January 5, 2003
FYI - The Future of Retail Electronic Payments Systems: Industry
Interviews and Analysis - Electronic payments have become a
prominent feature of the U.S.
economic landscape, as consumers, businesses, and governments have
increasingly used electronic instruments to make retail payments.
Survey research by the Federal Reserve published in 2002, for
example, indicates that the use of debit and credit cards and
automatic deposit and withdrawal (via the automated clearinghouse)
grew fivefold from 1979 to 2000 and that the use of paper checks for
payments probably peaked in the mid-1990s. www.federalreserve.gov/Pubs/StaffStudies/2000-present/175sum.htm
FYI - New Version of EDIE -- the Electronic Deposit
Insurance Estimator -- for Use by Financial Institution Employees -
The FDIC is releasing a new, CD-ROM version of its interactive
insurance calculator to help bankers provide accurate information to
customers. www.fdic.gov/news/news/financial/2002/FIL02147.html
FYI - Securing Outlook, Part One: Initial Configuration - This
article is the first part of a two-part series
that will help readers to secure their Outlook email clients. This
installment will offer a brief overview of Outlook, as well as a
guide to configuring it securely. http://online.securityfocus.com/infocus/1648
FYI - White House plans wide monitoring of Net - The White House is
proposing an Internet-wide monitoring center to
detect and defend against major cyber-attacks, but the Bush
administration sought to ease worries it might scrutinize individual
users' e-mails along with other data traffic. http://www.cnn.com/2002/TECH/internet/12/23/cyber.security.ap/index.html
INTERNET COMPLIANCE - Equal Credit Opportunity Act (Regulation B)
The regulations clarify the rules concerning the taking of credit
applications by specifying that application information entered
directly into and retained by a computerized system qualifies as a
written application under this section. If an institution makes
credit application forms available through its on-line system, it
must ensure that the forms satisfy the requirements.
The regulations also clarify the regulatory requirements that apply
when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
mail.
INTERNET SECURITY - We continue our review of the FDIC paper "Risk
Assessment Tools and Practices for Information System Security."
PENETRATION ANALYSIS (Part 1 of 2)
After the initial risk assessment is completed, management may
determine that a penetration analysis (test) should be conducted.
For the purpose of this paper, "penetration analysis" is
broadly defined. Bank management should determine the scope and
objectives of the analysis. The scope can range from a specific test
of a particular information system's security to a review of multiple
information security processes in an institution.
A penetration analysis usually involves a team of experts who
identify an information system's vulnerability to a series of
attacks. The evaluators may attempt to circumvent the security
features of a system by exploiting the identified vulnerabilities.
Similar to running vulnerability scanning tools, the objective of a
penetration analysis is to locate system vulnerabilities so that
appropriate corrective steps can be taken.
The analysis can apply to any institution with a network, but
becomes more important if system access is allowed via an external
connection such as the Internet. The analysis should be independent
and may be conducted by a trusted third party, qualified internal
audit team, or a combination of both. The information security
policy should address the frequency and scope of the analysis. In
determining the scope of the analysis, items to consider include
internal vs. external threats, systems to include in the test,
testing methods, and system architectures.
A penetration analysis is a snapshot of the security at a point in
time and does not provide a complete guaranty that the system(s)
being tested is secure. It can test the effectiveness of security
controls and preparedness measures. Depending on the scope of the
analysis, the evaluators may work under the same constraints applied
to ordinary internal or external users. Conversely, the evaluators
may use all system design and implementation documentation. It is
common for the evaluators to be given just the IP address of the
institution and any other public information, such as a listing of
officers that is normally available to outside hackers. The
evaluators may use vulnerability assessment tools, and employ some
of the attack methods discussed in this paper such as social
engineering and war dialing. After completing the agreed-upon
analysis, the evaluators should provide the institution a detailed
written report. The report should identify vulnerabilities,
prioritize weaknesses, and provide recommendations for corrective
action.
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail {custom4} a proposal. E-mail Kinney Williams at examiner@yennik.com
for more information.
PRIVACY EXAMINATION QUESTION - We continue our series listing the
regulatory-privacy examination questions. When you answer the
question each week,
you will help ensure compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and
Servicing Transactions
49. If the institution uses a Section 14 exception as necessary to
effect, administer, or enforce a transaction, is it:
  a. required, or is one of the lawful or appropriate methods to
  enforce the rights of the institution or other persons engaged in
  carrying out the transaction or providing the product or service;
  [§14(b)(1)] or
  b. required, or is a usual, appropriate, or acceptable method to:
  [§14(b)(2)]
    1. carry out the transaction or the product or service business
    of which the transaction is a part, including recording,
    servicing, or maintaining the consumer's account in the ordinary
    course of business; [§14(b)(2)(i)]
    2. administer or service benefits or claims; [§14(b)(2)(ii)]
    3. confirm or provide a statement or other record of the
    transaction or information on the status or value of the
    financial service or financial product to the consumer or the
    consumer's agent or broker; [§14(b)(2)(iii)]
    4. accrue or recognize incentives or bonuses; [§14(b)(2)(iv)]
    5. underwrite insurance or for reinsurance or for certain other
    purposes related to a consumer's insurance; [§14(b)(2)(v)] or
    6. in connection with:
      i. the authorization, settlement, billing, processing,
      clearing, transferring, reconciling, or collection of amounts
      charged, debited, or otherwise paid by using a debit, credit,
      or other payment card, check, or account number, or by other
      payment means; [§14(b)(2)(vi)(A)]
      ii. the transfer of receivables, accounts or interests therein;
      [§14(b)(2)(vi)(B)] or
      iii. the audit of debit, credit, or other payment information?
      [§14(b)(2)(vi)(C)]