R. Kinney Williams & Associates

Internet Banking News

December 3, 2006

CONTENT
- Internet Compliance
- Information Systems Security
- IT Security Question
- Internet Privacy
- Website for Penetration Testing
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Media exec charged with computer break-in - He broke into corporate network after dismissal, prosecutors say - A former Source Media Inc. executive was charged with hacking into the company's computer system three years after he was dismissed, and tipping off employees whose jobs were in jeopardy, prosecutors said. http://www.msnbc.msn.com/id/15739188/

FYI - Guidance Software settles with FTC - A computer forensics firm has settled Federal Trade Commission (FTC) charges that it failed to protect private customer data, including that of IT security professionals, when hackers hijacked its network last year.  http://news.com.com/2102-7350_3-6136165.html?tag=st.util.print and http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061120/605457/

FYI - Man used MP3 player to hack ATMs - Parsons plugged his MP3 player into the back of free standing cash machines and was able to use it to read data about customers' cards. That data could then be used to 'clone' cards and use them for bogus purchases. http://www.theregister.co.uk/2006/11/18/mp3_player_atm_hack/print.html

MISSING COMPUTERS/DATA

FYI - IRS Latest Federal Agency to Lose Laptops - According to documents obtained by WTOP through the Freedom of Information Act, between 2002 and 2006 year-to-date, the agency charged with collecting taxes and protecting taxpayers' personal information had 478 laptops either lost or stolen. http://www.wtopnews.com/index.php?nid=428&sid=975026

FYI - Stolen laptop leaves Nationwide red-faced - FSA probes data loss... The theft of a laptop containing Nationwide Building Society customer information is being probed by the Financial Services Authority (FSA). The laptop was stolen from an employee's house in a burglary in August. http://software.silicon.com/security/0,39024888,39164041,00.htm

FYI - Data on thousands of college students stolen - State education officials say personal information on thousands of college students is on a laptop computer stolen from Connors State College in Warner. Connors President Donnie Nero says the laptop has been recovered and a Connors State student is under investigation. http://www.kten.com/global/story.asp?s=5679797&ClientType=Printable

FYI - Hackers Steal Data From Landis Lab - A hacker stole data from computers at the French anti-doping lab where tests are being challenged by American cyclist Floyd Landis, police said. http://www.washingtonpost.com/wp-dyn/content/article/2006/11/14/AR2006111400389_pf.html



WEB SITE COMPLIANCE -
Truth in Lending Act (Regulation Z)

The commentary to regulation Z was amended recently to clarify that periodic statements for open-end credit accounts may be provided electronically, for example, via remote access devices. The regulations state that financial institutions may permit customers to call for their periodic statements, but may not require them to do so. If the customer wishes to pick up the statement and the plan has a grace period for payment without imposition of finance charges, the statement, including a statement provided by electronic means, must be made available in accordance with the "14-day rule," requiring mailing or delivery of the statement not later than 14 days before the end of the grace period.

Provisions pertaining to advertising of credit products should be carefully applied to an on-line system to ensure compliance with the regulation. Financial institutions advertising open-end or closed-end credit products on-line have options. Financial institutions should ensure that on-line advertising complies with the regulations. For on-line advertisements that may be deemed to contain more than a single page, financial institutions should comply with the regulations, which describe the requirements for multiple-page advertisements.

CLIENTS - You will find the following related regulations at:
http://www.fdic.gov/regulations/laws/rules/6500-1600.html#6500226.5 
http://www.fdic.gov/regulations/laws/rules/6500-1650.html#6500226.16 
http://www.fdic.gov/regulations/laws/rules/6500-1700.html#6500226.24
 



INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION

Outsourced Development

Many financial institutions outsource software development to third parties. Numerous vendor management issues exist when outsourcing software development. The vendor management program established by management should address the following:

- Verifying credentials and contracting only with reputable providers;
- Evaluating the provider's secure development environment, including background checks on its employees and its code development and testing processes;
- Obtaining fidelity coverage;
- Requiring signed nondisclosure agreements to protect the financial institution's rights to source code and customer data as appropriate;
- Establishing security requirements, acceptance criteria, and test plans;
- Reviewing and testing source code for security vulnerabilities, including covert channels or backdoors that might obscure unauthorized access into the system;
- Restricting any vendor access to production source code and systems and monitoring their access to development systems; and
- Performing security tests to verify that the security requirements are met before implementing the software in production.



IT SECURITY QUESTION:

G. APPLICATION SECURITY

3. Determine if appropriate message authentication takes place.

CLIENTS - The complete Information Security Booklet can be found at http://www.ffiec.gov/ffiecinfobase/booklets/information_secruity/information_security.pdf.


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

28. Does the institution refrain from requiring all joint consumers to opt out before implementing any opt out direction with respect to the joint account? [§7(d)(4)]

29. Does the institution comply with a consumer's direction to opt out as soon as is reasonably practicable after receiving it? [§7(e)]


NETWORK SECURITY TESTING
- IT examination guidelines require financial institutions to conduct an independent internal-network penetration test annually. With Gramm-Leach-Bliley and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing the internal connections to your network. For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated