R. Kinney Williams
December 24, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
FYI - Disabled deprived
of access to many top Web sites - Many Web sites around the world
are beyond the reach of disabled persons but could easily be
improved to meet international accessibility standards, a survey
commissioned by the United Nations found on Tuesday.
FYI - In Korea -
Insurance Covers Financial Losses From Hacking - Financial service
providers will be required to insure customers' accounts to cover
financial damage caused by hackers and financial accidents beginning
next month, the Financial Supervisory Service (FSS).
FYI - In the UK - Banks
hiding online fraud, say police - Banks and other financial
institutions are deliberately failing to report incidents of online
fraud to the police, possibly because they are worried about the
potential damage to their reputations, a senior police officer said.
FYI - ATM system called
unsafe - A U.S. Secret Service memo obtained by MSNBC.com indicates
that organized criminals are systematically attempting to subvert
the ATM system and unscramble encrypted PIN codes. Researchers who
work for an Israeli computer security company say they have
discovered a fundamental weakness in the system that banks use to
keep debit card PIN codes secret while they are transported across
bank networks - a flaw that they say could undermine the entire
debit card system.
FYI - Student hacked
into computers, police say - A student hacked into computers of four
UW-Whitewater staffers, gaining access to sensitive information such
as passwords, student disciplinary discussions and exam answers,
according to a criminal complaint. According to the complaint, Mraz
installed "Keylogger" software onto at least four computers by
downloading it from his university-issued flash drive, a portable
data storage device.
FYI - BITS and the
American Bankers Association jointly released the "BITS/ABA Key
Considerations for Responding to Unauthorized Access to Sensitive
FYI - Computer Hacking
Results In Armed Police Raid - A Denver woman who didn't have
adequate security on her home computer paid the price.
FYI - Cingular turns
cell phones into wallets in N.Y. trial - Some Cingular Wireless
cardholders in New York City will be testing a new service that
allows them to make purchases with their cell phones. The mobile
operator said Thursday that it's teaming with cell phone maker Nokia
and financial institutions Citigroup and MasterCard Worldwide to
trial new phones that have MasterCard PayPass contactless payment
FYI - Computer Stolen
from 130th Airlift Wing in Charleston - Theft prompts Army National
Guard unit to send out identity theft warnings across the state. A
laptop computer with personal information about every member of West
Virginia's Army National Guard 130th Airlift Wing in Charleston
recently was stolen.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
TRUTH IN SAVINGS ACT (REG DD)
Financial institutions that advertise deposit products and services
on-line must verify that proper advertising disclosures are made in
accordance with all provisions of the regulations. Institutions
should note that the disclosure exemption for electronic media does
not specifically address commercial messages made through an
institution's web site or other on-line banking system. Accordingly,
adherence to all of the advertising disclosure requirements is
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to OSC
regulations if the institution's deposit rates appear on third party
web sites or as part of a rate sheet summary. These types of
messages are not considered advertisements unless the depository
institution, or a deposit broker offering accounts at the
institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers, would supplement electronic disclosures
with paper disclosures.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Security personnel allow legitimate users to have system
access necessary to perform their duties. Because of their internal
access levels and intimate knowledge of financial institution
processes, authorized users pose a potential threat to systems and
data. Employees, contractors, or third - party employees can exploit
their legitimate computer access for malicious, fraudulent, or
economic reasons. Additionally, the degree of internal access
granted to some users increases the risk of accidental damage or
loss of information and systems. Risk exposures from internal users
! Altering data,
! Deleting production and back up data,
! Crashing systems,
! Destroying systems,
! Misusing systems for personal gain or to damage the institution,
! Holding data hostage, and
! Stealing strategic or customer data for corporate espionage or
BACKGROUND CHECKS AND SCREENING
Financial institutions should verify job application information on
all new employees. The sensitivity of a particular job or access
level may warrant additional criminal background and credit checks.
Institutions should verify that contractors are subject to similar
screening procedures. Typically, the minimum verification
! Character references;
! Confirmation of prior experience, academic record, and
professional qualifications; and
! Confirmation of identity from government issued identification.
After employment, managers should remain alert to changes in
employees' personal circumstances that could increase incentives for
system misuse or fraud.
Return to the top of the
Determine whether appropriate warning banners are displayed when
applications are accessed.
7. Determine whether appropriate logs are maintained and available
to support incident detection and response efforts.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
33. Except as permitted by §§13-15,
does the institution refrain from disclosing any nonpublic personal
information about a consumer to a nonaffiliated third party, other
than as described in the initial privacy notice provided to the
a. the institution has provided the consumer with a clear and
conspicuous revised notice that accurately describes the
institution's privacy policies and practices;
b. the institution has provided the consumer with a new opt out
c. the institution has given the consumer a reasonable opportunity
to opt out of the disclosure, before disclosing any information; [§8(a)(3)]
d. the consumer has not opted out? [§8(a)(4)]
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.