FYI - Private Sector
Fights Back Against Phishing - Private-sector companies are setting
up private posses to chase down the cyber thieves. They are working
with Internet service providers, Web-hosting services and even
regional Internet authorities to alert them when a phishing
phenomenon is discerned online.
FYI - U.K. bank hits
back at phishing with token-based security trial - Key-fob tokens to
be used by 30,000 customers - U.K. bank Lloyds TSB has reacted to a
marked increase in attempted online banking fraud by embarking on a
large-scale trial of token-based security.
FYI - Online banking
security standard 'by the end of 2005' - A UK authentication
standard for online and telephone banking will be launched before
the end the year, the Association of Payment and Clearing Systems.
After the four-digit PIN is entered, a numeric, one-time-only
password is generated according to an algorithm and displayed on the
screen of the device. This password is then used to authenticate the
users so that they may then access online or telephone banking.
Security at the Governance Level - The Carnegie Mellon Software
Engineering Institute (SEI) recently released Governing for
Enterprise Security, a report designed to encourage leaders to
address security as a governance concern at the enterprise level.
FYI - CIOs still
excluded from the boardroom - Less than one in 10 have a seat at the
top table - A seat in the boardroom remains elusive for most CIOs as
businesses continue to exclude IT chiefs from high-level strategic
planning, according to new research.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Equal Credit Opportunity Act (Regulation
The regulations clarifies the rules concerning the taking of credit
applications by specifying that application information entered
directly into and retained by a computerized system qualifies as a
written application under this section. If an institution makes
credit application forms available through its on-line system, it
must ensure that the forms satisfy the requirements.
The regulations also clarify the regulatory requirements that apply
when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (2
Activities - The responsibility for performing risk assessments
should reside primarily with members of management in the best
position to determine the scope of the assessment, and the
effectiveness of risk reduction techniques. For a mid - sized or
large institution, that organization will likely be the business
unit. The information security officer(s) are responsible for
overseeing the performance of each risk assessment and the
integration of the risk assessments into a cohesive whole. Senior
management is accountable for abiding by the board of directors'
guidance for risk acceptance and mitigation decisions.
5) Documentation -
Documentation of the risk assessment process and procedures assists
in ensuring consistency and completeness, as well as accountability.
Documentation of the analysis and results provides a useful starting
point for subsequent assessments, potentially reducing the effort
required in those assessments. Documentation of risks accepted and
risk mitigation decisions is fundamental to achieving accountability
for risk decisions.
6) Enhanced Knowledge -
Risk assessment increases management's knowledge of the
institution's mechanisms for storing, processing, and
communicating information, as well as the importance of those
mechanisms to the achievement of the institution's objectives.
Increased knowledge allows management to respond more rapidly to
changes in the environment. Those changes can range from new
technologies and threats to regulatory requirements.
7) Regular Updates -
Risk assessments should be updated as new information affecting
information security risks are identified (e.g., a new threat,
vulnerability, adverse test result, hardware change, software change
or configuration change). At least once a year, senior management
should review the entire risk assessment to ensure relevant
information is appropriately considered.
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
7. Determine whether authentication error
feedback (i.e., reporting failure to successfully log-in) during the
authentication process provides a prospective attacker clues that
may allow them to hone their attack.
If so, obtain and evaluate a justification for such feedback.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
SUBPART C - Exception to Opt Out Requirements for
Service Providers and Joint Marketing
47. If the institution discloses nonpublic personal
information to a nonaffiliated third party without permitting the
consumer to opt out, do the opt out requirements of §7 and §10,
and the revised notice requirements in §8, not apply because:
a. the institution disclosed the information to a
nonaffiliated third party who performs services for or functions on
behalf of the institution (including joint marketing of financial
products and services offered pursuant to a joint agreement as
defined in paragraph (b) of §13); [§13(a)(1)]
b. the institution has provided consumers with the initial
notice; [§13(a)(1)(i)] and
c. the institution has entered into a contract with that party
prohibiting the party from disclosing or using the information
except to carry out the purposes for which the information was
disclosed, including use under an exception in §14 or §15 in the
ordinary course of business to carry out those purposes? [§13(a)(1)(ii)]
VISTA - Does
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
testing focuses on
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit