April 27, 2003

FYI - Regulators Issue Guidance on the Risks of Weblinking - Four financial
services regulatory agencies today issued guidance to assist
financial institutions in identifying and managing the potential
risks involved in the use of weblinks. A weblink transports a viewer
to a different part of a website or to another website.
www.occ.treas.gov/ftp/release/2003-33.htm
www.fdic.gov/news/news/press/2003/pr3403.html
www.fdic.gov/news/news/financial/2003/fil0330.html
www.ots.treas.gov/docs/77315.html
www.ncua.gov/news/press_releases/2003/Joint0423-.htm
WEB SITE AUDIT - As a web site audit client, you know that we checked the
weblinks on your site for functionality and appropriateness. We will
continue to study the new weblink guidelines and will adjust future
web site audits accordingly.
FYI - Banks offer sweeteners to paying bills online
http://news.com.com/2100-1019-997610.html?tag=cd_mh
FYI - Virus attack on PC downloaded porn - A man accused of having
pornographic pictures of children on his PC was acquitted after a
court heard that his machine was infected with a Trojan which
probably auto-downloaded the images.
http://www.theinquirer.net/?article=9023
FYI - A survey of the state of information security, as measured
against ISO guidelines, shows plenty of room for improvement. Is the
problem a lack of overarching vision, a dearth of adequate resources
or a little of both? http://www.csoonline.com/read/040103/survey.html
INTERNET COMPLIANCE - Disclosures/Notices (Part 2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
OVERVIEW
The quality of security controls can significantly influence all
categories of risk. Traditionally, examiners and bankers recognize
the direct impact on operational/transaction risk from incidents
related to fraud, theft, or accidental damage. Many security
weaknesses, however, can directly increase exposure in other risk
areas. For example, the GLBA introduced additional legal/compliance
risk due to the potential for regulatory noncompliance in
safeguarding customer information. The potential for legal liability
related to customer privacy breaches may present additional risk in
the future. Effective application access controls can reduce credit
and market risk by imposing risk limits on loan officers or traders.
If a trader were to exceed the intended trade authority, the
institution may unknowingly assume additional market risk exposure.
A strong security program reduces levels of reputation and strategic
risk by limiting the institution's vulnerability to intrusion
attempts and maintaining customer confidence and trust in the
institution. Security concerns can quickly erode customer confidence
and potentially decrease the adoption rate and rate of return on
investment for strategically important products or services.
Examiners and risk managers should incorporate security issues into
their risk assessment process for each risk category. Financial
institutions should ensure that security risk assessments adequately
consider potential risk in all business lines and risk categories.
Information security risk assessment is the process used to identify
and understand risks to the confidentiality, integrity, and
availability of information and information systems. An adequate
assessment identifies the value and sensitivity of information and
system components and then balances that knowledge with the exposure
from threats and vulnerabilities. A risk assessment is a necessary
prerequisite to the formation of strategies that guide the
institution as it develops, implements, tests, and maintains its
information systems security posture. An initial risk assessment may
involve a significant one-time effort, but the risk assessment
process should be an ongoing part of the information security
program.
Risk assessments for most industries focus only on the risk to the
business entity. Financial institutions should also consider the
risk to their customers' information. For example, section 501(b) of
the GLBA requires financial institutions to “protect against
unauthorized access to or use of customer information that could
result in substantial harm or inconvenience to any customer.”
INFORMATION SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Access Rights Administration
8. Determine if users are aware of the authorized uses of the
system.
• Do internal users receive a copy of the authorized-use policy,
appropriate training, and signify understanding and agreement before
usage rights are granted?
• Is contractor usage appropriately detailed and controlled
through the contract?
• Do customers and Web site visitors either explicitly agree to
usage terms or receive a disclosure, as appropriate?
PRIVACY - We continue covering various issues in the "Privacy of
Consumer Financial Information" published by the financial regulatory
agencies in May 2001.
Examination Objectives
1. To assess the quality of a financial institution's compliance
management policies and procedures for implementing the privacy
regulation, specifically ensuring consistency between what the
financial institution tells consumers in its notices about its
policies and practices and what it actually does.
2. To determine the reliance that can be placed on a financial
institution's internal controls and procedures for monitoring the
institution's compliance with the privacy regulation.
3. To determine a financial institution's compliance with the
privacy regulation, specifically in meeting the following
requirements:
a) Providing to customers notices of its privacy policies and
practices that are timely, accurate, clear and conspicuous, and
delivered so that each customer can reasonably be expected to
receive actual notice;
b) Disclosing nonpublic personal information to nonaffiliated
third parties, other than under an exception, after first meeting
the applicable requirements for giving consumers notice and the
right to opt out;
c) Appropriately honoring consumer opt out directions;
d) Lawfully using or disclosing nonpublic personal information
received from a nonaffiliated financial institution; and
e) Disclosing account numbers only according to the limits in
the regulations.
4. To initiate effective corrective actions when violations of law
are identified, or when policies or internal controls are deficient.