R. Kinney Williams & Associates

Internet Banking News

April 25, 2004


FYI  - Defense - at last - issues wireless policy - The Defense Department has released its long-awaited wireless policy, making it mandatory for all DOD personnel, contractors and even visitors entering Defense facilities to encrypt unclassified information transmitted wirelessly. 
Press release:  http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25626
Policy:  http://gcn.com/newspics/dodd81002p.pdf

Vulnerability database goes live - Plan is to provide unbiased technical information about security flaws.  http://www.computerworld.com/printthis/2004/0,4814,92334,00.html

FYI  - Visa cards violated: BofA is reissuing after hack attack - Holders of Fleet Visa business credit cards may be the latest victims of hackers who possibly got hold of sensitive card numbers via a merchant's computer system, officials acknowledged yesterday.  http://business.bostonherald.com/technologyNews/view.bg?articleid=439&format=text

FYI  - Federal advisory group will grade network vulnerability - A senior governmental advisory group is planning to unveil a system this summer that will grade public and private information networks on their vulnerability to a terrorist attack, a member of the group said Tuesday. 

FYI - How One Company Protected Against Bagle - Amazingly, the insidious Bagle fooled users into following manual directions to infect their own computers. To stop it, our IT organization had to make some swift and sweeping changes--in fact, the events I'm about to describe all transpired in a matter of hours.

FYI  - The number of "phishing" e-mails circulating on the Web has increased from 279 to 215,643 over the past six months, according to e-mail security company MessageLabs.

FYI - US set to fine Washington bank, investigators eye Saudi accounts in money-laundering probe - US regulators are preparing to slap fines on Riggs Bank for not reporting millions of dollars in potentially suspicious transactions, and investigators are eyeing Saudi accounts in a money-laundering probe. 

FDIC Warns About Fraudulent E-Mails - The Federal Deposit Insurance Corporation has received complaints from consumers who received an e-mail that appears to have been sent by the FDIC. The fraudulent e-mail indicates that the FDIC has collaborated with credit card providers to provide a new service for those who wish to secure their credit cards against fraud and to be part of a secure online transaction network. www.fdic.gov/news/news/press/2004/pr4304.html


INTERNET COMPLIANCE - Disclosures/Notices (Part 1 of 2)

Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed. 


- We continue our series on the FFIEC interagency Information Security Booklet.  



Physical security for distributed IS, particularly LANs that are usually PC-based, is slightly different than for mainframe platforms. With a network there is often no centralized computer room. In addition, a network often extends beyond the local premises. There are certain components that need physical security. These include the hardware devices and the software and data that may be stored on the file servers, PCs, or removable media (tapes and disks). As with more secure IS environments, physical network security should prevent unauthorized personnel from accessing LAN devices or the transmission of data. In the case of wire-transfer clients, more extensive physical security is required.

Physical protection for networks as well as PCs includes power protection, physical locks, and secure work areas enforced by security guards and authentication technologies such as magnetic badge readers. Physical access to the network components (i.e., files, applications, communications, etc.) should be limited to those who require access to perform their jobs. Network workstations or PCs should be password protected and monitored for workstation activity.

Network wiring requires some form of protection since it does not have to be physically penetrated for the data it carries to be revealed or contaminated. Examples of controls include using a conduit to encase the wiring, avoiding routing through publicly accessible areas, and avoiding routing networking cables in close proximity to power cables. The type of wiring can also provide a degree of protection; signals over fiber, for instance, are less susceptible to interception than signals over copper cable.

Capturing radio frequency emissions also can compromise network security. Frequency emissions are of two types, intentional and unintentional. Intentional emissions are those broadcast, for instance, by a wireless network. Unintentional emissions are the normally occurring radiation from monitors, keyboards, disk drives, and other devices. Shielding is a primary control over emissions. The goal of shielding is to confine a signal to a defined area. An example of shielding is the use of foil-backed wallboard and window treatments. Once a signal is confined to a defined area, additional controls can be implemented in that area to further minimize the risk that the signal will be intercepted or changed.




1. Determine whether physical security for information technology equipment and operations is coordinated with that of other institution organizations.


- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

42.  Does the institution provide the consumer with a reasonable opportunity to opt out such as by:

a.  mailing the notices required by 10 and allowing the consumer to respond by toll-free telephone number, return mail, or other reasonable means (see question 22) within 30 days from the date mailed; [10(a)(3)(i)]

b.  where the consumer opens an on-line account with the institution and agrees to receive the notices required by 10 electronically, allowing the consumer to opt out by any reasonable means (see question 22) within 30 days from consumer acknowledgement of receipt of the notice in conjunction with opening the account; [10(a)(3)(ii)] or

c.  for isolated transactions, providing the notices required by 10 at the time of the transaction and requesting that the consumer decide, as a necessary part of the transaction, whether to opt out before the completion of the transaction? [10(a)(3)(iii)]

IN CLOSING - The FFIEC interagency Internet guidelines require financial institution web sites to comply with consumer compliance, advertising, notifications, weblinking, and other federal regulations.  We have identified 17 federal regulations and over 130 issues that relate to an institution's web site.  We also verify weblinks for functionality and appropriateness.  As a former bank examiner with over 40 years of experience, we audit web sites following the FFIEC Internet guidelines for financial institutions across the country.  Visit http://www.bankwebsiteaudits.com and learn how we can assist your financial institution.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated