R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

November 6, 2005

CONTENT Internet Compliance Information Systems Security
IT Security Question Internet Privacy Website for Penetration Testing


FYI - Developing a patch and vulnerability management strategy - In the first two quarters of 2005 more than 3,780 software vulnerabilities were reported, leaving a wide range of system components and software open to exploits. With the popular operating systems often the key target of worm and virus writers, the majority of businesses are left open to attacks. http://www.scmagazine.com/us/news/article/523151/

FYI - Most DNS servers 'wide open' to attack - Four in five authoritative domain name system (DNS) servers across the world are vulnerable to types of hacking attacks that might be used by hackers to misdirect surfers to potentially fraudulent domains. http://www.theregister.co.uk/2005/10/24/dns_security_survey/print.html

FYI - Bank of America Delays Security Update - The Bank of America's rollout of a stronger user authentication technology has hit a snag and is now expected to be completed in early 2006, several months later than originally planned. http://www.pcworld.com/news/article/0,aid,123148,tk,dn102105X,00.asp

FYI - Better protection possible with lower budgets - Organizations that focus on security processes and not products will be able to lower their total information security budgets while simultaneously improving their overall level of protection. http://www.scmagazine.com/us/news/article/523421/

FYI - Security Group Takes First Major Step Against VoIP Dangers - The Voice over IP Security Alliance (VoIPSA) today announced its much anticipated VoIP Security Threat Taxonomy, a classification and description of the types of security threats that affect IP telephony. http://www.networkingpipeline.com/showArticle.jhtml?articleID=172303368&_loopback=1

Return to the top of the newsletter

WEB SITE COMPLIANCE -
Advertisement Of Membership

The FDIC and NCUA consider every insured depository institution's online system top-level page, or "home page", to be an advertisement. Therefore, according to these agencies' interpretation of their rules, financial institutions subject to the regulations should display the official advertising statement on their home pages unless subject to one of the exceptions described under the regulations. Furthermore, each subsidiary page of an online system that contains an advertisement should display the official advertising statement unless subject to one of the exceptions described under the regulations. Additional information about the FDIC's interpretation can be found in the Federal Register, Volume 62, Page 6145, dated February 11, 1997.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

INFORMATION SECURITY STRATEGY (1 of 2)

Action Summary - Financial institutions should develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include

1)  Cost comparisons of different strategic approaches appropriate to the institution's environment and complexity,
2)  Layered controls that establish multiple control points between threats and organization assets, and
3)  Policies that guide officers and employees in implementing the security program.

An information security strategy is a plan to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements. Typical steps to building a strategy include the definition of control objectives, the identification and assessment of approaches to meet the objectives, the selection of controls, the establishment of benchmarks and metrics, and the preparation of implementation and testing plans.

The selection of controls is typically grounded in a cost comparison of different strategic approaches to risk mitigation. The cost comparison typically contrasts the costs of various approaches with the perceived gains a financial institution could realize in terms of increased confidentiality, availability, or integrity of systems and data. Those gains could include reduced financial losses, increased customer confidence, positive audit findings, and regulatory compliance. Any particular approach should consider: (1) policies, standards, and procedures; (2) technology and architecture; (3) resource dedication; (4) training; and (5) testing.

Return to the top of the newsletter

IT SECURITY QUESTION: 
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication

8. Determine whether adequate controls exist to protect against replay attacks and hijacking.

9. Determine whether token-based authentication mechanisms adequately protect against token tampering, provide for the unique identification of the token holder, and employ an adequate number of authentication factors.


Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

48. 
If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in 4(a)(2), opt out in 7 and 10, revised notice in 8, and for service providers and joint marketing in 13, not apply because the information is disclosed as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with:

a.  servicing or processing a financial product or service requested or authorized by the consumer; [14(a)(1)]

b.  maintaining or servicing the consumer's account with the institution or with another entity as part of a private label credit card program or other credit extension on behalf of the entity; or [14(a)(2)]

c.  a proposed or actual securitization, secondary market sale (including sale of servicing rights) or other similar transaction related to a transaction of the consumer? [14(a)(3)]

VISTA - Does Your Financial Institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The VISTA penetration study and Internet security test is an affordable-sophisticated process than goes far beyond the simple scanning of ports and testing focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated