February 9, 2003
FYI - Net attacks on businesses down - Attacks on corporate networks by online vandals fell in the second half of last year, according to a report released Monday. http://news.com.com/2100-1001-983154.html?part=dht&tag=ntop
FYI - GAO - Electronic Government: Progress in Promoting Adoption of Smart Card Technology. http://www.gao.gov/new.items/d03144.pdf
FYI - Crooks harvest bank details from Net kiosk - Crooks, operating in the Birmingham area, are preying on people using public access terminals for Internet banking. http://www.theregister.co.uk/content/6/29054.html
FYI - The Sapphire worm, widely known as SQL Slammer, infected more than 90 percent of vulnerable computers within 10 minutes, opening a new era of fast-spreading viruses on the Internet, according to a US think tank. http://news.zdnet.co.uk/story/0,,t269-s2129785,00.html
FYI - Not only could companies have easily slammed the door on the Slammer worm if they had installed the patch released by Microsoft Corp. six months ago, but they could also have uncovered the vulnerability exploited by the worm using a free benchmark developed jointly by the government and private sector. http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78063,00.html
FYI - Bush Approves Cybersecurity Strategy - President Bush has approved the White House's long-awaited national cybersecurity strategy, a landmark document intended to guide government and industry efforts to protect the nation's most critical information systems from cyberattack. http://www.washingtonpost.com/wp-dyn/articles/A6320-2003Jan31.html
FYI - Security Spending Swells - We'll soon spend $45 billion worldwide on security services and products, analysts predict. http://www.pcworld.com/news/article/0,aid,109221,tk,dn020403X,00.asp
FYI - From a reader - The Open Web Application Security Project, a collaborative security education site, has released a list of the top 10 vulnerabilities in Web applications. http://www.eweek.com/article2/0,3959,857317,00.asp
FYI - OCC - FFIEC Information Security Booklet - The Federal Financial Institutions Examination Council (FFIEC) has released updated information security guidance in the form of a new Information Security Booklet.
Press Release: www.occ.treas.gov/ftp/bulletin/2003-4.txt
Attachment: www.ffiec.gov/ffiecinfobase/index.html
Attachment: www.ffiec.gov/ffiecinfobase/html_pages/it_01.html
FYI - Lifting of Moratorium on FinCEN 314(a) Information Requests - On November 26, 2002, the Financial Crimes Enforcement Network of the U.S. Treasury Department and law enforcement agencies imposed a moratorium on requests covered by Section 314(a) of the USA PATRIOT Act. www.occ.treas.gov/ftp/alert/2003-2.txt
INTERNET COMPLIANCE - TRUTH IN SAVINGS ACT (REG DD)
Financial institutions that advertise deposit products and services
on-line must verify that proper advertising disclosures are made in
accordance with all provisions of the regulations. Institutions
should note that the disclosure exemption for electronic media does
not specifically address commercial messages made through an
institution's web site or other on-line banking system. Accordingly,
adherence to all of the advertising disclosure requirements is
required.
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to OSC
regulations if the institution's deposit rates appear on third party
web sites or as part of a rate sheet summary. These types of
messages are not considered advertisements unless the depository
institution, or a deposit broker offering accounts at the
institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers would supplement electronic disclosures
with paper disclosures.
INTERNET SECURITY - We continue our coverage of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Customer Access."
Risk Mitigation
Security should not be compromised when offering wireless
financial services to customers or deploying wireless internal
networks. Financial institutions should carefully consider the risks
of wireless technology and take appropriate steps to mitigate those
risks before deploying either wireless networks or applications. As
wireless technologies evolve, the security and control features
available to financial institutions will make the process of risk
mitigation easier. Steps that can be taken immediately in wireless
implementation include:
1) Establishing a minimum set of security requirements for
wireless networks and applications;
2) Adopting proven security policies and procedures to address
the security weaknesses of the wireless environment;
3) Adopting strong encryption methods that encompass
end-to-end encryption of information as it passes throughout the
wireless network;
4) Adopting authentication protocols for customers using
wireless applications that are separate and distinct from those
provided by the wireless network operator;
5) Ensuring that the wireless software includes appropriate
audit capabilities (for such things as recording dropped
transactions);
6) Providing appropriate training to IT personnel on network,
application and security controls so that they understand and can
respond to potential risks; and
7) Performing independent security testing of wireless network
and application implementations.
PRIVACY - We continue our coverage of the various issues in the "Privacy of
Consumer Financial Information" published by the financial
regulatory agencies.
Opt Out Right and Exceptions:
The Right
Consumers must be given the right to "opt out" of, or
prevent, a financial institution from disclosing nonpublic personal
information about them to a nonaffiliated third party, unless an
exception to that right applies. The exceptions are detailed in
sections 13, 14, and 15 of the regulations and described below.
As part of the opt out right, consumers must be given a reasonable
opportunity and a reasonable means to opt out. What constitutes a reasonable
opportunity to opt out depends on the circumstances surrounding
the consumer's transaction, but a consumer must be provided a
reasonable amount of time to exercise the opt out right. For
example, it would be reasonable if the financial institution allows
30 days from the date of mailing a notice or 30 days after customer
acknowledgement of an electronic notice for an opt out direction to
be returned. What constitutes a reasonable means to opt out
may include check-off boxes, a reply form, or a toll-free telephone
number, again depending on the circumstances surrounding the
consumer's transaction. It is not reasonable to require a consumer
to write his or her own letter as the only means to opt out.
MORE INFORMATION - Vulnerability-penetration
studies at http://www.internetbankingaudits.com/
and web site audits at http://www.bankwebsiteaudits.com/.