June 2, 2002
FYI - International Comparisons of Productivity Growth: The Role of
Information Technology and Regulatory Practices - While information
technologies (IT) are credited with the recent acceleration in
productivity in the United States, many other industrial countries have
not experienced a pickup in productivity growth.
www.federalreserve.gov/pubs/ifdp/2002/727/default.htm
FYI - Specially Designated Nationals and Blocked Persons - On May 15,
2002, the Department of the Treasury's Office of Foreign Assets Control
(OFAC) amended its list of Specially Designated Nationals and Blocked
Persons by adding updated "a.k.a" information to the list of Specially
Designated Global Terrorists.
www.fdic.gov/news/news/financial/2002/fil0251.html
INTERNET COMPLIANCE - The Role Of Consumer Compliance In Developing And
Implementing Electronic Services from FDIC:
When violations of the consumer protection laws regarding a financial
institution's electronic services have been cited, generally the
compliance officer has not been involved in the development and
implementation of the electronic services. Therefore, it is suggested
that management and system designers consult with the compliance officer
during the development and implementation stages in order to minimize
compliance risk. The compliance officer should ensure that the proper
controls are incorporated into the system so that all relevant
compliance issues are fully addressed. This level of involvement will
help decrease an institution's compliance risk and may prevent the need
to delay deployment or redesign programs that do not meet regulatory
requirements.
The compliance officer should develop a compliance risk profile as a
component of the institution's online banking business and/or technology
plan. This profile will establish a framework from which the compliance
officer and technology staff can discuss specific technical elements
that should be incorporated into the system to ensure that the online
system meets regulatory requirements. For example, the compliance
officer may communicate with the technology staff about whether
compliance disclosures/notices on a web site should be indicated or
delivered by the use of "pointers" or "hotlinks" to ensure that required
disclosures are presented to the consumer. The compliance officer can
also be an ongoing resource to test the system for regulatory
compliance.
INTERNET SECURITY - We continue the series from the FDIC "Security Risks
Associated with the Internet." While this Financial Institution Letter
was published in December 1997, the issues still are relevant.
SECURITY MEASURES
Encryption
Encryption, or cryptography, is a method of converting information to an
unintelligible code. The process can then be reversed, returning the
information to an understandable form. The information is encrypted
(encoded) and decrypted (decoded) by what are commonly referred to as
"cryptographic keys." These "keys" are actually values used by a
mathematical algorithm to transform the data. The effectiveness of
encryption technology is determined by the strength of the algorithm,
the length of the key, and the appropriateness of the encryption system
selected.
Because encryption renders information unreadable to any party without
the ability to decrypt it, the information remains private and
confidential, whether being transmitted or stored on a system.
Unauthorized parties will see nothing but an unorganized assembly of
characters. Furthermore, encryption technology can provide assurance of
data integrity, as some algorithms offer protection against forgery and
tampering. The ability of the technology to protect the information
requires that the encryption and decryption keys be properly managed by
authorized parties.
PRIVACY EXAMINATION QUESTION - We continue our series listing the
regulatory-privacy examination questions. When you answer the question
each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
14. Does the institution describe the following about its policies and
practices with respect to protecting the confidentiality and security of
nonpublic personal information:
a. who is authorized to have access to the information; and
[§6(c)(6)(i)]
b. whether security practices and policies are in place to ensure the
confidentiality of the information in accordance with the institution’s
policy? [§6(c)(6)(ii)]
(Note: the institution is not required to describe technical information
about the safeguards used in this respect.)
IN CLOSING - The Vulnerability Internet Security Test Audit (VISTA) is
an independent security test of Yennik, Inc.'s network connection to the
Internet against unauthorized external intrusion. While your Network
Administrator or systems consultants probably perform a vulnerability
scan, the scan would not be considered independent since they developed
and maintain your Internet security. An independent vulnerability test
is required in most cases by your regulator, the Gramm-Leach-Bliley Act,
and best practices. Before your next IT examination, visit
http://www.internetbankingaudits.com/ for more information and to
schedule your independent vulnerability security scan.