FYI - Singapore's DBS Bank Moves to Higher Security - Singapore's
DBS Bank has introduced enhanced security systems on its e-banking
service, following a hacking incident which cost the bank $62,000
last summer. http://www.infosecnews.com/sgold/news/2003/05/22_03.htm
FYI - Bank of America Corp. has warned its
customers to be aware of a scam that attempts to get them to log
into a fake Web site that then captures their personal financial
details. http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,81211,00.html
FYI - Hacking 2003: The new agenda - Bank
robbers rarely choose a target at random when planning a heist. They
usually have intimate knowledge of their target, scope it out and
plan the attack. We see a similar approach now being used on the
Internet. http://news.com.com/2010-1071-1001016.html
FYI - Hack attacks on banks increase - Nearly 40
percent of financial institutions in a new survey admitted that
their systems had been compromised, as 'intelligent attacks'
increased. http://news.zdnet.co.uk/story/0,,t269-s2134573,00.html
FYI - FFIEC Information Technology Examination Handbook - The
Federal Financial Institutions Examination Council has issued two
booklets - one, with revised guidance for evaluating risk-management
processes to ensure the availability of critical financial services,
and the other covering the supervision and examination of services
performed for financial institutions by technology service
providers. The booklets are the second and third in a series of
updates, which will eventually replace the 1996 FFIEC Information
Systems Examination Handbook and comprise the new FFIEC Information
Technology Examination Handbook. www.fdic.gov/news/news/financial/2003/fil0340.html
FYI - U.S.
law-enforcement officers arrested 50 suspects this week in an effort
to combat the fast-growing online crime that now accounts for more
than half of all fraud complaints. Those arrested stand
accused of a variety of crimes, from setting up fake banking Web
sites to collect the account numbers of unsuspecting customers
to surreptitiously taping and selling unreleased movies. http://www.cnn.com/2003/TECH/internet/05/16/cybercrime.feds.ap/index.html
FYI - The Federal Reserve Board announced it will expand the
operating hours for the online Fedwire® Funds Service. www.federalreserve.gov/boarddocs/press/other/2003/20030521/default.htm
FYI - Business Continuity
Planning and Supervision of Technology Service Providers Booklets -
The Federal Financial Institutions Examination Council has issued
updated guidance in two booklets, one on business continuity
planning, and the other on FFIEC supervision of technology service
providers. These booklets are the second and third in a series that
will completely update and replace the 1996 FFIEC Information
Systems Examination Handbook.
Press release www.occ.treas.gov/ftp/bulletin/2003-18.txt
Attachment http://www.ffiec.gov/press/pr052003.htm
Press release www.ots.treas.gov/docs/77318.html
Press release www.ncua.gov/news/press_releases/2003/FFIEC03-0520.htm
INTERNET COMPLIANCE - Equal Credit Opportunity Act (Regulation B)
The regulation clarifies the rules concerning the taking of credit
applications by specifying that application information entered
directly into and retained by a computerized system qualifies as a
written application under this section. If an institution makes
credit application forms available through its on-line system, it
must ensure that the forms satisfy the requirements.
The regulations also clarify the regulatory requirements that apply
when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
mail.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
PRIORITIZE RESPONSES
This phase ranks the risk (outcomes and probabilities) presented
by various scenarios produced in the analysis phase to prioritize
management’s response. Management may decide that since some risks
do not meet the threshold set in their security requirement, they
will accept those risks and not proceed with a mitigation strategy.
Other risks may require immediate corrective action. Still others
may require mitigation, either fully or partially, over time. Risks
that warrant action are addressed in the information security
strategy.
In some borderline instances, or if planned controls cannot fully
mitigate the risk, management may need to review the risk assessment
and risk ranking with the board of directors or a delegated
committee. The board should then document its acceptance of the risk
or authorize other risk mitigation measures.
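The ranking step described above, as an added example in Python (my own code, not the FFIEC booklet's or the newsletter's). The booklet does not prescribe a scoring scheme, so the 1-5 likelihood and impact scales, the product as the risk score, and the two thresholds standing in for the institution's security requirement are all assumptions made here; the scenarios are constructed.

```python
"""Added example (my own code, not the FFIEC booklet's or the newsletter's):
ranking the scenarios from a risk analysis and sorting them into the three
responses the text names (accept, immediate corrective action, mitigate
over time), plus a flag for the cases that go to the board.

Assumed, not stated by the booklet: likelihood and impact scored 1-5, risk
score = likelihood x impact, and the two thresholds below standing in for
the institution's security requirement."""
from dataclasses import dataclass
from typing import Optional

ACCEPT_BELOW = 6            # scores under this are accepted without mitigation
IMMEDIATE_AT_OR_ABOVE = 15  # scores at or above this need immediate corrective action
BORDERLINE_MARGIN = 1       # a score this close to a threshold is a borderline case


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: int                                # 1 (rare) .. 5 (almost certain)
    impact: int                                    # 1 (negligible) .. 5 (severe)
    residual_after_controls: Optional[int] = None  # score once planned controls are in place

    @property
    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1-5 scale")
        return self.likelihood * self.impact


def response_for(score: int) -> str:
    """Map a risk score onto management's response."""
    if score < ACCEPT_BELOW:
        return "accept"
    if score >= IMMEDIATE_AT_OR_ABOVE:
        return "immediate corrective action"
    return "mitigate over time"


def needs_board_review(s: Scenario) -> bool:
    """Borderline rankings, or planned controls that leave the residual risk
    at or above the acceptance threshold, go to the board or its committee."""
    borderline = any(abs(s.score - t) <= BORDERLINE_MARGIN
                     for t in (ACCEPT_BELOW, IMMEDIATE_AT_OR_ABOVE))
    controls_insufficient = (s.residual_after_controls is not None
                             and s.residual_after_controls >= ACCEPT_BELOW)
    return borderline or controls_insufficient


def prioritize(scenarios):
    """Return the scenarios ranked highest risk first, each with its response."""
    ranked = sorted(scenarios, key=lambda s: (-s.score, s.name))
    return [{"name": s.name, "score": s.score,
             "response": response_for(s.score),
             "board_review": needs_board_review(s)} for s in ranked]


def strategy_items(plan):
    """Names of the risks that warrant action and so belong in the security strategy."""
    return [p["name"] for p in plan if p["response"] != "accept"]


# Constructed sample scenarios (not from any real assessment).
SAMPLE_SCENARIOS = [
    Scenario("Lobby kiosk defaced", likelihood=2, impact=1),
    Scenario("Phishing site harvests customer credentials", likelihood=4, impact=5),
    Scenario("Internet banking web server unpatched", likelihood=3, impact=5),
    Scenario("Password file readable on DMZ host", likelihood=2, impact=4,
             residual_after_controls=7),
    Scenario("Fax application channel unavailable", likelihood=1, impact=3),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_SCENARIOS):
        flag = " (board review)" if item["board_review"] else ""
        print(f'{item["score"]:>2}  {item["response"]:<27} {item["name"]}{flag}')
```

The board-review flag is what separates this from a plain sort: a scenario that lands exactly on a threshold, or one whose planned control leaves the residual score at or above the acceptance line, is routed for documented acceptance rather than silently filed under one bucket.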
INFORMATION SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication
5. Determine if passwords are stored on any machine that is directly
or easily accessible from outside the institution, and if passwords
are stored in programs on machines that query customer information
databases.
Evaluate the appropriateness of such storage and the
associated protective mechanisms.
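One way an examiner or the institution's own staff can look for the stored passwords that question 5 asks about, as an added Python example (my own code, not the newsletter's or the FFIEC's). The file contents are constructed samples; the credential key names, the placeholder and environment-expansion forms it ignores, and the patterns it uses as evidence of database access are assumptions made here, not an authoritative list.

```python
"""Added example (my own code, not the newsletter's or the FFIEC's): a check
for passwords stored in scripts and configuration files, in support of
examination question 5 above. The file contents are constructed samples, and
the key names, placeholder forms and database-access patterns are my own
assumptions about what stored credentials and database code look like."""
import re
from dataclasses import dataclass

# A credential-looking key, an assignment, an optional quote and the value.
CRED_ASSIGN = re.compile(
    r"(?i)([A-Za-z_]*(?:password|passwd|pwd|secret))\b\s*[:=]\s*(['\"]?)([^'\"\s;]+)"
)
# Deployment placeholders and environment expansions are not stored secrets.
PLACEHOLDER = re.compile(r"^(\$\{?\w+|%\w+%|<[^>]+>|\{\{)")
# Unquoted values containing these characters are code expressions, not literals.
CODE_EXPRESSION = re.compile(r"[(.\[{$%]")
# Evidence that the file queries a database, which the question singles out.
DB_ACCESS = re.compile(r"(?i)\b(select\s+.+\s+from\b|insert\s+into|odbc|jdbc|\.connect\()")
COMMENT_PREFIXES = ("#", "//", "--", ";", "rem ")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    key: str
    masked_value: str        # never echo the secret itself into a report
    queries_database: bool


def mask(value: str) -> str:
    """Keep two characters so a reviewer can recognise the value, hide the rest."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def is_stored_secret(value: str, quoted: bool) -> bool:
    if PLACEHOLDER.match(value):
        return False
    if not quoted and CODE_EXPRESSION.search(value):
        return False
    return True


def scan_text(path: str, text: str) -> list:
    """Return one Finding per credential literal in the file body."""
    queries_db = bool(DB_ACCESS.search(text))
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip().lower().startswith(COMMENT_PREFIXES):
            continue                      # commented-out lines are noise, not storage
        for m in CRED_ASSIGN.finditer(line):
            key, quote, value = m.group(1), m.group(2), m.group(3)
            if is_stored_secret(value, quoted=bool(quote)):
                findings.append(Finding(path, line_no, key, mask(value), queries_db))
    return findings


def scan_files(files: dict) -> list:
    """Scan several files; findings in database-querying programs sort first."""
    found = [f for path, text in files.items() for f in scan_text(path, text)]
    return sorted(found, key=lambda f: (not f.queries_database, f.path, f.line_no))


# Constructed sample files (not taken from any real system).
SAMPLE_FILES = {
    "report.py": (
        "import pyodbc\n"
        'conn = pyodbc.connect("Server=db01;Database=customers;User Id=rpt;Password=hunter2;")\n'
        'rows = conn.execute("SELECT acct_no, balance FROM accounts").fetchall()\n'
    ),
    "backup.sh": (
        "#!/bin/sh\n"
        "# password = oldvalue   (left in a comment, not live)\n"
        'export DB_PASSWORD="${DB_PASSWORD:?set in the environment}"\n'
        "tar czf /backup/www.tgz /var/www\n"
    ),
    "config.ini": (
        "[customerdb]\n"
        "host = db01\n"
        "user = app\n"
        "password = <SET_AT_DEPLOY>\n"
        "legacy_pwd = Spring2003\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        where = "queries a customer database" if f.queries_database else "no database access seen"
        print(f"{f.path}:{f.line_no}  {f.key} = {f.masked_value}  ({where})")
```

Run against a real host, the dictionary of sample files would be replaced by a walk over the script and configuration directories. Two design points matter for the evaluation the question calls for: the report masks every value so the scan output does not itself become a second copy of the password, and each finding records whether the containing program queries a database, because those are the hits that most need a protective mechanism such as a credential vault or restricted file permissions.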
INTERNET PRIVACY - We continue covering various issues in the "Privacy of
Consumer Financial Information" published by the financial
regulatory agencies in May 2001.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 1 of 3)
Note: Financial institutions whose practices fall within this
category engage in the most expansive degree of information sharing
permissible. Consequently, these institutions are held to the most
comprehensive compliance standards imposed by the Privacy
regulation.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated third parties
and obtain a sample of data shared between the institution and the
third party both inside and outside of the exceptions. The sample
should include a cross-section of relationships but should emphasize
those that are higher risk in nature as determined by the initial
procedures. Perform the following comparisons to evaluate the
financial institution's compliance with disclosure limitations.
a. Compare the categories of data shared and with whom the
data were shared to those stated in the privacy notice and verify
that what the institution tells consumers (customers and those who
are not customers) in its notices about its policies and practices
in this regard and what the institution actually does are consistent
(§§10, 6).
b. Compare the data shared to a sample of opt out directions
and verify that only nonpublic personal information covered under
the exceptions or from consumers (customers and those who are not
customers) who chose not to opt out is shared (§10).
2) If the financial institution also shares information under
Section 13, obtain and review contracts with nonaffiliated third
parties that perform services for the financial institution not
covered by the exceptions in section 14 or 15. Determine whether the
contracts prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather"
provisions of Section 18 apply to certain of these contracts (§13(a)).
PENETRATION TESTS - WEB SITE AUDITS
- We offer independent Internet auditing regarding web
sites' compliance and penetration-vulnerability testing. Visit http://www.bankwebsiteaudits.com
for more information about web site audits. For information
regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/
or email Kinney Williams at examiner@yennik.com.