R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

December 17, 2006

CONTENT Internet Compliance Information Systems Security
IT Security Question
 
Internet Privacy
 
Website for Penetration Testing
 
Does Your Financial Institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The VISTA penetration study and Internet security test is an affordable-sophisticated process than goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI
- GAO - Credit Unions: Greater Transparency Needed on Who Credit Unions Serve and on Senior Executive Compensation.  
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-07-29
Highlights - http://www.gao.gov/highlights/d0729high.pdf

FYI - Pick up the tab by texting - Forgot your credit card? Don't have cash on you? No worries--just use your cell phone to pay the bill.
That's what some folks in Boulder, Colo., can do if they sign up for an account with a Boulder-based start-up called Feed Tribes. http://news.com.com/2102-1039_3-6139451.html?tag=st.util.print

FYI - New E-Discovery Rules Benefit Some Firms - Companies that help businesses track and search their e-mails and other electronic data are experiencing a surge of interest in the wake of federal rule changes that clarify requirements to produce such evidence in lawsuits. http://news.yahoo.com/s/ap/20061201/ap_on_hi_te/storing_e_mails

MISSING COMPUTERS/DATA

FYI - Kaiser members warned of possible data theft - In yet another instance of laptop theft potentially endangering personal data, Kaiser Permanente Colorado is notifying some 38,000 members of a possible breach of their private health information. http://news.com.com/2061-10789_3-6139167.html

FYI - Linkin Park fan hacks phone data - A woman is accused of using a computer at a national laboratory to hack into a cell phone company's Web site to get a number for Chester Bennington, lead singer of the Grammy-winning rock group Linkin Park. http://news.yahoo.com/s/ap/20061124/ap_en_mu/people_linkin_park
 
FYI - Personal data at risk after Pa. DOT robbery - Thieves stole computers containing information on nearly 11,400 customers - Thieves stole equipment from a driver's license center and got away with computers containing personal information on more than 11,000 people, state officials said. http://www.msnbc.msn.com/id/15974532/

FYI - Credit Bureau Security Breached - TransUnion Credit Bureau is investigating who was able to get into their database and illegally download hundreds of people's personal information. The victims are now being told they'll have to monitor their credit report every month to make sure no one is abusing their identity. http://www.kxan.com/Global/story.asp?S=5752352&nav=menu73_2


Return to the top of the newsletter

WEB SITE COMPLIANCE -
Record Retention

Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.
 


Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  


SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST AND USER EQUIPMENT ACQUISITION AND MAINTENANCE

System Patches

Software support should incorporate a process to update and patch operating system and application software for new vulnerabilities. Frequently, security vulnerabilities are discovered in operating systems and other software after deployment. Vendors often issue software patches to correct those vulnerabilities. Financial institutions should have an effective monitoring process to identify new vulnerabilities in their hardware and software.  Monitoring involves such actions as the receipt and analysis of vendor and governmental alerts and security mailing lists. Once identified, secure installation of those patches requires a process for obtaining, testing, and installing the patch.

Patches make direct changes to the software and configuration of each system to which they are applied. They may degrade system performance. Also, patches may introduce new vulnerabilities, or reintroduce old vulnerabilities. The following considerations can help ensure patches do not compromise the security of systems:

! Obtain the patch from a known, trusted source;
! Verify the integrity of the patch through such means as comparisons of cryptographic hashes to ensure the patch obtained is the correct, unaltered patch;
! Apply the patch to an isolated test system and verify that the patch (1) is compatible with other software used on systems to which the patch will be applied, (2) does not alter the system's security posture in unexpected ways, such as altering log settings, and (3) corrects the pertinent vulnerability;
! Back up production systems prior to applying the patch;
! Apply the patch to production systems using secure methods, and update the cryptographic checksums of key files as well as that system's software archive;
! Test the resulting system for known vulnerabilities;
! Update the master configurations used to build new systems;
! Create and document an audit trail of all changes; and
! Seek additional expertise as necessary to maintain a secure computing environment.

Return to the top of the newsletter

IT SECURITY QUESTION: 
APPLICATION SECURITY

5. Determine whether re-establishment of any session after interruption requires normal user identification, authentication, and authorization.

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

32. When a customer relationship ends, does the institution continue to apply the customer's opt out direction to the nonpublic personal information collected during, or related to, that specific customer relationship (but not to new relationships, if any, subsequently established by that customer)? [7(g)(2)] 


NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated