FYI - Guidance on
Information Technology Management and Outsourcing Technology
Services Released by Federal Financial Institution Regulators - The
Federal Financial Institutions Examination Council today issued
revised guidance for examiners, financial institutions, and
technology service providers on two topics: managing financial
institutions' information technology activities and outsourcing
technology services.
www.ffiec.gov/press/pr071504.htm
FYI - Bank IDs tackle cyber fraud - A worrying industry-wide
surge in cyber fraud has prompted Bendigo Bank to offer upgraded
security to its 70,000 internet banking customers, by way of a
device that generates a one-off user password.
http://australianit.news.com.au/common/print/0,7208,10051563%5E15331%5E%5Enbv%5E15306%2D15318,00.html
FYI - Classified Information Items Missing at LANL - Two
items containing classified information are missing from Los Alamos
National Laboratory, a lab spokesman said.
http://www.abqjournal.com/north/aplanl07-09-04.htm
FYI - iPods, other small storage devices pose security risk
- The iPod may be popular, but it also poses such a major security
risk for businesses that enterprises should seriously consider
banning it and other portable storage devices, according to a study
by research firm Gartner Inc.
http://www.computerworld.com/printthis/2004/0,4814,94319,00.html
FYI - Banking law mints
tech windfall - New legislation taking effect later this year is
triggering a wave of technology spending as banks take further steps
toward an all-digital future.
http://news.com.com/Banking+law+mints+tech+windfall/2100-7343-5271187.html?part=dht&tag=ntop
FYI - President Signs
Identity-Theft Law - The amount of prison time for using someone
else's identity is increased.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=23901861
FYI - New York man indicted for
hacking into Verizon computers - Verizon had to spend $120,000 to
restore security to its systems.
http://www.computerworld.com/printthis/2004/0,4814,94512,00.html
INTERNET COMPLIANCE - We continue our review of the FFIEC
interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
The strategy that financial institutions choose when
implementing weblinking relationships should address ways to avoid
customer confusion regarding linked third-party products and
services. This includes disclaimers and disclosures to limit
customer confusion and a customer service plan to address confusion
when it occurs.
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous webpage
disclosures to explain their limited role and responsibility with
respect to products and services offered through linked third-party
websites. The level of detail of the disclosure and its prominence
should be appropriate to the harm that may ensue from customer
confusion inherent in a particular link. The institution might post
a disclosure stating it does not provide, and is not responsible
for, the product, service, or overall website content available at a
third-party site. It might also advise the customer that its privacy
policies do not apply to linked websites and that a viewer should
consult the privacy disclosures on that site for further
information. The conspicuous display of the disclosure, including
its placement on the appropriate webpage, by effective use of size,
color, and graphic treatment, will help ensure that the information
is noticeable to customers. For example, if a financial institution
places an otherwise conspicuous disclosure at the bottom of its
webpage (requiring a customer to scroll down to read it), prominent
visual cues that emphasize the information's importance should point
the viewer to the disclosure.
In addition, the technology used to provide disclosures is
important. While many institutions may simply place a disclaimer
notice on applicable webpages, some institutions use
"pop-ups," or intermediate webpages called
"speedbumps," to notify customers they are leaving the
institution's website. For the reasons described below, financial
institutions should use speedbumps rather than pop-ups if they
choose to use this type of technology to deliver their online
disclaimers.
A "pop-up" is a screen generated by mobile code, for
example Java or ActiveX, when the customer clicks on a particular
hyperlink. Mobile code is used to send small programs to the user's
browser. Frequently, those programs cause unsolicited messages to
appear automatically on a user's screen. At times, the programs may
be malicious, delivering viruses or allowing unauthorized
access to a user's personal information. Consequently, many customers
reconfigure their browsers or install software that blocks pop-ups and
mobile code, and a disclosure delivered that way is never seen.
In contrast, an intermediate webpage, or "speedbump,"
alerts the customer to the transition to the third-party website.
Like a pop-up, a speedbump is activated when the customer clicks on
a particular weblink. However, use of a speedbump avoids the
problems of pop-up technology, because the speedbump is not
generated in the customer's browser by mobile code, but is served as an
ordinary webpage from the institution's own web server, so no browser
setting or blocking software on the customer's side can suppress it.
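The exit-page pattern described above, as an added example (this is not code from the FFIEC statement or from any institution's site). It assumes the institution keeps an inventory of its approved weblinking relationships (the constructed APPROVED_HOSTS set stands in for it) and rewrites every outbound link to go through a hypothetical /exit?to=<url> handler. The practitioner's caveat it demonstrates: a speedbump that forwards to whatever URL it is handed becomes an open redirect that lends the bank's domain to phishing links, so the handler refuses any destination that is not an exact match for an approved host, and renders the notice as a plain server-generated page with no client-side script.

```python
"""Server-side 'speedbump' for third-party weblinks (added example).

Assumptions, not from the original text: links are rewritten to
/exit?to=<url>; APPROVED_HOSTS is a constructed stand-in for the
institution's weblinking inventory; bank name and wording are placeholders.
"""
from html import escape
from urllib.parse import quote, urlsplit

# Constructed inventory of approved weblinking relationships.
APPROVED_HOSTS = {
    "partner-insurance.example.com",   # jointly marketed product
    "rewards.example.net",             # rewards program administrator
}

DISCLOSURE = (
    "You are leaving {bank}. {bank} does not provide, and is not responsible "
    "for, the products, services, or content on the site you are about to "
    "visit. {bank}'s privacy policy does not apply there; review that site's "
    "privacy disclosures."
)


def exit_link(target: str) -> str:
    """Rewrite an outbound href so that the click lands on the speedbump first."""
    return "/exit?to=" + quote(target, safe="")


def is_approved_target(target: str) -> bool:
    """Accept only absolute http(s) URLs whose host is exactly in the inventory.

    Exact-host matching defeats the usual open-redirect tricks: a
    scheme-relative '//evil', userinfo such as 'approved.host@evil',
    look-alike subdomains 'approved.host.evil', and 'javascript:' URLs.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lowercased; userinfo and port already stripped
    return host is not None and host in APPROVED_HOSTS


def speedbump_page(target: str, bank: str = "Example Bank") -> str:
    """Render the interstitial as an ordinary server-generated page.

    The 'Continue' link is a plain anchor: nothing the customer blocks
    (pop-ups, scripts, mobile code) can hide the disclosure.
    """
    safe_target = escape(target, quote=True)
    host = escape(urlsplit(target).hostname or "")
    return (
        "<!doctype html><html><body>"
        f"<h1>Leaving {escape(bank)}</h1>"
        f"<p>{escape(DISCLOSURE.format(bank=bank))}</p>"
        f'<p><a href="{safe_target}" rel="noopener noreferrer">Continue to {host}</a>'
        ' | <a href="/">Stay here</a></p>'
        "</body></html>"
    )


def handle_exit(query_to: str):
    """The /exit handler: returns (http_status, response_body)."""
    if not is_approved_target(query_to):
        # Refuse rather than forward: an unvalidated target would turn the
        # speedbump into an open redirect carrying the bank's domain name.
        return 400, "Unrecognised destination; this is not an approved weblink."
    return 200, speedbump_page(query_to)


if __name__ == "__main__":
    for url in (
        "https://partner-insurance.example.com/quote",
        "https://partner-insurance.example.com@evil.example/",
        "https://partner-insurance.example.com.evil.example/",
        "//evil.example/",
        "javascript:alert(1)",
    ):
        status, _ = handle_exit(url)
        print(status, url)
```

The allowlist is the important part: the disclosure page itself is trivial, but without the exact-host check the handler is a redirector that attackers can point at their own site, and customers would see the bank's domain in the link they clicked.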
INFORMATION SYSTEMS SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST
AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
Hardening Systems
Many financial institutions use commercial off-the-shelf (COTS)
software for operating systems and applications. COTS products
generally provide more functions than are required for the specific
purpose for which they are employed. For example, a default
installation of a server operating system may install mail, Web, and
file-sharing services on a system whose sole function is a DNS
server. Unnecessary software and services represent a potential
security weakness. Their presence increases the number of
discovered and undiscovered vulnerabilities present on the system.
Additionally, system administrators may not patch or
monitor unused software and services to the same degree as
operational software and services. Protection against those risks
begins when the systems are built and software is installed,
through a process referred to as hardening a system.
When deploying off-the-shelf software, management should harden the
resulting system. Hardening includes the following actions:
! Determining the purpose of the system and minimum software and
hardware requirements;
! Documenting the minimum hardware, software and services to be
included on the system;
! Installing the minimum hardware, software, and services necessary
to meet the requirements using a documented installation procedure;
! Installing necessary patches;
! Installing the most secure and up-to-date versions of
applications;
! Configuring privilege and access controls by first denying all,
then granting back the minimum necessary to each user;
! Configuring security settings as appropriate, enabling allowed
activity, and disallowing other activity;
! Enabling logging;
! Creating cryptographic hashes of key files;
! Archiving the configuration and checksums in secure storage prior
to system deployment;
! Testing the system to ensure a secure configuration;
! Using secure replication procedures for additional, identically
configured systems, making configuration changes on a case-by-case
basis;
! Changing all default passwords; and
! Testing the resulting systems.
After deployment, the COTS systems may need updating with current
security patches. Additionally, the systems should be periodically
audited to ensure that the software present on the systems is
authorized and properly configured.
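The hash-and-archive steps in the list above (create cryptographic hashes of key files before deployment, archive the checksums in secure storage, then audit the deployed system against them), as an added example that is not part of the FFIEC booklet. The key-file paths and contents are constructed in a temporary directory for the demonstration; a real baseline would list the system's actual configuration files, binaries and service definitions. The manifest's own hash is returned so it can be recorded separately from the system (signed or stored offline), otherwise an intruder who changes a file can silently change the baseline to match.

```python
"""Key-file integrity baseline for a hardened build (added example).

Not from the FFIEC booklet. Paths and file contents below are constructed
for the demo; substitute the documented list of key files for a real system.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key_files) -> dict:
    """Record SHA-256 and permission bits for each key file (relative to root)."""
    manifest = {}
    for rel in key_files:
        p = root / rel
        manifest[rel] = {
            "sha256": sha256_file(p),
            "mode": oct(p.stat().st_mode & 0o777),
        }
    return manifest


def save_manifest(manifest: dict, out: Path) -> str:
    """Write the manifest as JSON; return its own hash for off-system storage."""
    data = json.dumps(manifest, sort_keys=True, indent=2).encode()
    out.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Audit a deployed system against the archived baseline."""
    findings = {"modified": [], "missing": [], "mode_changed": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.exists():
            findings["missing"].append(rel)
            continue
        if sha256_file(p) != expected["sha256"]:
            findings["modified"].append(rel)
        if oct(p.stat().st_mode & 0o777) != expected["mode"]:
            findings["mode_changed"].append(rel)
    return findings


def demo() -> dict:
    """Build a baseline, verify it clean, then detect simulated drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        # Constructed stand-ins for a DNS server's key files.
        (root / "etc/sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc/named.conf").write_text("options { recursion no; };\n")
        key_files = ["etc/sshd_config", "etc/named.conf"]

        manifest = build_manifest(root, key_files)
        manifest_hash = save_manifest(manifest, root / "baseline.json")
        clean = verify_manifest(root, manifest)

        # Simulate drift after deployment: a weakened setting and a lost file.
        (root / "etc/sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc/named.conf").unlink()
        drift = verify_manifest(root, manifest)

        return {"manifest_hash": manifest_hash, "clean": clean, "drift": drift}


if __name__ == "__main__":
    result = demo()
    print("baseline hash:", result["manifest_hash"])
    print("after deployment:", result["clean"])
    print("after drift:", result["drift"])
```

Run the audit from read-only media or a separate host where possible: a verifier that depends on the hashing tool installed on the audited system will report whatever a compromised tool tells it.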
IT SECURITY
QUESTION:
G. APPLICATION SECURITY
4. Determine if access to sensitive information and processes
require appropriate authentication and verification of authorized
use before access is granted.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
The Exceptions
Exceptions to the opt out right are detailed in sections 13, 14,
and 15 of the regulations. Financial institutions need not comply
with opt-out requirements if they limit disclosure of nonpublic
personal information:
1) To a nonaffiliated third party to perform services for the
financial institution or to function on its behalf, including
marketing the institution's own products or services or those
offered jointly by the institution and another financial
institution. The exception is permitted only if the financial
institution provides notice of these arrangements and by contract
prohibits the third party from disclosing or using the information
for other than the specified purposes. In a contract for a joint
marketing agreement, the contract must provide that the parties to
the agreement are jointly offering, sponsoring, or endorsing a
financial product or service. However, if the service or function is
covered by the exceptions in section 14 or 15 (discussed below), the
financial institution does not have to comply with the additional
disclosure and confidentiality requirements of section 13.
Disclosure under this exception could include the outsourcing of
marketing to an advertising company. (Section 13)
2) As necessary to effect, administer, or enforce a
transaction that a consumer requests or authorizes, or under certain
other circumstances relating to existing relationships with
customers. Disclosures under this exception could be in connection
with the audit of credit information, administration of a rewards
program, or to provide an account statement. (Section 14)
3) For specified other disclosures that a financial
institution normally makes, such as to protect against or prevent
actual or potential fraud; to the financial institution's attorneys,
accountants, and auditors; or to comply with applicable legal
requirements, such as the disclosure of information to regulators.
(Section 15)
IN CLOSING - Did you know that
R. Kinney Williams & Associates performs intranet-internal penetration testing
in addition to its popular external-Internet testing? To keep your cost
affordable, we install our pre-programmed scanner box on your network. To
maintain the independent testing required by the examiners, we control the
scanner box programming and testing procedures. For more information, please
visit
http://www.internetbankingaudits.com/internal_testing.htm or email Kinney
Williams at
examiner@yennik.com.