FYI - The attack of the $2 million worm - Internet-based
business disruptions triggered by worms and viruses are costing
companies an average of nearly $2 million in lost revenue per
incident, market researcher Aberdeen said on Tuesday.
http://news.com.com/The+attack+of+the+%242+million+worm/2100-7355_3-5258769.html?tag=cd.top
FYI - Cyber-loafing boss sacks office spyware detective - A
man who became so frustrated at the extent of his boss's
'cyber-loafing' has been sacked after he installed spyware on his
computer to prove he did little more than play video games each day.
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39151920-2000061744t-10000005c
FYI - Court Creates Snoopers' Heaven - A federal appeals
court in Massachusetts ruled that an e-mail provider did not break
the law when he copied and read e-mail messages sent to customers
through his server.
http://www.wired.com/news/privacy/0,1848,64094,00.html%3Ftw%3Dwn_tophead_2
FYI - Auditors: DHS flunks wireless security - The Homeland
Security Department's failure to impose security controls on its
wireless data exposes sensitive information to potential
eavesdropping and misuse, the department's inspector general said.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=26454
FYI - NIST aims to ease XP security setup - Officials at the
National Institute of Standards and Technology hope their new
publication will help simplify the process of setting security
controls on Microsoft Corp.'s Windows XP Professional operating
system.
Article:
http://www.fcw.com/fcw/articles/2004/0628/web-nist-06-29-04.asp
Download draft:
http://csrc.nist.gov/itsec/guidance_WinXP.html
INTERNET COMPLIANCE - We continue our review of the FFIEC
interagency statement on "Weblinking: Identifying Risks and Risk
Management Techniques."
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
Agreements
If a financial institution receives compensation from a third
party as the result of a weblink to the third-party's website, the
financial institution should enter into a written agreement with
that third party in order to mitigate certain risks. Financial
institutions should consider that certain forms of business
arrangements, such as joint ventures, can increase their risk. The
financial institution should consider including contract provisions
to indemnify itself against claims by:
1) dissatisfied purchasers of third-party products or
services;
2) patent or trademark holders for infringement by the third
party; and
3) persons alleging the unauthorized release or compromise of
their confidential information, as a result of the third-party's
conduct.
The agreement should not include any provision obligating the
financial institution to engage in activities inconsistent with the
scope of its legally permissible activities. In addition, financial
institutions should be mindful that various contract provisions,
including compensation arrangements, may subject the financial
institution to laws and regulations applicable to insurance,
securities, or real estate activities, such as RESPA, that establish
broad consumer protections.
In addition, the agreement should include conditions for terminating
the link. Third parties, whether they provide services directly to
customers or are merely intermediaries, may enter into bankruptcy,
liquidation, or reorganization during the period of the agreement.
The quality of their products or services may decline, as may the
effectiveness of their security or privacy policies. Also
potentially just as harmful, the public may fear or assume such a
decline will occur. The financial institution will limit its risks
if it can terminate the agreement in the event the service provider
fails to deliver service in a satisfactory manner.
Some weblinking agreements between a financial institution and a
third party may involve ancillary or collateral information-sharing
arrangements that require compliance with the Privacy Regulations.
For example, this may occur when a financial institution links to
the website of an insurance company with which the financial
institution shares customer information pursuant to a joint
marketing agreement.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Outsourced Development
Many financial institutions outsource software development to third
parties. Numerous vendor management issues exist when outsourcing
software development. The vendor management program established by
management should address the following:
! Verifying credentials and contracting only with reputable
providers;
! Evaluating the provider's secure development environment,
including background checks on its employees and code development
and testing processes;
! Obtaining fidelity coverage;
! Requiring signed nondisclosure agreements to protect the financial
institution's rights to source code and customer data as
appropriate;
! Establishing security requirements, acceptance criteria, and test
plans;
! Reviewing and testing source code for security vulnerabilities,
including covert channels or backdoors that might obscure
unauthorized access into the system;
! Restricting any vendor access to production source code and
systems and monitoring their access to development systems; and
! Performing security tests to verify that the security requirements
are met before implementing the software in production.
IT SECURITY QUESTION:
G. APPLICATION SECURITY
3. Determine if appropriate message authentication takes place.
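As an added illustration of what an examiner is looking for under this question (example code written for this newsletter, not from the FFIEC booklet), the block below shows keyed message authentication with HMAC-SHA256: every field of the message is length-prefixed before it is MACed so that shifting a field boundary or reordering fields changes the tag, and verification uses a constant-time comparison. The account, sequence and transfer values and the shared key are constructed sample data.

```python
import hmac
import hashlib
import struct


def canonical(fields):
    # Length-prefix every field so that ("ab", "c") and ("a", "bc") can never
    # encode to the same bytes; an unprefixed concatenation would let an
    # attacker move a field boundary without changing the MAC input.
    out = b""
    for f in fields:
        b = f.encode("utf-8") if isinstance(f, str) else f
        out += struct.pack(">I", len(b)) + b
    return out


def make_tag(key: bytes, fields) -> bytes:
    # Keyed MAC: without the shared secret a third party cannot compute
    # a valid tag for any message, which an unkeyed hash would not give.
    return hmac.new(key, canonical(fields), hashlib.sha256).digest()


def verify_tag(key: bytes, fields, tag: bytes) -> bool:
    expected = make_tag(key, fields)
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, tag)


# Constructed sample message and key (demo values, not from the page).
KEY = b"constructed-shared-secret-for-demo-only"
MSG = ("acct:1234", "seq:0042", "transfer:100.00")
TAG = make_tag(KEY, MSG)


def demo():
    """Return which verification attempts succeed; only the untouched
    message under the right key should."""
    results = {}
    results["valid"] = verify_tag(KEY, MSG, TAG)
    # Amount altered in transit: tag no longer matches.
    results["tampered"] = verify_tag(
        KEY, ("acct:1234", "seq:0042", "transfer:1000.00"), TAG)
    # Tag computed under a different key is rejected.
    results["wrong_key"] = verify_tag(b"other-key", MSG, TAG)
    # Same fields in a different order are a different message.
    results["reordered"] = verify_tag(
        KEY, ("acct:1234", "transfer:100.00", "seq:0042"), TAG)
    # Moving a field boundary is detected thanks to length prefixing.
    results["boundary"] = verify_tag(
        KEY, ("acct:1234seq:0042", "transfer:100.00"), TAG)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} accepted={ok}")
```

The checks an examiner would expect are visible here: a secret key is involved (an unkeyed checksum would let anyone recompute a matching value for an altered message), the MAC covers every field that matters and encodes them unambiguously, and the receiver compares tags in constant time. Replay protection (the sequence field is only covered, not checked) is a separate control.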
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the
privacy regulations.
Opt Out Right and Exceptions:
The Right
Consumers must be given the right to "opt out" of, or
prevent, a financial institution from disclosing nonpublic personal
information about them to a nonaffiliated third party, unless an
exception to that right applies. The exceptions are detailed in
sections 13, 14, and 15 of the regulations and described below.
As part of the opt out right, consumers must be given a reasonable
opportunity and a reasonable means to opt out. What constitutes a reasonable
opportunity to opt out depends on the circumstances surrounding
the consumer's transaction, but a consumer must be provided a
reasonable amount of time to exercise the opt out right. For
example, it would be reasonable if the financial institution allows
30 days from the date of mailing a notice or 30 days after customer
acknowledgement of an electronic notice for an opt out direction to
be returned. What constitutes a reasonable means to opt out
may include check-off boxes, a reply form, or a toll-free telephone
number, again depending on the circumstances surrounding the
consumer's transaction. It is not reasonable to require a consumer
to write his or her own letter as the only means to opt out.
IN CLOSING - Did you know that
R. Kinney Williams & Associates performs intranet-internal penetration testing
in addition to its popular external-Internet testing? To keep your cost
affordable, we install our pre-programmed scanner box on your network. To
maintain the independent testing required by the examiners, we control the
scanner box programming and testing procedures. For more information,
please visit http://www.internetbankingaudits.com/internal_testing.htm
or email Kinney Williams at examiner@yennik.com.