R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

September 5, 2004

CONTENT Internet Compliance Information Systems Security
IT Security Question Internet Privacy Website for Penetration Testing


FYI -
The week of September 13, I will be attending the Network Security Conference sponsored by the Information Systems Audit and Control Association (ISACA) being held at Caesars Place in Las Vegas.  Next week's newsletter will be emailed on Friday to allow me to travel.  If you are attending the conference, I look forward to meeting you. 

FYI - Report: Mobile Devices Are Enterprise Security Risk - The threat that mobile devices pose to enterprises is significant, yet a significant majority of organizations haven't deployed systems to manage those devices, according to a study released this week by Forrester Research. "The risk of information loss or theft from laptops, PDAs, phones, converged devices, and tablets is increasing rapidly." http://www.securitypipeline.com/news/showArticle.jhtml;jsessionid=PEDNWSJF51YMUQSNDBCCKHY?articleId=29116607&printableArticle=true

FYI - Cisco flaw opens networks to attacks - Cisco has warned in a security advisory that some networks with its routers could be vulnerable to denial-of-service attacks. http://asia.cnet.com/news/communications/0,39037080,39190817,00.htm

FYI - Big German banks hit by phishing attacks - Two of Germany's biggest banks became the latest victims of phishing attacks as internationally organized criminal groups search around the globe for new targets. http://computerworld.com/securitytopics/security/story/0,10801,95429,00.html

FYI -
FFIEC Information Technology Examination Handbook- This bulletin announces that the Federal Financial Institutions Examination Council has issued two booklets that provide updated guidance on information technology operations and wholesale payment systems. These booklets complete the FFIEC Information Technology Examination Handbook series that updates and replaces the 1996 FFIEC Information Systems Examination Handbook.
Press release:  www.occ.treas.gov/ftp/bulletin/2004-40.txt 
Attachment:  http://www.occ.treas.gov/ftp/bulletin/2004-40a.pdf
FFIEC site:  http://www.ffiec.gov/ffiecinfobase/index.html

Return to the top of the newsletter

INTERNET COMPLIANCE -
Advertisement Of Membership

The FDIC and NCUA consider every insured depository institution's online system top-level page, or "home page", to be an advertisement. Therefore, according to these agencies' interpretation of their rules, financial institutions subject to the regulations should display the official advertising statement on their home pages unless subject to one of the exceptions described under the regulations. Furthermore, each subsidiary page of an online system that contains an advertisement should display the official advertising statement unless subject to one of the exceptions described under the regulations. Additional information about the FDIC's interpretation can be found in the Federal Register, Volume 62, Page 6145, dated February 11, 1997.

Return to the top of the newsletter

INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  

LOGGING AND DATA COLLECTION (Part 1 of 2)

Financial institutions should take reasonable steps to ensure that sufficient data is collected from secure log files to identify and respond to security incidents and to monitor and enforce policy compliance. Appropriate logging controls ensure that security personnel can review and analyze log data to identify unauthorized access attempts and security violations, provide support for personnel actions, and aid in reconstructing compromised systems.

An institution's ongoing security risk assessment process should evaluate the adequacy of the system logging and the type of information collected. Security policies should address the proper handling and analysis of log files. Institutions have to make risk-based decisions on where and when to log activity. The following data are typically logged to some extent including

! Inbound and outbound Internet traffic,
! Internal network traffic,
! Firewall events,
! Intrusion detection system events,
! Network and host performance,
! Operating system access (especially high - level administrative or root access),
! Application access (especially users and objects with write - and execute privileges), and
! Remote access.


Return to the top of the newsletter

IT SECURITY QUESTION: 
SOFTWARE DEVELOPMENT AND ACQUISITION

8. Inquire about the method used to test the newly developed or acquired software for vulnerabilities.

!   For source code reviews, inquire about standards used, the capabilities of the reviewers, and the results of the reviews.
!  If source code reviews are not performed, inquire about alternate actions taken to test the software for covert channels, backdoors, and other security issues.

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 4 of 6)

Requirements for Notices
(continued)

Notice Content. A privacy notice must contain specific disclosures. However, a financial institution may provide to consumers who are not customers a "short form" initial notice together with an opt out notice stating that the institution's privacy notice is available upon request and explaining a reasonable means for the consumer to obtain it. The following is a list of disclosures regarding nonpublic personal information that institutions must provide in their privacy notices, as applicable:

1)  categories of information collected;

2)  categories of information disclosed;

3)  categories of affiliates and nonaffiliated third parties to whom the institution may disclose information;

4)  policies with respect to the treatment of former customers' information;

5)  information disclosed to service providers and joint marketers (Section 13);

6)  an explanation of the opt out right and methods for opting out;

7)  any opt out notices the institution must provide under the Fair Credit Reporting Act with respect to affiliate information sharing;

8)  policies for protecting the security and confidentiality of information; and

9)  a statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law (Sections 14 and 15).

IN CLOSING - The  FFIEC interagency Information Security Booklet, the regulators are requiring financial institutions to have at least an annual independent penetration test.  Did you know that there are over 3,700 known vulnerabilities with approximately 25 new vulnerabilities added every week, and that 99% of unauthorized intrusions resulted from known vulnerabilities?  We can provide you with an independent penetration testing to help protect {custom4} from unauthorized external access.  For more information, please visit our web site at http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated