R. Kinney Williams & Associates
Internet Banking News
November 5, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test?
Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - At U.S. borders,
laptops have no right to privacy - Employers have a new worry--that
business travelers' laptops will be seized at customs and
immigration checkpoints. A lot of business travelers are walking
around with laptops that contain private corporate information that
their employers really do not want outsiders to see.
http://news.com.com/2102-7348_3-6128871.html?tag=st.util.print
FYI - Hackers Zero In on
Online Stock Accounts - E-Trade Financial Corp., the nation's
fourth-largest online broker, said last week that "concerted rings"
in Eastern Europe and Thailand caused its customers $18 million in
losses in the third quarter alone.
http://www.washingtonpost.com/wp-dyn/content/article/2006/10/23/AR2006102301257.html
http://news.com.com/Brokerages+lose+millions+in+hacker+onslaught/2100-7349_3-6129391.html?tag=cd.top
FYI - National Australia
Bank hit by DDoS attack - The National Australia Bank (NAB) has
warned its customers to beware of new phishing attacks after the
bank's Web site was hit by a DDoS attack earlier this week.
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339271790-130061744t-110000005c
MISSING COMPUTERS
FYI - T-Mobile operates
a call center in Salem where several hundred people work. Rex White
Jr., a former employee of the call center now living in Utah, said
he received the letter but was unhappy the company hadn't done more
to publicize the theft. T-Mobile said Thursday it was preparing a
statement on the situation, but it would not comment further. A
company operator, though, confirmed the laptop theft and said
T-Mobile sent 43,000 letters to current and former employees
notifying them they are at risk.
http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/1161323496316290.xml&coll=7
FYI - Stolen laptop held
personal data of thousands of Allina patients - A laptop computer
containing the names and Social Security numbers of thousands of
Allina Hospitals and Clinics obstetrics patients was stolen from a
nurse's car Oct. 8, prompting alerts this week from the health-care
provider to the patients.
http://www.startribune.com/462/story/754898.html
FYI - Second laptop with
student data was stolen - No Social Security numbers compromised -
University of Minnesota officials confirmed Thursday a second theft
of a laptop computer this summer that contained private student
data. The incident involved a U art department laptop holding about
200 student names, university IDs and grades but no Social Security
numbers. It was stolen from a faculty member in June during a trip
to Spain.
http://www.twincities.com/mld/twincities/news/local/15801934.htm
WEB SITE COMPLIANCE -
This
week begins our series on the Federal Financial Institutions Examination Council Guidance
on Electronic Financial Services and Consumer Compliance.
Electronic Fund Transfer Act,
Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the
consumer's deposit account at an electronic terminal or personal
computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule issued on March 20, 1998 allows
depository institutions to satisfy the delivery requirement by
sending any of these disclosures and other
information required by the act and regulations electronically, as long as the
consumer agrees to that method of delivery.
Financial institutions must ensure that consumers who sign-up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE
Financial institution system development, acquisition, and
maintenance functions should incorporate agreed upon security
controls into software prior to development and implementation.
Management should integrate consideration of security controls into
each phase of the system development process. For the purposes of
this section, system development could include the internal
development of customized systems, the creation of database systems,
or the acquisition of third-party developed software. System
development could include long-term projects related to large
mainframe-based software projects with legacy source code or rapid
Web-based software projects using fourth-generation programming. In
all cases, institutions need to prioritize security controls
appropriately.
SOFTWARE DEVELOPMENT AND ACQUISITION
Security Requirements
Financial institutions should develop security control requirements
for new systems, system revisions, or new system acquisitions.
Management will define the security control requirements based on
their risk assessment process evaluating the value of the
information at risk and the potential impact of unauthorized access
or damage. Based on the risks posed by the system, management may
use a defined methodology for determining security requirements,
such as ISO 15408, the Common Criteria. Management may also refer
to published, widely recognized industry standards as a baseline for
establishing their security requirements. A member of senior
management should document acceptance of the security requirements
for each new system or system acquisition, acceptance of tests
against the requirements, and approval for implementing in a
production environment.
Development projects should consider automated controls for
incorporation into the application and the need to determine
supporting manual controls. Financial institutions can implement
appropriate security controls with greater cost effectiveness by
designing them into the original software rather than making
subsequent changes after implementation. When evaluating purchased
software, financial institutions should consider the availability of
products that have either been independently evaluated or received
security accreditation through financial institution or information
technology-related industry groups.
IT SECURITY
QUESTION:
F. PERSONNEL SECURITY
5. Determine if employees have an available and reliable
mechanism to promptly report security incidents, weaknesses, and
software malfunctions.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
22. Does the institution provide the consumer with at least one of
the following reasonable means of opting out, or with another
reasonable means:
a. check-off boxes prominently displayed on the relevant forms with
the opt out notice; [§7(a)(2)(ii)(A)]
b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]
c. an electronic means to opt out, such as a form that can be sent
via electronic mail or a process at the institution's web site, if
the consumer agrees to the electronic delivery of information; [§7(a)(2)(ii)(C)]
or
d. a toll-free telephone number? [§7(a)(2)(ii)(D)]
(Note: the institution may require the consumer to use one specific means, as
long as that means is reasonable for that consumer. [§7(a)(2)(iv)])
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to conduct an independent internal-network penetration test annually.
With the Gramm-Leach-Bliley Act and regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing the internal connections to your network.
For more information about our independent internal testing, please visit
http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.