Phishing - Private-sector companies are setting
up private posses to chase down the cyber thieves. They are working
with Internet service providers, Web-hosting services and even
regional Internet authorities to alert them when a phishing
phenomenon is discerned online.
http://www.newsfactor.com/story.xhtml?story_id=38544
FYI - U.K. bank hits back at phishing with token-based security trial - Key-fob tokens to
be used by 30,000 customers - U.K. bank Lloyds TSB has reacted to a
marked increase in attempted online banking fraud by embarking on a
large-scale trial of token-based security.
Article:
http://www.computerworld.com/printthis/2005/0,4814,105430,00.html
Article:
http://news.bbc.co.uk/2/hi/business/4340898.stm
FYI - Online banking security standard 'by the end of 2005' - A UK authentication
standard for online and telephone banking will be launched before
the end of the year, according to the Association of Payment and
Clearing Systems. After the four-digit PIN is entered into the token,
a numeric, one-time-only password is generated according to an
algorithm and displayed on the screen of the device. This password is
then used to authenticate the user so that they may access online or
telephone banking.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39231006-39020375t-10000025c
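The blurb above describes a PIN-unlocked one-time-password token without naming the algorithm. The following is an added example written for this newsletter, not code from APACS, Lloyds TSB, or any vendor; it assumes the event-based HOTP scheme of RFC 4226 (HMAC-SHA1 over a counter, truncated to six digits) and models both the fob and the bank's verifier. The RFC 4226 test secret (the ASCII string "12345678901234567890") is used so the output can be checked against the published test vectors; the PIN, user name, and look-ahead window size are assumptions. The bank-side caveat a practitioner wants is visible in `Server.verify`: accept a code only within a bounded window ahead of the last accepted counter, then move the counter past it so the same code cannot be replayed.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
# Counter 0 -> 755224, 1 -> 287082, ..., 9 -> 520489.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the 4-byte window
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """Device side (assumed model). The PIN never leaves the fob: it only
    gates the display of the next code, so a stolen fob alone is useless."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin = pin
        self.counter = 0  # advances on every successful key press

    def press(self, pin: str):
        if not hmac.compare_digest(pin, self._pin):
            return None  # wrong PIN: no code is shown
        code = hotp(self._secret, self.counter)
        self.counter += 1
        return code


class Server:
    """Bank side: per-user shared secret plus the next counter value the
    bank will accept. `window` bounds how far the fob may run ahead
    (codes generated but never submitted) before it must be resynced."""

    def __init__(self, window: int = 10) -> None:
        self.users = {}
        self.window = window

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0}

    def verify(self, user: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        start = rec["counter"]
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1  # resync; c and anything below is now a replay
                return True
        return False  # stale, replayed, or beyond the look-ahead window


if __name__ == "__main__":
    fob = Token(RFC4226_SECRET, pin="1234")
    bank = Server()
    bank.enroll("alice", RFC4226_SECRET)
    code = fob.press("1234")
    print(code, bank.verify("alice", code), bank.verify("alice", code))
```

A time-based variant (RFC 6238 TOTP) replaces the counter with `int(time.time()) // 30` and the window with a tolerance of a step or two either side; the truncation and the replay rule (never accept a code at or below the last accepted step) are the same.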
FYI - Security at the Governance Level - The Carnegie Mellon Software
Engineering Institute (SEI) recently released Governing for
Enterprise Security, a report designed to encourage leaders to
address security as a governance concern at the enterprise level.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5655
FYI - CIOs still excluded from the boardroom - Less than one in 10 have a seat at the
top table - A seat in the boardroom remains elusive for most CIOs as
businesses continue to exclude IT chiefs from high-level strategic
planning, according to new research.
http://management.silicon.com/itdirector/0,39024673,39153480,00.htm
WEB SITE COMPLIANCE - Equal Credit Opportunity Act (Regulation B)
The regulation clarifies the rules concerning the taking of credit
applications by specifying that application information entered
directly into and retained by a computerized system qualifies as a
written application under this section. If an institution makes
credit application forms available through its on-line system, it
must ensure that the forms satisfy the requirements.
The regulations also clarify the regulatory requirements that apply
when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
mail.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (2 of 2)
4) Accountable
Activities - The responsibility for performing risk assessments
should reside primarily with members of management in the best
position to determine the scope of the assessment, and the
effectiveness of risk reduction techniques. For a mid-sized or
large institution, that organization will likely be the business
unit. The information security officer(s) are responsible for
overseeing the performance of each risk assessment and the
integration of the risk assessments into a cohesive whole. Senior
management is accountable for abiding by the board of directors'
guidance for risk acceptance and mitigation decisions.
5) Documentation -
Documentation of the risk assessment process and procedures assists
in ensuring consistency and completeness, as well as accountability.
Documentation of the analysis and results provides a useful starting
point for subsequent assessments, potentially reducing the effort
required in those assessments. Documentation of risks accepted and
risk mitigation decisions is fundamental to achieving accountability
for risk decisions.
6) Enhanced Knowledge -
Risk assessment increases management's knowledge of the
institution's mechanisms for storing, processing, and
communicating information, as well as the importance of those
mechanisms to the achievement of the institution's objectives.
Increased knowledge allows management to respond more rapidly to
changes in the environment. Those changes can range from new
technologies and threats to regulatory requirements.
7) Regular Updates -
Risk assessments should be updated as new information affecting
information security risks is identified (e.g., a new threat,
vulnerability, adverse test result, hardware change, software change
or configuration change). At least once a year, senior management
should review the entire risk assessment to ensure relevant
information is appropriately considered.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication
7. Determine whether authentication error
feedback (i.e., reporting failure to successfully log-in) during the
authentication process provides a prospective attacker clues that
may allow them to hone their attack.
If so, obtain and evaluate a justification for such feedback.
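The clue the question has in mind is usually a login handler that answers "unknown username" and "wrong password" differently, in wording or in response time, letting an attacker confirm valid account names before guessing passwords. The following is an added example written for this newsletter, not code from any institution's system: a verbose handler beside a uniform one. The user store, salt, PBKDF2 parameters, and the decoy record are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
# Not real credentials; iteration count is illustrative only.
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


_ALICE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice": (_ALICE_SALT, _hash("correct horse battery staple", _ALICE_SALT))}

# Decoy record (assumption): an unknown username is verified against this so
# the "user not found" path does the same amount of work as a real lookup.
_DECOY_SALT = bytes.fromhex("ffeeddccbbaa99887766554433221100")
_DECOY_HASH = _hash("decoy-password-never-accepted", _DECOY_SALT)

GENERIC = "Invalid username or password."


def login_verbose(username: str, password: str):
    """'Before': two different failure messages, and an early return that is
    also measurably faster, tell an attacker which usernames exist."""
    rec = USERS.get(username)
    if rec is None:
        return (False, "Unknown username.")
    salt, expected = rec
    if _hash(password, salt) != expected:  # also a non-constant-time compare
        return (False, "Incorrect password for this user.")
    return (True, "Welcome.")


def login_uniform(username: str, password: str):
    """'After': one failure message, and the same hashing work on every path.
    The membership check is ANDed after the compare so a guessed decoy
    password can never log an unknown name in."""
    salt, expected = USERS.get(username, (_DECOY_SALT, _DECOY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), expected) and username in USERS
    return (ok, "Welcome." if ok else GENERIC)


if __name__ == "__main__":
    for name in ("mallory", "alice"):
        print(name, login_verbose(name, "guess"), login_uniform(name, "guess"))
```

When reviewing such a handler, check the failed-login log and lockout logic with the same eye: a lockout counter that increments only for real accounts, or a log line that says "no such user", leaks the same information through a side channel even when the HTTP response is uniform.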
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
SUBPART C - Exception to Opt Out Requirements for
Service Providers and Joint Marketing
47. If the institution discloses nonpublic personal
information to a nonaffiliated third party without permitting the
consumer to opt out, do the opt out requirements of §7 and §10,
and the revised notice requirements in §8, not apply because:
a. the institution disclosed the information to a
nonaffiliated third party who performs services for or functions on
behalf of the institution (including joint marketing of financial
products and services offered pursuant to a joint agreement as
defined in paragraph (b) of §13); [§13(a)(1)]
b. the institution has provided consumers with the initial
notice; [§13(a)(1)(i)] and
c. the institution has entered into a contract with that party
prohibiting the party from disclosing or using the information
except to carry out the purposes for which the information was
disclosed, including use under an exception in §14 or §15 in the
ordinary course of business to carry out those purposes? [§13(a)(1)(ii)]
VISTA - Does Your Financial Institution need an affordable Internet
security penetration-vulnerability test?
Our clients in 41 states rely on VISTA to verify their IT security
settings, as well as to meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
compliance with Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an
affordable, sophisticated process that goes far beyond the simple
scanning of ports; testing focuses on a hacker's perspective, which
will help you identify real-world weaknesses. For more information,
give Kinney Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.