R. Kinney Williams & Associates®

Internet Banking News

November 28, 2004
With more than 40 years of auditing only financial institutions, I have unmatched experience in testing your Internet connection for vulnerabilities and understanding your IT operation.  Visit http://www.internetbankingaudits.com/ for more detailed information.

CONTENTS: Internet Compliance; Information Systems Security; IT Security Question; Internet Privacy; Website for Penetration Testing


FYI - Computer Software Due Diligence: Guidance on Developing an Effective Computer Software Evaluation Program to Assure Quality and Regulatory Compliance - The FDIC is issuing guidance to financial institutions on performing proper due diligence when selecting computer software or a service provider. This due diligence includes making sure that the software or service provider is compliant with applicable laws, including the Bank Secrecy Act, which includes the USA PATRIOT Act. www.fdic.gov/news/news/financial/2004/fil12104.html

FYI - Data-recovery Plans Can Avert Disaster - In today's technology-dependent businesses, even small disruptions can render highly sophisticated machinery and information technology systems ineffective. Without a disaster-recovery plan, disruption-tolerant solutions, and data backups, there isn't much that an organization can do when disaster strikes. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5562

FYI - A German antivirus-software company has broken off its partnership with firewall firm SecurePoint because of SecurePoint's decision to hire Sven Jaschan, the alleged creator of the Sasser worm.
http://news.zdnet.com/2102-1009_22-5453166.html?tag=printthis

FYI - Banks prepare for ATM cyber crime - An international group of law enforcement and financial industry associations hopes to prevent a new type of bank robbery before it gets off the ground: cyber attacks against automated teller machines. http://www.securityfocus.com/printable/news/9903

FYI - The Fed learns from experience - Every cyberattack is a classroom. That's the view of the Federal Reserve.  To protect the Reserve's IT infrastructure, the systems team searches for lessons to be gleaned from each attack, said Mary Ann Emerson, the Federal Reserve Board's IT director.
http://www.gcn.com/vol1_no1/daily-updates/27859-1.html

FYI - The Worst Case Scenario - A recent case in the Queen's Bench in London illustrates the need for just such a handbook for the IT security environment, particularly as it applies to insurance policies that are supposed to protect you from loss of electronic information. http://www.securityfocus.com/printable/columnists/276

FYI - Net banking gains popularity, study says - The number of Americans turning to the Internet for personal banking at least some of the time has risen to 40 percent from 23 percent two years ago, according to a new study. http://news.com.com/Net+banking+gains+popularity%2C+study+says/2100-1038_3-5456228.html?tag=cd.top

FYI - Electronic Fund Transfers: Proposed Amendments to Regulation E Concerning Payroll Cards - This bulletin transmits proposed amendments to Regulation E concerning payroll cards. Under these amendments, the term "account" would include a payroll card account; additional guidance on electronic check conversions would be provided; banks would be allowed to issue multiple replacement access cards; the rules concerning preauthorized EFTs would be amended; the "four walls rule" would be clarified; and, if an ATM operator does not always charge for a particular transaction on its ATMs, it would be allowed to provide notice on these ATMs that a fee "may be" charged.
Press Release: www.occ.treas.gov/ftp/bulletin/2004-52.txt 
Attachment: www.occ.treas.gov/fr/fedregister/69fr55996.pdf 

FYI - Report to Congress on the disclosure of fees that a depository institution may impose when a customer chooses to secure a point-of-sale debit transaction by providing a personal identification number. Discusses the prevalence of PIN fees; the degree of compliance by depository institutions with current disclosure requirements; the adequacy of existing disclosures and the likely benefits and costs of new requirements for disclosure statements; and the feasibility of real-time disclosure. www.federalreserve.gov/boarddocs/rptcongress/posdebit2004.pdf 


INTERNET COMPLIANCE -
Fair Housing Act

A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy if required by rules of the institution's regulator.

Home Mortgage Disclosure Act (Regulation C)

The regulations clarify that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.


INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  

INTRUSION DETECTION AND RESPONSE

INTRUSION RESPONSE
  (Part 2 of 2)

Successful implementation of any response policy and procedure requires the assignment of responsibilities and training. Some organizations formalize the response organization with the creation of a computer security incident response team (CSIRT). The CSIRT is typically tasked with performing, coordinating, and supporting responses to security incidents. Because an intrusion raises a wide range of non-technical issues, typical CSIRT membership includes individuals with a wide range of backgrounds and expertise from many different areas within the institution, including management, legal, public relations, and information technology. Other organizations may outsource some CSIRT functions, such as forensic examinations. When CSIRT functions are outsourced, the institution should ensure that the service provider follows the institution's policies and that the confidentiality of data and systems is maintained.

Institutions can best assess the adequacy of their preparations through testing.

While containment strategies vary between institutions, they typically include the following broad elements:

! Isolation of compromised systems, or enhanced monitoring of intruder activities;
! Search for additional compromised systems;
! Collection and preservation of evidence; and
! Communication with affected parties, the primary regulator, and law enforcement.

Restoration strategies should address the following:

! Elimination of the intruder's means of access;
! Restoration of systems, programs, and data to a known good state;
! Filing of a Suspicious Activity Report (guidelines for filing are included in individual agency guidance); and
! Communication with affected parties.



IT SECURITY QUESTION: 
INTRUSION DETECTION AND RESPONSE

18. Determine if the information disclosure policy addresses the appropriate regulatory reporting requirements.

19. Determine if the security policy provides for a provable chain of custody for the preservation of potential evidence through such mechanisms as a detailed action and decision log indicating who made each entry.
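One way to make the "detailed action and decision log indicating who made each entry" provable rather than merely present is to hash-chain it: every entry records who acted, what was done to which piece of evidence, the fingerprint of that evidence at the time, and the hash of the preceding entry, so that a later edit to any field (including the actor) is detectable. The following Python is an added illustration written for this newsletter; it is not from the FFIEC booklet or any agency guidance. The evidence bytes, names, and timestamps are constructed sample data, and the field set is an assumption, not a regulatory requirement.

```python
"""Hash-chained chain-of-custody log (added illustration, not from the FFIEC booklet)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash recorded by the first entry


@dataclass(frozen=True)
class CustodyEntry:
    seq: int
    timestamp: str        # ISO-8601, supplied by the caller so runs are reproducible
    actor: str            # who made the entry: the point of question 19
    action: str           # e.g. "imaged", "sealed", "transferred", "analyzed"
    artifact: str         # evidence identifier, e.g. an image file name
    artifact_sha256: str  # fingerprint of the evidence at the time of the action
    prev_hash: str        # entry_hash of the previous entry; this links the chain
    entry_hash: str = ""  # SHA-256 over all the fields above


def _hash_fields(fields: Dict[str, object]) -> str:
    """Hash a stable serialization so key order cannot change the result."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_entry(log: List[CustodyEntry], timestamp: str, actor: str,
                 action: str, artifact: str, artifact_bytes: bytes) -> CustodyEntry:
    """Append one entry; its hash covers its own fields and the previous entry's hash."""
    prev_hash = log[-1].entry_hash if log else GENESIS
    fields = {
        "seq": len(log),
        "timestamp": timestamp,
        "actor": actor,
        "action": action,
        "artifact": artifact,
        "artifact_sha256": hashlib.sha256(artifact_bytes).hexdigest(),
        "prev_hash": prev_hash,
    }
    entry = CustodyEntry(**fields, entry_hash=_hash_fields(fields))
    log.append(entry)
    return entry


def verify_log(log: List[CustodyEntry]) -> Tuple[bool, Optional[int]]:
    """Recompute every hash and link. Returns (ok, seq of the first bad entry)."""
    expected_prev = GENESIS
    for i, e in enumerate(log):
        fields = asdict(e)
        fields.pop("entry_hash")
        if e.seq != i or e.prev_hash != expected_prev or _hash_fields(fields) != e.entry_hash:
            return False, i
        expected_prev = e.entry_hash
    return True, None


def demo() -> Tuple[bool, bool, Optional[int]]:
    """Constructed scenario: a three-entry log, verified, then one actor field rewritten."""
    disk_image = b"constructed sample: raw bytes of a seized workstation image"
    log: List[CustodyEntry] = []
    append_entry(log, "2004-11-20T09:15:00Z", "j.doe (incident lead)", "imaged", "ws-17.dd", disk_image)
    append_entry(log, "2004-11-20T09:40:00Z", "j.doe (incident lead)", "sealed", "ws-17.dd", disk_image)
    append_entry(log, "2004-11-21T14:05:00Z", "forensic vendor", "received", "ws-17.dd", disk_image)
    clean_ok, _ = verify_log(log)

    # Someone later changes who performed step 1 without re-hashing: the chain breaks there.
    tampered = list(log)
    tampered[1] = CustodyEntry(**{**asdict(tampered[1]), "actor": "someone else"})
    tampered_ok, bad_seq = verify_log(tampered)
    return clean_ok, tampered_ok, bad_seq


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

If the tamperer also recomputes entry 1's hash, entry 2's stored prev_hash no longer matches and verification fails at seq 2 instead; to defeat the check an editor must rewrite every later entry, which is why the log should be copied off-host (or its latest entry_hash recorded somewhere the response team cannot alter) as the incident proceeds.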

20. Determine if the policy requires all compromised systems to be restored before reactivation, through either rebuilding with verified good media or verification of software cryptographic checksums.
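The "verification of software cryptographic checksums" path in question 20 only proves anything if the reference checksums were taken from verified good media, never from the suspect host, and if the comparison reports all three ways a tree can differ: altered files, files the intruder removed, and files the intruder added. The Python below is an added illustration for this newsletter, not code from the FFIEC booklet; the directory layout, file contents, and the "trojaned login" scenario are constructed sample data.

```python
"""Verify a suspect install against a known-good checksum manifest (added illustration)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file (path relative to root) to its SHA-256.
    Run this on verified good media, not on the compromised host."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a suspect tree with the manifest. Any non-empty list means: do not reactivate."""
    actual = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in actual and actual[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in actual),
        "unexpected": sorted(f for f in actual if f not in manifest),
    }


def _write_tree(root: Path, files: Dict[str, bytes]) -> None:
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Constructed scenario: a golden install, and the same install after an intrusion."""
    golden = {
        "bin/login": b"original login binary",
        "lib/libauth.so": b"original auth library",
        "etc/sshd.conf": b"PermitRootLogin no\n",
    }
    with tempfile.TemporaryDirectory() as g, tempfile.TemporaryDirectory() as s:
        gold_root, suspect_root = Path(g), Path(s)
        _write_tree(gold_root, golden)
        manifest = build_manifest(gold_root)          # reference taken from good media
        clean = verify_against_manifest(gold_root, manifest)

        compromised = dict(golden)
        compromised["bin/login"] = b"trojaned login binary"      # backdoored binary
        compromised["etc/sshd.conf"] = b"PermitRootLogin yes\n"  # weakened configuration
        del compromised["lib/libauth.so"]                        # file removed by intruder
        compromised["tmp/.x/rootkit.ko"] = b"loadable module"    # file dropped by intruder
        _write_tree(suspect_root, compromised)
        dirty = verify_against_manifest(suspect_root, manifest)
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = demo()
    print("golden:", clean)
    print("suspect:", dirty)
```

Run the check from a boot of trusted media or against an offline copy of the suspect disk: a checker executed with the compromised host's own kernel and libraries can be shown a clean view of the filesystem by a rootkit, which is exactly the case the "rebuild from verified good media" alternative in question 20 exists for.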

21. Determine whether all participants in intrusion detection and responses are trained adequately in the intrusion detection and response policies, their roles, and the procedures they should take to implement the policies.


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 13, 14, and/or 15, but not outside of these exceptions (Part 2 of 2)

B. Presentation, Content, and Delivery of Privacy Notices 

1)  Review the financial institution's initial and annual privacy notices. Determine whether or not they:

a.  Are clear and conspicuous (§§3(b), 4(a), 5(a)(1)); 

b.  Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and

c.  Include, and adequately describe, all required items of information and contain examples as applicable (§§6, 13).

2)  Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written consumer records where available, determine if the institution has adequate procedures in place to provide notices to consumers, as appropriate. Assess the following:

a.  Timeliness of delivery (§4(a));

b.  Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9); and

c.  For customers only, the timeliness of delivery (§§4(d), 4(e), and 5(a)), the means of delivery of the annual notice (§9(c)), and the accessibility of, or ability to retain, the notice (§9(e)).

IN CLOSING
- The FFIEC interagency Internet guidelines require financial institution web sites to comply with consumer compliance, advertising, notification, weblinking, and other federal regulations.  We have identified 17 federal regulations and over 130 issues that relate to an institution's web site.  We also verify weblinks for functionality and appropriateness.  As a former bank examiner with over 40 years' experience, I audit web sites following the FFIEC Internet guidelines for financial institutions across the country.  Visit http://www.bankwebsiteaudits.com and learn how we can assist your financial institution.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated