April 6, 2003
FYI - Schwab's online-bank plan delayed - The San Francisco-based
company, which has $755 billion in customer assets, expected to
launch an online bank earlier this year in a bid to expand its
offerings and offset persistent weakness in its main stock-trading
business. But Charles Schwab Bank, as the unit is called, is still
mired in an approval process required by banking regulators. http://news.com.com/2100-1019-995422.html?tag=cd_mh
FYI - Security Incidents Skyrocket - Fast-spreading worms
pose the greatest threat. The number of computer security
incidents and attacks detected at businesses worldwide soared by 84
percent between the fourth quarter of 2002 and the first quarter of
this year, fueled in part by a surge in the number of mass-mailing
worms, according to a report due out Monday from Internet Security
Systems. http://www.pcworld.com/news/article/0,aid,110140,tk,dn040403X,00.asp
FYI - Chinese hacker groups are planning attacks on U.S. and
U.K. based Web sites to protest the war in Iraq, the Department of
Homeland Security warned in an alert that it unintentionally posted
on a government Web site.
http://www.washingtonpost.com/wp-dyn/articles/A60363-2003Mar31.html
INTERNET COMPLIANCE - Fair Housing Act
A financial institution that advertises on-line credit products that
are subject to the Fair Housing Act must display the Equal Housing
Lender logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's
regulator.
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in
person" applications. Accordingly, information about these
applicants' race or national origin and sex must be collected. An
institution that accepts applications through electronic media
without a video component, for example, the Internet or facsimile,
may treat the applications as received by mail.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet. This booklet is required
reading for anyone involved in information systems security, such as
the Network Administrator, Information Security Officer, members of
the IS Steering Committee, and, most importantly, your outsourced
network security consultants.
Your outsourced network security consultants can receive the
"Internet Banking News" by completing the subscription form
at https://yennik.com/newletter_page.htm.
There is no charge for the e-newsletter.
ROLES AND RESPONSIBILITIES (1 of 2)
Information security is the responsibility of everyone at the
institution, as well as the institution’s service providers and
contractors. The board, management, and employees all have different
roles in developing and implementing an effective security process.
The board of directors is responsible for overseeing the
development, implementation, and maintenance of the institution’s
information security program. Oversight requires the board to
provide management with guidance and receive reports on the
effectiveness of management’s response. The board should approve
written information security policies and the information security
program at least annually. The board should provide management with
its expectations and requirements for:
1) Central oversight and coordination,
2) Areas of responsibility,
3) Risk measurement,
4) Monitoring and testing,
5) Reporting, and
6) Acceptable residual risk.
Senior management’s attitude towards security affects the entire
organization’s commitment to security. For example, the failure of
a financial institution president to comply with security policies
could undermine the entire organization’s commitment to security.
Senior management should designate one or more individuals as
information security officers. Security officers should be
responsible and accountable for security administration. At a
minimum, they should directly manage or oversee risk assessment,
development of policies, standards, and procedures, testing, and
security reporting processes. Security officers should have the
authority to respond to a security event by ordering emergency
actions to protect the financial institution and its customers from
an imminent loss of information or value. They should have
sufficient knowledge, background, and training, as well as an
organizational position, to enable them to perform their assigned
tasks.
INFORMATION SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Access Rights Administration
3. Determine whether employees' levels of online access (blocked,
read-only, update, override, etc.) match current job responsibilities.
4. Determine that administrator or root privilege access is
appropriately monitored, where appropriate.
• Management may choose to further categorize types of
administrator/root access based upon a risk assessment. Categorizing
this type of access can be used to identify and monitor higher-risk
administrator and root access requests that should be promptly
reported.
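The two audit items above can be checked mechanically once the institution has a role-to-access matrix and its administrator activity logs. The following is an added example, not text or code from the FFIEC booklet or this newsletter; the role matrix, user list, high-risk command set and sudo-style log lines are all constructed for illustration.

```python
# Added example (not from the FFIEC booklet or the newsletter): a small
# access-rights review for items 3 and 4 above, run over constructed data.
from dataclasses import dataclass

# Item 3: each job role has a maximum permitted online access level.
# The levels are the booklet's; the role mapping is a constructed assumption.
ACCESS_LEVELS = ["blocked", "read-only", "update", "override"]
ROLE_MAX_LEVEL = {"teller": "update", "auditor": "read-only",
                  "branch_manager": "override", "former_employee": "blocked"}

@dataclass
class User:
    name: str
    role: str
    level: str  # level currently assigned in the online banking system

def access_mismatches(users):
    """Return users whose assigned level exceeds what their job allows."""
    rank = {lvl: i for i, lvl in enumerate(ACCESS_LEVELS)}
    return [u.name for u in users
            if rank[u.level] > rank[ROLE_MAX_LEVEL[u.role]]]

# Item 4: categorize root/admin access by risk. A root shell or an account
# change is "high" and reported promptly; other sudo use is reviewed routinely.
HIGH_RISK = {"bash", "sh", "useradd", "usermod", "passwd", "visudo"}

def classify_sudo(line):
    """Parse a sudo-style syslog line; return (user, command, risk)."""
    user = line.split("sudo:")[1].split(":")[0].strip()
    cmd = line.split("COMMAND=")[1].split()[0].rsplit("/", 1)[-1]
    risk = "high" if cmd in HIGH_RISK else "routine"
    return user, cmd, risk

def report_high_risk(lines):
    """Return (user, command) pairs that should be promptly reported."""
    return [(u, c) for u, c, r in map(classify_sudo, lines) if r == "high"]

# Constructed sample data: one correct assignment, two mismatches.
USERS = [User("alice", "teller", "update"),
         User("bob", "auditor", "update"),
         User("carol", "former_employee", "read-only")]
LOG = [  # constructed sudo log lines in the common syslog format
    "Apr  6 09:12:01 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages",
    "Apr  6 09:15:44 host sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Apr  6 09:20:10 host sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/useradd tmpuser",
]

if __name__ == "__main__":
    print("access mismatches:", access_mismatches(USERS))
    print("report promptly:", report_high_risk(LOG))
```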
PRIVACY
- We continue covering various issues in the "Privacy of Consumer
Financial Information" published by the financial regulatory
agencies in May 2001.
Financial Institution Duties (Part 5 of 6)
Limitations on Disclosure of Account Numbers:
A financial institution must not disclose an account number or
similar form of access number or access code for a credit card,
deposit, or transaction account to any nonaffiliated third party
(other than a consumer reporting agency) for use in telemarketing,
direct mail marketing, or other marketing through electronic mail to
the consumer.
The disclosure of encrypted account numbers without an accompanying
means of decryption, however, is not subject to this prohibition.
The regulation also expressly allows disclosures by a financial
institution to its agent to market the institution's own products or
services (although the financial institution must not authorize the
agent to directly initiate charges to the customer's account). Also
not barred are disclosures to participants in private-label or
affinity card programs, where the participants are identified to the
customer when the customer enters the program.
IN CLOSING - On pages 80-81 of the newly released FFIEC interagency
Information Security Booklet, the regulators are requiring financial
institutions to have at least an annual independent penetration test.
Did you know that there are over 2,000 known vulnerabilities with
approximately 25 new vulnerabilities added every week, and that in
2001, 99% of unauthorized intrusions resulted from known
vulnerabilities? We can provide independent penetration testing to
help protect {custom4} from unauthorized external access.
For more information, please visit our web site at
http://www.internetbankingaudits.com/ or email Kinney Williams at
examiner@yennik.com.