FYI - University of Georgia computer systems hacked - The FBI and the Georgia Bureau of Investigation are investigating a break-in to the University of Georgia computer systems.
http://www.computerworld.com/printthis/2004/0,4814,89590,00.html
FYI - Virus Alert Program Debuts - Launched Wednesday by the National Cyber Security Division of the Department of Homeland Security, the alerts will be available to members of the public as well as technology professionals responsible for the security of infrastructure systems. Interested parties can subscribe to the alerts online.
http://www.wired.com/news/print/0,1294,62078,00.html
FYI - Microsoft offers $250,000 reward in Mydoom.B attacks - Microsoft Corp. will pay a $250,000 reward for information leading to the arrest and conviction of the person or persons responsible for releasing the Mydoom.B worm, the company said in a statement yesterday.
http://www.computerworld.com/printthis/2004/0,4814,89584,00.html
FYI - NCUA - Treasury Warns Against Fraudulent E-Mail Schemes
www.ncua.gov/FBIIC/Security/04-0202-Treasury1130.pdf
INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
Customer Service Complaints
Financial institutions should have plans to respond to customer
complaints, including those regarding the appropriateness or quality
of content, services, or products provided or the privacy and
security policies of the third-party site. The plan should also
specify how the financial institution will handle complaints
regarding any failure of linked third parties to provide the agreed
upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the
activities of linked third parties as a part of its risk management
strategy. Monitoring policies and procedures should include periodic
content review and testing to ensure that links function properly,
and to verify that the levels of services provided by third parties
are in accordance with contracts and agreements. Website
content is dynamic, and third parties may change the presentation or
content of a website in a way that results in risk to the financial
institution's reputation. Periodic review and testing will reduce
this risk exposure. The frequency of review should be commensurate
with the degree of risk presented by the linked site.
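The periodic link testing described above can be automated. The following is an added example (not part of the FFIEC statement or this newsletter) that checks each weblink for a working HTTP status and for changes to the approved content by comparing a SHA-256 baseline; the URLs, responses and the fake_fetch function are constructed stand-ins so it runs offline, and a real deployment would pass a fetcher that performs the HTTP request.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class LinkRecord:
    url: str
    expected_status: int = 200
    baseline_sha256: Optional[str] = None   # digest of the last approved content

def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def review_links(records: List[LinkRecord],
                 fetch: Callable[[str], Tuple[int, bytes]]):
    """Return (url, finding, detail) tuples for links needing attention.
    fetch(url) must return (status_code, body_bytes) or raise on failure."""
    findings = []
    for rec in records:
        try:
            status, body = fetch(rec.url)
        except Exception as exc:                       # DNS, TLS, timeout, ...
            findings.append((rec.url, "UNREACHABLE", str(exc)))
            continue
        if status != rec.expected_status:              # link no longer functions
            findings.append((rec.url, "BROKEN", f"HTTP {status}"))
            continue
        digest = sha256_hex(body)
        if rec.baseline_sha256 is None:                # first review: record baseline
            rec.baseline_sha256 = digest
            findings.append((rec.url, "BASELINED", digest[:12]))
        elif digest != rec.baseline_sha256:            # third party changed the page
            findings.append((rec.url, "CONTENT_CHANGED", digest[:12]))
    return findings

# Constructed canned responses standing in for the network (hypothetical URLs).
CANNED = {
    "https://partner.example/terms": (200, b"<html>Terms v1</html>"),
    "https://partner.example/privacy": (404, b"not found"),
    "https://vendor.example/rates": (200, b"<html>Rates changed</html>"),
}

def fake_fetch(url: str) -> Tuple[int, bytes]:
    if url not in CANNED:
        raise ConnectionError("DNS failure")
    return CANNED[url]

def demo():
    records = [
        LinkRecord("https://partner.example/terms"),
        LinkRecord("https://partner.example/privacy"),
        LinkRecord("https://vendor.example/rates",
                   baseline_sha256=sha256_hex(b"<html>Rates v1</html>")),
        LinkRecord("https://gone.example/"),
    ]
    return review_links(records, fake_fetch)
```

A CONTENT_CHANGED finding is a prompt for human content review, not proof of a problem; the baseline is updated only once the new content has been approved.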
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Policy (Part 1 of 3)
A firewall policy states management's expectations for how the
firewall should function and is a component of the overall security
policy. It should establish rules for traffic coming into and going
out of the security domain and how the firewall will be managed and
updated. Therefore, it is a type of security policy for the
firewall, and forms the basis for the firewall rules. The firewall
selection and the firewall policy should stem from the ongoing
security risk assessment process. Accordingly, management needs to
update the firewall policy as the institution's security needs and
the risks change. At a minimum, the policy should address:
- Firewall topology and architecture,
- Type of firewall(s) being utilized,
- Physical placement of the firewall components,
- Monitoring firewall traffic,
- Permissible traffic (generally based on the premise that all traffic not expressly allowed is denied, detailing which applications can traverse the firewall and under what exact circumstances such activities can take place),
- Firewall updating,
- Coordination with intrusion detection and response mechanisms,
- Responsibility for monitoring and enforcing the firewall policy,
- Protocols and applications permitted,
- Regular auditing of a firewall's configuration and testing of the firewall's effectiveness, and
- Contingency planning.
Financial institutions should also appropriately train and manage
their staffs to ensure the firewall policy is implemented properly.
Alternatively, institutions can outsource the firewall management,
while ensuring that the outsourcer complies with the institution's
specific firewall policy.
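Two of the policy elements above, "all traffic not expressly allowed is denied" and "regular auditing of a firewall's configuration", can be illustrated in code. The following is an added example (not from the FFIEC booklet or any firewall product) that models a first-match rule set with an implicit default deny and audits it for two common configuration defects: an allow-anything rule, and a rule shadowed by an earlier one so that it is never evaluated. The Rule fields, rule names and addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR; "0.0.0.0/0" means any source
    dst: str              # CIDR; "0.0.0.0/0" means any destination
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None means any
    action: str           # "allow" or "deny"

def rule_matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))

def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule decides; anything not expressly allowed is denied."""
    for rule in rules:
        if rule_matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"          # implicit default deny at the end of the chain

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches rule b also matches rule a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.proto in ("any", b.proto)
            and a.dport in (None, b.dport))

def audit(rules: List[Rule]) -> List[str]:
    """Flag allow-anything rules and rules shadowed by an earlier rule."""
    findings = []
    for i, rule in enumerate(rules):
        if (rule.action == "allow" and rule.proto == "any"
                and rule.src == "0.0.0.0/0" and rule.dst == "0.0.0.0/0"):
            findings.append(f"{rule.name}: permits all traffic, violates default-deny")
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append(f"{rule.name}: shadowed by {earlier.name}, never evaluated")
                break
    return findings

POLICY = [   # constructed rule set using documentation address ranges
    Rule("web-in", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443, "allow"),
    Rule("dns-out", "10.0.0.0/8", "0.0.0.0/0", "udp", 53, "allow"),
    Rule("block-telnet", "0.0.0.0/0", "0.0.0.0/0", "tcp", 23, "deny"),
    Rule("mgmt-https", "192.0.2.0/24", "203.0.113.10/32", "tcp", 443, "allow"),
]
```

The shadowed mgmt-https rule is harmless here because web-in already allows the traffic, but the same audit catches the dangerous case where a specific deny is shadowed by a broader earlier allow.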
IT SECURITY QUESTION:
C. HOST SECURITY
11. Determine whether appropriate notification is made of authorized use, through banners or other means.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
30. Does the institution allow the consumer to opt out at any time? [§7(f)]
31. Does the institution continue to honor the consumer's opt out
direction until revoked by the consumer in writing, or, if the
consumer agrees, electronically? [§7(g)(1)]
IN CLOSING - The FFIEC interagency Internet guidelines require financial institution web sites to comply with consumer compliance, advertising, notification, weblinking, and other federal regulations. We have identified 17 federal regulations and over 130 issues that relate to an institution's web site. We also verify weblinks for functionality and appropriateness. As a former bank examiner with over 20 years of experience, we audit web sites following the FFIEC Internet guidelines for financial institutions all across the country. Visit
http://www.bankwebsiteaudits.com
and learn how we can assist your financial institution.