R. Kinney Williams & Associates

Internet Banking News

December 11, 2005

CONTENTS: Internet Compliance, Information Systems Security, IT Security Question, Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to verify their IT security settings, as well as to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - 12 Steps to IT Security Compliance - Implementing strategic IT security steps will help organizations comply with U.S. government regulations, while securing their IT processes and digital data. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5670

FYI - OCC Anti-Fraud Resources - The OCC's new feature provides consumers and bankers with information and resources to effectively identify, report, and combat fraud. www.occ.treas.gov/fraudresources.htm

FYI - Is System Lockdown the Secret Weapon? - In the ongoing battle to fight internal and external threats on the corporate desktop, IT staffers may be forgetting one very potent weapon in their arsenal - system lockdown. http://www.thechannelinsider.com/print_article2/0,1217,a=166172,00.asp

FYI - Mobile email threat to enterprises - Mobile email is on the verge of becoming mainstream, according to a new survey. But experts warn that enterprises must have strict policies in place to stop mobile devices from spreading malware. http://www.scmagazine.com/us/news/article/530041/?n=us

FYI - AIB (Allied Irish Bank) beefs up online security - AIB has updated the access measures for its online and telephone banking facility and has begun rolling out a new security feature for certain money transfer functions. http://www.siliconrepublic.com/news/news.nv?storyid=single5708

FYI - European committee approves extension to data storage law - An EU parliament committee voted on Thursday to keep details of all EU-wide telephone calls and Internet use for six months to a year to help combat terrorism and serious crime. http://www.zdnet.co.uk/print/?TYPE=story&AT=39238419-39020336t-10000014c

FYI - Secure advice for higher education - JISC is targeting UK universities and colleges with formal guidance on readdressing IT security. IT advisers for the higher education sector are calling for a new approach to information security, and all colleges and universities in the UK have been offered the new guidance. http://news.zdnet.co.uk/internet/security/0,39020375,39237498,00.htm

FYI - Backup encryption failures leave data in peril - Potentially sensitive corporate data is being placed unnecessarily at risk because less than a quarter of companies currently encrypt their backup tapes, newly published research has claimed. http://www.scmagazine.com/us/news/article/529514/?n=us

FYI - Expert: audits not enough - Corporations must do more than just conduct audits to protect against evolving security threats, a security compliance expert warned this week. http://www.scmagazine.com/us/news/article/530058/?n=us

WEB SITE COMPLIANCE - Flood Disaster Protection Act

The regulation implementing the National Flood Insurance Program requires a financial institution to notify a prospective borrower and the servicer that the structure securing the loan is located or to be located in a special flood hazard area. The regulation also requires a notice of the servicer's identity be delivered to the insurance provider. While the regulation addresses electronic delivery to the servicer and to the insurance provider, it does not address electronic delivery of the notice to the borrower.

We continue our series on the FFIEC interagency Information Security Booklet.

Access Rights Administration (4 of 5)

The access rights process programs the system to allow users only the access rights they were granted. Since access rights do not automatically expire or update, periodic updating and review of access rights on the system is necessary. Updating should occur when an individual's business needs for system use change. Many job changes can result in an expansion or reduction of access rights. Job events that would trigger a removal of access rights include transfers, resignations, and terminations. Institutions should take particular care to promptly remove the access rights of users who have remote access privileges and of those who administer the institution's systems.

Because updating may not always be accurate, periodic review of user accounts is a good control to test whether the access right removal processes are functioning, and whether users exist who should have their rights rescinded or reduced. Financial institutions should review access rights on a schedule commensurate with risk.

Access rights to new software and hardware present a unique problem. Typically, hardware and software are installed with default users, with at least one default user having full access rights. Easily obtainable lists of the default users and passwords of popular software exist, enabling anyone with access to the system to use the default user's access rights. Default user accounts should either be disabled, or the authentication to the account should be changed. Additionally, access to these default accounts should be monitored more closely than other accounts.

Sometimes software installs with a default account that allows anonymous access. Anonymous access is appropriate, for instance, where the general public accesses an informational web server. Systems that allow access to or store sensitive information, including customer information, should be protected against anonymous access.
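The review described in the three paragraphs above, worked through as an added Python example that is not part of the newsletter or the FFIEC booklet: it takes a constructed account listing (the record fields, the hypothetical default-account list and the 90-day dormancy threshold are all assumptions) and ranks what needs action first, with terminated or transferred users who hold remote or administrative access, default accounts whose installation credential was never changed, and anonymous access on a sensitive system at the top.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Built-in account names vendors often ship enabled (constructed list for this example).
DEFAULT_ACCOUNTS = {"admin", "guest", "sa", "root", "anonymous"}
@dataclass
class Account:
    name: str
    system: str
    enabled: bool
    hr_status: str                           # "active", "transferred" or "terminated"
    remote_access: bool = False
    administrator: bool = False
    last_login: Optional[date] = None
    password_changed: Optional[date] = None  # None: still the installation credential
    system_sensitive: bool = False           # system stores customer or other sensitive data

def review_accounts(accounts, today, dormant_days=90):
    """Return (severity, user, system, reason) findings, highest severity first."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                         # already removed; nothing to report
        user = a.name.lower()
        if a.hr_status in ("terminated", "transferred"):
            # Remote and administrative users are the priority for prompt removal.
            sev = "HIGH" if (a.remote_access or a.administrator) else "MEDIUM"
            findings.append((sev, a.name, a.system, f"{a.hr_status} user still enabled"))
        if user in DEFAULT_ACCOUNTS:
            if user == "anonymous" and a.system_sensitive:
                findings.append(("HIGH", a.name, a.system, "anonymous access on sensitive system"))
            elif user != "anonymous" and a.password_changed is None:
                findings.append(("HIGH", a.name, a.system, "default account with unchanged credential"))
            else:
                findings.append(("LOW", a.name, a.system, "default account enabled: monitor closely"))
        elif a.hr_status == "active" and (a.last_login is None or (today - a.last_login).days > dormant_days):
            findings.append(("MEDIUM", a.name, a.system, f"no login in {dormant_days} days"))
    return sorted(findings, key=lambda f: ("HIGH", "MEDIUM", "LOW").index(f[0]))
# Constructed sample account listing; the review date is the newsletter's issue date.
SAMPLE = [
    Account("jsmith", "core-banking", True, "terminated", remote_access=True, last_login=date(2005, 11, 30), password_changed=date(2005, 6, 1)),
    Account("mjones", "core-banking", True, "active", last_login=date(2005, 7, 1), password_changed=date(2005, 7, 1)),
    Account("admin", "loan-server", True, "active", administrator=True, system_sensitive=True),
    Account("anonymous", "public-www", True, "active"),
    Account("anonymous", "customer-db", True, "active", system_sensitive=True),
    Account("rlee", "hr-system", False, "terminated", administrator=True),
]
def sample_findings():
    return review_accounts(SAMPLE, date(2005, 12, 11))
```

Running `sample_findings()` on the constructed listing yields three HIGH findings, one MEDIUM dormant account and one LOW note for the anonymous account on the public web server; the already-disabled account produces nothing.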


Evaluate the adequacy and accuracy of the network architecture.

a)  Obtain a schematic overview of the financial institution's network architecture.

b)  Review procedures for maintaining current information, including inventory reporting of how new hardware is added and old hardware is removed.

c)  Review audit and security reports that assess the accuracy of network architecture schematics and identify unreported systems.
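Steps b) and c) in code, as an added example that is not from the newsletter: a reconciliation of a constructed asset inventory against constructed DHCP lease lines, normalising the different MAC address notations so that unreported systems, decommissioned hardware that is still on the network, and in-service entries never observed can each be reported. The inventory columns, the lease line format and all hostnames and addresses are assumptions.

```python
import re

# Constructed inventory, as an institution's asset register might export it:
# (hostname, MAC as recorded, network segment, status).
INVENTORY = [
    ("teller-07",   "00:0A:95:9D:68:16", "branch-lan",  "in-service"),
    ("loan-app-01", "0011.2233.4455",    "server-vlan", "in-service"),
    ("old-print-2", "00-1b-63-84-45-e6", "branch-lan",  "decommissioned"),
    ("hr-db-01",    "00:1c:42:2b:60:5a", "server-vlan", "in-service"),
]

# Constructed DHCP lease lines covering the review period (hostnames and IPs are made up).
OBSERVED_LOG = """\
2005-12-08 08:02:11 lease 10.1.20.45 mac 00:0a:95:9d:68:16 host teller-07
2005-12-08 08:05:40 lease 10.1.30.12 mac 00:11:22:33:44:55 host loan-app-01
2005-12-08 09:14:02 lease 10.1.20.77 mac 00-1B-63-84-45-E6 host old-print-2
2005-12-09 17:45:19 lease 10.1.20.91 mac 00:26:bb:12:34:56 host -
"""
LEASE_RE = re.compile(r"lease (\S+) mac (\S+) host (\S+)")

def normalize_mac(raw):
    """Canonicalise 00:0A:.., 00-0a-.. and 000a.95.. forms to lowercase colon-separated."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def reconcile(inventory, log):
    """Compare the documented inventory with the devices actually observed.
    Returns three lists of (mac, detail) findings:
      unreported   - seen on the network but absent from the inventory (item c)
      still_active - recorded as decommissioned yet still observed (item b, removals)
      unseen       - recorded in service but never observed (inventory may be stale)
    """
    by_mac = {normalize_mac(mac): (host, seg, status) for host, mac, seg, status in inventory}
    seen = {}
    for m in LEASE_RE.finditer(log):
        ip, mac, host = m.groups()
        seen[normalize_mac(mac)] = (ip, host)
    report = {"unreported": [], "still_active": [], "unseen": []}
    for mac, (ip, host) in seen.items():
        if mac not in by_mac:
            report["unreported"].append((mac, f"{ip} host={host}"))
        elif by_mac[mac][2] == "decommissioned":
            report["still_active"].append((mac, f"{by_mac[mac][0]} still leasing {ip}"))
    for mac, (host, seg, status) in by_mac.items():
        if status == "in-service" and mac not in seen:
            report["unseen"].append((mac, f"{host} ({seg}) not observed"))
    return report
```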

We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Nonpublic Personal Information:

"Nonpublic personal information" generally is any information that is not publicly available and that:

1)  a consumer provides to a financial institution to obtain a financial product or service from the institution;

2)  results from a transaction between the consumer and the institution involving a financial product or service; or

3)  a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.

Information is publicly available if an institution has a reasonable basis to believe that the information is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures to the general public. Examples include information in a telephone book or a publicly recorded document, such as a mortgage or securities filing.

Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, social security numbers, income, credit score, and information obtained through Internet collection devices (i.e., cookies).

There are special rules regarding lists. Publicly available information would be treated as nonpublic if it were included on a list of consumers derived from nonpublic personal information. For example, a list of the names and addresses of a financial institution's depositors would be nonpublic personal information even though the names and addresses might be published in local telephone directories because the list is derived from the fact that a person has a deposit account with an institution, which is not publicly available information.

However, if the financial institution has a reasonable basis to believe that certain customer relationships are a matter of public record, then any list of these relationships would be considered publicly available information. For instance, a list of mortgage customers where the mortgages are recorded in public records would be considered publicly available information. The institution could provide a list of such customers, and include on that list any other publicly available information it has about the customers on that list without having to provide notice or opt out.

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated