FYI - Model Governance, Online Banking Security Highlighted in FDIC's Supervisory Insights - Flawed modeling presents risk to sound management decision-making; rise in online fraud, theft of consumer data dictate need for tighter online banking security - Banks' financial modeling, the security of Internet banking transactions, and bank insider misconduct are some of the issues of current focus for the bank regulatory community that are highlighted in the FDIC's Winter 2005 issue of Supervisory Insights, released today.
www.fdic.gov/news/news/press/2005/pr12405.html
FYI - Securing the IT Infrastructure Reduces Data
Theft - As data theft continues to be a major issue in the United
States, organizations must implement data security programs and
practices aimed at safeguarding private information.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5668
FYI - Online Delivery of Banking Services: Making Consumers Feel Secure -
Strengthening security for Internet-based financial transactions has
become a priority for banks, regulators, and consumers. This article
reviews key findings of an FDIC study that evaluates a variety of
identity authentication technologies.
http://www.fdic.gov/regulations/examinations/supervisory/insights/siwin05/article02_secure.html
FYI - DSW to Beef Up Computer Security in U.S. Settlement - Shoe retailer
DSW Inc. agreed to beef up its computer security to settle U.S.
charges that it did not adequately protect customers' credit cards
and checking accounts, the Federal Trade Commission said.
http://www.eweek.com/article2/0%2C1895%2C1895148%2C00.asp
FYI - 2005 hurricanes prompt more companies to store data off-site - IT
managers are also more willing to consider the use of third-party
storage services - The number of companies making copies of data to
protect it has dramatically risen in the wake of hurricanes Katrina
and Wilma this year, but most of those companies are keeping that
duplicate data locally where it's still vulnerable to disasters,
according to a survey released by Gartner Inc.
http://www.computerworld.com/printthis/2005/0,4814,106641,00.html
FYI - Security flaw allows wiretap evasion - The technology used for
decades by law enforcement agents to wiretap telephones has a
security flaw that allows the person being wiretapped to stop the
recorder remotely, according to research by computer security
experts who studied the system.
http://news.com.com/2102-1036_3-5976523.html?tag=st.util.print
FYI - Federal flaw database commits to grading system - A federal database
of software vulnerabilities funded by the U.S. Department of
Homeland Security has decided on a common method of ranking flaw
severity and has assigned scores to the more than 13,000
vulnerabilities currently contained in its database.
http://www.securityfocus.com/news/11360
FYI - Birch cuts some services in Kansas, Oklahoma - Birch Telecom Inc. has eliminated facilities-based services for about 1,700 customers in Topeka, Wichita, Oklahoma City and Tulsa, a company spokesman said Thursday.
http://www.bizjournals.com/kansascity/stories/2005/12/12/daily42.html
WEB SITE COMPLIANCE - Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures
via electronic means has raised many issues with respect to the
format of the disclosures, the manner of delivery, and the ability
to ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
services.
Disclosures are generally required to be "clear and
conspicuous." Therefore, compliance officers should
review the web site to determine whether the disclosures have been
designed to meet this standard. Institutions may find that the
format(s) previously used for providing paper disclosures may need
to be redesigned for an electronic medium. Institutions may find it
helpful to use "pointers" and "hotlinks" that
will automatically present the disclosures to customers when
selected. A financial institution's use solely of asterisks or
other symbols as pointers or hotlinks would not be as clear as
descriptive references that specifically indicate the content of the
linked material.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (5 of 5)
The access rights process also constrains user activities through an
acceptable-use policy (AUP). Users who can access internal systems
typically are required to agree to an AUP before using a system. An
AUP details the permitted system uses and user activities and the
consequences of noncompliance. AUPs can be created for all
categories of system users, from internal programmers to customers.
An AUP is a key control for user awareness and administrative
policing of system activities. Examples of AUP elements for internal
network and stand-alone users include:
• The specific access devices that can be used to access the network;
• Hardware and software changes the user can make to their access device;
• The purpose and scope of network activity;
• Network services that can be used, and those that cannot be used;
• Information that is allowable and not allowable for transmission using each allowable service;
• Bans on attempting to break into accounts, crack passwords, or disrupt service;
• Responsibilities for secure operation; and
• Consequences of noncompliance.
Depending on the risk associated with the access, authorized
internal users should generally receive a copy of the policy and
appropriate training, and signify their understanding and agreement
with the policy before management grants access to the system.
Customers may be provided with a Web site disclosure as their AUP.
Based on the nature of the Web site, the financial institution may
require customers to demonstrate knowledge of and agreement to abide
by the terms of the AUP. That evidence can be paper based or
electronic.
Authorized users may seek to extend their activities beyond what is
allowed in the AUP, and unauthorized users may seek to gain access
to the system and move within the system. Network security controls
provide the protection necessary to guard against those threats.
IT SECURITY QUESTION:
B. NETWORK SECURITY
2. Evaluate controls that are in place to install new or change existing network infrastructure and to prevent unauthorized connections to the financial institution's network.
• Review network architecture policies and procedures to establish new, or change existing, network connections and equipment.
• Identify controls used to prevent unauthorized deployment of network connections and equipment.
• Review the effectiveness and timeliness of controls used to prevent and report unauthorized network connections and equipment.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Opt Out Right and Exceptions:
The Right
Consumers must be given the right to "opt out" of, or
prevent, a financial institution from disclosing nonpublic personal
information about them to a nonaffiliated third party, unless an
exception to that right applies. The exceptions are detailed in
sections 13, 14, and 15 of the regulations and described below.
As part of the opt out right, consumers must be given a reasonable
opportunity and a reasonable means to opt out. What constitutes a reasonable
opportunity to opt out depends on the circumstances surrounding
the consumer's transaction, but a consumer must be provided a
reasonable amount of time to exercise the opt out right. For
example, it would be reasonable if the financial institution allows
30 days from the date of mailing a notice or 30 days after customer
acknowledgement of an electronic notice for an opt out direction to
be returned. What constitutes a reasonable means to opt out
may include check-off boxes, a reply form, or a toll-free telephone
number, again depending on the circumstances surrounding the
consumer's transaction. It is not reasonable to require a consumer
to write his or her own letter as the only means to opt out.