April 13, 2003
FYI - A Guide To The ATM and Debit Card Industry - The ATM and debit card industry is undergoing dramatic change. From the sharp growth in point of sale debit card transactions to the heavy consolidation of the regional networks handling electronic transactions, the industry's transformation raises economic and public policy issues. www.kc.frb.org/pubaffrs/pressrel/pr03-14.htm

FYI - A close look at system logs provides clues to spot hacking or worm activity. - You can deploy all of the firewalls and intrusion-detection devices money can buy to protect your network from hackers and malicious code, but when it comes to truly knowing what's happening on your network, there's no substitute for digging through system log files. http://www.computerworld.com/securitytopics/security/story/0,10801,79803,00.html

FYI - The number of computer security incidents and attacks detected at businesses worldwide soared by 37% between the fourth quarter of 2002 and the first quarter of this year. http://www.computerworld.com/securitytopics/security/holes/story/0,10801,80049,00.html

FYI - Virus costs keep rising - Firms are taking more time to recover from virus attacks, according to a new report, and costs are rising. http://www.vnunet.com/News/1139852

FYI - Online thieves hit Georgia Tech - Online intruders broke into a server containing the credit card numbers of some 57,000 patrons of a Georgia Institute of Technology arts and theater program, a university official said Monday. http://zdnet.com.com/2100-1105-994821.html
INTERNET COMPLIANCE - Non-Deposit Investment Products

Financial institutions advertising or selling non-deposit investment products on-line should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet. This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most importantly, your outsourced network security consultants. Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm. There is no charge for the e-newsletter.
ROLES AND RESPONSIBILITIES (2 of 2)

Senior management should enforce its security program by clearly communicating responsibilities and holding appropriate individuals accountable for complying with these requirements. A central authority should be responsible for establishing and monitoring the security program. Security management responsibilities, however, may be distributed throughout the institution from the IT department to various lines of business depending on the institution's size, complexity, culture, nature of operations, and other factors. The distribution of duties should ensure an appropriate segregation of duties between individuals or organizational groups.

Senior management also has the responsibility to ensure integration of security controls throughout the organization. To support integration, senior management should:

1) Ensure the security process is governed by organizational policies and practices that are consistently applied,
2) Require that data with similar criticality and sensitivity characteristics be protected consistently regardless of where in the organization it resides,
3) Enforce compliance with the security program in a balanced and consistent manner across the organization, and
4) Coordinate information security with physical security.

Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors.

Employees should know, understand, and be held accountable for fulfilling their security responsibilities. Institutions should define these responsibilities in their security policy. Job descriptions or contracts should specify any additional security responsibilities beyond the general policies. Financial institutions can achieve effective employee awareness and understanding through security training, employee certifications of compliance, self-assessments, audits, and monitoring.

Management also should consider the roles and responsibilities of external parties. Technology service providers (TSPs), contractors, customers, and others who have access to the institution's systems and data should have their security responsibilities clearly delineated and documented in contracts.
INFORMATION SECURITY QUESTION:

A. AUTHENTICATION AND ACCESS CONTROLS - Access Rights Administration

5. Evaluate the effectiveness and timeliness with which changes in access control privileges are implemented and the effectiveness of supporting policies and procedures.

• Review procedures and controls in place and determine whether access control privileges are promptly eliminated when they are no longer needed. Include former employees, and temporary access for remote access and contract workers, in the review.
• Assess the procedures and controls in place to change, when appropriate, access control privileges (e.g., changes in job responsibility and promotion).
• Determine whether access rights expire after a predetermined period of inactivity.
• Review and assess the effectiveness of a formal review process to periodically review the access rights to assure all access rights are proper. Determine whether necessary changes were made as a result of that review.
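One way to turn these review points into a repeatable check, as an added example that is not from the newsletter or the FFIEC booklet: it compares a constructed set of access-system accounts against HR and contract records and reports the conditions the procedure asks about (former employees still enabled, contractor access past its end date, accounts dormant beyond an inactivity limit, and granted privileges that no longer match the job). The 90-day limit, the review date, the record layout and all user names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=90)   # assumed threshold; the procedure names none
REVIEW_DATE = date(2003, 4, 13)         # assumed date of this review

@dataclass
class Account:            # one account as provisioned in the access-control system
    user: str
    enabled: bool
    last_login: date
    role: str             # privilege set currently granted
    access_type: str      # "employee" or "contractor"

@dataclass
class Person:             # what HR or the contract file says about that user
    user: str
    status: str           # "active" or "terminated"
    hr_role: str          # job responsibility of record
    contract_end: "date | None" = None

def review_access(accounts, people, today=REVIEW_DATE, limit=INACTIVITY_LIMIT):
    """Return (user, finding) pairs: former staff still enabled, expired contractor
    access, dormant accounts, and privileges that no longer match the job."""
    roster = {p.user: p for p in people}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                               # already removed, nothing to flag
        p = roster.get(a.user)
        if p is None or p.status == "terminated":
            findings.append((a.user, "former employee still enabled"))
            continue
        if a.access_type == "contractor" and p.contract_end and p.contract_end < today:
            findings.append((a.user, "contractor access past contract end"))
        if today - a.last_login > limit:
            findings.append((a.user, "dormant beyond inactivity limit"))
        if a.role != p.hr_role:
            findings.append((a.user, f"granted role {a.role} differs from HR role {p.hr_role}"))
    return findings

# Constructed sample records for the review (not real data).
ACCOUNTS = [Account("alice", True, date(2003, 4, 10), "teller", "employee"),
            Account("bob", True, date(2002, 12, 1), "teller", "employee"),
            Account("carol", True, date(2003, 4, 1), "loan_officer", "employee"),
            Account("dave", True, date(2003, 3, 30), "remote_support", "contractor"),
            Account("erin", True, date(2003, 2, 1), "teller", "employee")]
PEOPLE = [Person("alice", "active", "teller"), Person("bob", "active", "teller"),
          Person("carol", "active", "branch_manager"), Person("erin", "terminated", "teller"),
          Person("dave", "active", "remote_support", contract_end=date(2003, 3, 31))]
```

Calling `review_access(ACCOUNTS, PEOPLE)` yields one finding each for bob, carol, dave and erin and none for alice; the same function can be run against an export of real directory and HR data at each periodic review.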
PRIVACY - We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Financial Institution Duties (Part 6 of 6)

Redisclosure and Reuse Limitations on Nonpublic Personal Information Received:

If a financial institution receives nonpublic personal information from a nonaffiliated financial institution, its disclosure and use of the information is limited.

A) For nonpublic personal information received under a section 14 or 15 exception, the financial institution is limited to:
1) Disclosing the information to the affiliates of the financial institution from which it received the information;
2) Disclosing the information to its own affiliates, who may, in turn, disclose and use the information only to the extent that the financial institution can do so; and
3) Disclosing and using the information pursuant to a section 14 or 15 exception (for example, an institution receiving information for account processing could disclose the information to its auditors).

B) For nonpublic personal information received other than under a section 14 or 15 exception, the recipient's use of the information is unlimited, but its disclosure of the information is limited to:
1) Disclosing the information to the affiliates of the financial institution from which it received the information;
2) Disclosing the information to its own affiliates, who may, in turn, disclose the information only to the extent that the financial institution can do so; and
3) Disclosing the information to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which it received the information. For example, an institution that received a customer list from another financial institution could disclose the list (1) in accordance with the privacy policy of the financial institution that provided the list, (2) subject to any opt out election or revocation by the consumers on the list, and (3) in accordance with appropriate exceptions under sections 14 and 15.