R. Kinney Williams & Associates®

Internet Banking News

August 1, 2004



FYI -
FFIEC Information Technology Examination Handbook: FFIEC IT Booklets on Outsourcing Technology Services and Management - This bulletin announces that the FFIEC has issued two booklets: the "Outsourcing Technology Services Booklet" and the "Management Booklet." These are the latest in a series that will update and replace the "1996 FFIEC Information Systems Examination Handbook."
Press Release: www.occ.treas.gov/ftp/bulletin/2004-32.txt 
Attachment: www.occ.treas.gov/ftp/bulletin/2004-32a.pdf
OTS: www.ots.treas.gov/docs/7/77428.html

FYI -
Letter to Credit Unions - ATMs: Triple DES Encryption - The purpose of this letter is to ensure credit unions are aware of the new minimum encryption standards being required by the major ATM switch network vendors. www.ncua.gov/letters/2004/04-CU-09.pdf

FYI -
Guidance on the Risks Associated With Instant Messaging - The FDIC is providing guidance to financial institutions on the risks associated with publicly available instant messaging and network file-sharing. This guidance includes background information on the risks and how they can be mitigated through an effective management program. www.fdic.gov/news/news/financial/2004/fil8404.html 

FYI - Is Your Bank Helping Phishers? - Leading financial institutions may make it too easy for scam artists to duplicate their sites. - Leading financial institutions have adopted a more aggressive attitude toward online identity theft cons known as "phishing scams" in recent months. http://www.pcworld.com/news/article/0,aid,116949,tk,dn072004X,00.asp

FYI - The weakest security link? It's you. http://news.com.com/The+weakest+security+link%3F+It%27s+you/2100-7355-5278576.html?part=dht&tag=ntop

FYI - GAO - Information and Technology Management: Responsibilities - Reporting Relationships, Tenure, and Challenges of Agency Chief Information Officers. http://www.gao.gov/new.items/d04957t.pdf

FYI - Los Alamos security under scrutiny - Reports of missing computer disks and e-mail violations. - An investigation of security violations is under way at Los Alamos National Laboratory in New Mexico, including the latest reports of employees sending classified information over a non-secure e-mail system, a lab spokesman. http://www.cnn.com/2004/US/Southwest/07/19/losalamos.lab.security/

FYI - California Department of Insurance Computer Hacked, Agents Notified - Department Employs Security Measures to Ensure Information, even if Accessed, is worthless - And Immediately Began an Investigation; Adding Additional Security Measures to Prevent Reoccurrence. http://www.insurancenewsnet.com/article.asp?a=top_news&id=22774

FYI - Intuit warns of credit card risk - Intuit, a provider of financial software and services, is warning 47,000 customers that their credit card data may be at risk after computers were stolen from a company office. http://news.com.com/2102-1029_3-5269821.html?tag=st.util.print


FYI - NIST wants to phase out DES - The 56-bit Data Encryption Standard has outlived its usefulness, and the National Institute of Standards and Technology has proposed withdrawing it from government use.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=26721

FYI - Big companies employing snoopers for staff email - Large companies are now so concerned about the contents of the electronic communications leaving their offices that they're employing staff to read employees' outgoing emails. http://management.silicon.com/government/print.htm?TYPE=story&AT=39122384-39024673t-40000033c

FYI - New Guidance for Examiners, Financial Institutions and Technology Service Providers on Management and Outsourcing Technology Services  - The Federal Financial Institutions Examination Council has issued booklets with guidance on evaluating management and outsourcing technology services. The booklets are the ninth and tenth in a series of updates, which will eventually replace the 1996 FFIEC Information Systems Examination Handbook and comprise the new FFIEC Information Technology Examination Handbook. www.fdic.gov/news/news/financial/2004/fil8904.html 


INTERNET COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." 

B. RISK MANAGEMENT TECHNIQUES

Implementing Weblinking Relationships


Customer Service Complaints

Financial institutions should have plans to respond to customer complaints, including those regarding the appropriateness or quality of content, services, or products provided or the privacy and security policies of the third-party site. The plan also should address how the financial institution will address complaints regarding any failures of linked third parties to provide agreed upon products or services.

Monitoring Weblinking Relationships

The financial institution should consider monitoring the activities of linked third parties as a part of its risk management strategy. Monitoring policies and procedures should include periodic content review and testing to ensure that links function properly, and to verify that the levels of services provided by third parties are in accordance with contracts and agreements.  Website content is dynamic, and third parties may change the presentation or content of a website in a way that results in risk to the financial institution's reputation. Periodic review and testing will reduce this risk exposure. The frequency of review should be commensurate with the degree of risk presented by the linked site.


INFORMATION SYSTEMS SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.


SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST AND USER EQUIPMENT ACQUISITION AND MAINTENANCE

System Patches

Software support should incorporate a process to update and patch operating system and application software for new vulnerabilities. Frequently, security vulnerabilities are discovered in operating systems and other software after deployment. Vendors often issue software patches to correct those vulnerabilities. Financial institutions should have an effective monitoring process to identify new vulnerabilities in their hardware and software.  Monitoring involves such actions as the receipt and analysis of vendor and governmental alerts and security mailing lists. Once identified, secure installation of those patches requires a process for obtaining, testing, and installing the patch.

Patches make direct changes to the software and configuration of each system to which they are applied. They may degrade system performance. Also, patches may introduce new vulnerabilities, or reintroduce old vulnerabilities. The following considerations can help ensure patches do not compromise the security of systems:

- Obtain the patch from a known, trusted source;
- Verify the integrity of the patch through such means as comparisons of cryptographic hashes to ensure the patch obtained is the correct, unaltered patch;
- Apply the patch to an isolated test system and verify that the patch (1) is compatible with other software used on systems to which the patch will be applied, (2) does not alter the system's security posture in unexpected ways, such as altering log settings, and (3) corrects the pertinent vulnerability;
- Back up production systems prior to applying the patch;
- Apply the patch to production systems using secure methods, and update the cryptographic checksums of key files as well as that system's software archive;
- Test the resulting system for known vulnerabilities;
- Update the master configurations used to build new systems;
- Create and document an audit trail of all changes; and
- Seek additional expertise as necessary to maintain a secure computing environment.
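
The hash comparison and checksum update in the list above can be scripted. The following is an added example, not part of the FFIEC booklet or this newsletter: it assumes SHA-256 as the hash (the booklet names no algorithm) and uses constructed file names and contents.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large patches need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_patch(path, published_hex):
    """True only if the file's hash equals the digest obtained from the trusted source."""
    expected = published_hex.strip().lower()
    return hmac.compare_digest(sha256_file(path), expected)


def build_manifest(paths):
    """Record the checksum of each key file (the baseline to refresh after patching)."""
    return {str(p): sha256_file(p) for p in paths}


def diff_manifests(before, after):
    """Report which key files changed, appeared or disappeared, for the audit trail."""
    return {
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }


if __name__ == "__main__":
    # Constructed sample data: a stand-in "patch" and two stand-in "key files".
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        patch = root / "patch.bin"
        patch.write_bytes(b"constructed patch payload")
        published = hashlib.sha256(b"constructed patch payload").hexdigest()
        print("patch verified:", verify_patch(patch, published))

        key_files = [root / "app.conf", root / "logging.conf"]
        for f in key_files:
            f.write_text("original\n")
        baseline = build_manifest(key_files)
        key_files[0].write_text("patched\n")           # change the patch was expected to make
        key_files[1].write_text("logging disabled\n")  # unexpected change to log settings
        print(diff_manifests(baseline, build_manifest(key_files)))
```

Run on the test system, the manifest diff shows every key file the patch touched, so an unexpected entry such as a modified logging configuration is visible before the patch reaches production.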


IT SECURITY QUESTION: APPLICATION SECURITY

5. Determine whether re-establishment of any session after interruption requires normal user identification, authentication, and authorization.


INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Consumer and Customer:

The distinction between consumers and customers is significant because financial institutions have additional disclosure duties with respect to customers. All customers covered under the regulation are consumers, but not all consumers are customers.

A "consumer" is an individual, or that individual's legal representative, who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes.

A "financial service" includes, among other things, a financial institution's evaluation or brokerage of information that the institution collects in connection with a request or an application from a consumer for a financial product or service. For example, a financial service includes a lender's evaluation of an application for a consumer loan or for opening a deposit account even if the application is ultimately rejected or withdrawn.

Consumers who are not customers are entitled to an initial privacy and opt out notice only if their financial institution wants to share their nonpublic personal information with nonaffiliated third parties outside of the exceptions.

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

IN CLOSING - Did you know that R. Kinney Williams & Associates performs intranet-internal penetration testing in addition to its popular external-Internet testing?  To keep your cost affordable, we install our pre-programmed scanner box on your network.  To maintain the independent testing required by the examiners, we control the scanner box programming and testing procedures.  For more information, please visit http://www.internetbankingaudits.com/internal_testing.htm or email Kinney Williams at examiner@yennik.com.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated