FFIEC Information Technology Examination Handbook: FFIEC IT
Booklets on Outsourcing Technology Services and Management - This
bulletin announces that the FFIEC has issued two booklets: the
"Outsourcing Technology Services Booklet" and the "Management
Booklet." These are the latest in a series that will update and
replace the "1996 FFIEC Information Systems Examination Handbook."
Letter to Credit Unions - ATMs: Triple DES Encryption - The
purpose of this letter is to ensure credit unions are aware of the
new minimum encryption standards being required by the major ATM
switch network vendors.
Guidance on the Risks Associated With Instant Messaging - The
FDIC is providing guidance to financial institutions on the risks
associated with publicly available instant messaging and network
file-sharing. This guidance includes background information on the
risks and how they can be mitigated through an effective management
FYI - Is Your Bank
Helping Phishers? - Leading financial institutions may make it too
easy for scam artists to duplicate their sites. Leading financial
institutions have adopted a more aggressive attitude toward online
identity theft cons known as "phishing scams" in recent months.
FYI - The weakest
security link? It's you.
FYI - GAO - Information
and Technology Management: Responsibilities - Reporting
Relationships, Tenure, and Challenges of Agency Chief Information
FYI - Los Alamos
security under scrutiny - Reports of missing computer disks and
e-mail violations. - An investigation of security violations is
under way at Los Alamos National Laboratory in New Mexico, including
the latest reports of employees sending classified information over
a non-secure e-mail system, a lab spokesman.
FYI - California
Department of Insurance Computer Hacked, Agents Notified -
Department Employs Security Measures to Ensure Information, even if
Accessed, is worthless - And Immediately Began an Investigation;
Adding Additional Security Measures to Prevent Reoccurrence.
FYI - Intuit warns of
credit card risk - Intuit, a provider of financial software and
services, is warning 47,000 customers that their credit card data
may be at risk after computers were stolen from a company office.
FYI - NIST wants to phase out DES - The 56-bit Data Encryption
Standard has outlived its usefulness, and the National Institute of
Standards and Technology has proposed withdrawing it from government
FYI - Big companies employing snoopers for staff email - Large
companies are now so concerned about the contents of the electronic
communications leaving their offices that they're employing staff to
read employees' outgoing emails.
FYI - New Guidance for
Examiners, Financial Institutions and Technology Service Providers
on Management and Outsourcing Technology Services - The Federal
Financial Institutions Examination Council has issued booklets with
guidance on evaluating management and outsourcing technology
services. The booklets are the ninth and tenth in a series of
updates, which will eventually replace the 1996 FFIEC Information
Systems Examination Handbook and comprise the new FFIEC Information
Technology Examination Handbook.
continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
Customer Service Complaints
Financial institutions should have plans to respond to customer
complaints, including those regarding the appropriateness or quality
of content, services, or products provided or the privacy and
security policies of the third-party site. The plan also should
address how the financial institution will address complaints
regarding any failures of linked third parties to provide agreed
upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the
activities of linked third parties as a part of its risk management
strategy. Monitoring policies and procedures should include periodic
content review and testing to ensure that links function properly,
and to verify that the levels of services provided by third parties
are in accordance with contracts and agreements. Website
content is dynamic, and third parties may change the presentation or
content of a website in a way that results in risk to the financial
institution's reputation. Periodic review and testing will reduce
this risk exposure. The frequency of review should be commensurate
with the degree of risk presented by the linked site.
INFORMATION SYSTEMS SECURITY
continue our series on the FFIEC interagency Information Security
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST
AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
Software support should incorporate a process to update and
patch operating system and application software for new
vulnerabilities. Frequently, security vulnerabilities are discovered
in operating systems and other software after deployment. Vendors
often issue software patches to correct those vulnerabilities.
Financial institutions should have an effective monitoring process
to identify new vulnerabilities in their hardware and software.
Monitoring involves such actions as the receipt and analysis of
vendor and governmental alerts and security mailing lists. Once
identified, secure installation of those patches requires a process
for obtaining, testing, and installing the patch.
Patches make direct changes to the software and configuration of
each system to which they are applied. They may degrade system
performance. Also, patches may introduce new vulnerabilities, or
reintroduce old vulnerabilities. The following considerations can
help ensure patches do not compromise the security of systems:
- Obtain the patch from a known, trusted source;
- Verify the integrity of the patch through such means as
comparisons of cryptographic hashes to ensure the patch obtained is
the correct, unaltered patch;
- Apply the patch to an isolated test system and verify that the
patch (1) is compatible with other software used on systems to which
the patch will be applied, (2) does not alter the system's security
posture in unexpected ways, such as altering log settings, and (3)
corrects the pertinent vulnerability;
- Back up production systems prior to applying the patch;
- Apply the patch to production systems using secure methods, and
update the cryptographic checksums of key files as well as that
system's software archive;
- Test the resulting system for known vulnerabilities;
- Update the master configurations used to build new systems;
- Create and document an audit trail of all changes; and
- Seek additional expertise as necessary to maintain a secure
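The following is an added example, not part of the FFIEC booklet or this newsletter, showing how two of the considerations above can be carried out in practice: checking a downloaded patch against the hash its trusted source publishes, and keeping a checksum baseline of key files so that a patch which quietly changes something it should not (a logging configuration, for instance) is noticed before the baseline is refreshed. The file names, contents and the "published" hash are constructed for illustration; the hash comparison uses hmac.compare_digest so the check is not vulnerable to timing differences.

```python
"""Added example: patch integrity verification and a checksum baseline
of key files. Not from the FFIEC booklet; file names, contents and the
'published' hash below are constructed for illustration."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file so large patch archives are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_patch(patch_path: Path, published_sha256: str) -> bool:
    """Compare the patch hash with the value published by the trusted source.
    hmac.compare_digest is constant-time and rejects hashes of other lengths."""
    actual = sha256_of_file(patch_path)
    return hmac.compare_digest(actual.lower(), published_sha256.strip().lower())


def build_baseline(root: Path, key_files: list) -> dict:
    """Record the checksum of each key file, keyed by path relative to root."""
    return {rel: sha256_of_file(root / rel) for rel in key_files}


def compare_baseline(root: Path, baseline: dict) -> dict:
    """Return key files whose current state differs from the baseline:
    'modified' if the hash changed, 'missing' if the file is gone."""
    changes = {}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.exists():
            changes[rel] = "missing"
        elif not hmac.compare_digest(sha256_of_file(p), expected):
            changes[rel] = "modified"
    return changes


def demo() -> dict:
    """Walk the patch process against constructed files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed 'system' with two key files: the application and its
        # logging configuration (consideration 2 says the latter must not change)
        (root / "app.bin").write_bytes(b"application v1.0\n")
        (root / "logging.conf").write_bytes(b"level=INFO\n")
        key_files = ["app.bin", "logging.conf"]
        baseline = build_baseline(root, key_files)

        # Constructed patch; its SHA-256 stands in for the vendor's published hash
        patch_bytes = b"application v1.1\n"
        patch = root / "patch.bin"
        patch.write_bytes(patch_bytes)
        published = sha256_of_bytes(patch_bytes)
        verified_good = verify_patch(patch, published)

        # Simulate a corrupted or altered download: one extra byte fails the check
        patch.write_bytes(patch_bytes + b"X")
        verified_tampered = verify_patch(patch, published)
        patch.write_bytes(patch_bytes)

        # Apply the patch, then report what changed against the baseline
        (root / "app.bin").write_bytes(patch_bytes)
        changes_after_patch = compare_baseline(root, baseline)

        # Once the change set is reviewed, refresh the baseline for future checks
        new_baseline = build_baseline(root, key_files)
        changes_after_refresh = compare_baseline(root, new_baseline)

        return {
            "verified_good": verified_good,
            "verified_tampered": verified_tampered,
            "changes_after_patch": changes_after_patch,
            "changes_after_refresh": changes_after_refresh,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the walk-through, only app.bin shows as modified after the patch and logging.conf is untouched, which is the kind of evidence consideration (2) asks for; an unexpected entry for logging.conf would be the signal to stop before updating the baseline and the software archive.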
Determine whether re-establishment of any session after interruption
requires normal user identification, authentication, and
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Consumer and Customer:
The distinction between consumers and customers is
significant because financial institutions have additional
disclosure duties with respect to customers. All customers covered
under the regulation are consumers, but not all consumers are
A "consumer" is an individual, or that individual's legal
representative, who obtains or has obtained a financial product or
service from a financial institution that is to be used primarily
for personal, family, or household purposes.
A "financial service" includes, among other things, a
financial institution's evaluation or brokerage of information that
the institution collects in connection with a request or an
application from a consumer for a financial product or service. For
example, a financial service includes a lender's evaluation of an
application for a consumer loan or for opening a deposit account
even if the application is ultimately rejected or withdrawn.
Consumers who are not customers are entitled to an initial privacy
and opt out notice only if their financial institution wants to
share their nonpublic personal information with nonaffiliated third
parties outside of the exceptions.
A "customer" is a consumer who has a "customer
relationship" with a financial institution. A "customer
relationship" is a continuing relationship between a consumer
and a financial institution under which the institution provides one
or more financial products or services to the consumer that are to
be used primarily for personal, family, or household purposes.
IN CLOSING - Did you know that
R. Kinney Williams & Associates performs intranet-internal penetration testing
in addition to its popular external-Internet testing? To keep your cost
affordable, we install our pre-programmed scanner box on your network. To
maintain the independent testing required by the examiners, we control the
scanner box programming and testing procedures. For more information, please
http://www.internetbankingaudits.com/internal_testing.htm or email Kinney