FYI - Why a token gesture is the perfect approach to enterprise security - The inadequacies of password-based logon have been widely discussed: passwords alone provide weak authentication to enterprise assets, jeopardize an organization's legislative compliance, and they cost money to administer.
http://204.249.42.113/opinion/2004/04/28_01.htm
FYI - BITS and The Financial Services Roundtable Adopt Software Security Policy - Software Providers Should Accept Responsibility for Their Role in Supporting US Financial Institutions and Critical Infrastructure.
http://www.bitsinfo.org/bitssoftsecuritypolicyapr04.pdf
FYI - Banks targeted in Windows hack attack - Malicious attackers in Brazil, Germany and the Netherlands tried to use a vulnerability in Windows to break into some of Australia's largest financial institutions, including at least three banks, over the Anzac weekend, according to the Atlanta-based security firm, Internet Security Systems.
http://www.smh.com.au/articles/2004/04/27/1082831541968.html
FYI - Hack-attack law to cost banks millions - Britain's banks are being forced to reveal potentially damaging details about how often they have been attacked by computer hackers.
http://www.thisismoney.com/20040422/nm77286.html
FYI - Alarm growing over bot software - While many network administrators worry about the next worm, security experts are warning that a quieter but equally damaging threat is slowly gaining control of large networks of computers.
http://news.com.com/2100-7349-5202236.html?part=dht&tag=ntop
FYI - Britain makes a first 'phishing' arrest - British police have made one of the first arrests in connection with an Internet scam known as "phishing," which is plaguing the fast-growing Web-banking business.
http://news.com.com/2100-7355_3-5201857.html?tag=nefd.top
INTERNET COMPLIANCE - Disclosures/Notices (Part 2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
ENCRYPTION
Encryption is used to secure communications and data storage,
particularly authentication credentials and the transmission of
sensitive information. It can be used throughout a technological
environment, including the operating systems, middleware,
applications, file systems, and communications protocols.
Encryption is used both as a prevention and detection control. As a
prevention control, encryption acts to protect data from disclosure
to unauthorized parties. As a detective control, encryption is used
to allow discovery of unauthorized changes to data and to assign
responsibility for data among authorized parties. When prevention
and detection are joined, encryption is a key control in ensuring
confidentiality, data integrity, and accountability.
Properly used, encryption can strengthen the security of an
institution's systems. Encryption also has the potential, however,
to weaken other security aspects. For instance, encrypted data
drastically lessens the effectiveness of any security mechanism that
relies on inspection of the data, such as anti-virus scanning and
intrusion detection systems. When encrypted communications are used,
networks may have to be reconfigured (for example, to terminate or
inspect encrypted sessions at a controlled point) to allow for adequate
detection of malicious code and system intrusions.
Although necessary, encryption carries the risk of making data
unavailable should anything go wrong with data handling, key
management, or the actual encryption. The products used and
administrative controls should contain robust and effective controls
to ensure reliability.
Encryption can impose significant overhead on networks and computing
devices. A loss of encryption keys or other failures in the
encryption process can deny the institution access to the encrypted
data.
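The three roles the booklet assigns to encryption (prevention of disclosure, detection of unauthorized change, and the availability risk when keys are lost) can be seen in a small piece of code. The following is an added example, not text or code from the FFIEC booklet or from this newsletter. It uses only the Python standard library, so the keystream is derived from HMAC-SHA256 in counter mode purely for demonstration; a production system would use a vetted authenticated-encryption mode (such as AES-GCM) from a maintained cryptography library rather than this construction. The record contents, key sizes and the encrypt-then-MAC layout (nonce || ciphertext || tag) are assumptions made for the example.

```python
"""Added example: encrypt-then-MAC with the Python standard library.

Demonstrates encryption as a prevention control (plaintext is hidden),
as a detection control (HMAC tag exposes any modification), and the
availability risk the booklet warns about (wrong or lost key => no data).
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # assumed sizes for this demonstration
TAG_LEN = 32     # HMAC-SHA256 output


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demonstration-only keystream: HMAC-SHA256(key, nonce || counter) blocks.
    Not a substitute for a standard cipher mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Prevention control: return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Detection control first: verify the tag, then decrypt.
    Raises ValueError if the data was altered or the keys are wrong."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: data modified or wrong key")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Exercise the three properties on a constructed sample record."""
    enc_key = secrets.token_bytes(32)
    mac_key = secrets.token_bytes(32)
    record = b"acct=12345678;pin=4321"   # constructed sample, not real data
    msg = encrypt(enc_key, mac_key, record)
    results = {}

    # Prevention: the plaintext does not appear in what is stored/transmitted.
    results["plaintext_hidden"] = record not in msg
    results["roundtrip"] = decrypt(enc_key, mac_key, msg) == record

    # Detection: flipping one bit inside the ciphertext is caught by the tag.
    tampered = bytearray(msg)
    tampered[NONCE_LEN + 4] ^= 0x01
    try:
        decrypt(enc_key, mac_key, bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True

    # Availability: with the keys lost, intact ciphertext is unrecoverable.
    try:
        decrypt(secrets.token_bytes(32), secrets.token_bytes(32), msg)
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Because the tag is checked before any decryption, a modified record is rejected outright instead of producing garbage that a downstream process might act on; the same check is what makes the "lost key" case fail cleanly, which is exactly the availability exposure that key backup and key-management controls exist to cover.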
Financial institutions should employ an encryption strength
sufficient to protect information from disclosure until such time as
the information's disclosure poses no material threat. For instance,
authenticators should be encrypted at a strength sufficient to allow
the institution time to detect and react to an authenticator theft
before the attacker can decrypt the stolen authenticators.
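The sizing rule stated above (strength sufficient to give the institution time to detect and react to a theft) is most often applied today to stored authenticators with a deliberately slow key-derivation function. The code below is an added illustration, not part of the booklet or this newsletter: it hashes an authenticator with PBKDF2-HMAC-SHA256 from the Python standard library and expresses the chosen iteration count as the time a guessing campaign of a given size would need on the institution's own hardware, so that the work factor can be compared against the detection-and-reset window. The iteration count, salt length and guess budget are assumptions for the example.

```python
"""Added example: sizing authenticator protection against a detection window.

Uses hashlib.pbkdf2_hmac (standard library). Higher iteration counts
raise the cost of each guess against a stolen authenticator store.
"""
import hashlib
import hmac
import secrets
import time

SALT_LEN = 16            # assumed
ITERATIONS = 200_000     # assumed starting work factor for the example


def hash_authenticator(secret: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte verifier; only this and the salt are stored."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def enroll(secret: bytes, iterations: int = ITERATIONS) -> tuple[bytes, bytes, int]:
    """Create a stored record (salt, verifier, iterations) for a new authenticator."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt, hash_authenticator(secret, salt, iterations), iterations


def verify(secret: bytes, salt: bytes, verifier: bytes, iterations: int) -> bool:
    """Constant-time comparison of the recomputed verifier."""
    return hmac.compare_digest(hash_authenticator(secret, salt, iterations), verifier)


def measure_seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Time one derivation on this machine (a rough lower bound on attacker cost
    per guess per core, since dedicated hardware is faster)."""
    salt = secrets.token_bytes(SALT_LEN)
    start = time.perf_counter()
    for _ in range(samples):
        hash_authenticator(b"timing-sample", salt, iterations)
    return (time.perf_counter() - start) / samples


def campaign_hours(seconds_per_guess: float, guesses: int, parallel_cores: int = 1) -> float:
    """Hours a guessing campaign of `guesses` attempts needs at the given rate."""
    return seconds_per_guess * guesses / parallel_cores / 3600


def iterations_for_window(detection_window_hours: float, guesses: int,
                          parallel_cores: int, seconds_per_iteration: float) -> int:
    """Smallest iteration count such that `guesses` attempts spread over
    `parallel_cores` take at least `detection_window_hours`."""
    needed_seconds_per_guess = detection_window_hours * 3600 * parallel_cores / guesses
    return max(1, int(needed_seconds_per_guess / seconds_per_iteration) + 1)


if __name__ == "__main__":
    salt, verifier, iters = enroll(b"correct-horse")          # constructed sample
    print("verify good:", verify(b"correct-horse", salt, verifier, iters))
    print("verify bad: ", verify(b"wrong-guess", salt, verifier, iters))
    per_guess = measure_seconds_per_guess(ITERATIONS)
    per_iter = per_guess / ITERATIONS
    # Assumed scenario: 10 million guesses, 64 cores, 72-hour detection window.
    print("hours for 1e7 guesses on 64 cores:",
          round(campaign_hours(per_guess, 10_000_000, 64), 1))
    print("iterations needed for a 72 h window:",
          iterations_for_window(72, 10_000_000, 64, per_iter))
```

The measured figure is a lower bound: an attacker with specialised hardware derives faster than a general-purpose server, so the window should be sized with a margin and the iteration count revisited as hardware improves.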
Decisions regarding what data to encrypt and at what points to
encrypt the data are typically based on the risk of disclosure and
the costs and risks of encryption. Generally speaking,
authenticators are always encrypted whether on public networks or on
the financial institution's network. Sensitive information is also
encrypted when passing over a public network, and also may be
encrypted within the institution.
Encryption cannot guarantee data security. Even if encryption is
properly implemented, for example, a security breach at one of the
endpoints of the communication can be used to steal the data or
allow an intruder to masquerade as a legitimate system user.
IT SECURITY QUESTION: E. PHYSICAL SECURITY
2. Determine whether sensitive data in both electronic and paper form is adequately controlled physically through creation, processing, storage, maintenance, and disposal.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
43. Does the institution allow the consumer to select certain
nonpublic personal information or certain nonaffiliated third
parties with respect to which the consumer wishes to opt out? [§10(c)]
(Note: an institution may allow partial opt outs
in addition to, but may not allow them instead of, a comprehensive
opt out.)
IN CLOSING - The FFIEC interagency Information Security Booklet states in part that financial institutions should have at least an annual independent penetration test.
Did you know that there are over 3,300 known
vulnerabilities with approximately 25 new vulnerabilities added
every week? As IS auditors, we can provide the independent penetration-vulnerability
testing to help protect {custom4} from
unauthorized external access.
Why should you use the VISTA security testing services instead of another company? For more information, please visit our web site at http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.