FYI - Web banks not secure enough for customers - Mistrust of internet security is hampering the adoption of online banking. http://www.vnunet.com/News/1141079
FYI - Worker vengeance makes its way online - Furious that he'd been fired from the travel agency where he worked, James O'Brien waited months before allegedly springing his carefully plotted revenge. Just before Christmas 2000, according to federal prosecutors, O'Brien hacked into his former employer's computer system and canceled 60 customers' airline tickets. http://www.boston.com/dailyglobe2/142/metro/Workers_vengeance_makes_its_way_on_Web+.shtml
FYI - Computer Software Patch Management - The FDIC is providing guidance to financial institutions about the importance of maintaining an effective computer software patch management program. This guidance provides institutions with background information on the risks associated with software vulnerabilities and how they can be mitigated through an effective patch management program. www.fdic.gov/news/news/financial/2003/fil0343.html
FYI - Final Rule on Customer Identification Programs - The Department of the Treasury and the federal banking, thrift and credit union regulatory agencies have jointly issued a final rule to implement Section 326 of the USA PATRIOT Act. This section requires financial institutions to implement a customer identification program to verify the identity of customers opening new accounts. www.fdic.gov/news/news/financial/2003/fil0342.html
FYI - PayPal users are once again the targets of a hit-and-run e-mail scam aimed at conning them out of their personal and financial information. http://www.securityfocus.com/news/5039
FYI - Latest E-Mail Bank Scam Targets Citibank - Yet another bank-related e-mail scam is beginning to show up in Internet users' mailboxes this week, this one targeting users of a money-transfer service owned by Citibank FSB. http://www.eweek.com/article2/0,3959,1102980,00.asp
INTERNET COMPLIANCE - Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (1 of 2)
A risk assessment is the key driver of the information security
process. Its effectiveness is directly related to the following key
practices:
1) Multidisciplinary and Knowledge-based Approach - A consensus evaluation of the risks
and risk mitigation practices followed by the institution requires
the involvement of a broad range of users, with a range of expertise
and business knowledge. Not all users may have the same opinion of
the severity of various attacks, the importance of various controls,
and the importance of various data elements and information system
components. Management should apply a sufficient level of expertise
to the assessment.
2) Systematic and Central Control - Defined procedures and central control and
coordination help to ensure standardization, consistency, and
completeness of risk assessment policies and procedures, as well as
coordination in planning and performance. Central control and
coordination will also facilitate an organizational view of risks
and lessons learned from the risk assessment process.
3) Integrated Process -
A risk assessment provides a foundation for the remainder of the
security process by guiding the selection and implementation of
security controls and the timing and nature of testing those
controls. Testing results, in turn, provide evidence to the risk
assessment process that the controls selected and implemented are
achieving their intended purpose. Testing can also validate the
basis for accepting risks.
INFORMATION SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication
6. Determine if unauthorized attempts to access
authentication mechanisms (e.g., password storage location) are
appropriately monitored, reported and followed up.
Attacks on shared secret mechanisms, for instance, could
involve multiple log-in attempts using the same username and
multiple passwords or multiple usernames and the same password.
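The two patterns the item names can be told apart in ordinary failed-login records. The following is an added example, not part of the newsletter or the FFIEC booklet: it runs over a constructed, simplified log format (the `user=`/`src=` layout, the thresholds and the 5-minute window are all assumptions, not any product's defaults) and flags one account collecting many failures, and one source failing against many accounts, which is the observable trace of the "same password, many usernames" case since passwords themselves are never logged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log format (not any real product's): "<ISO ts> <OK|FAIL> user=<u> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<outcome>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")
SAMPLE_LOG = """\
2003-09-10T08:00:01 FAIL user=alice src=10.0.0.5
2003-09-10T08:00:09 FAIL user=alice src=10.0.0.5
2003-09-10T08:00:17 FAIL user=alice src=10.0.0.5
2003-09-10T08:00:26 FAIL user=alice src=10.0.0.5
2003-09-10T08:00:34 FAIL user=alice src=10.0.0.5
2003-09-10T08:01:00 OK user=bob src=10.0.0.7
2003-09-10T08:02:00 FAIL user=carol src=192.0.2.44
2003-09-10T08:02:03 FAIL user=dave src=192.0.2.44
2003-09-10T08:02:06 FAIL user=erin src=192.0.2.44
2003-09-10T09:30:00 FAIL user=frank src=10.0.0.9
this line is malformed and must be skipped rather than crash the parser
""".splitlines()  # constructed sample: one guessing burst, one spray, one success, one stray failure, one bad line

def parse(lines):
    """Yield (timestamp, outcome, user, src) for each well-formed line; ignore the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"]

def _max_in_window(stamps, window):
    """Largest number of timestamps that fit inside any span of length `window`."""
    stamps, best, j = sorted(stamps), 0, 0
    for i, ts in enumerate(stamps):
        while ts - stamps[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best

def _max_distinct_in_window(events, window):
    """Largest number of distinct users among (ts, user) events inside any span of length `window`."""
    events = sorted(events)
    return max(len({u for t, u in events[i:] if t - s <= window}) for i, (s, _) in enumerate(events))

def detect(lines, window=timedelta(minutes=5), per_user=5, per_source_users=3):
    """Return ('guessing', user) for one account with >= per_user failures in a window (one username, many
    passwords) and ('spraying', src) for one source failing against >= per_source_users distinct accounts
    (many usernames, one password); passwords are never logged, so distinct users per source is the proxy."""
    fails_by_user, fails_by_src = defaultdict(list), defaultdict(list)
    for ts, outcome, user, src in parse(lines):
        if outcome == "FAIL":
            fails_by_user[user].append(ts)
            fails_by_src[src].append((ts, user))
    alerts = [("guessing", u) for u, s in fails_by_user.items() if _max_in_window(s, window) >= per_user]
    alerts += [("spraying", s) for s, e in fails_by_src.items() if _max_distinct_in_window(e, window) >= per_source_users]
    return alerts
```

Running `detect(SAMPLE_LOG)` reports alice as the guessed account and 192.0.2.44 as the spraying source; frank's single failure and bob's success raise nothing, and the malformed line is dropped by the parser rather than aborting the review.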
INTERNET PRIVACY - We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 2 of 3)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial, annual and
revised notices, as well as any short-form notices that the
institution may use for consumers who are not customers. Determine
whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1),
8(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes
practices disclosed in the notices that exceed regulatory
requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§6). Note that if
the institution shares under Section 13 the notice provisions for
that section shall also apply.
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 7(c), 8(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of
delivery (§§4(d), 4(e), 5(a)), means of delivery of annual notice
(§9(c)), and accessibility of or ability to retain the notice (§9(e)).
PENETRATION TESTS - WEB SITE AUDITS - We offer independent Internet auditing regarding web site compliance and penetration-vulnerability testing. Visit http://www.bankwebsiteaudits.com for more information about web site audits. For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.