THANK YOU - This summer
marks the fifth year I have published the "Internet Banking News"
and "The Email Banking News." To date, more than 2,700 subscribers
receive the weekly newsletters. I sincerely hope that the
newsletters have been beneficial. Please email any comments to improve
the newsletters to me at firstname.lastname@example.org. I
greatly appreciate your readership. R. Kinney Williams, CFE, CISM
NCUA - Letter to Corporate Credit Unions 2004-03 - Critical
Information System Risk Areas.
FYI - Corporations spend
millions on single sign-on, yet don't achieve their security goals -
Single sign-on (SSO) has gained great popularity, but due to
confusion in the marketplace, decision makers in many organizations
don't realize that SSO alone doesn't adequately address their
security requirements, nor does it address issues of compliance with
Sarbanes-Oxley, the European Privacy Directives, HIPAA and other
FYI - Online data a gold
mine for terrorists - Freely available on the Web, for example, are
3-D models of the exterior and limited portions of the interior of
the Citigroup Inc. headquarters building in Manhattan -- one of the
sites specifically named in the latest terror advisory issued by the
FYI - Phishing attacks
up by 50% per month - The number of new phishing attacks reported
has risen by an average of 50% per month in the first six months of
this year, according to the Anti-Phishing Working Group, which
monitors such attacks.
FYI - Supervisors Say
Subordinates Cause Most Security Screw-ups - Bosses point fingers at
their workers when it comes to attacks on the company network, a
study done by a U.K. research firm reported.
FYI - FBI publishes
computer crime and security stats - Every year for the past nine
years, the Computer Security Institute and the FBI have undertaken a
computer crime and security survey among companies and institutions
in the US. These surveys provide interesting insights into the level
of computer crime being experienced by companies, as well as how
they are responding to security breaches.
FYI - Powell candidate for
Auburn AD job - Don Powell, an Amarillo native and chairman of the
Federal Deposit Insurance Corp., is among candidates for the
athletic director position at Auburn University in Auburn, Ala.
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
The Federal Reserve Board Official Staff Commentary
(OSC) also clarifies that terminal receipts are unnecessary for
transfers initiated on-line. Specifically, the OSC provides
that, because the term "electronic terminal" excludes a
telephone operated by a consumer, financial institutions need not
provide a terminal receipt when a consumer initiates a transfer by a
means analogous in function to a telephone, such as by a personal
computer or a facsimile machine.
Additionally, the regulations clarify that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the OSC, an example of a consumer's authorization
that is not in the form of a signed writing but is, instead,
"similarly authenticated" is a consumer's authorization
via a home banking system. To satisfy the regulatory requirements,
the institution must have some means to identify the consumer (such
as a security code) and make a paper copy of the authorization
available (automatically or upon request). The text of the
electronic authorization must be displayed on a computer screen or
other visual display that enables the consumer to read the
communication from the institution.
Only the consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
INFORMATION SYSTEMS SECURITY - We
continue our series on the FFIEC interagency Information Security
ELECTRONIC AND PAPER - BASED MEDIA HANDLING
Sensitive information is frequently contained on media such as paper
documents, output reports, back-up tapes, disks, cassettes, optical
storage, test data, and system documentation. Protection of that
data requires protection of the media. The theft, destruction, or
other loss of the media could result in the
exposure of corporate secrets, breaches in customer confidentiality,
alteration of data, and the disruption of business activities. The
policies and procedures necessary to protect media may need revision
as new data storage technologies are contemplated for use and new
methods of attack are developed. The sensitivity of the data (as
reflected in the data classification) dictates the extent of
procedures and controls required. Many institutions find it easier
to store and dispose of all media consistently without having to
segregate out the most sensitive information. This approach also can
help reduce the likelihood that someone could infer sensitive
information by aggregating a large amount of less sensitive
information. Management must address three components to secure
media properly: handling and storage, disposal, and transit.
HANDLING AND STORAGE
IT management should ensure that media are stored securely and
protected from unauthorized access. Controls could include physical and
environmental controls including fire and flood protection, limited
access (e.g., physical locks, keypad, passwords, biometrics),
labeling, and logged access. Management should establish access
controls to limit access to media, while ensuring all employees have
authorization to access the minimum level of data required to
perform their responsibilities. More sensitive media like system
documentation, application source code, and production transaction
data should have more extensive controls to guard against alteration
(e.g., integrity checkers, cryptographic hashes). Furthermore,
policies should minimize the distribution of sensitive media,
including the printouts of sensitive information. Periodically, the
security staff, audit staff, and data owners should review
authorization levels and distribution lists to ensure they remain
appropriate and current.
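The paragraph above names integrity checkers and cryptographic hashes as the control for media that must not be altered (source code, system documentation, production transaction data). The script below is an added example, not code from the FFIEC booklet or this newsletter: it builds a SHA-256 manifest of every file on a piece of media, authenticates the manifest with an HMAC so that whoever altered the files cannot simply rewrite the hash list to match, and reports modified, missing and unlisted files on re-check. The file names, contents and the signing key are constructed sample data; the manifest layout is a design choice for this illustration, not a standard.

```python
"""Integrity manifest for sensitive media (source code, runbooks, backups).

Added example; not from the FFIEC booklet or this newsletter. The file
names, contents and DEMO_KEY below are constructed sample data.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Hypothetical manifest-signing key. In production this belongs in an HSM or
# secrets manager that the people allowed to edit the media cannot read.
DEMO_KEY = b"example-manifest-key-do-not-reuse"


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding of the manifest.

    A bare hash list protects the media only if the list itself cannot be
    rewritten; keying it ties the list to a secret the editors do not hold.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(root: Path, manifest: dict, tag: str, key: bytes) -> tuple:
    """Return (manifest_authentic, modified, missing, added).

    modified: files whose current digest differs from the manifest
    missing:  files listed in the manifest but no longer present
    added:    files present on the media that the manifest never listed
    If the HMAC does not match, the manifest is untrusted and no file
    comparison is reported.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, [], [], []
    current = build_manifest(root)
    modified = sorted(f for f in manifest if f in current and current[f] != manifest[f])
    missing = sorted(f for f in manifest if f not in current)
    added = sorted(f for f in current if f not in manifest)
    return True, modified, missing, added


def demo() -> dict:
    """Exercise the failure modes on constructed sample files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "transfer.py").write_text("def post(): ...\n")
        (root / "runbook.txt").write_text("restore procedure v1\n")

        manifest = build_manifest(root)
        tag = sign_manifest(manifest, DEMO_KEY)
        clean = verify(root, manifest, tag, DEMO_KEY)

        # 1. A file on the media is altered after the manifest was taken.
        (root / "src" / "transfer.py").write_text("def post(): divert()\n")
        altered = verify(root, manifest, tag, DEMO_KEY)

        # 2. The attacker also regenerates the manifest to match; the HMAC
        #    over the original list no longer validates, so it is rejected.
        forged = build_manifest(root)
        forged_check = verify(root, forged, tag, DEMO_KEY)

        # 3. A listed file disappears and an unlisted one appears.
        (root / "runbook.txt").unlink()
        (root / "extra.bin").write_bytes(b"\x00")
        churn = verify(root, manifest, tag, DEMO_KEY)

    return {"clean": clean, "altered": altered, "forged": forged_check, "churn": churn}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The manifest and its tag should be stored apart from the media they describe (a separate system, or write-once storage), and the key kept out of reach of anyone with write access to the media; otherwise an insider who can alter the source code can also re-sign the list.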
SOFTWARE DEVELOPMENT AND ACQUISITION
3. Determine if the group or individual establishing security
requirements has appropriate credentials, background, and/or
4. Evaluate whether the software incorporates appropriate security
controls, audit trails, and activity logs and that appropriate and
timely audit trail and log reviews and alerts can take place.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties ( Part 2 of 6)
Notice Duties to Customers:
In addition to the duties described above, there are several
duties unique to customers. In particular, regardless of whether the
institution discloses or intends to disclose nonpublic personal
information, a financial institution must provide notice to its
customers of its privacy policies and practices at various times.
1) A financial institution must provide an initial notice of
its privacy policies and practices to each customer, not later than
the time a customer relationship is established. Section 4(e) of the
regulations describes the exceptional cases in which delivery of the
notice is allowed subsequent to the establishment of the customer
2) A financial institution must provide an annual notice at
least once in any period of 12 consecutive months during the
continuation of the customer relationship.
3) Generally, new privacy notices are not required for each
new product or service. However, a financial institution must
provide a new notice to an existing customer when the customer
obtains a new financial product or service from the institution, if
the initial or annual notice most recently provided to the customer
was not accurate with respect to the new financial product or
4) When a financial institution does not disclose nonpublic
personal information (other than as permitted under section 14 and
section 15 exceptions) and does not reserve the right to do so, the
institution has the option of providing a simplified notice.
IN CLOSING - The
Gramm-Leach-Bliley Act, best practices, and examiners recommend a security test
of your Internet connection. The
Vulnerability Internet Security Test Audit (VISTA)
is an independent penetration study of your network
connection to the Internet that meets the regulatory requirements.
are trained information
systems auditors that only work with financial institutions. As auditors,
we provide an independent review of the vulnerability test results and an audit
letter to your Board of Directors certifying the test results. For more
information, visit http://www.internetbankingaudits.com/.