THANK YOU - This summer marks the fifth year I have published the "Internet Banking News" and "The Email Banking News."  To date, more than 2,700 subscribers receive the weekly newsletters.  I sincerely hope that the newsletters have been beneficial.  Please email me at examiner@yennik.com any comments to improve the newsletters.  I greatly appreciate your readership.  R. Kinney Williams, CFE, CISM

FYI - NCUA - Letter to Corporate Credit Unions 2004-03 - Critical Information System Risk Areas.   www.ncua.gov/CorporateCU/CorpLetters/2004/2004-03.pdf 

FYI - Corporations spend millions on single sign-on, yet don't achieve their security goals - Single sign-on (SSO) has gained great popularity, but due to confusion in the marketplace, decision makers in many organizations don't realize that SSO alone doesn't adequately address their security requirements, nor does it address issues of compliance with Sarbanes-Oxley, the European Privacy Directives, HIPAA and other regulations.
http://scmagazine.com/features/index.cfm?fuseaction=featureDetails&newsUID=d3007328-b941-4b3d-b286-066af6d6c251

FYI - Online data a gold mine for terrorists - Freely available on the Web, for example, are 3-D models of the exterior and limited portions of the interior of the Citigroup Inc. headquarters building in Manhattan -- one of the sites specifically named in the latest terror advisory issued by the DHS. http://computerworld.com/printthis/2004/0,4814,95098,00.html

FYI - Phishing attacks up by 50% per month - The number of new phishing attacks reported has risen by an average of 50% per month in the first six months of this year, according to the Anti-Phishing Working Group, which monitors such attacks. http://www.computerworld.com/printthis/2004/0,4814,95029,00.html 

FYI - Supervisors Say Subordinates Cause Most Security Screw-ups - Bosses point fingers at their workers when it comes to attacks on the company network, a study done by a U.K. research firm reported. http://www.techweb.com/wire/story/TWB20040806S0004

FYI - FBI publishes computer crime and security stats - Every year for the past nine years, the Computer Security Institute and the FBI undertake a computer crime and security survey among companies and institutions in the US. These surveys provide interesting insights into the level of computer crime being experienced by companies, as well as how they are responding to security breaches. http://www.theregister.co.uk/2004/08/05/fbi_security_stats/print.html

FYI - Powell candidate for Auburn AD job - Don Powell, an Amarillo native and chairman of the Federal Deposit Insurance Corp., is among candidates for the athletic director position at Auburn University in Auburn, Ala. http://www.amarillo.com/stories/082004/new_powellad.shtml

Return to the top of the newsletter

INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E  (Part 2 of 2)

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, OSC regulations provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.

Additionally, the regulations clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.

Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.

Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required. 

Return to the top of the newsletter

INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

ELECTRONIC AND PAPER - BASED MEDIA HANDLING

Sensitive information is frequently contained on media such as paper documents, output reports, back-up tapes, disks, cassettes, optical storage, test data, and system documentation. Protection of that data requires protection of the media. The theft, destruction, or Information Security other loss of the media could result in the exposure of corporate secrets, breaches in customer confidentiality, alteration of data, and the disruption of business activities. The policies and procedures necessary to protect media may need revision as new data storage technologies are contemplated for use and new methods of attack are developed. The sensitivity of the data (as reflected in the data classification) dictates the extent of procedures and controls required. Many institutions find it easier to store and dispose of all media consistently without having to segregate out the most sensitive information. This approach also can help reduce the likelihood that someone could infer sensitive information by aggregating a large amount of less sensitive information. Management must address three components to secure media properly: handling and storage, disposal, and transit.

HANDLING AND STORAGE

IT management should ensure secure storage of media from unauthorized access. Controls could include physical and environmental controls including fire and flood protection, limited access (e.g., physical locks, keypad, passwords, biometrics), labeling, and logged access. Management should establish access controls to limit access to media, while ensuring all employees have authorization to access the minimum level of data required to perform their responsibilities. More sensitive media like system documentation, application source code, and production transaction data should have more extensive controls to guard against alteration (e.g., integrity checkers, cryptographic hashes). Furthermore, policies should minimize the distribution of sensitive media, including the printouts of sensitive information. Periodically, the security staff, audit staff, and data owners should review authorization levels and distribution lists to ensure they remain appropriate and current.

Return to the top of the newsletter

IT SECURITY QUESTION:  SOFTWARE DEVELOPMENT AND ACQUISITION

3. Determine if the group or individual establishing security requirements has appropriate credentials, background, and/or training.

4. Evaluate whether the software incorporates appropriate security controls, audit trails, and activity logs and that appropriate and timely audit trail and log reviews and alerts can take place.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 2 of 6)

Notice Duties to Customers:

In addition to the duties described above, there are several duties unique to customers. In particular, regardless of whether the institution discloses or intends to disclose nonpublic personal information, a financial institution must provide notice to its customers of its privacy policies and practices at various times.

1)  A financial institution must provide an initial notice of its privacy policies and practices to each customer, not later than the time a customer relationship is established. Section 4(e) of the regulations describes the exceptional cases in which delivery of the notice is allowed subsequent to the establishment of the customer relationship.

2)  A financial institution must provide an annual notice at least once in any period of 12 consecutive months during the continuation of the customer relationship.

3)  Generally, new privacy notices are not required for each new product or service. However, a financial institution must provide a new notice to an existing customer when the customer obtains a new financial product or service from the institution, if the initial or annual notice most recently provided to the customer was not accurate with respect to the new financial product or service.

4)  When a financial institution does not disclose nonpublic personal information (other than as permitted under section 14 and section 15 exceptions) and does not reserve the right to do so, the institution has the option of providing a simplified notice.

IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and examiners recommend a security test of your Internet  connection.   The Vulnerability Internet Security Test Audit (VISTA) is an independent penetration study of your network connection to the Internet that meets the regulatory requirements.  We are trained information systems auditors that only work with financial institutions.  As auditors, we provide an independent review of the vulnerability test results and an audit letter to your Board of Directors certifying the test results.  For more information, visit http://www.internetbankingaudits.com/.