R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

November 5, 2006

CONTENT Internet Compliance Information Systems Security
IT Security Question
 
Internet Privacy
 
Website for Penetration Testing
 
Does Your Financial Institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The VISTA penetration study and Internet security test is an affordable-sophisticated process than goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI
- At U.S. borders, laptops have no right to privacy - Employers have a new worry--that business travelers' laptops will be seized at customs and immigration checkpoints. A lot of business travelers are walking around with laptops that contain private corporate information that their employers really do not want outsiders to see. http://news.com.com/2102-7348_3-6128871.html?tag=st.util.print

FYI - Hackers Zero In on Online Stock Accounts - E-Trade Financial Corp., the nation's fourth-largest online broker, said last week that "concerted rings" in Eastern Europe and Thailand caused their customers $18 million in losses in the third quarter alone.
http://www.washingtonpost.com/wp-dyn/content/article/2006/10/23/AR2006102301257.html
http://news.com.com/Brokerages+lose+millions+in+hacker+onslaught/2100-7349_3-6129391.html?tag=cd.top

FYI - National Australia Bank hit by DDoS attack - The National Australia Bank (NAB) has warned its customers to beware of new phishing attacks after the bank's Web site was hit by a DDoS attack earlier this week. http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339271790-130061744t-110000005c

MISSING COMPUTERS

FYI - T-Mobile operates a call center in Salem where several hundred people work. Rex White Jr., a former employee of the call center now living in Utah, said he received the letter but was unhappy the company hadn't done more to publicize the theft. T-Mobile said Thursday it was preparing a statement on the situation, but it would not comment further. A company operator, though, confirmed the laptop theft and said T-Mobile sent 43,000 letters to current and former employees notifying them they are at risk. http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/1161323496316290.xml&coll=7

FYI - Stolen laptop held personal data of thousands of Allina patients - A laptop computer containing the names and Social Security numbers of thousands of Allina Hospitals and Clinics obstetrics patients was stolen from a nurse's car Oct. 8, prompting alerts this week from the health-care provider to the patients. http://www.startribune.com/462/story/754898.html

FYI - Second laptop with student data was stolen - No Social Security numbers compromised - University of Minnesota officials confirmed Thursday a second theft of a laptop computer this summer that contained private student data. The incident involved a U art department laptop holding about 200 student names, university IDs and grades but no Social Security numbers. It was stolen from a faculty member in June during a trip to Spain. http://www.twincities.com/mld/twincities/news/local/15801934.htm


Return to the top of the newsletter

WEB SITE COMPLIANCE - This week begins our series on the Federal Financial Institutions Examination Council Guidance on Electronic Financial Services and Consumer Compliance.

Electronic Fund Transfer Act, Regulation E  (Part 1 of 2)

Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An Interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.

Financial institutions must ensure that consumers who sign-up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  


SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE

Financial institution system development, acquisition, and maintenance functions should incorporate agreed upon security controls into software prior to development and implementation. Management should integrate consideration of security controls into each phase of the system development process. For the purposes of this section, system development could include the internal development of customized systems, the creation of database systems, or the acquisition of third-party developed software. System development could include long-term projects related to large mainframe-based software projects with legacy source code or rapid Web-based software projects using fourth-generation programming. In all cases, institutions need to prioritize security controls appropriately.

SOFTWARE DEVELOPMENT AND ACQUISITION

Security Requirements

Financial institutions should develop security control requirements for new systems, system revisions, or new system acquisitions. Management will define the security control requirements based on their risk assessment process evaluating the value of the information at risk and the potential impact of unauthorized access or damage. Based on the risks posed by the system, management may use a defined methodology for determining security requirements, such as ISO 15408, the Common Criteria.23 Management may also refer to published, widely recognized industry standards as a baseline for establishing their security requirements. A member of senior management should document acceptance of the security requirements for each new system or system acquisition, acceptance of tests against the requirements, and approval for implementing in a production environment.

Development projects should consider automated controls for incorporation into the application and the need to determine supporting manual controls. Financial institutions can implement appropriate security controls with greater cost effectiveness by designing them into the original software rather than making subsequent changes after implementation. When evaluating purchased software, financial institutions should consider the availability of products that have either been independently evaluated or received security accreditation through financial institution or information technology-related industry groups.


Return to the top of the newsletter

IT SECURITY QUESTION:

F. PERSONNEL SECURITY

5. Determine if employees have an available and reliable mechanism to promptly report security incidents, weaknesses, and software malfunctions.

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

22. Does the institution provide the consumer with at least one of the following reasonable means of opting out, or with another reasonable means:

a. check-off boxes prominently displayed on the relevant forms with the opt out notice; [7(a)(2)(ii)(A)]

b. a reply form included with the opt out notice; [7(a)(2)(ii)(B)]

c. an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the institution's web site, if the consumer agrees to the electronic delivery of information; [7(a)(2)(ii)(C)] or

d. a toll-free telephone number? [7(a)(2)(ii)(D)]

(
Note: the institution may require the consumer to use one specific means, as long as that means is reasonable for that consumer. [7(a)(iv)])


NETWORK SECURITY TESTING
- IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated