Internet Banking News
August 15, 1999
1) INTERNET SECURITY - Vulnerability assessment tools, also called
security scanning tools, assess the security of network or host systems and report system
vulnerabilities. These tools can scan networks, servers, firewalls, routers, and
applications for vulnerabilities. Generally, the tools can detect known security flaws or
bugs in software and hardware, determine if the systems are susceptible to known attacks
and exploits, and search for system vulnerabilities such as settings contrary to
established security policies.
In evaluating a vulnerability assessment tool, management should consider how frequently
the tool is updated to detect newly discovered weaknesses such as security flaws and bugs.
If there is a delay before a system patch is made available to correct an identified
weakness, mitigating controls may be needed until the patch is issued.
Vulnerability assessment tools are generally not run in real time; they are commonly run
on a periodic basis. When using the tools, it is important to ensure that the scan results
are kept secure and provided only to authorized parties, since a report of unpatched
weaknesses is itself a roadmap for an attacker. The tools can generate both technical and
management reports, including text, charts, and graphs. The vulnerability assessment
reports can tell a user what weaknesses exist and how to fix them. Some tools can
automatically fix vulnerabilities after detection; such automatic changes should be tested
and subject to the same change control as any other change to a production system.
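To make the description above concrete, here is a small assessment pass written for this newsletter; it is an added example, not code from any scanning product. It does the two things described: it matches installed software against a knowledge base of known flaws, and it compares host settings against a written policy, then produces a report naming each weakness and its fix. Every product name, flaw entry, policy value and host inventory in it is constructed for the example and refers to no real advisory. One detail a practitioner will recognize is the version comparison: a scanner that compares version strings as text would treat 1.9.5 as newer than 1.10.0 and report a vulnerable host as patched, so versions are compared numerically. A setting the scanner cannot read is reported as unverified rather than silently passed.

```python
"""Toy vulnerability assessment pass over a host inventory (added example).

All products, flaws, policy values and the sample host are constructed for
illustration; none corresponds to a real advisory or product.
"""
import re
from collections import Counter

# Constructed knowledge base. A product is vulnerable when its installed
# version is older than the version the fix shipped in.
KNOWN_FLAWS = [
    {"product": "webserver", "fixed_in": "2.4.0", "severity": "high",
     "remedy": "upgrade webserver to 2.4.0 or later"},
    {"product": "ftpd", "fixed_in": "1.10.0", "severity": "medium",
     "remedy": "upgrade ftpd to 1.10.0 or later"},
    {"product": "sshd", "fixed_in": "3.0.0", "severity": "high",
     "remedy": "upgrade sshd to 3.0.0 or later"},
]

# Constructed settings policy: (comparison, required value) per setting.
POLICY = {
    "telnet_enabled": ("eq", False),
    "min_password_length": ("ge", 8),
    "anonymous_ftp": ("eq", False),
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def version_key(version):
    """Numeric tuple for ordering, so 1.9.5 sorts before 1.10.0. A plain string
    comparison gets this wrong and would report 1.9.5 as already patched."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def check_known_flaws(software):
    """software: {product: installed_version}. Returns findings for vulnerable versions."""
    findings = []
    for flaw in KNOWN_FLAWS:
        installed = software.get(flaw["product"])
        if installed is None:
            continue  # product not present on this host
        if version_key(installed) < version_key(flaw["fixed_in"]):
            findings.append({
                "subject": flaw["product"],
                "severity": flaw["severity"],
                "detail": f"version {installed} is below fixed version {flaw['fixed_in']}",
                "remedy": flaw["remedy"],
            })
    return findings


def check_policy(settings):
    """settings: {name: value}. Returns findings for settings contrary to POLICY.
    A setting that could not be read is reported as unverified, never as compliant."""
    findings = []
    for name, (op, required) in POLICY.items():
        if name not in settings:
            findings.append({"subject": name, "severity": "info",
                             "detail": "setting could not be read; policy unverified",
                             "remedy": f"confirm manually that {name} satisfies policy"})
            continue
        actual = settings[name]
        compliant = actual == required if op == "eq" else actual >= required
        if not compliant:
            findings.append({"subject": name, "severity": "medium",
                             "detail": f"value is {actual!r}, policy requires {op} {required!r}",
                             "remedy": f"set {name} to satisfy policy ({op} {required!r})"})
    return findings


def assess(host):
    """Run both checks on one host; returns a report dict with findings, most severe first."""
    findings = check_known_flaws(host["software"]) + check_policy(host["settings"])
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])  # stable sort keeps order within a level
    return {"host": host["name"], "findings": findings,
            "summary": dict(Counter(f["severity"] for f in findings))}


def format_report(report):
    """Plain-text report listing each weakness and how to fix it."""
    lines = [f"Vulnerability assessment for {report['host']}",
             "Summary: " + ", ".join(f"{s}={n}" for s, n in report["summary"].items())]
    for f in report["findings"]:
        lines.append(f"[{f['severity'].upper()}] {f['subject']}: {f['detail']}")
        lines.append(f"    fix: {f['remedy']}")
    return "\n".join(lines)


# Constructed sample inventory, as a scanner might collect it from one server.
SAMPLE_HOST = {
    "name": "www-1 (constructed sample)",
    "software": {"webserver": "2.3.9", "ftpd": "1.9.5", "sshd": "3.0.1"},
    "settings": {"telnet_enabled": True, "min_password_length": 6},
}

if __name__ == "__main__":
    print(format_report(assess(SAMPLE_HOST)))
```

Run as a script it prints the report for the sample host: one high finding (webserver), three medium (ftpd, telnet enabled, short minimum password) and one unverified setting (anonymous_ftp, which the sample inventory does not contain). The same report is what should be kept confidential and delivered only to the people responsible for remediation.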
FYI - If your bank is using an Internet Service Provider, you should check with your
ISP about what vulnerability assessment tool(s) they are using. If your bank has its own
Internet server, the vendor of the hosting software you are using should be able to
recommend a vulnerability assessment tool(s). In either case, you should be receiving
periodic scan reports that need to be analyzed, with the results reported to your IS Committee.
2) INTERNET COMPLIANCE - Equal Credit Opportunity Act (Regulation B) - OSC §202.5(e)
clarifies the rules concerning the taking of credit applications by specifying that
application information entered directly into and retained by a computerized system
qualifies as a written application under this section. If an institution makes credit
application forms available through its on-line system, it must ensure that the forms
satisfy the requirements of §202.5.
OSC §202.13(b) also clarifies the regulatory requirements that apply when an institution
takes loan applications through electronic media. If an applicant applies through an
electronic medium (for example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the institution may treat the
application as if it were received by mail.
3) July 6, 1999, The General Accounting Office (GAO) issued its report entitled
"Electronic Banking - Enhancing Federal Oversight of Internet Banking
Activities." In short, the report recommends that the FDIC, OCC, FRB, OTS, and NCUA
need to improve their supervision of banks on the Internet in areas such as compliance
with laws and Internet security.
IN CONCLUSION - This past week, I was privileged to give a presentation to FDIC, OCC, FRB,
OTS, and NCUA examiners in Washington, D.C. about Internet Banking for the FFIEC Payment
Systems Risk Conference. A copy of my outline can be found at http://www.bankwebsiteaudits.com/ffiec/index.htm.