Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT security as
required by the FFIEC's "Interagency Guidelines Establishing
Information Security Standards."
For more
information and to subscribe visit
http://www.yennik.com/it-review/.
FYI -
Open slather for hackers on official databases - Computer hackers
could gain access to personal information held in government (New
South Wales, Australia) databases as state departments routinely
ignore government edicts that tighter security be imposed.
http://www.smh.com.au/technology/technology-news/open-slather-for-hackers-on-official-databases-20101020-16ucw.html
FYI -
Murky FinCEN SAR reporting: Is malware responsible? - Is there
finally a "smoking gun" for business banking trojans? Consider 10
years of the growth of malware compared to 10 years of the growth of
FinCEN SAR category reporting in Delaware.
http://www.scmagazineus.com/murky-fincen-sar-reporting-is-malware-responsible/article/181483/?DCMP=EMC-SCUS_Newswire
FYI -
Air Force manual describes shadowy cyberwar world - A new Air Force
manual for cyberwarfare describes a shadowy, fast-changing world
where anonymous enemies can carry out devastating attacks in seconds
and where conventional ideas about time and space don't apply.
http://www.washingtonpost.com/wp-dyn/content/article/2010/10/25/AR2010102500324_pf.html
FYI -
Govt plans to cut internet services in case of cyber attacks - NEW
DELHI: Indian law enforcement and national security officials are
drawing up plans that will give them technology capabilities to cut
off all internet services during emergencies.
http://economictimes.indiatimes.com/tech/internet/Govt-plans-to-cut-internet-services-in-case-of-cyber-attacks/articleshow/6791296.cms
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Penn. Medicaid recipients' information on missing flash drive - Two
health insurers said a flash drive containing the personal health
information of hundreds of thousands of Pennsylvania Medicaid
recipients has gone missing.
http://www.scmagazineus.com/penn-medicaid-recipients-information-on-missing-flash-drive/article/181490/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
TRUTH IN SAVINGS ACT (REG DD)
Financial institutions that advertise deposit products and services
on-line must verify that proper advertising disclosures are made in
accordance with all provisions of the regulations. Institutions
should note that the disclosure exemption for electronic media does
not specifically address commercial messages made through an
institution's web site or other on-line banking system. Accordingly,
adherence to all of the advertising disclosure requirements is
required.
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to the Official
Staff Commentary (OSC) to Regulation DD if the institution's deposit
rates appear on third party web sites or as part of a rate sheet
summary. These types of messages are not considered advertisements
unless the depository institution, or a deposit broker offering
accounts at the institution, pays a fee for or otherwise controls the
publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers should supplement the electronic
disclosures with paper disclosures.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and, most importantly,
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription form at
https://yennik.com/newletter_page.htm. There is no charge for
the e-newsletter.
SECURITY PROCESS
Action Summary - Financial institutions should implement an ongoing
security process, and assign clear and appropriate roles and
responsibilities to the board of directors, management, and
employees.
OVERVIEW
The security process is the method an organization uses to implement
and achieve its security objectives. The process is designed to
identify, measure, manage and control the risks to system and data
availability, integrity, and confidentiality, and ensure
accountability for system actions. The process includes five areas
that serve as the framework for this booklet:
1) Information Security Risk Assessment - A process to identify
threats, vulnerabilities, attacks, probabilities of occurrence, and
outcomes.
2) Information Security Strategy - A plan to mitigate risk that
integrates technology, policies, procedures and training. The plan
should be reviewed and approved by the board of directors.
3) Security Controls Implementation - The acquisition and operation
of technology, the specific assignment of duties and
responsibilities to managers and staff, the deployment of
risk-appropriate controls, and assurance that management and staff
understand their responsibilities and have the knowledge, skills,
and motivation necessary to fulfill their duties.
4) Security Testing - The use of various methodologies to gain
assurance that risks are appropriately assessed and mitigated. These
testing methodologies should verify that significant controls are
effective and performing as intended.
5) Monitoring and Updating - The process of continuously gathering
and analyzing information regarding new threats and vulnerabilities,
actual attacks on the institution or others, combined with the
effectiveness of the existing security controls. This information is
used to update the risk assessment, strategy, and controls.
Monitoring and updating makes the process continuous instead of a
one-time event.
Security risk variables include threats, vulnerabilities, attack
techniques, the expected frequency of attacks, financial institution
operations and technology, and the financial institution's defensive
posture. All of these variables change constantly. Therefore, an
institution's management of the risks requires an ongoing process.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
9) Does the institution list the following categories of nonpublic
personal information that it collects, as applicable:
a) information from the consumer; [§6(c)(1)(i)]
b) information about the consumer's transactions with the
institution or its affiliates; [§6(c)(1)(ii)]
c) information about the consumer's transactions with nonaffiliated
third parties; [§6(c)(1)(iii)] and
d) information from a consumer reporting agency? [§6(c)(1)(iv)]