R. Kinney Williams & Associates

Internet Banking News

December 18, 2005

CONTENTS: Internet Compliance, Information Systems Security, IT Security Question, Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which supports compliance with Gramm-Leach-Bliley Act section 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning: it takes a hacker's perspective and helps you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Model Governance, Online Banking Security Highlighted in FDIC's Supervisory Insights - Flawed modeling presents risk to sound management decision-making; the rise in online fraud and theft of consumer data dictates the need for tighter online banking security. Banks' financial modeling, the security of Internet banking transactions, and bank insider misconduct are some of the issues of current focus for the bank regulatory community highlighted in the FDIC's Winter 2005 issue of Supervisory Insights, released today. www.fdic.gov/news/news/press/2005/pr12405.html

FYI - Securing the IT Infrastructure Reduces Data Theft - As data theft continues to be a major issue in the United States, organizations must implement data security programs and practices aimed at safeguarding private information. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5668

FYI - Online Delivery of Banking Services: Making Consumers Feel Secure - Strengthening security for Internet-based financial transactions has become a priority for banks, regulators, and consumers. This article reviews key findings of an FDIC study that evaluates a variety of identity authentication technologies. http://www.fdic.gov/regulations/examinations/supervisory/insights/siwin05/article02_secure.html

FYI - DSW to Beef Up Computer Security in U.S. Settlement - Shoe retailer DSW Inc. agreed to beef up its computer security to settle U.S. charges that it did not adequately protect customers' credit cards and checking accounts, the Federal Trade Commission said. http://www.eweek.com/article2/0%2C1895%2C1895148%2C00.asp

FYI - 2005 hurricanes prompt more companies to store data off-site - IT managers are also more willing to consider the use of third-party storage services. The number of companies making copies of data to protect it has risen dramatically in the wake of hurricanes Katrina and Wilma this year, but most of those companies are keeping that duplicate data locally, where it is still vulnerable to disasters, according to a survey released by Gartner Inc. http://www.computerworld.com/printthis/2005/0,4814,106641,00.html

FYI - Security flaw allows wiretap evasion - The technology used for decades by law enforcement agents to wiretap telephones has a security flaw that allows the person being wiretapped to stop the recorder remotely, according to research by computer security experts who studied the system. http://news.com.com/2102-1036_3-5976523.html?tag=st.util.print

FYI - Federal flaw database commits to grading system - A federal database of software vulnerabilities funded by the U.S. Department of Homeland Security has decided on a common method of ranking flaw severity and has assigned scores to the more than 13,000 vulnerabilities currently contained in its database. http://www.securityfocus.com/news/11360

FYI - Birch cuts some services in Kansas, Oklahoma - Birch Telecom Inc. has eliminated facilities-based services for about 1,700 customers in Topeka, Wichita, Oklahoma City and Tulsa, a company spokesman said Thursday. http://www.bizjournals.com/kansascity/stories/2005/12/12/daily42.html


Disclosures and Notices

Several consumer regulations provide for disclosures and/or notices to consumers.  The compliance officer should check the specific regulations to determine whether the disclosures/notices can be delivered via electronic means.  The delivery of disclosures via electronic means has raised many issues with respect to the format of the disclosures, the manner of delivery, and the ability to ensure receipt by the appropriate person(s).  The following highlights some of those issues and offers guidance and examples that may be of use to institutions in developing their electronic services.

Disclosures are generally required to be "clear and conspicuous."  Therefore, compliance officers should review the web site to determine whether the disclosures have been designed to meet this standard. Institutions may find that the format(s) previously used for paper disclosures need to be redesigned for an electronic medium. Institutions may find it helpful to use "pointers" and "hotlinks" that automatically present the disclosures to customers when selected.  A financial institution's use solely of asterisks or other symbols as pointers or hotlinks would not be as clear as descriptive references that specifically indicate the content of the linked material.


We continue our series on the FFIEC interagency Information Security Booklet.

Access Rights Administration (5 of 5)

The access rights process also constrains user activities through an acceptable-use policy (AUP). Users who can access internal systems typically are required to agree to an AUP before using a system. An AUP details the permitted system uses and user activities and the consequences of noncompliance. AUPs can be created for all categories of system users, from internal programmers to customers. An AUP is a key control for user awareness and for administrative policing of system activities. Examples of AUP elements for internal network and stand-alone users include:

- The specific access devices that can be used to access the network;

- Hardware and software changes the user can make to their access device;

- The purpose and scope of network activity;

- Network services that can be used, and those that cannot be used;

- Information that is allowable and not allowable for transmission using each allowable service;

- Bans on attempting to break into accounts, crack passwords, or disrupt service;

- Responsibilities for secure operation; and

- Consequences of noncompliance.

Depending on the risk associated with the access, authorized internal users should generally receive a copy of the policy and appropriate training, and signify their understanding and agreement with the policy before management grants access to the system.

Customers may be provided with a Web site disclosure as their AUP. Based on the nature of the Web site, the financial institution may require customers to demonstrate knowledge of and agreement to abide by the terms of the AUP. That evidence can be paper based or electronic.

Authorized users may seek to extend their activities beyond what the AUP allows, and unauthorized users may seek to gain access to the system and move within it. Network security controls provide the protection necessary to guard against both of those threats.



Evaluate controls that are in place to install new or change existing network infrastructure and to prevent unauthorized connections to the financial institution's network.

Review network architecture policies and procedures to establish new, or change existing, network connections and equipment.

Identify controls used to prevent unauthorized deployment of network connections and equipment.

Review the effectiveness and timeliness of controls used to prevent and report unauthorized network connections and equipment.


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Opt Out Right and Exceptions:

The Right

Consumers must be given the right to "opt out" of, or prevent, a financial institution from disclosing nonpublic personal information about them to a nonaffiliated third party, unless an exception to that right applies. The exceptions are detailed in sections 13, 14, and 15 of the regulations and described below.

As part of the opt out right, consumers must be given a reasonable opportunity and a reasonable means to opt out. What constitutes a reasonable opportunity to opt out depends on the circumstances surrounding the consumer's transaction, but a consumer must be provided a reasonable amount of time to exercise the opt out right. For example, it would be reasonable for the financial institution to allow 30 days from the date of mailing a notice, or 30 days after customer acknowledgement of an electronic notice, for an opt out direction to be returned. What constitutes a reasonable means to opt out may include check-off boxes, a reply form, or a toll-free telephone number, again depending on the circumstances surrounding the consumer's transaction. It is not reasonable to require a consumer to write his or her own letter as the only means to opt out.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated