FYI - Auditing Windows 2000 Permissions - Every resource in Windows 2000, Windows 2003, and Windows XP has an access control list of permissions that protect the resource. Without this list, anyone could read, change, or even delete the resource. The default permissions on many resources provide such access. Understanding how to analyze and audit these resource permissions is essential to protecting them.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5540

FYI - GAO finds information security compliance is sporadic - Agency compliance with federal information security standards is irregular and the process that measures compliance is unreliable, the Government Accountability Office said in a report released Wednesday.
News article:  http://www.govexec.com/story_page.cfm?articleid=29099&printerfriendlyVers=1&
GAO report:  http://www.gao.gov/new.items/d04376.pdf

FYI - Companies patching security holes faster - Driven by fast-appearing threats, network administrators are fixing the most prevalent flaws more quickly, according to a new survey. The survey, released by vulnerability assessment firm Qualys found that the average half life of a vulnerability--the length of time it takes for half of assailable computers to be fixed--fell to 21 days in 2004 from 30 days in 2003.
http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39188665-39001150t-39000005c

FYI - Are P2P networks leaking military secrets? - A new Web log is posting what it purports are pictures, documents and letters from U.S. soldiers and military bases in Iraq and elsewhere--all of which the site's operator claims to have downloaded from peer-to-peer networks such as Gnutella.
http://zdnet.com.com/2102-1105_2-5285918.html?tag=printthis

FYI - Stealth wallpaper keeps company secrets safe - A type of wallpaper that prevents Wi-Fi signals escaping from a building without blocking mobile phone signals has been developed by a British defence contractor. The technology is designed to stop outsiders gaining access to a secure network by using Wi-Fi networks casually set up by workers at the office. http://www.newscientist.com/news/print.jsp?id=ns99996240

Return to the top of the newsletter

INTERNET COMPLIANCE - This week begins our series on the Federal Financial Institutions Examination Council Guidance on Electronic Financial Services and Consumer Compliance.

Electronic Fund Transfer Act, Regulation E  (Part 1 of 2)

Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An Interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.

Financial institutions must ensure that consumers who sign-up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.

Return to the top of the newsletter

INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

PERSONNEL SECURITY

AGREEMENTS: CONFIDENTIALITY, NON - DISCLOSURE, AND AUTHORIZED USE

Financial institutions should protect the confidentiality of information about their customers and organization. A breach in confidentiality could disclose competitive information, increase fraud risk, damage the institution's reputation, violate customer privacy and associated rights, and violate regulatory requirements.  Confidentiality agreements put all parties on notice that the financial institution owns its information, expects strict confidentiality, and prohibits information sharing outside of that required for legitimate business needs. Management should obtain signed confidentiality agreements before granting new employees and contractors access to information technology systems.

JOB DESCRIPTIONS

Job descriptions, employment agreements, and policy awareness acknowledgements increase accountability for security. Management can communicate general and specific security roles and responsibilities for all employees within their job descriptions. Management should expect all employees, officers, and contractors to comply with security and acceptable use policies and protect the institution's assets, including information. The job descriptions for security personnel should describe the systems and processes they will protect and the control processes for which they are responsible. Management can take similar steps to ensure contractors and consultants understand their security responsibilities as well.

TRAINING

Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and should strengthen compliance with the security policy. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management. Training materials would typically review the acceptable - use policy and include issues like desktop security, log - on requirements, password administration guidelines, etc. Training should also address social engineering, and the policies and procedures that protect against social engineering attacks. Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses.

Return to the top of the newsletter

IT SECURITY QUESTION:  SOFTWARE DEVELOPMENT AND ACQUISITION

1. Inquire about how security requirements are determined for software, whether internally developed or acquired from a vendor.

2. Determine whether management appropriately considers either following a recognized security standard development process, or reference to widely recognized industry standards.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 1 of 6)

The regulations establish specific duties and limitations for a financial institution based on its activities. Financial institutions that intend to disclose nonpublic personal information outside the exceptions will have to provide opt out rights to their customers and to consumers who are not customers. All financial institutions have an obligation to provide an initial and annual notice of their privacy policies to their customers. All financial institutions must abide by the regulatory limits on the disclosure of account numbers to nonaffiliated third parties and on the redisclosure and reuse of nonpublic personal information received from nonaffiliated financial institutions.

A brief summary of financial institution duties and limitations appears below. A more complete explanation of each appears in the regulations.

Notice and Opt Out Duties to Consumers:

If a financial institution intends to disclose nonpublic personal information about any of its consumers (whether or not they are customers) to a nonaffiliated third party, and an exception does not apply, then the financial institution must provide to the consumer:

1)  an initial notice of its privacy policies;

2)  an opt out notice (including, among other things, a reasonable means to opt out); and

3)  a reasonable opportunity, before the financial institution discloses the information to the nonaffiliated third party, to opt out.

The financial institution may not disclose any nonpublic personal information to nonaffiliated third parties except under the enumerated exceptions unless these notices have been provided and the consumer has not opted out. Additionally, the institution must provide a revised notice before the financial institution begins to share a new category of nonpublic personal information or shares information with a new category of nonaffiliated third party in a manner that was not described in the previous notice.

Note that a financial institution need not comply with the initial and opt-out notice requirements for consumers who are not customers if the institution limits disclosure of nonpublic personal information to the exceptions.

IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and examiners recommend a security test of your Internet  connection.   The Vulnerability Internet Security Test Audit (VISTA) is an independent penetration study of your network connection to the Internet that meets the regulatory requirements.  We are trained information systems auditors that only work with financial institutions.  As auditors, we provide an independent review of the vulnerability test results and an audit letter to your Board of Directors certifying the test results.  For more information, visit http://www.internetbankingaudits.com/.