R. Kinney Williams & Associates

Internet Banking News

February 15, 2004

CONTENTS: Internet Compliance | Information Systems Security | IT Security Question | Internet Privacy | Website for Penetration Testing


FYI - It has come to our attention that at least one compliance examiner is requiring that each "email link" off a financial institution's web site have an email disclaimer on the "contact us" web page as well as an "email disclaimer" that appears after the "email link" is clicked. During our web site audits, we have always recommended that there be an "email disclaimer" at least in the institution's terms of use statement. Apparently, this is not satisfying some examiners; therefore, we recommend that you place an "email disclaimer" on your "contact us" pages as well as an "email disclaimer" that appears after the "email link" is clicked. If we are not already auditing your web site, please visit http://www.yennik.com/ for more information about our web site auditing service.

FYI - DHS launches trio of IT security groups - The Homeland Security Department has formed three new organizations to strengthen federal IT defenses and coordinate responses to systems threats.  http://www.gcn.com/vol1_no1/daily-updates/24896-1.html

FYI  - Web applications wide open to hackers - Over 90 per cent of online apps not secured against common cracking techniques.  http://www.vnunet.com/News/1152521

FYI - Courts make users liable for security glitches - It used to be that the rules of the game made suing a vendor for a security breach a losing proposition. It was easier to settle a dispute for less, or to take an insurance payout and move on. No more. Because of changes in the insurance business and some recent court decisions, it looks like this is going to be the year to watch for computer security lawsuits.  http://www.computerworld.com/printthis/2004/0,4814,89854,00.html

FYI  - ACH origination weaknesses - The Texas Department of Banking publishes a list of 12 practices for avoiding common ACH origination weaknesses:  http://www.banking.state.tx.us/EXEC/SPEECHES/01-23-04_pts.htm

FYI - Spam seen as security risk - Spam is definitely annoying, but corporate customers also see it as a potential security risk, according to a survey released Wednesday.  http://news.com.com/2100-7355_3-5157275.html?tag=nefd_top

FYI - FinCEN name used in scam - In recent weeks, electronic con artists representing themselves as federal officials have used public concern about terrorism to mislead naive e-mail users into divulging personal banking information online, according to Treasury Department officials.  http://www.fcw.com/fcw/articles/2004/0202/web-phish-02-04-04.asp

FYI - VeriSign says online fraud growing fast - A report released by VeriSign, the company that maintains the Internet's .com and .net domain registry, indicates that attempted site hacks, online fraud and identity theft are growing rapidly, as e-commerce proliferates.  http://news.com.com/2100-7355_3-5156062.html?tag=nefd_top


INTERNET COMPLIANCE - We complete our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."

B. RISK MANAGEMENT TECHNIQUES

Managing Service Providers

Financial institutions, especially smaller institutions, may choose to subcontract with a service provider to create, arrange, and manage their websites, including weblinks. The primary risks for these financial institutions are the same as for those institutions that arrange the links directly. However, if a financial institution uses a set of pre-established links to a large number of entities whose business policies or procedures may be unfamiliar, it may increase its risk exposure. This is particularly true in situations in which the institution claims in its published privacy policy that it maintains certain minimum information security standards at all times.

When a financial institution subcontracts weblinking arrangements to a service provider, the institution should conduct sufficient due diligence to ensure that the service provider is appropriately managing the risk exposure from other parties. Management should keep in mind that a vendor might establish links to third parties that are unacceptable to the financial institution. Finally, the written agreement should contain a regulatory requirements clause in which the service provider acknowledges that its linking activities must comply with all applicable consumer protection laws and regulations.

Financial institution management should consider weblinking agreements with its service provider to mitigate significant risks. These agreements should be clear and enforceable with descriptions of all obligations, liabilities, and recourse arrangements. These may include the institution's right to exclude from its site links the financial institution considers unacceptable. Such contracts should include a termination clause, particularly if the contract does not include the ability to exclude websites. Finally, a financial institution should apply its link monitoring policies discussed above to links arranged by service providers or other vendors.


INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Firewall Policy (Part 2 of 3)

Firewalls are an essential control for a financial institution with an Internet connection and provide a means of protection against a variety of attacks. Firewalls should not be relied upon, however, to provide full protection from attacks. Institutions should complement firewalls with strong security policies and a range of other controls. In fact, firewalls are potentially vulnerable to attacks including:

- Spoofing trusted IP addresses;
- Denial of service by overloading the firewall with excessive requests or malformed packets;
- Sniffing of data that is being transmitted outside the network;
- Hostile code embedded in legitimate HTTP, SMTP, or other traffic that meets all firewall rules;
- Attacks on unpatched vulnerabilities in the firewall hardware or software;
- Attacks through flaws in the firewall design providing relatively easy access to data or services residing on firewall or proxy servers; and
- Attacks against machines and communications used for remote administration.
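The first weakness above (spoofed trusted addresses) and the fourth (hostile content inside traffic that satisfies every rule) illustrated with a toy packet-filter policy written two ways; this is an added Python example, not text or code from the FFIEC booklet. The internal range 10.0.0.0/8, the interface names "external"/"internal", the public ports 80/443 and the sample packets are all constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed (constructed) internal address space and Internet-facing services.
INTERNAL_NET = ip_network("10.0.0.0/8")
PUBLIC_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "external" (Internet) or "internal"
    src: str     # source IP address as written in the packet header
    dport: int   # destination TCP port


def naive_allow(pkt: Packet) -> bool:
    """Address-only rule: trusts any packet whose source claims to be internal.
    The header field is unverifiable, so a forged internal source arriving from
    the Internet passes this rule (the 'spoofing trusted IP addresses' weakness)."""
    return ip_address(pkt.src) in INTERNAL_NET or pkt.dport in PUBLIC_PORTS


def hardened_allow(pkt: Packet) -> bool:
    """Same rule plus ingress anti-spoofing tied to the arrival interface:
    an internal source address can only legitimately arrive on the internal
    interface, so seen on the external interface it is dropped outright."""
    src = ip_address(pkt.src)
    if pkt.iface == "external" and src in INTERNAL_NET:
        return False
    return src in INTERNAL_NET or pkt.dport in PUBLIC_PORTS


# Constructed sample traffic: genuine internal, spoofed internal, an ordinary
# inbound web request (allowed either way: the filter never inspects payload,
# which is the fourth weakness) and an unsolicited inbound SSH attempt.
SAMPLE_TRAFFIC = [
    ("genuine-internal", Packet("internal", "10.1.2.3", 22)),
    ("spoofed-internal", Packet("external", "10.1.2.3", 22)),
    ("inbound-web", Packet("external", "198.51.100.7", 443)),
    ("inbound-ssh", Packet("external", "198.51.100.7", 22)),
]


def audit(policy) -> dict:
    """Return {label: allowed?} for the sample traffic under the given policy."""
    return {label: policy(pkt) for label, pkt in SAMPLE_TRAFFIC}


if __name__ == "__main__":
    for name, policy in (("naive", naive_allow), ("hardened", hardened_allow)):
        print(name, audit(policy))
```

Only the spoofed packet changes outcome between the two policies; the inbound web request is accepted by both, which is why the booklet tells institutions to pair the firewall with other controls.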



IT SECURITY QUESTION:

C. HOST SECURITY

12. Determine whether authoritative copies of host configuration and public server content are maintained off line.



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

32. When a customer relationship ends, does the institution continue to apply the customer’s opt out direction to the nonpublic personal information collected during, or related to, that specific customer relationship (but not to new relationships, if any, subsequently established by that customer)? [§7(g)(2)] 

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated