Internet Banking News

November 14, 1999

FYI - Internal control procedures created a security breach at NetBank.com, which advertises itself as the world's largest Internet bank. The CNET article can be found at http://www.bankwebsiteaudits.com/article111299.htm.

INTERNET SECURITY - Some considerations need to be evaluated before deciding to perform penetration testing of your Network/Internet computer system.

1) Penetration analysis is only a snapshot of security at a point in time; it does not guarantee that the system being tested is secure.

2) If using outside testers, the reputation of the firm or consultants hired is very important. The evaluators will assess the weaknesses in the bank's information security system. As such, the confidentiality of results and bank data is crucial. A bank may want to require security clearance checks on the evaluators. An institution should ask if the evaluators have liability insurance in case something goes wrong during the test. The bank should enter into a written contract with the evaluators, which at a minimum should address the above items.

3) If using internal testers, the independence of the testers from the system administrators responsible for the systems being tested.

4) The secrecy of the test. Some senior executives may order an analysis without the knowledge of information systems personnel. This can create unwanted results, including the notification of law enforcement personnel and wasted resources responding to what appears to be a real attack. To prevent an excessive response to the test's simulated attacks, bank management may consider informing certain individuals in the organization of the penetration analysis.

5) The importance of the systems to be tested. Some systems, such as a critical database that could be damaged during the test, may be too critical to be exposed to some of the methods used by the evaluators.

INTERNET COMPLIANCE - Regulations that allow electronic disclosures have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. The financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a mailing address to which the disclosures can be mailed.

PRIVACY - Over the next few months, I will cover the "Interagency Financial Institution Web Site Privacy Survey Report" dated November 1999.

The survey report defines the "Content of Privacy Disclosures" in terms of the "principles of fair information practice" identified by the Federal Trade Commission: notice, choice, access, security, and enforcement.

The scope of the survey did not include enforcement; however, it considered the ability of consumers to question or complain about a privacy practice or possible violation of the privacy policy (referred to as "contact"). For ease of presentation in the report, "contact" is treated as a principle of fair information practice. In the report, consumer "choice" includes a sub-category referred to as "secondary use." Secondary use refers to notification regarding disclosures to third parties (including affiliates) or subsequent use of information for purposes other than that for which it was initially collected.

The principle of fair information practice most frequently addressed in privacy disclosures was "notice" regarding information handling practices (84 percent).

Twenty-one percent of Web sites addressed all of the principles of fair information practices (i.e., notice, choice, access, security, and contact).

Eighteen percent of sites with a privacy disclosure offered consumers the ability to opt out of information sharing with third parties and 16 percent offered the opportunity to opt out of secondary uses of information within the institution.

WEB PAGES - With all the consumer and government concern about financial privacy, I believe it is important that you link to your privacy statement from all of the bank's web pages.
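One way to verify this across a site is to parse each page and confirm that at least one link resolves to the privacy statement. The following is an added example, not code from the newsletter or from Yennik, Inc.; it assumes the pages have already been fetched as HTML strings and that the privacy statement lives at the hypothetical path /privacy.html. Relative links are resolved against the page's own URL, so a link to "privacy.html" from a page in a subdirectory is correctly reported as pointing somewhere else.

```python
"""Check that every page of a site links to its privacy statement.

Added example (not from the newsletter). Assumes pages are already fetched
as HTML strings and that the privacy statement is at the hypothetical
path /privacy.html.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PRIVACY_PATH = "/privacy.html"  # assumed location of the privacy statement


class LinkCollector(HTMLParser):
    """Collect href targets of <a> and <area> elements."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area"):
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def links_to_privacy(page_url, html, privacy_path=PRIVACY_PATH):
    """True if the page contains a link resolving to the privacy statement.

    Relative links are resolved against page_url, so "privacy.html" on
    /about/staff.html resolves to /about/privacy.html and is not a match.
    """
    parser = LinkCollector()
    parser.feed(html)
    for href in parser.hrefs:
        target = urlparse(urljoin(page_url, href))
        if target.path.lower() == privacy_path.lower():
            return True
    return False


def pages_missing_privacy_link(pages, privacy_path=PRIVACY_PATH):
    """Return the URLs of pages that do not link to the privacy statement."""
    return [url for url, html in pages.items()
            if not links_to_privacy(url, html, privacy_path)]


# Constructed sample pages for a hypothetical bank site (not real data).
SAMPLE_PAGES = {
    "http://www.examplebank.test/index.html":
        '<html><body><a href="/privacy.html">Privacy Statement</a></body></html>',
    "http://www.examplebank.test/rates/index.html":
        '<html><body><a href="../privacy.html">Privacy</a></body></html>',
    # This relative link resolves to /about/privacy.html, which is wrong.
    "http://www.examplebank.test/about/staff.html":
        '<html><body><a href="privacy.html">Privacy</a></body></html>',
    "http://www.examplebank.test/loans.html":
        '<html><body><p>Apply today!</p></body></html>',
}

if __name__ == "__main__":
    for url in pages_missing_privacy_link(SAMPLE_PAGES):
        print("missing privacy link:", url)
```

Run against the constructed pages, the check flags the /about/staff.html page (broken relative link) and the /loans.html page (no link at all); the other two pass.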

If you have had a recent examination regarding electronic banking, I would appreciate receiving an e-mail about how the examiners are reacting to Internet security, privacy statement, and web site content.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated