FYI - Model
Governance, Online Banking Security Highlighted in FDIC's
Supervisory Insights Flawed modeling presents risk to sound
management decision-making; rise in online fraud, theft of consumer
data dictate need for tighter online banking security - Banks'
financial modeling, the security of Internet banking transactions,
and bank insider misconduct are some of the issues of current focus
for the bank regulatory community that are highlighted in the FDIC's
Winter 2005 issue of Supervisory Insights, released today.
FYI - Securing the IT Infrastructure Reduces Data
Theft - As data theft continues to be a major issue in the United
States, organizations must implement data security programs and
practices aimed at safeguarding private information.
FYI - Online Delivery of Banking Services: Making Consumers Feel Secure -
Strengthening security for Internet-based financial transactions has
become a priority for banks, regulators, and consumers. This article
reviews key findings of an FDIC study that evaluates a variety of
identity authentication technologies.
FYI - DSW to Beef Up Computer Security in U.S. Settlement - Shoe retailer
DSW Inc. agreed to beef up its computer security to settle U.S.
charges that it did not adequately protect customers' credit cards
and checking accounts, the Federal Trade Commission said.
FYI - 2005 hurricanes prompt more companies to store data off-site - IT
managers are also more willing to consider the use of third-party
storage services - The number of companies making copies of data to
protect it has dramatically risen in the wake of hurricanes Katrina
and Wilma this year, but most of those companies are keeping that
duplicate data locally where it's still vulnerable to disasters,
according to a survey released by Gartner Inc.
FYI - Security flaw allows wiretap evasion - The technology used for
decades by law enforcement agents to wiretap telephones has a
security flaw that allows the person being wiretapped to stop the
recorder remotely, according to research by computer security
experts who studied the system.
FYI - Federal flaw database commits to grading system - A federal database
of software vulnerabilities funded by the U.S. Department of
Homeland Security has decided on a common method of ranking flaw
severity and has assigned scores to the more than 13,000
vulnerabilities currently contained in its database.
FYI - Birch cuts some services
in Kansas, Oklahoma - Birch Telecom Inc. has eliminated
facilities-based services for about 1,700 customers in Topeka,
Wichita, Oklahoma City and Tulsa, a company spokesman said Thursday.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures
via electronic means has raised many issues with respect to the
format of the disclosures, the manner of delivery, and the ability
to ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
Disclosures are generally required to be "clear and
conspicuous." Therefore, compliance officers should
review the web site to determine whether the disclosures have been
designed to meet this standard. Institutions may find that the
format(s) previously used for providing paper disclosures may need
to be redesigned for an electronic medium. Institutions may find it
helpful to use "pointers " and "hotlinks" that
will automatically present the disclosures to customers when
selected. A financial institution's use solely of asterisks or
other symbols as pointers or hotlinks would not be as clear as
descriptive references that specifically indicate the content of the
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (5 of 5)
The access rights process also constrains user activities through an
acceptable - use policy (AUP). Users who can access internal systems
typically are required to agree to an AUP before using a system. An
AUP details the permitted system uses and user activities and the
consequences of noncompliance. AUPs can be created for all
categories of system users, from internal programmers to customers.
An AUP is a key control for user awareness and administrative
policing of system activities. Examples of AUP elements for internal
network and stand - alone users include:
! The specific access devices that can be used to access the
! Hardware and software changes the user can make to their access
! The purpose and scope of network activity;
! Network services that can be used, and those that cannot be used;
! Information that is allowable and not allowable for transmission
using each allowable service;
! Bans on attempting to break into accounts, crack passwords, or
! Responsibilities for secure operation; and
! Consequences of noncompliance.
Depending on the risk associated with the access, authorized
internal users should generally receive a copy of the policy and
appropriate training, and signify their understanding and agreement
with the policy before management grants access to the system.
Customers may be provided with a Web site disclosure as their AUP.
Based on the nature of the Web site, the financial institution may
require customers to demonstrate knowledge of and agreement to abide
by the terms of the AUP. That evidence can be paper based or
Authorized users may seek to extend their activities beyond what is
allowed in the AUP, and unauthorized users may seek to gain access
to the system and move within the system. Network security controls
provide the protection necessary to guard against those threats.
the top of the newsletter
IT SECURITY QUESTION:
controls that are in place to install new or change existing network
infrastructure and to prevent unauthorized connections to the
financial institution's network.
• Review network architecture policies and procedures to establish
new, or change
existing, network connections and equipment.
• Identify controls used to prevent unauthorized deployment of
network connections and
• Review the effectiveness and timeliness of controls used to
prevent and report unauthorized
network connections and equipment.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Opt Out Right and Exceptions:
Consumers must be given the right to "opt out" of, or
prevent, a financial institution from disclosing nonpublic personal
information about them to a nonaffiliated third party, unless an
exception to that right applies. The exceptions are detailed in
sections 13, 14, and 15 of the regulations and described below.
As part of the opt out right, consumers must be given a reasonable
opportunity and a reasonable means to opt out. What constitutes a reasonable
opportunity to opt out depends on the circumstances surrounding
the consumer's transaction, but a consumer must be provided a
reasonable amount of time to exercise the opt out right. For
example, it would be reasonable if the financial institution allows
30 days from the date of mailing a notice or 30 days after customer
acknowledgement of an electronic notice for an opt out direction to
be returned. What constitutes a reasonable means to opt out
may include check-off boxes, a reply form, or a toll-free telephone
number, again depending on the circumstances surrounding the
consumer's transaction. It is not reasonable to require a consumer
to write his or her own letter as the only means to opt out.