R. Kinney Williams & Associates

Internet Banking News

June 29, 2003

CONTENT
- INTERNET COMPLIANCE
- INFORMATION SYSTEMS SECURITY
- INFORMATION SECURITY QUESTION
- INTERNET PRIVACY
- PENETRATION TESTS - WEB SITE AUDITS


FYI  - $15 million suspected stolen in September 11 fraud - Investigators suspect more than US$15 million ($26 million) was stolen from automated teller machines that malfunctioned after the September 11, 2001, attacks on New York, officials said.  http://www.nzherald.co.nz/latestnewsstory.cfm?storyID=3508252&thesection=news&thesubsection=world 

FYI  - Why you should replace frame relay with a VPN - Many companies are looking for ways to improve data communications while reducing costs.  http://idg.net/ic_1322305_9677_1-5044.html 

FYI - Bill Would Require Companies to Notify Customers When Accounts Are Hacked  http://ap.tbo.com/ap/breaking/MGAXJ3AMGHD.html 

FYI - U.S. securities regulators put a further onus on financial firms to keep records of their business this week, this time focusing on the increasingly popular form of communication known as instant messaging (IM).  http://www.infoworld.com/article/03/06/19/HNfinancialim_1.html 

FYI - Sample email retention policy from the Sans Institute.  http://www.sans.org/resources/policies/email_retention.pdf 

FYI - E-DISCOVERY ORDER CHANGING THE RULES - Federal Decision Deals With Who Pays the Costs.  http://www.abanet.org/journal/ereport/j6discovr.html

Return to the top of the newsletter

INTERNET COMPLIANCE - TRUTH IN SAVINGS ACT (REG DD)

Financial institutions that advertise deposit products and services on-line must verify that proper advertising disclosures are made in accordance with all provisions of the regulations. Institutions should note that the disclosure exemption for electronic media does not specifically address commercial messages made through an institution's web site or other on-line banking system. Accordingly, adherence to all of the advertising disclosure requirements is required.

Advertisements should be monitored for recency, accuracy, and compliance. Financial institutions should also refer to OSC regulations if the institution's deposit rates appear on third party web sites or as part of a rate sheet summary. These types of messages are not considered advertisements unless the depository institution, or a deposit broker offering accounts at the institution, pays a fee for or otherwise controls the publication.

Disclosures generally are required to be in writing and in a form that the consumer can keep. Until the regulation has been reviewed and changed, if necessary, to allow electronic delivery of disclosures, an institution that wishes to deliver disclosures electronically to consumers would supplement the electronic disclosures with paper disclosures.

Return to the top of the newsletter

INFORMATION SYSTEMS SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

The goal of logical and administrative access control is to restrict access to system resources. Access should be provided only to authorized individuals whose identity is established, and their activities should be limited to the minimum required for business purposes. Authorized individuals (users) may be employees, TSP employees, vendors, contractors, customers, or visitors.

An effective control mechanism includes numerous controls to safeguard and limit access to key information system assets. This section addresses logical and administrative controls, including access rights administration and authentication through network, operating system, application, and remote access. A subsequent section addresses physical security controls.

ACCESS RIGHTS ADMINISTRATION (1 of 5)

Action Summary - Financial institutions should have an effective process to administer access rights. The process should include the following controls:

1)  Assign users and system resources only the access required to perform their required functions,

2)  Update access rights based on personnel or system changes,

3)  Periodically review users’ access rights at an appropriate frequency based on the risk to the application or system, and

4)  Design appropriate acceptable-use policies and require users to sign them.
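As an added illustration (not from the FFIEC booklet or this newsletter), the Python script below shows what an automated pass over controls 1 to 3 can look like: it reconciles a staff roster against provisioned entitlements and reports excess privilege, accounts left active for departed staff, and reviews that are overdue for the system's risk tier. The roles, systems, review intervals and people are all constructed sample data, not values from the page.

```python
"""Access-rights review covering controls 1-3 (constructed sample data)."""
from datetime import date, timedelta

# Least-privilege baseline: entitlements each role legitimately needs (assumed).
ROLE_BASELINE = {
    "teller": {"core:read", "core:post_txn"},
    "csr": {"core:read", "crm:update"},
    "it_admin": {"core:read", "core:admin", "os:root"},
}
# Review interval by system risk tier (assumed policy values, in days).
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}
SYSTEM_RISK = {"core": "high", "crm": "medium", "os": "high"}

# Constructed roster: user -> (role, still employed)
ROSTER = {"alice": ("teller", True), "bob": ("csr", False), "carol": ("it_admin", True)}

# Constructed entitlements: (user, system, entitlement, last_reviewed)
ENTITLEMENTS = [
    ("alice", "core", "core:read", date(2003, 5, 1)),
    ("alice", "core", "core:admin", date(2003, 5, 1)),   # exceeds the teller baseline
    ("bob", "crm", "crm:update", date(2003, 3, 1)),      # departed user still provisioned
    ("carol", "os", "os:root", date(2002, 12, 1)),       # high-risk system, review overdue
]


def review_access(roster, entitlements, system_risk, today):
    """Return (finding, user, entitlement) tuples for the access administrator."""
    findings = []
    for user, system, ent, last_reviewed in entitlements:
        role, employed = roster.get(user, (None, False))
        if not employed:
            findings.append(("stale_account", user, ent))       # control 2
        elif ent not in ROLE_BASELINE.get(role, set()):
            findings.append(("excess_privilege", user, ent))    # control 1
        interval = timedelta(days=REVIEW_INTERVAL_DAYS[system_risk[system]])
        if today > last_reviewed + interval:
            findings.append(("review_overdue", user, ent))      # control 3
    return findings


def sample_review(today=date(2003, 6, 29)):
    """Run the review over the constructed data as of the newsletter date."""
    return review_access(ROSTER, ENTITLEMENTS, SYSTEM_RISK, today)
```

Each finding maps back to one of the three controls, which is the shape of evidence an examiner asks for when checking that the process exists and actually runs.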


Return to the top of the newsletter

INFORMATION SECURITY QUESTION:

A. AUTHENTICATION AND ACCESS CONTROLS - Authentication

11. Determine that biometric systems

• Have an adequately strong and reliable enrollment process,

• Adequately protect against the presentation of forged credentials (e.g., address replay attacks), and

• Are appropriately tuned for false accepts/false rejects.
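An added example, not part of the newsletter or the FFIEC material, of what "appropriately tuned" means in practice: sweep the match threshold over a set of matcher scores and read off the false-accept rate (impostors admitted) and false-reject rate (genuine users turned away) at each setting. The scores, the 0-100 scale and the FAR budget are constructed assumptions.

```python
"""Threshold tuning for a biometric matcher (constructed example).

The matcher returns a similarity score and the system accepts when the
score meets the threshold. Raising the threshold lowers the false-accept
rate (FAR) but raises the false-reject rate (FRR); tuning picks the balance.
"""

# Constructed matcher scores (0-100) for genuine users and impostor presentations.
GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]
IMPOSTOR = [55, 50, 48, 45, 42, 40, 38, 72, 35, 30]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) at a threshold: accept iff score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def tune_threshold(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FAR stays within the policy limit.

    The lowest such threshold is chosen because FRR only grows as the
    threshold rises, so it minimises friction for genuine users while
    keeping the false-accept exposure inside the budget.
    """
    for t in range(0, 101):
        far, _ = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t
    return None  # no threshold meets the budget with these scores


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest: the equal-error point,
    a common reference figure when comparing matchers."""
    def gap(t):
        far, frr = error_rates(t, genuine, impostor)
        return abs(far - frr)
    return min(range(0, 101), key=gap)
```

On the sample scores a zero-FAR policy forces the threshold above the highest impostor score and rejects three of ten genuine attempts, which is the trade-off an examiner should expect management to have documented.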

Return to the top of the newsletter

INTERNET PRIVACY
We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Sharing nonpublic personal information with nonaffiliated third parties only under Sections 14 and/or 15.

Note: This module applies only to customers.

A. Disclosure of Nonpublic Personal Information

1)  Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party.

a.  Compare the data shared and with whom the data were shared to ensure that the institution accurately states its information sharing practices and is not sharing nonpublic personal information outside the exceptions. 

B. Presentation, Content, and Delivery of Privacy Notices

1)  Obtain and review the financial institution's initial and annual notices, as well as any simplified notice that the institution may use. Note that the institution may only use the simplified notice when it does not also share nonpublic personal information with affiliates outside of Section 14 and 15 exceptions. Determine whether or not these notices: 

a.  Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));

b.  Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and

c.  Include, and adequately describe, all required items of information (§6).

2)  Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written customer records where available, determine if the institution has adequate procedures in place to provide notices to customers, as appropriate. Assess the following:

a.  Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and

b.  Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the customer agrees; or as a necessary step of a transaction) (§9) and accessibility of or ability to retain the notice (§9(e)).

Return to the top of the newsletter

PENETRATION TESTS - WEB SITE AUDITS - We offer independent Internet auditing regarding web site compliance and penetration-vulnerability testing.
Visit http://www.bankwebsiteaudits.com for more information about web site audits.  For information regarding penetration-vulnerability testing, visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved. Our logo is registered with the United States Patent and Trademark Office. © Copyright Yennik, Incorporated