R. Kinney Williams & Associates

Internet Banking News

August 29, 2004



FYI - CYBER FEARS ON FED'S WEB PLAN - With little fanfare, the Federal Reserve will begin transferring the nation's money supply over an Internet-based system this month - a move critics say could open the U.S.'s banking system to cyber threats. http://www.nypost.com/business/18671.htm

FYI - The Technology Group for The Financial Services Roundtable recently published risk assessment information that you will find useful in developing a risk assessment program.
Narrative: http://www.bitsinfo.org/bitskalcnarrative.pdf 
Spreadsheet: http://www.bitsinfo.org/bitskalculatorspreadsht.xls
Papers and presentations: http://www.bitsinfo.org/wp.html

FYI - The Technology Group for The Financial Services Roundtable also published best practices regarding software patch management. http://www.bitsinfo.org/bitspatchmgmt2004.pdf

FYI - Unprotected PCs can expect infection in minutes - The average survival time for an unprotected networked computer dropped from 40 minutes to 20 minutes over the last year, according to the SANS Institute of Bethesda, Md. http://www.gcn.com/vol1_no1/daily-updates/26967-1.html

FYI - Microsoft Garners Support For Authentication Scheme - Microsoft on Thursday hosted a meeting with more than 80 e-mail providers to spread the news about its Sender ID authentication scheme, and got the support from some heavyweights in the messaging security market, such as Tumbleweed, Cloudmark, and VeriSign. http://www.techweb.com/wire/story/TWB20040812S0004

FYI - UK police issue 'vicious' Trojan alert - Britain's top cybercrime fighters have joined up with the banking industry today in warning of the latest attempt to defraud online banking customers. http://www.theregister.co.uk/2004/08/13/trojan_phish/

FYI - Copiers Need Security, Too - A new generation of jazzed-up office copiers can scan documents, send faxes or e-mail, and store reams of document images. The new networked machines are akin to modern desktop computers and servers, which makes them more vulnerable to predatory hackers. http://www.pcworld.com/resource/printable/article/0,aid,117354,00.asp

FYI - Travel sites agree to changes for the blind - Priceline.com and Ramada.com have agreed to make their Web pages easier to navigate for the blind and visually impaired as part of a settlement with New York Attorney General Eliot Spitzer.
http://news.com.com/Travel+sites+agree+to+changes+for+the+blind/2100-1038_3-5318568.html?tag=nefd.top


INTERNET COMPLIANCE -
Equal Credit Opportunity Act (Regulation B)

The regulations clarify the rules concerning the taking of credit applications by specifying that application information entered directly into and retained by a computerized system qualifies as a written application under this section. If an institution makes credit application forms available through its on-line system, it must ensure that the forms satisfy the requirements.

The regulations also clarify the regulatory requirements that apply when an institution takes loan applications through electronic media. If an applicant applies through an electronic medium (for example, the Internet or a facsimile) without video capability that allows employees of the institution to see the applicant, the institution may treat the application as if it were received by mail.


INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  

ELECTRONIC AND PAPER-BASED MEDIA HANDLING

DISPOSAL


Financial institutions need appropriate disposal procedures for both electronic and paper-based media. Policies should prohibit employees from discarding sensitive media along with regular garbage, to avoid accidental disclosure. Many institutions shred paper-based media on site; others use collection and disposal services to ensure the media is rendered unreadable and unreconstructable before disposal. Institutions that contract with third parties should use care in selecting vendors to ensure adequate employee background checks, controls, and experience.

Computer-based media presents unique disposal problems. Residual data frequently remains on media after erasure. Since that data can be recovered, additional disposal techniques should be applied to sensitive data. Physical destruction of the media, for instance by subjecting a compact disk to microwaves, can make the data unrecoverable. Additionally, data can sometimes be destroyed by overwriting. Overwriting may be preferred when the media will be re-used. Institutions should base their disposal policies on the sensitivity of the information contained on the media and, through policies, procedures, and training, ensure that the actions taken to securely dispose of computer-based media adequately protect the data from the risks of reconstruction. Where practical, management should log the disposal of sensitive media, especially computer-based media.
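The following is an added example, not text or code from the FFIEC booklet or this newsletter: it applies the overwrite-before-reuse technique and the disposal-log recommendation above to a single file, overwriting it in place, flushing to disk, reading it back to confirm the original bytes are gone, and recording the action. The names wipe_file, DisposalRecord and demo, and the sample account line, are assumptions constructed for illustration.

```python
import hashlib
import os
import secrets
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class DisposalRecord:
    """One entry of the disposal log the booklet asks management to keep."""
    path: str
    size: int
    passes: int
    verified: bool        # read-back confirmed the original bytes are gone
    removed: bool         # file no longer present after the wipe
    sha256_before: str    # identifies what was destroyed without keeping it
    when: str


def wipe_file(path: str, passes: int = 3) -> DisposalRecord:
    """Overwrite a file in place (alternating 0x00/0xFF passes, random final
    pass), fsync after each pass, read back to verify, then unlink it.
    Hypothetical helper; see the note below the block for its limits."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        original = f.read()
    digest = hashlib.sha256(original).hexdigest()
    with open(path, "r+b") as f:
        for i in range(passes):
            pattern = (secrets.token_bytes(size) if i == passes - 1
                       else bytes([0x00 if i % 2 == 0 else 0xFF]) * size)
            f.seek(0)
            f.write(pattern)
            f.flush()
            os.fsync(f.fileno())          # push the pass past the OS cache
        f.seek(0)
        after = f.read(size)
    verified = size == 0 or (after != original and original[:32] not in after)
    os.remove(path)
    return DisposalRecord(path, size, passes, verified, not os.path.exists(path),
                          digest, datetime.now(timezone.utc).isoformat())


def demo() -> DisposalRecord:
    """Constructed sample: a temp file holding made-up account records is wiped."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(b"ACCT-0000001234 JANE DOE SSN 000-00-0000 BAL 12345.67\n" * 200)
    return wipe_file(path)
```

Overwriting in place only sanitises the blocks the filesystem currently maps to the file; journals, copy-on-write filesystems, SSD wear levelling and backups may retain copies. That is why the booklet treats overwriting as suitable for media that will be re-used and physical destruction as the stronger option for sensitive media.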

TRANSIT

Financial institutions should maintain the security of media while in transit or when shared with third parties. Policies should include:

- Restrictions on the carriers used and procedures to verify the identity of couriers,
- Requirements for appropriate packaging to protect the media from damage,
- Use of encryption for transmission of sensitive information,
- Security reviews or independent security reports of receiving companies, and
- Use of nondisclosure agreements between couriers and third parties.

Financial institutions should address the security of their back-up tapes at all times, including when the tapes are in transit from the data center to off-site storage.



IT SECURITY QUESTION: 
SOFTWARE DEVELOPMENT AND ACQUISITION

5. Evaluate whether the software contains appropriate authentication and encryption.

6. Evaluate the adequacy of the change control process.

7. Evaluate the appropriateness of software libraries and their access controls.


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 3 of 6)

Requirements for Notices

Clear and Conspicuous. Privacy notices must be clear and conspicuous, meaning they must be reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. The regulations do not prescribe specific methods for making a notice clear and conspicuous, but do provide examples of ways in which to achieve the standard, such as the use of short explanatory sentences or bullet lists, and the use of plain-language headings and easily readable typeface and type size. Privacy notices also must accurately reflect the institution's privacy practices.

Delivery Rules. Privacy notices must be provided so that each recipient can reasonably be expected to receive actual notice in writing, or if the consumer agrees, electronically. To meet this standard, a financial institution could, for example, (1) hand-deliver a printed copy of the notice to its consumers, (2) mail a printed copy of the notice to a consumer's last known address, or (3) for the consumer who conducts transactions electronically, post the notice on the institution's web site and require the consumer to acknowledge receipt of the notice as a necessary step to completing the transaction.

For customers only, a financial institution must provide the initial notice (as well as the annual notice and any revised notice) so that a customer may be able to retain or subsequently access the notice. A written notice satisfies this requirement. For customers who obtain financial products or services electronically, and agree to receive their notices on the institution's web site, the institution may provide the current version of its privacy notice on its web site.

IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and examiners recommend a security test of your Internet connection. The Vulnerability Internet Security Test Audit (VISTA) is an independent penetration study of your network connection to the Internet that meets the regulatory requirements. We are trained information systems auditors that only work with financial institutions. As auditors, we provide an independent review of the vulnerability test results and an audit letter to your Board of Directors certifying the test results. For more information, visit http://www.internetbankingaudits.com/.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated