R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

November 21, 2004
With more than 40 years of auditing only financial institutions, my experience in testing your Internet connection for vulnerabilities and understanding your IT operation is unmatched.  Visit http://www.internetbankingaudits.com/ for more detailed information.

CONTENT: Internet Compliance - Information Systems Security - IT Security Question - Internet Privacy - Website for Penetration Testing

FYI - Further setback for online banking - Another internet banking security blunder has been revealed, leaving users able to view each other's credit details. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=da1a6931-0eb3-4075-870b-9c9e5aa59e5b&newsType=Latest%20News

FFIEC Information Technology Examination Handbook New Guidance for Examiners, Financial Institutions and Technology Service Providers on Operations and Wholesale Payment Systems - The Federal Financial Institutions Examination Council has issued booklets with guidance on evaluating operations and wholesale payment systems. These booklets are the last in a series of booklets comprising the FFIEC Information Technology Examination Handbook. The outdated 1996 FFIEC Information Systems Examination Handbook has been officially retired. www.fdic.gov/news/news/financial/2004/fil11904.html

FYI - Insecure ATMs given dual protection - The worldwide banking industry has moved to plug potential security flaws as ATM networks increasingly adopt Microsoft Windows. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=d3872bee-a9fd-4d46-82f9-6bab710f2b78&newsType=Latest%20News

FYI - Bank accounts in online security scare - British Internet bank Cahoot has plugged a flaw in its online security that could have enabled people to move freely in and out of other customers' accounts. http://news.com.com/Bank+accounts+in+online+security+scare/2100-1029_3-5440931.html?tag=nefd.hed

FYI - Experts fret over online extortion attempts - It's the 21st century's equivalent of a ransom note: Pay up or suffer a massive denial of service attack on your Web site powered by thousands of hijacked "zombie" computers. http://www.msnbc.msn.com/id/6436834/

FYI - Internet banking fraudsters step up phishing scam - A potent new e-mail scam targets online bankers - Fraudsters have developed a potent new computer program that steals Internet banking customers' details by duping them into opening up a bogus e-mail, a British security firm said yesterday. http://www.computerworld.com/printthis/2004/0,4814,97213,00.html

FYI - Microsoft to help users prep for patching - It will post a summary of planned security bulletins three days before they're released. http://www.computerworld.com/printthis/2004/0,4814,97221,00.html

FYI - Former student indicted in computer hacking - A federal grand jury has indicted a former University of Texas student on charges he hacked into the university system and stole Social Security numbers and other personal information from more than 37,000 students, faculty and staff. http://www.usatoday.com/tech/news/computersecurity/hacking/2004-11-05-ut-hack-charge_x.htm

FYI - Demand for IT security pros growing fast - Government regulations and dynamic threats driving need for qualified staff - Demand for qualified IT security staff is growing fast, with the global total of professionals expected to increase to 2.1 million by 2008 at a compound annual growth rate of 13.7 per cent from 2003. http://www.vnunet.com/news/1159247

FYI - The trouble with your double - It is estimated that identity theft accounts for nearly 40 per cent of all white collar crime in the UK. How can you protect yourself and your business from falling victim to this growing problem? http://www.scmagazine.com/features/index.cfm?fuseaction=FeatureDetails&newsUID=27569671-7be7-4710-bb28-5351092cd800&newsType=Opinion


"Member FDIC" Logo - When is it required?

The FDIC believes that every bank's home page is to some extent an advertisement. Accordingly, bank web site home pages should contain the official advertising statement unless the advertisement is subject to exceptions such as advertisements for loans, securities, trust services and/or radio or television advertisements that do not exceed thirty seconds. 

Whether subsidiary web pages require the official advertising statement will depend upon the content of the particular page.  Subsidiary web pages that advertise deposits must contain the official advertising statement.  Conversely, subsidiary web pages that relate to loans do not require the official advertising statement. 


- We continue our series on the FFIEC interagency Information Security Booklet.  (Part 1 of 2)

Intrusion detection by itself does not mitigate risks of an intrusion. Risk mitigation only occurs through an effective and timely response. The goal of the response is to minimize damage to the institution and its customers through containment of the intrusion, and restoration of systems.

The response primarily involves people rather than technologies. The quality of intrusion response is a function of the institution's culture, policies and procedures, and training.

Preparation determines the success of any intrusion response. Preparation involves defining the policies and procedures that guide the response, assigning responsibilities to individuals and providing appropriate training, formalizing information flows, and selecting, installing, and understanding the tools used in the response effort. Key considerations that directly affect the institution's policies and procedures include the following:

! How to balance concerns regarding availability, confidentiality, and integrity, for devices and data of different sensitivities. This consideration is a key driver for a containment strategy and may involve legal and liability considerations. An institution may decide that some systems must be disconnected or shut down at the first sign of intrusion, while others must be left on line.
! When and under what circumstances to invoke the intrusion response activities, and how to ensure the proper personnel are available and notified.
! How to control the frequently powerful intrusion identification and response tools.
! When to involve outside experts and how to ensure the proper expertise will be available when needed. This consideration addresses both the containment and the restoration strategy.
! When and under what circumstances to involve regulators, customers, and law enforcement. This consideration drives certain monitoring decisions, decisions regarding evidence-gathering and preservation, and communications considerations.
! Which personnel have authority to perform what actions in containment of the intrusion and restoration of the systems. This consideration affects the internal communications strategy, the commitment of personnel, and procedures that escalate involvement and decisions within the organization.
! How and what to communicate outside the organization, whether to law enforcement, customers, service providers, potential victims, and others. This consideration drives the communication strategy, and is a key component in mitigating reputation risk.
! How to document and maintain the evidence, decisions, and actions taken.
! What criteria must be met before compromised services, equipment and software are returned to the network.
! How to learn from the intrusion and use those lessons to improve the institution's security.
! How and when to prepare and file a Suspicious Activity Report (SAR).
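The evidence-preservation item above ("how to document and maintain the evidence") is where a response plan most often fails in practice: artifacts are copied around during containment and nobody can later show that what the regulator, law enforcement or the SAR rests on is what was actually collected. The following is an added example, not text or code from the FFIEC booklet or from this newsletter. It builds a SHA-256 manifest over a collected evidence directory, hashes the manifest's own entry list so edits to the manifest are detectable, and re-verifies the directory, flagging altered, missing and unlisted files. The manifest layout, the collector field, the file names and the two sample log lines are all constructed for the example.

```python
"""Evidence integrity manifest for an intrusion-response collection.

Added example (not from the FFIEC booklet or the newsletter). Assumes a
directory of collected artifacts (log exports, capture files) and records
for each one a SHA-256 digest, size and the collection time, plus a digest
over the entry list itself, so a later reviewer can show that the artifacts
presented are the ones that were collected. All names are illustrative.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name; excluded from the "unlisted" check


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _entries_digest(entries: list) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is stable.
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(evidence_dir: Path, collector: str) -> dict:
    """Record path, size and SHA-256 of every file under evidence_dir."""
    entries = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries.append({
                "path": p.relative_to(evidence_dir).as_posix(),
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            })
    return {
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
        # Digest over the entry list: changing, adding or dropping an entry
        # in the manifest after the fact invalidates this value.
        "entries_sha256": _entries_digest(entries),
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return a list of problems; an empty list means everything still matches."""
    problems = []
    if _entries_digest(manifest["entries"]) != manifest["entries_sha256"]:
        problems.append("manifest entry list has been altered")
    listed = set()
    for e in manifest["entries"]:
        listed.add(e["path"])
        p = evidence_dir / e["path"]
        if not p.is_file():
            problems.append(f"missing: {e['path']}")
        elif sha256_file(p) != e["sha256"]:
            problems.append(f"modified: {e['path']}")
    for p in evidence_dir.rglob("*"):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(evidence_dir).as_posix()
            if rel not in listed:
                problems.append(f"unlisted: {rel}")
    return sorted(problems)


def demo() -> tuple:
    """Constructed sample: collect two artifacts, verify, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample artifacts (RFC 5737 documentation addresses).
        (root / "auth.log").write_text(
            "Nov 21 03:14:07 sshd[812]: Failed password for root from 203.0.113.9\n")
        (root / "netflow.csv").write_text(
            "ts,src,dst,bytes\n1100995200,10.0.0.5,203.0.113.9,48213\n")
        manifest = build_manifest(root, "examiner@example.test")
        (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
        clean = verify_manifest(root, manifest)
        (root / "auth.log").write_text("")          # simulated alteration
        (root / "extra.bin").write_bytes(b"\x00")   # simulated unlisted file
        tampered = verify_manifest(root, manifest)
    return clean, tampered
```

In use, the manifest (or at least its `entries_sha256` value) should be written to write-once or separately controlled storage, or signed, at collection time; a hash that lives only next to the evidence proves nothing if the same person can rewrite both.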



15. Determine if the security policy specifies the actions to be taken following the discovery of an unexpected, unusual, or suspicious activity (potential intrusion), and that appropriate personnel are authorized to take those actions.

16. Evaluate the appropriateness of the security policy in addressing the review of compromised systems. Consider:

!  Documentation of the roles, responsibilities and authority of employees and contractors, and
!  Conditions for the examination and analysis of data, systems, and networks.

17. Determine if the information disclosure policy indicates what information is shared with others, in what circumstances, and identifies the individual(s) who have the authority to initiate disclosure beyond the stated policy.


- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 13, 14, and/or 15 but outside of these exceptions (Part 1 of 2)

A. Disclosure of Nonpublic Personal Information

1)  Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution's compliance with disclosure limitations.

a.  Compare the data shared and with whom the data were shared to ensure that the institution accurately categorized its information sharing practices and is not sharing nonpublic personal information outside the exceptions (13, 14, 15).

b.  Compare the categories of data shared and with whom the data were shared to those stated in the privacy notice and verify that what the institution tells consumers in its notices about its policies and practices in this regard and what the institution actually does are consistent (10, 6).

2)  Review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in section 14 or 15. Determine whether the contracts adequately prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the "grandfather" provisions of Section 18 apply to certain of these contracts. (13(a)).

- The FFIEC interagency Internet guidelines require financial institution web sites to comply with consumer compliance, advertising, notifications, weblinking, and other federal regulations.  We have identified 17 federal regulations and over 130 issues that relate to an institution's web site.  We also verify weblinks for functionality and appropriateness.  With over 40 years' experience as a former bank examiner, we audit web sites following the FFIEC Internet guidelines for financial institutions across the country.  Visit http://www.bankwebsiteaudits.com and learn how we can assist your financial institution.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated