FYI - Online Crime Costs Rising - Online criminals are attacking corporate and government networks more frequently, costing businesses an estimated $666 million in 2003, according to a survey of computer security executives released today.
http://www.securityfocus.com/printable/news/8767
FYI - FDIC faulted for weak security - The federal agency that insures U.S. bank deposits suffers from network security holes that make it vulnerable to cyber thieves and saboteurs, a report by congressional investigators concluded Friday.
News story:
http://www.securityfocus.com/printable/news/8796
GAO report:
http://www.gao.gov/new.items/d04630.pdf
FYI - Group wants input on vulnerability reporting guidelines - The Organization for Internet Safety is soliciting comments on its guidelines for reporting and responding to software security vulnerabilities.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=26045
FYI - GAO Technology Assessment: Cybersecurity for Critical Infrastructure Protection.
GAO Report:
http://www.gao.gov/new.items/d04321.pdf
Highlights:
http://www.gao.gov/highlights/d04321high.pdf
FYI - GAO Information Security: Agencies Face Challenges in Implementing Effective Software Patch Management Processes.
GAO Report:
http://www.gao.gov/new.items/d04816t.pdf
Highlights:
http://www.gao.gov/highlights/d04816thigh.pdf
INTERNET COMPLIANCE - We begin this week reviewing the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques" issued in April 2003.
A. RISK DISCUSSION
Introduction
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking
relationships are exposed to several risks associated with the use
of this technology. The most significant risks are reputation
risk and compliance risk.
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in distinguishing whether the financial
institution or the linked third party is offering products and
services;
- customer dissatisfaction with the quality of products or
services obtained from a third party; and
- customer confusion as to whether certain regulatory
protections apply to third-party products or services.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
MALICIOUS CODE
Malicious code is any program that acts in unexpected and
potentially damaging ways. Common types of malicious code are
viruses, worms, and Trojan horses. The functions of each were once
mutually exclusive; however, developers combined functions to create
more powerful malicious code. Currently malicious code can replicate
itself within a computer and transmit itself between computers.
Malicious code also can change, delete, or insert data, transmit
data outside the institution, and insert backdoors into institution
systems. Malicious code can attack institutions at either the server
or the client level. It can also attack routers, switches, and other
parts of the institution infrastructure. Malicious code can also
monitor users in many ways, such as logging keystrokes, and
transmitting screenshots to the attacker.
Typically malicious code is mobile, using e-mail, Instant
Messenger, and other peer-to-peer (P2P) applications, or active
content attached to Web pages as transmission mechanisms. The code
also can be hidden in programs that are downloaded from the Internet
or brought into the institution on diskette. At times, the malicious
code can be created on the institution's systems either by intruders
or by authorized users. The code can also be introduced to a Web
server in numerous ways, such as entering the code in a response
form on a Web page.
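The "code entered in a response form" case above is decided by how the institution's own web application handles submitted text: served back verbatim, it becomes active content for every later visitor; encoded first, it stays text. The following Python example is added here and is not part of the FFIEC booklet or this newsletter. It assumes a hypothetical comment form with "name" and "comment" fields and a constructed submission, and shows the weak handler beside the corrected one, plus a simple check that flags markup arriving in a field that should hold plain text so the submission can be logged and reviewed.

```python
import html
import re

# Constructed sample submission to a hypothetical "comment" form field.
# The field is meant to hold plain text, but this submission carries
# active content (a script tag), the case the booklet describes as code
# "entered in a response form on a Web page".
SAMPLE_SUBMISSION = {
    "name": "J. Customer",
    "comment": "Nice site <script>alert('x')</script>",
}

# Matches the start of an HTML tag such as "<script" or "</div" inside a
# field that is supposed to contain no markup at all.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def contains_markup(value: str) -> bool:
    """Return True if a plain-text field arrived carrying HTML markup.

    This is a detection signal, not the control itself: a plain-text field
    that shows up with tags in it is worth logging and reviewing regardless
    of how the page renders it.
    """
    return _TAG_RE.search(value) is not None


def render_unsafe(submission: dict) -> str:
    """The weak handler: interpolates the submitted text into the page as-is.

    Whatever was typed into the form is stored and served back verbatim, so
    a script tag in the field becomes part of the page shown to every later
    visitor.
    """
    return "<p><b>{name}</b>: {comment}</p>".format(**submission)


def render_safe(submission: dict) -> str:
    """The corrected handler: HTML-escapes every field before interpolation.

    html.escape turns '<', '>', '&' and both quote characters into entities,
    so the browser displays the submitted text as text instead of running it.
    """
    escaped = {k: html.escape(v, quote=True) for k, v in submission.items()}
    return "<p><b>{name}</b>: {comment}</p>".format(**escaped)


if __name__ == "__main__":
    print("markup detected:", contains_markup(SAMPLE_SUBMISSION["comment"]))
    print("unsafe:", render_unsafe(SAMPLE_SUBMISSION))
    print("safe:  ", render_safe(SAMPLE_SUBMISSION))
```

Escaping at the point of output is the control that holds regardless of how the text got into the database; the markup check is only there to make the attempt visible in logs. Fields that legitimately accept HTML need an allow-list sanitizer rather than this check.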
Malicious code does not have to be targeted at the institution to
damage the institution's systems or steal the institution's data.
Most malicious code is general in application, potentially affecting
all Internet users with whatever operating system or application the
code needs to function.
IT SECURITY QUESTION:
F. PERSONNEL SECURITY
3. Determine if the institution requires personnel with
authority to access customer information and confidential
institution information to sign and abide by confidentiality
agreements.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and
Servicing Transactions
48. If the institution discloses nonpublic personal
information to nonaffiliated third parties, do the requirements for
initial notice in §4(a)(2), opt out in §§7 and 10, revised notice
in §8, and for service providers and joint marketing in §13, not
apply because the information is disclosed as necessary to effect,
administer, or enforce a transaction that the consumer requests or
authorizes, or in connection with:
a. servicing or processing a financial product or service
requested or authorized by the consumer; [§14(a)(1)]
b. maintaining or servicing the consumer's account with the
institution or with another entity as part of a private label credit
card program or other credit extension on behalf of the entity; or [§14(a)(2)]
c. a proposed or actual securitization, secondary market sale
(including sale of servicing rights) or other similar transaction
related to a transaction of the consumer? [§14(a)(3)]
IN CLOSING - Did you know that
R. Kinney Williams & Associates performs intranet-internal
penetration testing in addition to its popular external-Internet
testing? To keep your cost affordable, we install our
pre-programmed scanner box on your network. To maintain the
independent testing required by the examiners, we control the
scanner box programming and testing procedures. For more
information, please visit
http://www.internetbankingaudits.com/internal_testing.htm or
email Kinney Williams at
examiner@yennik.com.