January 12, 2003
FYI - Securing Outlook, Part Two:
Many Choices to Make - This is the second of two articles focusing
on ways to secure one of the world's most popular e-mail clients,
Microsoft's Outlook. The first
article offered a brief overview of Outlook, as well as some of
the threats that undermine its security. It also discussed
configuring Outlook for optimal security. This article will look at
some more things that Outlook users can do to improve their e-mail
security. http://online.securityfocus.com/infocus/1652
FYI - California disclosure law has
national reach - A
new California law requiring companies to notify their customers of
computer security breaches applies to any online business that
counts Californians as customers, even if the company isn't based in
the Golden State. http://online.securityfocus.com/news/1984
FYI - Security
Threats to Beware of in 2003 - In this New Year, virus attacks just
begin with e-mail. Here's what to do to stay safe from
Internet-borne nasties. http://www.pcworld.com/news/article/0,aid,108376,tk,wb010703x,00.asp
FYI - Wal-Mart to offer discount financial services -
Wal-Mart is introducing basic financial services for US customers, using the
same low-margin strategy that has turned it into the world's biggest retailer.
http://www.yennik.com/article_walmart1-7-03.htm
FYI - Feds back off proposed disaster
recovery regs for Wall Street - Federal
regulators have reportedly dropped a proposed plan to require Wall
Street firms to move their disaster recovery data centers 200 to 300
miles away from primary data centers, according to an announcement
by a U.S. senator. http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,77250,00.html
FYI - Virus outlook: Bigger trouble ahead - The year 2002 may have
been a relatively quiet year for virus attacks, but security experts say
that this is likely to be the calm before the storm. In 2003, they
say, new breeds of computer attacks are likely to emerge that are
capable of knocking out millions of computers around the Internet in
a matter of minutes. http://msn.com.com/2100-1105-979066.html
INTERNET COMPLIANCE - Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
INTERNET SECURITY - We continue our review of
the FDIC paper "Risk Assessment Tools and Practices for
Information System Security."
PENETRATION ANALYSIS (Part 2 of 2)
A penetration analysis itself can introduce new risks to an
institution; therefore, several items should be considered before
having an analysis completed, including the following:
1) If using outside testers, the reputation of the firm or
consultants hired. The evaluators will assess the weaknesses in the
bank's information security system. As such, the confidentiality of
results and bank data is crucial. Just like screening potential
employees prior to their hire, banks should carefully screen firms,
consultants, and subcontractors who are entrusted with access to
sensitive data. A bank may want to require security clearance checks
on the evaluators. An institution should ask if the evaluators have
liability insurance in case something goes wrong during the test.
The bank should enter into a written contract with the evaluators,
which at a minimum should address the above items.
2) If using internal testers, the independence of the testers from
system administrators.
3) The secrecy of the test. Some senior executives may order an
analysis without the knowledge of information systems personnel.
This can create unwanted results, including the notification of law
enforcement personnel and wasted resources responding to an attack.
To prevent excessive responses to the attacks, bank management may
consider informing certain individuals in the organization of the
penetration analysis.
4) The importance of the systems to be tested. Some systems may be
too critical to be exposed to some of the methods used by the
evaluators such as a critical database that could be damaged during
the test.
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail {custom4} a proposal. E-mail Kinney Williams at examiner@yennik.com
for more information.
PRIVACY EXAMINATION QUESTION
- This week we finish our series listing the regulatory privacy
examination questions. Next week, we will cover the issues
outlined in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies in
May 2001.
50. If the institution discloses nonpublic personal
information to nonaffiliated third parties, do the requirements for
initial notice in §4(a)(2), opt out in §§7 and 10, revised notice
in §8, and for service providers and joint marketers in §13, not
apply because the institution makes the disclosure:
a. with the consent or at the direction of the consumer;
[§15(a)(1)]
b.
1. to protect the confidentiality or security of records; [§15(a)(2)(i)]
2. to protect against or prevent actual or potential fraud,
unauthorized transactions, claims, or other liability; [§15(a)(2)(ii)]
3. for required institutional risk control or for resolving
consumer disputes or inquiries; [§15(a)(2)(iii)]
4. to persons holding a legal or beneficial interest relating
to the consumer; [§15(a)(2)(iv)] or
5. to persons acting in a fiduciary or representative capacity
on behalf of the consumer; [§15(a)(2)(v)]
c. to insurance rate advisory organizations, guaranty funds or
agencies, agencies rating the institution, persons assessing
compliance, and the institution's attorneys, accountants, and
auditors; [§15(a)(3)]
d. in compliance with the Right to Financial Privacy Act, or
to law enforcement agencies; [§15(a)(4)]
e. to a consumer reporting agency in accordance with the FCRA
or from a consumer report reported by a consumer reporting agency; [§15(a)(5)]
f. in connection with a proposed or actual sale, merger,
transfer, or exchange of all or a portion of a business or operating
unit, if the disclosure of nonpublic personal information concerns
solely consumers of such business or unit; [§15(a)(6)]
g. to comply with Federal, state, or local laws, rules, or
legal requirements; [§15(a)(7)(i)]
h. to comply with a properly authorized civil, criminal, or
regulatory investigation, or subpoena or summons by Federal, state,
or local authorities; [§15(a)(7)(ii)] or
i. to respond to judicial process or government regulatory
authorities having jurisdiction over the institution for
examination, compliance, or other purposes as authorized by law? [§15(a)(7)(iii)]
(Note: the regulation gives the following as an example of
the exception described in section a of this question: "A
consumer may specifically consent to [an institution's] disclosure
to a nonaffiliated insurance company of the fact that the consumer
has applied to [the institution] for a mortgage so that the
insurance company can offer homeowner's insurance to the
consumer.") |