Internet Banking News

August 15, 1999

1) INTERNET SECURITY - Vulnerability assessment tools, also called security scanning tools, assess the security of network or host systems and report system vulnerabilities. These tools can scan networks, servers, firewalls, routers, and applications for vulnerabilities. Generally, the tools can detect known security flaws or bugs in software and hardware, determine if the systems are susceptible to known attacks and exploits, and search for system vulnerabilities such as settings contrary to established security policies.

In evaluating a vulnerability assessment tool, management should consider how frequently the tool is updated to include the detection of any new weaknesses such as security flaws and bugs. If there is a time delay before a system patch is made available to correct an identified weakness, mitigating controls may be needed until the system patch is issued.

Generally, vulnerability assessment tools are not run in real-time, but they are commonly run on a periodic basis. When using the tools, it is important to ensure that the results from the scan are secure and only provided to authorized parties. The tools can generate both technical and management reports, including text, charts, and graphs. The vulnerability assessment reports can tell a user what weaknesses exist and how to fix them. Some tools can automatically fix vulnerabilities after detection.

FYI - If your bank is using an Internet Service Provider, you should check with your ISP about what vulnerability assessment tool(s) they are using. If your bank has its own Internet server, the hosting program that you are using should be able to recommend a vulnerability assessment tool(s). In either case, you should be receiving periodic reports that need to be analyzed, and the results reported to your IS Committee.

2) INTERNET COMPLIANCE - Equal Credit Opportunity Act (Regulation B) - OSC 202.5(e) clarifies the rules concerning the taking of credit applications by specifying that application information entered directly into and retained by a computerized system qualifies as a written application under this section. If an institution makes credit application forms available through its on-line system, it must ensure that the forms satisfy the requirements of 202.5.

OSC 202.13(b) also clarifies the regulatory requirements that apply when an institution takes loan applications through electronic media. If an applicant applies through an electronic medium (for example, the Internet or a facsimile) without video capability that allows employees of the institution to see the applicant, the institution may treat the application as if it were received by mail.

3) July 6, 1999, The Government Accounting Office (GAO) issued its report entitled "Electronic Banking - Enhancing Federal Oversight of Internet Banking Activities." In short, the report recommends that the FDIC, OCC, FRB, OTS, and NCUA needs to improve their supervision of banks on the Internet in areas such as compliance laws and Internet security.

IN CONCLUSION - This past week, I was privileged to give a presentation to FDIC, OCC, FRB, OTS, and NCUA examiners in Washington D. C. about Internet Banking for the FFIEC Payment Systems Risk Conference. A copy of my outline can be found at

Back Button

Go to the Bank Web Site Audit home page.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated