FYI - FTC Issues Warning About Fake Anti-Spam Site - Consumers should not submit their e-mail addresses to a Web site that promises to reduce unwanted "spam" because it is fraudulent, the U.S. Federal Trade Commission said Thursday.
http://www.washingtonpost.com/ac2/wp-dyn/A37291-2004Feb12?language=printer
FYI - Federal patch service to stop - DHS officials said that the department will get out of the business of distributing security patches because the private sector is better at it than the federal government.
http://www.fcw.com/fcw/articles/2004/0209/web-patch-02-11-04.asp
FYI - Online Search Engines Help Lift Cover of Privacy - Cybersecurity experts say an increasing number of private or putatively secret documents are online in out-of-the-way corners of computers all over the globe, leaving the government, individuals, and companies vulnerable to security breaches.
http://www.washingtonpost.com/ac2/wp-dyn/A24053-2004Feb8?language=printer
FYI - Two Sites Face Fines Under COPPA - The U.S. Federal Trade Commission has settled with two Web site operators charged with violating the Children's Online Privacy Protection Act, netting the agency's largest civil penalty yet under the rule.
http://www.pcworld.com/news/article/0,aid,114851,tk,dn021904X,00.asp
INTERNET COMPLIANCE - This week begins our series on the Federal Financial Institutions Examination Council Guidance on Electronic Financial Services and Consumer Compliance.
Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program requires a financial institution to notify a prospective borrower and the servicer that the structure securing the loan is located or to be located in a special flood hazard area. The regulation also requires that a notice of the servicer's identity be delivered to the insurance provider. While the regulation addresses electronic delivery to the servicer and to the insurance provider, it does not address electronic delivery of the notice to the borrower.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Policy (Part 3 of 3)
Financial institutions can reduce their vulnerability to these attacks somewhat through network configuration and design, a sound implementation of the firewall architecture that includes multiple filter points, active firewall monitoring and management, and integrated intrusion detection. In most cases, additional access controls within the operating system or application will provide a further means of defense.
Given the importance of firewalls as a means of access control, good practices include:
- Hardening the firewall by removing all unnecessary services and appropriately patching, enhancing, and maintaining all software on the firewall unit;
- Restricting network mapping capabilities through the firewall, primarily by blocking inbound ICMP traffic;
- Using a ruleset that disallows all traffic that is not specifically allowed;
- Using NAT and split DNS (domain name service) to hide internal system names and addresses from external networks (split DNS uses two domain name servers, one to communicate outside the network, and the other to offer services inside the network);
- Using proxy connections for outbound HTTP connections;
- Filtering malicious code;
- Backing up firewalls to internal media, and not backing up the firewall to servers on protected networks;
- Logging activity, with daily administrator review;
- Using intrusion detection devices to monitor actions on the firewall and to monitor communications allowed through the firewall;
- Administering the firewall using encrypted communications and strong authentication, only accessing the firewall from secure devices, and monitoring all administrative access;
- Limiting administrative access to few individuals; and
- Making changes only through well-administered change control procedures.
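As an added illustration of three of the practices above (a default-deny ruleset, blocking inbound ICMP, and routing outbound HTTP through a proxy), here is a constructed first-match packet-filter evaluator; it is example code written for this newsletter, not taken from the FFIEC booklet or any vendor product, and the addresses and proxy host 10.0.0.5 are made up.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example: first-match, default-deny packet filter evaluator.
@dataclass(frozen=True)
class Rule:
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp", "icmp" or "any"
    src: str                # source CIDR
    dport: Optional[int]    # destination port, None = any port
    action: str             # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dport: Optional[int]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and rule.dport in (None, pkt.dport))

def evaluate(rules, pkt: Packet, log) -> str:
    """First match decides; unmatched traffic is denied and logged for review."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.action == "deny":
                log.append(f"DENY rule {pkt}")
            return rule.action
    log.append(f"DENY default {pkt}")
    return "deny"

def overly_permissive(rules):
    """Flag allow rules admitting any protocol, any port, from anywhere."""
    return [r for r in rules if r.action == "allow" and r.proto == "any"
            and r.dport is None and ip_network(r.src).prefixlen == 0]

# Constructed ruleset: drop inbound ICMP (hampers network mapping), admit only
# the published HTTPS service inbound, and allow outbound HTTP only from the
# proxy host 10.0.0.5 (a constructed address).
RULESET = [
    Rule("in", "icmp", "0.0.0.0/0", None, "deny"),
    Rule("in", "tcp", "0.0.0.0/0", 443, "allow"),
    Rule("out", "tcp", "10.0.0.5/32", 80, "allow"),
]
```

The log list collects every denied packet, including those caught by the implicit default deny, which is the material a daily administrator review would look at.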
IT SECURITY QUESTION:
C. HOST SECURITY
13. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
33. Except as permitted by §§13-15, does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as described in the initial privacy notice provided to the consumer, unless:
a. the institution has provided the consumer with a clear and conspicuous revised notice that accurately describes the institution's privacy policies and practices; [§8(a)(1)]
b. the institution has provided the consumer with a new opt out notice; [§8(a)(2)]
c. the institution has given the consumer a reasonable opportunity to opt out of the disclosure, before disclosing any information; [§8(a)(3)] and
d. the consumer has not opted out? [§8(a)(4)]