March 23, 2003
FYI - NCUA - Wireless Technology - The purpose of this letter is to
provide important considerations for credit unions that are currently
engaged in or may be considering the use of wireless technology. www.ncua.gov/ref/letters/2003/03-CU-03.htm
FYI - OTS Releases Guidance on Third Party Arrangements - The Office of
Thrift Supervision (OTS) today issued general guidance for savings
associations and examiners on outsourcing relationships. www.ots.treas.gov/docs/77310.html
FYI - IP spoofing is one of the most common forms of on-line
camouflage. In IP spoofing, an attacker gains unauthorized access to
a computer or a network by making it appear that a malicious message
has come from a trusted machine by "spoofing" the IP address of
that machine. In this article, we will examine the concepts of IP
spoofing: why it is possible, how it works, what it is used for and
how to defend against it. http://www.securityfocus.com/infocus/1674
FYI - How a managed security provider helps protect the enterprise -
Having followed the history of intrusion-detection systems (IDS)
during the past few years and understanding the different deployment
methodologies, we believe IDS has finally come of age.
http://www.computerworld.com/securitytopics/security/story/0,10801,79255,00.html?nas=SEC-79255
FYI - LapLink says hackers left key clue - The hackers used
the login names and passwords of two former employees. Most
companies intend to delete an employee's computer account after that
person leaves, but sometimes they don't follow through. http://seattletimes.nwsource.com/html/businesstechnology/134653561_laplink150.html
FYI - For sale: memory stick plus cancer patient records -
Health bosses in Lancashire are facing awkward questions after
confidential medical records of 13 cancer patients found their way
onto a portable memory stick, which was repackaged and sold as new
to a Crewe estate agent. http://www.theregister.co.uk/content/55/29752.html
FYI - Hundreds warned as data disappears - British Columbia's
Ministry of Human Resources is warning 568 people to keep a close
eye on their bank accounts and credit cards after confidential,
personal information was stolen during a break-in. http://www.globetechnology.com/servlet/story/RTGAM.20030311.wdata311/GTStory
INTERNET COMPLIANCE - The Role Of Consumer Compliance In Developing
And Implementing Electronic Services from FDIC:
When violations of the consumer protection laws regarding a
financial institution's electronic services have been cited,
generally the compliance officer has not been involved in the
development and implementation of the electronic services.
Therefore, it is suggested that management and system
designers consult with the compliance officer during the development
and implementation stages in order to minimize compliance risk.
The compliance officer should ensure that the proper controls
are incorporated into the system so that all relevant compliance
issues are fully addressed. This level of involvement will help
decrease an institution's compliance risk and may prevent the need
to delay deployment or redesign programs that do not meet regulatory
requirements.
The compliance officer should develop a compliance risk profile as a
component of the institution's online banking business and/or
technology plan. This profile will establish a framework from which
the compliance officer and technology staff can discuss specific
technical elements that should be incorporated into the system to
ensure that the online system meets regulatory requirements.
For example, the compliance officer may communicate with the
technology staff about whether compliance disclosures/notices on a
web site should be indicated or delivered by the use of
"pointers" or "hotlinks" to ensure that required
disclosures are presented to the consumer. The compliance officer
can also be an ongoing resource to test the system for regulatory
compliance.
INFORMATION SYSTEMS SECURITY - The FFIEC, along with the OCC, FDIC,
OTS, FRB, and NCUA, released the first booklet of the much
anticipated IT Examination Handbook.
The first booklet released, Information Security, is a
comprehensive discussion of computer security. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and, most
importantly, your outsourced network security consultants.
Because of the importance of computer security, we will begin a new
series this week that will cover the Information Security Booklet.
We will also start sharing one or two questions from the examination
procedures. Your outsourced network security consultants
can receive the "Internet Banking News" by completing the
subscription form at https://yennik.com/newletter_page.htm.
There is no charge for the e-newsletter.
SECURITY OBJECTIVES
Information security enables a financial institution to meet its
business objectives by implementing business systems with due
consideration of information technology (IT)-related risks to the
organization, business and trading partners, technology service
providers, and customers. Organizations meet this goal by striving
to accomplish the following objectives.
1) Availability - The ongoing availability of systems addresses the
processes, policies, and controls used to ensure authorized users
have prompt access to information. This objective protects against
intentional or accidental attempts to deny legitimate users access
to information and/or systems.
2) Integrity of Data or Systems - System and data integrity relate
to the processes, policies, and controls used to ensure information
has not been altered in an unauthorized manner and that systems are
free from unauthorized manipulation that will compromise accuracy,
completeness, and reliability.
3) Confidentiality of Data or Systems - Confidentiality covers the
processes, policies, and controls employed to protect information of
customers and the institution against unauthorized access or use.
4) Accountability - Clear accountability involves the processes,
policies, and controls necessary to trace actions to their source.
Accountability directly supports non-repudiation, deterrence,
intrusion prevention, intrusion detection, recovery, and legal
admissibility of records.
5) Assurance - Assurance addresses the processes, policies, and
controls used to develop confidence that technical and operational
security measures work as intended. Assurance levels are part of
the system design and include availability, integrity,
confidentiality, and accountability. Assurance highlights the notion
that secure systems provide the intended functionality while
preventing undesired actions.
Appropriate security controls are necessary for financial
institutions to challenge potential customer or user claims that
they did not initiate a transaction. Financial institutions can
accomplish this by achieving both integrity and accountability to
produce what is known as non-repudiation. Non-repudiation occurs
when the financial institution demonstrates that the originators who
initiated the transaction are who they say they are, the recipient
is the intended counterparty, and no changes occurred in transit or
storage. Non-repudiation can reduce fraud and promote the legal
enforceability of electronic agreements and transactions. While
non-repudiation is a goal and is conceptually clear, the manner in
which non-repudiation can be achieved for electronic systems in a
practical, legal sense may have to wait for further judicial
clarification.
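The technical half of non-repudiation (integrity plus accountability) is what a digital signature over the transaction record gives you: the record verifies only under the originator's public key, and any change to the record after signing makes verification fail. The following is an added example, not code from the FFIEC booklet or from this newsletter. It uses Go's standard-library Ed25519 implementation; the Transfer record, its field names, the account numbers and the canonical serialisation are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Transfer is a constructed transaction record for this example.
// The field names are assumptions, not a real banking message format.
type Transfer struct {
	From   string
	To     string
	Amount int64  // cents
	Nonce  string // unique per transaction so a captured record cannot be replayed
}

// canonical serialises the record in a fixed field order so the signer
// and the verifier sign and check exactly the same bytes.
func canonical(t Transfer) []byte {
	return []byte(fmt.Sprintf("from=%s|to=%s|amount=%d|nonce=%s",
		t.From, t.To, t.Amount, t.Nonce))
}

// Sign produces the originator's Ed25519 signature over the record.
func Sign(priv ed25519.PrivateKey, t Transfer) []byte {
	return ed25519.Sign(priv, canonical(t))
}

// Verify checks the signature against the public key the institution
// has on file for the originator. It is true only if the record is
// unchanged and was signed with the matching private key.
func Verify(pub ed25519.PublicKey, t Transfer, sig []byte) bool {
	return ed25519.Verify(pub, canonical(t), sig)
}

// Fingerprint is a SHA-256 digest of record plus signature, suitable
// for writing to an audit trail so the stored record can later be
// shown to be the one that was verified (the accountability side).
func Fingerprint(t Transfer, sig []byte) string {
	h := sha256.New()
	h.Write(canonical(t))
	h.Write(sig)
	return hex.EncodeToString(h.Sum(nil))
}

// Demo runs the three checks a verifier must get right: the genuine
// record verifies, a record altered in transit does not, and a record
// signed with somebody else's key does not.
func Demo() (genuine, tampered, wrongSigner bool) {
	custPub, custPriv, _ := ed25519.GenerateKey(rand.Reader) // customer's key pair (assumed enrolled)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)      // some other party's key

	t := Transfer{From: "acct-1001", To: "acct-2002", Amount: 12500,
		Nonce: "2003-03-23T10:15:00Z/0001"}
	sig := Sign(custPriv, t)
	genuine = Verify(custPub, t, sig)

	altered := t
	altered.Amount = 1250000 // amount changed after signing
	tampered = Verify(custPub, altered, sig)

	forged := Sign(otherPriv, t) // right record, wrong key
	wrongSigner = Verify(custPub, t, forged)
	return genuine, tampered, wrongSigner
}

func main() {
	g, tam, wrong := Demo()
	fmt.Printf("genuine verifies: %v, tampered verifies: %v, wrong signer verifies: %v\n",
		g, tam, wrong)
}
```

The signature covers integrity and origin of the record; it does not by itself settle the legal question the booklet flags. For the institution to rely on it later it must also retain the signed record (the fingerprint is one way to anchor that in an audit trail), be able to show that the public key was bound to that customer at enrollment, and show that the private key was not shared or compromised, which is where the judicial clarification the text mentions comes in.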
INFORMATION SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Access
Rights Administration
1. Evaluate the adequacy of policies and procedures for
authentication and access controls to manage effectively the risks
to the financial institution.
• Evaluate the processes that management uses to define access
rights and privileges (e.g., software and/or hardware systems
access) and determine if they are based upon business need
requirements.
• Review processes that assign rights and privileges and ensure
that they take into account and provide for adequate segregation of
duties.
• Determine if access rights are the minimum necessary for
business purposes. If greater access rights are permitted, determine
why the condition exists and identify any mitigating issues or
compensating controls.
• Ensure that access to operating systems is based on either a
need-to-use or an event-by-event basis.
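The examination steps above amount to three mechanical checks an examiner or an internal auditor can run over an entitlement export: every account belongs to someone still on the HR roster (the LapLink item above is what happens when it does not), no account holds more than the baseline for its job function, and nobody holds a pair of rights that segregation of duties says must be split. The following is an added example, not part of the FFIEC procedures or this newsletter. The job functions, the rights, the baseline, the conflict pairs and the roster are all constructed for the example; a real review would load them from the institution's own HR and entitlement systems.

```go
package main

import (
	"fmt"
	"sort"
)

// Account is one row of an entitlement export (constructed data).
type Account struct {
	User   string
	Rights []string
}

// Finding is one exception for the reviewer to resolve.
type Finding struct {
	User   string
	Kind   string // "orphan", "excess" or "sod_conflict"
	Detail string
}

// baseline maps each job function to the rights it needs.
// These assignments are assumptions for the example.
var baseline = map[string][]string{
	"teller":   {"view_account", "post_deposit"},
	"loan_ofc": {"view_account", "initiate_loan"},
	"sysadmin": {"os_shell"},
	"auditor":  {"view_audit_log"},
}

// conflicts lists pairs of rights a single person must not hold
// (segregation of duties). Assumed for the example.
var conflicts = [][2]string{
	{"initiate_loan", "approve_loan"},
	{"post_deposit", "reconcile_gl"},
	{"os_shell", "view_audit_log"},
}

// Review compares the entitlement export against the HR roster
// (user -> job function) and returns every exception, sorted so the
// output is stable from run to run.
func Review(roster map[string]string, accounts []Account) []Finding {
	var out []Finding
	for _, a := range accounts {
		job, active := roster[a.User]
		if !active {
			// Nobody on the roster owns this account: a departed employee's
			// login that was never removed.
			out = append(out, Finding{User: a.User, Kind: "orphan",
				Detail: "no active employee on HR roster; disable account"})
			continue
		}
		have := map[string]bool{}
		for _, r := range a.Rights {
			have[r] = true
		}
		allowed := map[string]bool{}
		for _, r := range baseline[job] {
			allowed[r] = true
		}
		// Least privilege: anything beyond the job's baseline needs a
		// documented reason or a compensating control.
		for _, r := range a.Rights {
			if !allowed[r] {
				out = append(out, Finding{User: a.User, Kind: "excess",
					Detail: fmt.Sprintf("%q not in baseline for job %q", r, job)})
			}
		}
		// Segregation of duties: flag conflicting pairs held by one person.
		for _, c := range conflicts {
			if have[c[0]] && have[c[1]] {
				out = append(out, Finding{User: a.User, Kind: "sod_conflict",
					Detail: fmt.Sprintf("holds both %q and %q", c[0], c[1])})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].User != out[j].User {
			return out[i].User < out[j].User
		}
		if out[i].Kind != out[j].Kind {
			return out[i].Kind < out[j].Kind
		}
		return out[i].Detail < out[j].Detail
	})
	return out
}

// SampleReview runs Review over a constructed roster and export.
func SampleReview() []Finding {
	roster := map[string]string{"alice": "teller", "bob": "loan_ofc", "dana": "sysadmin"}
	accounts := []Account{
		{User: "alice", Rights: []string{"view_account", "post_deposit"}},
		{User: "bob", Rights: []string{"view_account", "initiate_loan", "approve_loan"}},
		{User: "carol", Rights: []string{"view_account"}}, // left the company; account never removed
		{User: "dana", Rights: []string{"os_shell", "view_audit_log"}},
	}
	return Review(roster, accounts)
}

func main() {
	for _, f := range SampleReview() {
		fmt.Printf("%-6s %-12s %s\n", f.User, f.Kind, f.Detail)
	}
}
```

On the sample data alice is clean, bob is flagged once for an excess right and once for the initiate/approve conflict, carol is an orphan account, and dana is flagged for holding audit-log access on top of a shell and for the resulting conflict. The "excess" findings are the ones the procedure says to chase for a reason or a compensating control rather than to treat as automatic violations.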
PRIVACY
- We continue our coverage of the various issues in the "Privacy of
Consumer Financial Information" published by the financial
regulatory agencies.
Financial Institution Duties (Part 3 of 6)
Requirements for Notices
Clear and Conspicuous. Privacy notices must be clear and
conspicuous, meaning they must be reasonably understandable and
designed to call attention to the nature and significance of the
information contained in the notice. The regulations do not
prescribe specific methods for making a notice clear and
conspicuous, but do provide examples of ways in which to achieve the
standard, such as the use of short explanatory sentences or bullet
lists, and the use of plain-language headings and easily readable
typeface and type size. Privacy notices also must accurately reflect
the institution's privacy practices.
Delivery Rules. Privacy notices must be provided so that each
recipient can reasonably be expected to receive actual notice in
writing, or if the consumer agrees, electronically. To meet this
standard, a financial institution could, for example, (1)
hand-deliver a printed copy of the notice to its consumers, (2) mail
a printed copy of the notice to a consumer's last known address, or
(3) for the consumer who conducts transactions electronically, post
the notice on the institution's web site and require the consumer to
acknowledge receipt of the notice as a necessary step to completing
the transaction.
For customers only, a financial institution must provide the initial
notice (as well as the annual notice and any revised notice) so that
a customer may be able to retain or subsequently access the notice.
A written notice satisfies this requirement. For customers who
obtain financial products or services electronically, and agree to
receive their notices on the institution's web site, the institution
may provide the current version of its privacy notice on its web
site.