November 4, 2001
FYI - A 49-year-old Nevada man has been sentenced to two years in
prison for large-scale trafficking in counterfeit Microsoft software
over the Internet, federal prosecutors said on Friday.
FYI - Department of the Treasury's FinCEN Publication, The SAR
Activity Review - The Federal Deposit Insurance Corporation is
providing institutions with the attached copy of The SAR Activity
Review, published by the Department of the Treasury's Financial
Crimes Enforcement Network
COMPLIANCE - Record Retention
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
INTERNET SECURITY - We continue covering some of the
issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision in May 2001.
Board and Management Oversight - Principle 2: The Board of Directors
and senior management should review and approve the key aspects of
the bank's security control process.
The Board of Directors and senior management should oversee
the development and continued maintenance of a security control
infrastructure that properly safeguards e-banking systems and data
from both internal and external threats. This should include
establishing appropriate authorization privileges, logical and
physical access controls, and adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities.
Safeguarding of bank assets is one of the Board's fiduciary duties
and one of senior management's fundamental responsibilities.
However, it is a challenging task in a rapidly evolving e-banking
environment because of the complex security risks associated with
operating over the public Internet network and using innovative
To ensure proper security controls for e-banking activities, the
Board and senior management need to ascertain whether the bank has a
comprehensive security process, including policies and procedures,
that addresses potential internal and external security threats both
in terms of incident prevention and response. Key elements of an
effective e-banking security process include:
1) Assignment of explicit management/staff responsibility for
overseeing the establishment and maintenance of corporate security
2) Sufficient physical controls to prevent unauthorized physical
access to the computing environment.
3) Sufficient logical controls and monitoring processes to prevent
unauthorized internal and external access to e-banking applications
4) Regular review and testing of security measures and
controls, including the continuous tracking of current industry
security developments and installation of appropriate software
upgrades, service packs and other required measures.
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Fair Credit Reporting Act
The regulations do not modify, limit, or supersede the operation
of the Fair Credit Reporting Act.
The regulations do not supersede, alter, or affect any state
statute, regulation, order, or interpretation, except to the extent
that it is inconsistent with the regulations. A state statute,
regulation, order, etc. is consistent with the regulations if the
protection it affords any consumer is greater than the protection
provided under the regulations, as determined by the FTC.
Grandfathered Service Contracts
Contracts that a financial institution has entered into, on or
before July 1, 2000, with a nonaffiliated third party to perform
services for the financial institution or functions on its behalf,
as described in section 13, will satisfy the confidentiality
requirements of section 13(a)(1)(ii) until July 1, 2002, even if the
contract does not include a requirement that the third party
maintain the confidentiality of nonpublic personal information.
Guidelines Regarding Protecting Customer Information
The regulations require a financial institution to disclose its
policies and practices for protecting the confidentiality, security,
and integrity of nonpublic personal information about consumers
(whether or not they are customers). The disclosure need not
describe these policies and practices in detail, but instead may
describe in general terms who is authorized to have access to the
information and whether the institution has security practices and
procedures in place to ensure the confidentiality of the information
in accordance with the institution's policies.
The four federal bank and thrift regulators have published
guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley
Act, that address steps a financial institution should take in order
to protect customer information. The guidelines relate only to
information about customers, rather than all consumers. Compliance
examiners should consider the findings of a 501(b) inspection during
the compliance examination of a financial institution for purposes
of evaluating the accuracy of the institution's disclosure regarding
Next week we will start covering the examination objectives.
IN CLOSING - Last week I attended an IT auditing
school sponsored by the Information Systems Audit and Control
Association (ISACA). The school covered COBIT, which is
Governance, Control and Audit for Information and Related
Technology. It was a good school that I would recommend for IT
auditors. Visit ISACA's web site at http://www.isaca.org/
for information about the educational courses available for IT