May 11, 2003
FYI - Auditing Web Site Authentication, Part Two http://www.securityfocus.com/infocus/1691
FYI - The Role of the Corporate Information Security Steering Committee http://www.infosecnews.com/opinion/2003/05/07_04.htm
FYI - Hypothekarbank Lenzburg (HBL), one of Switzerland's leading regional independent banks, is to give its customers access to smartcard authentication for e-banking. http://www.infosecnews.com/sgold/news/2003/05/08_01.htm
INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the
consumer's deposit account at an electronic terminal or personal
computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An Interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign-up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (1 of 2)
The information gathered is used to characterize the system, to
identify and measure threats to the system and the data it contains
and transmits, and to estimate the likelihood that a threat will
take action against the system or data.
System characterization articulates the understanding of the system,
including the boundaries of the system being assessed, the system's
hardware and software, and the information that is stored,
processed, and transmitted. Since operational systems may have
changed since they were last documented, a current review of the
system should be performed. Developmental systems, on the other
hand, should be analyzed to determine their key security rules and
attributes. Those rules and attributes should be documented as part
of the systems development lifecycle process. System
characterization also requires the cross-referencing of
vulnerabilities to current controls to identify those that mitigate
specific threats, and to assist in highlighting the control areas
that should be improved.
A key part of system characterization is the ranking of data and
system components according to their sensitivity and importance to
the institution's operations. Additionally, consistent with the
GLBA, the ranking should consider the potential harm to customers of
unauthorized access and disclosure of customer non-public personal
information. Ranking allows for a reasoned and measured analysis of
the relative outcome of various attacks, and the limiting of the
analysis to sensitive information or information and systems that
may materially affect the institution's condition and operations.
Threats are identified and measured through the creation and
analysis of threat scenarios. Threat scenarios should be
comprehensive in their scope (e.g., they should consider reasonably
foreseeable threats and possible attacks against information and
systems that may affect the institution's condition and operations
or may cause data disclosures that could result in substantial harm or inconvenience to customers).
They should consider the potential effect and likelihood for failure
within the control environment due to non-malicious or malicious
events. They should also be coordinated with business continuity
planning to include attacks performed when those plans are
implemented. Non-malicious scenarios typically involve accidents
related to inadequate access controls and natural disasters.
Malicious scenarios, either general or specific, typically involve a
motivated attacker (i.e., threat) exploiting a vulnerability to gain
access to an asset to create an outcome that has an impact.
An example of a general malicious threat scenario is an unskilled
attacker using a program script to exploit a vulnerable
Internet-accessible Web server to extract customer information from
the institution's database. Assuming the attacker's motivation is to
seek recognition from others, the attacker publishes the
information, causing the financial institution to suffer damage to
its reputation. Ultimately, customers are likely to be victims of
identity theft.
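The system-characterization steps above (rank assets by sensitivity and importance, cross-reference vulnerabilities to current controls, and estimate likelihood against each asset) can be worked as a small risk register. The following is an added example written for this newsletter, not material from the FFIEC booklet; the assets, vulnerabilities, controls and the 1-4 scoring scales are constructed for illustration, and the scoring formula is an assumption rather than a regulatory requirement.

```python
"""Risk-assessment cross-reference: rank assets, map vulnerabilities to the
controls that mitigate them, and surface the exposures nothing mitigates.

Added example. Every asset, vulnerability, control and scale below is a
constructed assumption for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: int      # 1 (public) .. 4 (customer non-public personal information)
    criticality: int      # 1 (convenience only) .. 4 (materially affects operations)


@dataclass(frozen=True)
class Vulnerability:
    vid: str
    asset: str            # Asset.name it exposes
    likelihood: int       # 1 (unlikely) .. 4 (a threat is expected to act on it)


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: frozenset  # vulnerability ids this control addresses


def rank_assets(assets):
    """Order assets by sensitivity x criticality, highest first (assumed formula)."""
    return sorted(assets, key=lambda a: (a.sensitivity * a.criticality, a.name), reverse=True)


def cross_reference(vulns, controls):
    """Map each vulnerability id to the names of controls covering it.
    An empty list marks a control gap to highlight for improvement."""
    coverage = {v.vid: [] for v in vulns}
    for c in controls:
        for vid in c.mitigates:
            if vid in coverage:
                coverage[vid].append(c.name)
    return coverage


def residual_exposures(assets, vulns, controls):
    """Vulnerabilities with no mitigating control, scored by likelihood times
    asset value, highest first. Each entry is (score, vid, asset name)."""
    by_name = {a.name: a for a in assets}
    coverage = cross_reference(vulns, controls)
    out = []
    for v in vulns:
        if coverage[v.vid]:          # something already mitigates it
            continue
        a = by_name[v.asset]
        out.append((v.likelihood * a.sensitivity * a.criticality, v.vid, a.name))
    return sorted(out, reverse=True)


# Constructed sample register.
SAMPLE_ASSETS = [
    Asset("customer_db", sensitivity=4, criticality=4),
    Asset("web_server", sensitivity=2, criticality=3),
    Asset("intranet_wiki", sensitivity=1, criticality=1),
]
SAMPLE_VULNS = [
    Vulnerability("V1", "web_server", likelihood=4),    # unpatched internet-facing service
    Vulnerability("V2", "customer_db", likelihood=3),   # database reachable from the DMZ
    Vulnerability("V3", "intranet_wiki", likelihood=2), # default credentials
    Vulnerability("V4", "customer_db", likelihood=2),   # backup media not encrypted
]
SAMPLE_CONTROLS = [
    Control("patch management", frozenset({"V1"})),
    Control("network segmentation", frozenset({"V2"})),
]

if __name__ == "__main__":
    for a in rank_assets(SAMPLE_ASSETS):
        print(a.name, a.sensitivity * a.criticality)
    print(cross_reference(SAMPLE_VULNS, SAMPLE_CONTROLS))
    print(residual_exposures(SAMPLE_ASSETS, SAMPLE_VULNS, SAMPLE_CONTROLS))
```

With the sample register the two unmitigated items are V4 (unencrypted backups of the customer database, score 32) and V3 (wiki default credentials, score 2), which is the ordering an assessor would use to decide where control improvements are worth the effort.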
INFORMATION SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication
3. Evaluate the effectiveness of password and shared secret
administration for employees and customers considering the
complexity of the processing environment and type of information
accessed. Consider:
Confidentiality of passwords and shared secrets (whether only known to the employee/customer);
Maintenance of confidentiality through reset procedures;
The frequency of required changes (for applications, the user should make any changes from the initial password issued on enrollment without any other user's intervention);
Password composition in terms of length and type of characters (new or changed passwords should result in a password whose strength and reuse agrees with the security policy);
The strength of shared secret authentication mechanisms;
Restrictions on duplicate shared secrets among users (No restrictions should exist); and
The extent of authorized access (e.g., privileged access, single sign-on systems).
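Several of the points in this question (change from the initial enrollment password without another user's involvement, composition in length and character type, reuse against policy, and no restriction on duplicates among users) are things an examiner can check directly in an application's password-change logic. The following is an added example of such logic, written for this newsletter and not taken from the FFIEC booklet or any particular product; the minimum length, number of character classes, history depth and PBKDF2 iteration count are constructed policy values, not regulatory figures.

```python
"""Password and shared-secret administration checks.

Added example, not from the FFIEC booklet or this newsletter. The policy
values below (length, character classes, history depth, iterations) are
constructed assumptions; a real policy sets its own."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

# Constructed policy parameters (assumptions for illustration).
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3   # of: lower, upper, digit, symbol
HISTORY_DEPTH = 10          # previous secrets a user may not reuse
PBKDF2_ITERATIONS = 100_000


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: secrets are stored only as salted hashes."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    must_change: bool = True                      # true until the user replaces the enrollment secret
    history: list = field(default_factory=list)   # (salt, hash) pairs, newest last


def composition_errors(candidate: str) -> list:
    """Return the composition rules the candidate fails (empty list = passes)."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ])
    if classes < MIN_CHARACTER_CLASSES:
        errors.append(f"uses {classes} character classes, policy needs {MIN_CHARACTER_CLASSES}")
    return errors


def reused(account: Account, candidate: str) -> bool:
    """True if the candidate matches any of this user's last HISTORY_DEPTH secrets.
    Only the user's own history is consulted. Other users' secrets are
    deliberately not compared: refusing a candidate because someone else
    already uses it would disclose that other user's password."""
    for salt, digest in account.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash_secret(candidate, salt), digest):
            return True
    return False


def change_secret(account: Account, candidate: str) -> list:
    """Apply a user-initiated change. Returns the reasons it was refused;
    an empty list means the change was accepted and recorded."""
    reasons = composition_errors(candidate)
    if reused(account, candidate):
        reasons.append("matches one of your recent passwords")
    if reasons:
        return reasons
    salt = os.urandom(16)
    account.history.append((salt, _hash_secret(candidate, salt)))
    account.must_change = False   # enrollment secret replaced by the user, no administrator involved
    return []


def enroll(username: str, initial_secret: str) -> Account:
    """Issue the enrollment secret. The account stays flagged must_change
    until the user replaces it through change_secret."""
    account = Account(username)
    salt = os.urandom(16)
    account.history.append((salt, _hash_secret(initial_secret, salt)))
    return account


if __name__ == "__main__":
    acct = enroll("jdoe", "Welcome-2003-Tmp")               # constructed sample account
    print(change_secret(acct, "short1!"))                   # refused: too short
    print(change_secret(acct, "Welcome-2003-Tmp"))          # refused: reuse of enrollment secret
    print(change_secret(acct, "Correct.Horse7Battery"))     # accepted: []
    print(acct.must_change)                                 # False
```

The reuse check hashes the candidate with each stored salt rather than comparing plaintext, so history entries never need to hold the old secret; the constant-time comparison avoids leaking which history entry matched.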
PRIVACY - We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.
Examination Procedures (Part 2 of 3)
B. Use the information gathered from step A to work through the
"Privacy Notice and Opt Out Decision Tree." Identify
which module(s) of procedures is (are) applicable.
C. Use the information gathered from step A to work through the
Reuse and Redisclosure and Account Number Sharing Decision Trees, as
necessary (Attachments B & C). Identify which module is
applicable.
D. Determine the adequacy of the financial institution's internal
controls and procedures to ensure compliance with the privacy
regulation as applicable. Consider the following:
1) Sufficiency of internal policies and procedures, and
controls, including review of new products and services and controls
over servicing arrangements and marketing arrangements;
2) Effectiveness of management information systems, including
the use of technology for monitoring, exception reports, and
standardization of forms and procedures;
3) Frequency and effectiveness of monitoring procedures;
4) Adequacy and regularity of the institution's training
program;
5) Suitability of the compliance audit program for ensuring that:
a) the procedures address all regulatory provisions as applicable;
b) the work is accurate and comprehensive with respect to the institution's information sharing practices;
c) the frequency is appropriate;
d) conclusions are appropriately reached and presented to responsible parties;
e) steps are taken to correct deficiencies and to follow up on previously identified deficiencies; and
6) Knowledge level of management and personnel.
IN CLOSING - On pages 80-81 of the newly released FFIEC interagency Information Security Booklet, the regulators are requiring financial institutions to have at least an annual independent penetration test. Did you know that there are over 2,000 known vulnerabilities with approximately 25 new vulnerabilities added every week, and that in 2001, 99% of unauthorized intrusions resulted from known vulnerabilities? We can provide you with independent penetration testing to help protect {custom4} from unauthorized external access.
For more information, please visit our web site at http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.