November 14, 1999
FYI - Internal control procedures created a security breach at NetBank.com
that advertises being the world's largest Internet bank. The CNET article can be found at http://www.bankwebsiteaudits.com/article111299.htm.
INTERNET SECURITY - Some considerations need to be evaluated before deciding to perform
penetration testing of your Network/Internet computer system.
1) Penetration analysis is only a snapshot of the security at a point in time and does not
provide a complete guaranty that the system being tested is secure.
2) If using outside testers, the reputation of the firm or consultants hired is very
important. The evaluators will assess the weaknesses in the bank's information security
system. As such, the confidentiality of results and bank data is crucial. A bank may want
to require security clearance checks on the evaluators. An institution should ask if the
evaluators have liability insurance in case something goes wrong during the test. The bank
should enter into a written contract with the evaluators, which at a minimum should
address the above items.
3) If using internal testers, the independence of the testers from the system administrators should be considered.
4) The secrecy of the test. Some senior executives may order an analysis without the
knowledge of information systems personnel. This can create unwanted results, including
the notification of law enforcement personnel and wasted resources responding to an
attack. To prevent excessive responses to the attacks, bank management may consider
informing certain individuals in the organization of the penetration analysis.
5) The importance of the systems to be tested. Some systems may be too critical to be
exposed to some of the methods used by the evaluators such as a critical database that
could be damaged during the test.
INTERNET COMPLIANCE - Regulations that allow electronic disclosures have been the subject
of questions regarding how institutions can ensure that the consumer can "keep"
the disclosure. A consumer using certain electronic devices, such as Web TV, may not be
able to print or download the disclosure. The financial institution may wish to include in
its on-line program the ability for consumers to give the financial institution a mailing
address to which the disclosures can be mailed.
PRIVACY - Over the next few months, I will cover the "Interagency Financial
Institution Web Site Privacy Survey Report" dated November 1999.
The survey report defines the "Content of Privacy Disclosures" as the privacy
disclosures of "principles of fair information practice" identified by the
Federal Trade Commission. The principles include notice, choice, access, security, and
The scope of the survey did not include enforcement; however, it considered the ability of
consumers to question or complain about a privacy practice or possible violation of the
report, "contact" is treated as a principle of fair information practice. In the
report, consumer "choice" includes a sub-category referred to as "secondary
use." Secondary use refers to notification regarding disclosures to third parties
(including affiliates) or subsequent use of information for purposes other than that for
which it was initially collected.
· The principle of fair information practice most frequently addressed in privacy
disclosures was "notice" regarding information handling practices (84 percent).
· Twenty-one percent of Web sites addressed all of the principles of fair information
practices (i.e., notice, choice, access, security, and contact).
· Eighteen percent of sites with a privacy disclosure offered consumers the ability to
opt out of information sharing with third parties and 16 percent offered the opportunity
to opt out of secondary uses of information within the institution.
WEB PAGES - With all the consumer and government's concern about financial privacy, I
believe it is important that you link your privacy statement from all the bank's web
If you have had a recent examination regarding electronic banking, I would appreciate
receiving an e-mail about how the examiners are reacting to Internet security, privacy
statement, and web site content.