March 16, 2003
NEWS RELEASE - R. Kinney Williams has been recognized by the Information
Systems Audit and Control Association (ISACA) as a Certified
Information Security Manager (CISM). The CISM designation denotes
expertise in the management of information security governance, risk
management, program development, and incident response. Our
information systems security experience assures you that our
penetration-vulnerability study of your Internet connection meets the
highest standards and complies with the FFIEC independent penetration
testing requirements outlined in the interagency Information Security
Booklet on pages 80-81.
FYI - Hacking incidents and other computer-systems breaches are on
the rise. But will they reach C-level? http://www.cfo.com/printarticle/0,5317,8841,00.html
FYI - GAO published Federal Reserve Banks: Areas for Improvement in
Computer Controls. http://www.gao.gov/new.items/d03525r.pdf
FYI - Protecting Copyrights - Although it is no longer required,
including a proper copyright notice provides several advantages for
protecting a copyrighted work. For one, it prevents someone who
infringes on a copyright from claiming innocence as a defense. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5392
FYI - When asked why he always went after banks, the famed
Depression-era robber Willie Sutton once explained that he picked them
because "that's where the money is." Nowadays, with more banking
transactions performed over electronic networks than teller windows, a
federal agency believes the same logic might appeal to cyber
terrorists. http://www.wired.com/news/business/0,1367,57911,00.html
FYI - Strategies & Issues: Justifying Security Spending - To get the
dollars they need, security administrators have to start speaking the
language of business. http://www.networkmagazine.com/article/NMG20030305S0012
FYI - An online banking glitch gave a Princeton University student
access to university accounts totaling $9.9 million when he tried to
access a student publication's account. http://www.cnn.com/2003/TECH/internet/03/06/offbeat.banking.error.ap/index.html
FYI - Two men were arrested for allegedly hacking into bank accounts
through the Internet and stealing $136,000, police said Thursday. http://www.cnn.com/2003/TECH/internet/03/06/internet.theft.ap/index.html
FYI - On February 28, 2003, the Department of the Treasury's Office of
Foreign Assets Control amended its list of Specially Designated
Nationals and Blocked Persons by adding three entities to its list of
Specially Designated Global Terrorists (SDGTs). A detailed list of the
additional SDGTs is attached. www.fdic.gov/news/news/financial/2003/fil0319.html
INTERNET COMPLIANCE -
Reserve Requirements of Depository Institutions (Regulation D)
Under the withdrawal and transfer restrictions imposed on savings
deposits, electronic transfers, electronic withdrawals (paid
electronically), and payments to third parties that a depositor
initiates from a personal computer are counted as transfers subject to
the six-transaction limit imposed on passbook savings and MMDA
accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
obligations.
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the
definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
advertising requirements.
INTERNET SECURITY - This concludes our coverage of the FDIC's
"Guidance on Managing Risks Associated With Wireless Networks and
Wireless Customer Access."
Part III. Risks Associated with Both Internal Wireless Networks and
Wireless Internet Devices
Evolution and Obsolescence
As the wireless technologies available today evolve, financial
institutions and their customers face the risk of current
investments becoming obsolete in a relatively short time. As
demonstrated by the weaknesses in WEP and earlier versions of WAP
and the changes in standards for wireless technologies, wireless
networking as a technology may change significantly before it is
considered mature. Financial institutions that invest heavily in
components that may become obsolete quickly may feel the cost of
adopting an immature technology.
Controlling the Impact of Obsolescence
Wireless internal networks are subject to the same types of
evolution that encompass the computing environment in general. Key
questions to ask a vendor before purchasing a wireless internal
network solution include:
1) What is the upgrade path to the next class of network?
2) Do the devices support firmware (flash) updates, so that security
patches and feature upgrades can be applied in place?
3) How does the vendor distribute security information and patches?
The financial institution should also consider the evolving
standards of the wireless community. Before entering into an
expensive implementation, the institution should research when the
next major advances in wireless are likely to be released. Bank
management can then make an informed decision on whether the
implementation should be based on currently available technology or
a future implementation based on newer technology.
The potential obsolescence of wireless customer access can be
controlled in other ways. As the financial institution designs
applications that are to be delivered through wireless devices, it
should design each application so that the business logic is not tied
to a particular wireless technology. This can be accomplished by
placing the majority of the business logic on back-end or mid-tier
servers that are independent of the wireless application server. The
wireless application server then becomes a connection point between
the customer and the transactions performed. As the institution
decides to upgrade or replace the application server, the business
logic can remain relatively undisturbed.
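The two points above, keeping the business logic on a mid-tier service that knows nothing about the wireless front end and counting electronic transfers from a savings account toward the six-transaction limit described under INTERNET COMPLIANCE (Regulation D), as an added example written for this page. This is not code from the FDIC guidance, from this newsletter, or from any product; the account numbers, amounts, the WML-like and SMS-like output shapes and the per-calendar-month counting of the limit are assumptions made for illustration.

```python
# Added example (not part of the FDIC guidance or this newsletter):
# business logic on a mid-tier service, with thin, replaceable wireless
# front ends. Accounts, amounts and the two output formats are constructed.
from dataclasses import dataclass, field


@dataclass
class Account:
    number: str
    kind: str                      # "checking" or "savings"
    balance_cents: int
    # (year, month) -> count of electronic transfers made from this account
    electronic_transfers: dict = field(default_factory=dict)


class TransferError(Exception):
    """Raised by the business logic; the adapters only render it."""


# Six-transaction limit on savings/MMDA accounts (Regulation D item above).
# Assumption for this example: counted per calendar month on the source.
REG_D_LIMIT = 6


class TransferService:
    """Mid-tier business logic. It never sees WAP, SMS or HTML, so the
    wireless application server can be replaced without touching it."""

    def __init__(self, accounts):
        self.accounts = {a.number: a for a in accounts}

    def transfer(self, src_no, dst_no, amount_cents, year, month):
        if amount_cents <= 0:
            raise TransferError("amount must be positive")
        try:
            src, dst = self.accounts[src_no], self.accounts[dst_no]
        except KeyError as e:
            raise TransferError(f"unknown account {e.args[0]}") from None
        if src.balance_cents < amount_cents:
            raise TransferError("insufficient funds")
        if src.kind == "savings":
            used = src.electronic_transfers.get((year, month), 0)
            if used >= REG_D_LIMIT:
                raise TransferError("Regulation D transfer limit reached")
            src.electronic_transfers[(year, month)] = used + 1
        src.balance_cents -= amount_cents
        dst.balance_cents += amount_cents
        return src.balance_cents


def _run(service, request):
    """Shared by every adapter: pass the channel-neutral request to the
    service and return (ok, message) for the adapter to render."""
    try:
        remaining = service.transfer(request["src"], request["dst"],
                                     request["amount_cents"],
                                     request["year"], request["month"])
    except TransferError as err:
        return False, str(err)
    return True, f"new balance {remaining / 100:.2f}"


class WmlAdapter:
    """WAP/WML front end (hypothetical markup); only rendering lives here."""

    def handle(self, service, request):
        ok, msg = _run(service, request)
        status = "OK" if ok else "DECLINED"
        return f"<wml><card><p>{status}: {msg}</p></card></wml>"


class SmsAdapter:
    """Plain-text front end capped at 160 characters, same business logic."""

    def handle(self, service, request):
        ok, msg = _run(service, request)
        return (("OK " if ok else "DECLINED ") + msg)[:160]


def demo():
    """Seven $10.00 transfers from a savings account, alternating between
    the two front ends; the seventh is declined by the mid-tier logic."""
    svc = TransferService([Account("SAV-1", "savings", 100_000),
                           Account("CHK-1", "checking", 0)])
    req = {"src": "SAV-1", "dst": "CHK-1", "amount_cents": 1_000,
           "year": 2003, "month": 3}
    wml, sms = WmlAdapter(), SmsAdapter()
    results = []
    for i in range(7):
        adapter = wml if i % 2 == 0 else sms
        results.append(adapter.handle(svc, dict(req)))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point is where the decline happens: the Regulation D count and the balance check live in TransferService, so a WML front end that becomes obsolete can be swapped for another adapter of a dozen lines without reopening, or re-auditing, the transaction rules.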
PRIVACY - We continue our coverage of the various issues in the
"Privacy of Consumer Financial Information" published by the financial
regulatory agencies.
Financial Institution Duties (Part 2 of 6)
Notice Duties to Customers:
In addition to the duties described above, there are several
duties unique to customers. In particular, regardless of whether the
institution discloses or intends to disclose nonpublic personal
information, a financial institution must provide notice to its
customers of its privacy policies and practices at various times.
1) A financial institution must provide an initial notice of
its privacy policies and practices to each customer, not later than
the time a customer relationship is established. Section 4(e) of the
regulations describes the exceptional cases in which delivery of the
notice is allowed subsequent to the establishment of the customer
relationship.
2) A financial institution must provide an annual notice at
least once in any period of 12 consecutive months during the
continuation of the customer relationship.
3) Generally, new privacy notices are not required for each
new product or service. However, a financial institution must
provide a new notice to an existing customer when the customer
obtains a new financial product or service from the institution, if
the initial or annual notice most recently provided to the customer
was not accurate with respect to the new financial product or
service.
4) When a financial institution does not disclose nonpublic
personal information (other than as permitted under the section 14 and
section 15 exceptions) and does not reserve the right to do so, the
institution has the option of providing a simplified notice.