November 12, 2000
FYI - The second Bank Technology Bulletin has been issued by the Federal Deposit Insurance Corporation's Bank Technology Group. The subject of this bulletin is Internet domain names. The bulletin highlights current issues of concern to the banking industry.
INTERNET SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Information Sharing.
Information sharing among reliable and reputable experts can help institutions reduce the risk of information system intrusions. The OCC encourages management to participate in information-sharing mechanisms as part of an effort to detect and respond to intrusions and vulnerabilities. Mechanisms for information sharing are being developed by many different organizations, each with a different mission and operation. In addition, many vendors offer information sharing and analysis services. Three organizations that are primarily involved with the federal government's national information security initiatives are the Financial Services Information Sharing and Analysis Center (FS/ISAC), the Federal Bureau of Investigation (FBI), and Carnegie Mellon University's CERT/CC.
The FS/ISAC was formed in response to Presidential Decision Directive 63: Critical Infrastructure Protection (May 22, 1998), which encourages the banking, finance, and other industries to establish information-sharing efforts in conjunction with the federal government. The FS/ISAC allows financial services entities to report incidents anonymously. In turn, the FS/ISAC rapidly distributes information about attacks to the FS/ISAC members. Banks can contact FS/ISAC by telephone at (888) 660-0134, by e-mail at firstname.lastname@example.org, or through its Web site at http://www.fsisac.com.
The FBI operates the National Information Protection Center InfraGard outreach effort. Because InfraGard supports law enforcement efforts, InfraGard members submit two versions of an incident report. One complete version is used by law enforcement and contains information that identifies the reporting member. The other version does not contain that identifying information and is distributed to other InfraGard members. Banks can reach the FBI through local FBI field offices or via e-mail at email@example.com.
CERT/CC is part of a federally funded research and development center at Carnegie Mellon University that helps organizations identify vulnerabilities and recover from intrusions. It provides up-to-date information on specific attacks (including viruses and denial of service) and collates and shares information with other organizations. CERT/CC does not require membership to report problems. Banks can contact CERT/CC by phone at (412) 268-7090 or e-mail at firstname.lastname@example.org.
INTERNET COMPLIANCE - Financial institutions advertising or selling nondeposit investment products on-line should ensure that consumers are informed of the risks associated with nondeposit investment products as discussed in the "Interagency Statement on Retail Sales of Nondeposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the nondeposit investment product or its lack of FDIC insurance.
We have been informed that the FDIC membership advertising and the above disclaimer should NOT be on the same web page. In addition, the disclaimer format disclosures should be boxed, set in boldface type, and displayed in a conspicuous manner.