R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

September 26, 2004
With more than 40 years auditing only financial institutions, my experience to test your Internet connection for vulnerabilities and understand your IT operation is unmatched.  Visit http://www.internetbankingaudits.com/ for more detailed information.

CONTENT Internet Compliance Information Systems Security
IT Security Question Internet Privacy Website for Penetration Testing

FYI - When Hackers Strike - Why do hackers hack? Some do it for fun; some do it to prove they can break into a system. Some hackers want free information and rationalize their acts by saying "information wants to be free." Some hackers claim they do it to help improve security. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5552

FYI - Making Security Assessments Count - Although the need for connectivity continues to drive an open network business mentality, the threat profile for organizations has dramatically changed over the past year. The average time between an operating system vulnerability announcement and the release of attack code to exploit it is less than 14 days, compared to 30 days a year ago, yet the ability of organizations to respond to such threats has not kept pace, according to the Symantec Internet Security Threat Report.

FYI - Largest Security Study Ever Conducted Finds Asia and South America Trail North America and Europe in Security Development and Best Practice Implementation - 64 Percent Plan to Increase in Security Spending According To International Survey by PricewaterhouseCoopers and CIO Magazine. http://www.itsecurity.com/tecsnews/sep2004/sep143.htm

FYI - Downtime Will Triple For Security-Lax Firms - Enterprises that don't take proactive security steps will see their vulnerability-caused downtime triple in the next five years, a research firm said. http://www.techweb.com/article/printableArticle.jhtml;jsessionid=CQDFRV3WOI4CKQSNDBCSKHY?articleID=47204480

FYI - Man pleads guilty in massive identity theft - A former help-desk worker at a New York company that provides credit reports to banks and other lenders pleaded guilty on Tuesday for his role in what federal prosecutors said was the largest identity theft case ever.

FYI - FDIC Awards Contract for Infrastructure Support Services - The Federal Deposit Insurance Corporation today announced the award of the Infrastructure Support Services contract to SRA International, Inc. The five-year, performance-based contract is a key part of the effort to consolidate the FDIC's information technology contracts. www.fdic.gov/news/news/press/2004/pr10004.html

FYI - GAO - Information Management: Planning for the Electronic Records Archives Has Improved.
Report:  http://www.gao.gov/cgi-bin/getrpt?GAO-04-927
Highlights - http://www.gao.gov/highlights/d04927high.pdf

Return to the top of the newsletter

Record Retention

Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.

Return to the top of the newsletter

- We continue our series on the FFIEC interagency Information Security Booklet.  


Frequently TSPs or user groups will contract with an accounting firm to report on security using Statement on Auditing Standards 70 (SAS 70), an auditing standard developed by the American Institute of Certified Public Accountants. SAS 70 focuses on controls and control objectives. It allows for two types of reports. A SAS 70 Type I report gives the service provider's description of controls at a specific point in time, and an auditor's report. The auditor's report will provide an opinion on whether the control description fairly presents the relevant aspects of the controls, and whether the controls were suitably designed for their purpose.

A SAS 70 Type II report expands upon a Type I report by addressing whether the controls were functioning. It provides a description of the auditor's tests of the controls. It also provides an expanded auditor's report that addresses whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the specified period.

Financial institutions should carefully evaluate the scope and findings of any SAS 70 report. The report may be based on different security requirements than those established by the institution. It may not provide a thorough test of security controls unless requested by the TSP or augmented with additional coverage. Additionally, the report may not address the effectiveness of the security process in continually mitigating changing risks.  Therefore, financial institutions may require additional reports to oversee the security program of the service provider.

Return to the top of the newsletter


5. Evaluate the procedure for granting temporary access to personnel during the implementation of contingency plans.

!  Evaluate the extent to which back-up personnel have been assigned different tasks when contingency planning scenarios are in effect and the need for different levels of systems, operational, data and facilities access.
!  Review the assignment of authentication and authorization credentials to see if they are based upon primary job responsibilities or if they also include contingency planning responsibilities. (If an employee is permanently assigned access credential to fill in for another employee who is on vacation or out the office, this assignment would be a primary job responsibility.)

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Other Matters

Fair Credit Reporting Act

The regulations do not modify, limit, or supersede the operation of the Fair Credit Reporting Act.

State Law

The regulations do not supersede, alter, or affect any state statute, regulation, order, or interpretation, except to the extent that it is inconsistent with the regulations. A state statute, regulation, order, etc. is consistent with the regulations if the protection it affords any consumer is greater than the protection provided under the regulations, as determined by the FTC.

Grandfathered Service Contracts

Contracts that a financial institution has entered into, on or before July 1, 2000, with a nonaffiliated third party to perform services for the financial institution or functions on its behalf, as described in section 13, will satisfy the confidentiality requirements of section 13(a)(1)(ii) until July 1, 2002, even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information.

Guidelines Regarding Protecting Customer Information

The regulations require a financial institution to disclose its policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information about consumers (whether or not they are customers). The disclosure need not describe these policies and practices in detail, but instead may describe in general terms who is authorized to have access to the information and whether the institution has security practices and procedures in place to ensure the confidentiality of the information in accordance with the institution's policies.

The four federal bank and thrift regulators have published guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley Act, that address steps a financial institution should take in order to protect customer information. The guidelines relate only to information about customers, rather than all consumers. Compliance examiners should consider the findings of a 501(b) inspection during the compliance examination of a financial institution for purposes of evaluating the accuracy of the institution's disclosure regarding data security.

Next week we will start covering the examination objectives.

IN CLOSING - The FFIEC interagency Internet guidelines require financial institution web sites to comply with consumer compliance, advertising, notifications, weblinking, and other federal regulations.  We have identified 17 federal regulations and over 130 issues that relate to an institution's web site.  We also verify weblinks for functionality and appropriateness.  As a former bank examiner with over 40 year experience, we audit web sites following the FFIEC Internet guidelines for financial institutions across the country.  Visit http://www.bankwebsiteaudits.com and learn how we can assist your financial institution.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated