FYI - Auditing Windows
2000 Permissions - Every resource in Windows 2000, Windows 2003, and
Windows XP has an access control list of permissions that protect
the resource. Without this list, anyone could read, change, or even
delete the resource. The default permissions on many resources
provide such access. Understanding how to analyze and audit these
resource permissions is essential to protecting them.
FYI - GAO finds
information security compliance is sporadic - Agency compliance with
federal information security standards is irregular and the process
that measures compliance is unreliable, the Government
Accountability Office said in a report released Wednesday.
FYI - Companies patching
security holes faster - Driven by fast-appearing threats, network
administrators are fixing the most prevalent flaws more quickly,
according to a new survey. The survey, released by vulnerability
assessment firm Qualys, found that the average half-life of a
vulnerability--the length of time it takes for half of assailable
computers to be fixed--fell to 21 days in 2004 from 30 days in 2003.
FYI - Are P2P networks
leaking military secrets? - A new Web log is posting what it
purports are pictures, documents and letters from U.S. soldiers and
military bases in Iraq and elsewhere--all of which the site's
operator claims to have downloaded from peer-to-peer networks such
FYI - Stealth wallpaper keeps
company secrets safe - A type of wallpaper that prevents Wi-Fi
signals escaping from a building without blocking mobile phone
signals has been developed by a British defence contractor. The
technology is designed to stop outsiders gaining access to a secure
network by using Wi-Fi networks casually set up by workers at the
week begins our series on the Federal Financial Institutions Examination Council Guidance
on Electronic Financial Services and Consumer Compliance.
Electronic Fund Transfer Act,
Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the
consumer's deposit account at an electronic terminal or personal
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
INFORMATION SYSTEMS SECURITY
continue our series on the FFIEC interagency Information Security
AGREEMENTS: CONFIDENTIALITY, NON-DISCLOSURE, AND
Financial institutions should protect the confidentiality of
information about their customers and organization. A breach in
confidentiality could disclose competitive information, increase
fraud risk, damage the institution's reputation, violate customer
privacy and associated rights, and violate regulatory requirements.
Confidentiality agreements put all parties on notice that the
financial institution owns its information, expects strict
confidentiality, and prohibits information sharing outside of that
required for legitimate business needs. Management should obtain
signed confidentiality agreements before granting new employees and
contractors access to information technology systems.
Job descriptions, employment agreements, and policy awareness
acknowledgements increase accountability for security. Management
can communicate general and specific security roles and
responsibilities for all employees within their job descriptions.
Management should expect all employees, officers, and contractors to
comply with security and acceptable use policies and protect the
institution's assets, including information. The job descriptions
for security personnel should describe the systems and processes
they will protect and the control processes for which they are
responsible. Management can take similar steps to ensure contractors
and consultants understand their security responsibilities as well.
Financial institutions need to educate users regarding their
security roles and responsibilities. Training should support
security awareness and should strengthen compliance with the
security policy. Ultimately, the behavior and priorities of senior
management heavily influence the level of employee awareness and
policy compliance, so training and the commitment to security should
start with senior management. Training materials would typically
review the acceptable-use policy and include issues like desktop
security, log-on requirements, password administration guidelines,
etc. Training should also address social engineering, and the
policies and procedures that protect against social engineering
attacks. Many institutions integrate a signed security awareness
agreement along with periodic training and refresher courses.
SOFTWARE DEVELOPMENT AND ACQUISITION
1. Inquire about how security requirements are determined for software,
whether internally developed or acquired from a vendor.
2. Determine whether management appropriately considers either
following a recognized security standard development process, or
reference to widely recognized industry standards.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 1 of 6)
The regulations establish specific duties and limitations for a
financial institution based on its activities. Financial
institutions that intend to disclose nonpublic personal information
outside the exceptions will have to provide opt out rights to their
customers and to consumers who are not customers. All financial
institutions have an obligation to provide an initial and annual
notice of their privacy policies to their customers. All financial
institutions must abide by the regulatory limits on the disclosure
of account numbers to nonaffiliated third parties and on the
redisclosure and reuse of nonpublic personal information received
from nonaffiliated financial institutions.
A brief summary of financial institution duties and limitations
appears below. A more complete explanation of each appears in the
Notice and Opt Out Duties to Consumers:
If a financial institution intends to disclose nonpublic
personal information about any of its consumers (whether or not they
are customers) to a nonaffiliated third party, and an exception does
not apply, then the financial institution must provide to the
1) an initial notice of its privacy policies;
2) an opt out notice (including, among other things, a
reasonable means to opt out); and
3) a reasonable opportunity, before the financial institution
discloses the information to the nonaffiliated third party, to opt
The financial institution may not disclose any nonpublic personal
information to nonaffiliated third parties except under the
enumerated exceptions unless these notices have been provided and
the consumer has not opted out. Additionally, the institution must
provide a revised notice before the financial institution begins to
share a new category of nonpublic personal information or shares
information with a new category of nonaffiliated third party in a
manner that was not described in the previous notice.
Note that a financial institution need not comply with the initial
and opt-out notice requirements for consumers who are not customers
if the institution limits disclosure of nonpublic personal
information to the exceptions.
IN CLOSING - The
Gramm-Leach-Bliley Act, best practices, and examiners recommend a security test
of your Internet connection. The
Vulnerability Internet Security Test Audit (VISTA)
is an independent penetration study of your network
connection to the Internet that meets the regulatory requirements.
are trained information
systems auditors that only work with financial institutions. As auditors,
we provide an independent review of the vulnerability test results and an audit
letter to your Board of Directors certifying the test results. For more
information, visit http://www.internetbankingaudits.com/.