FYI - How to secure your company - There's no one thing a company can do to be secure. First, every company is unique; what works well for one might not work for another. Second, there's no such thing as 100% security; companies can do things to reduce and manage risk, but they can never eliminate it. Third, companies are constantly changing; just because a company is secure today doesn't mean it will be secure tomorrow.
http://www.computerworld.com/securitytopics/security/story/0,10801,82515,00.html?nas=SEC2-82515
FYI - A disgruntled employee is suspected of hacking a global networking consultancy's computer systems and then emailing staff with confidential information about forthcoming restructuring plans.
http://www.silicon.com/news/500019/14/4804.html
FYI - Protecting Against Wireless Threats - During the last two years, wireless fidelity (WiFi) has become one of the fastest growing electronics technologies in history. Although much of this growth can be attributed to the consumer market, businesses have also begun to appreciate the value of beaming data through the airwaves and pulling the plug on conventional networks.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5426
FYI - Hackers move on to hijacking - Some call it “cyberjacking.” Others call it corporate identity theft. It’s the latest twist among computer hackers who have figured out new ways to hijack Web sites and use them to launch all kinds of unauthorized activity.
http://www.msnbc.com/news/930843.asp?0si=
FYI - Cyber-thief nets 65,000 county Web addresses - All it took was a phone call for an Internet hijacker to steal 65,000 Web site addresses belonging to Los Angeles County.
http://www.pasadenastarnews.com/Stories/0,1413,206~22097~1479783,00.html
FYI - Unsolicited commercial e-mail--spam--costs U.S. companies $874 per employee per year in lost productivity, according to a new report out from independent research company Nucleus Research.
http://www.pcworld.com/news/article/0,aid,111433,tk,dn070203X,00.asp
INTERNET COMPLIANCE - We begin this week reviewing the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques" issued in April 2003.
A. RISK DISCUSSION
Introduction
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking
relationships are exposed to several risks associated with the use
of this technology. The most significant risks are reputation
risk and compliance risk.
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in
distinguishing whether the financial institution or the linked
third party is offering products and services;
- customer dissatisfaction
with the quality of products or services obtained from a third
party; and
- customer confusion as to
whether certain regulatory protections apply to third-party
products or services.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (3 of 5)
System devices, programs, and data are system resources. Each system resource may need to be accessed by other system resources and individuals in order for work to be performed. Access beyond the minimum required for work to be performed exposes the institution’s systems and information to a loss of confidentiality, integrity, and availability. Accordingly, the goal of access rights administration is to identify and restrict access to any particular system resource to the minimum required for work to be performed.
The financial institution’s security policy should address access rights to system resources and how those rights are to be administered.
Management and information system administrators should critically evaluate information system access privileges and establish access controls to prevent unwarranted access.
Access rights should be based upon the needs of the applicable user or system resource to carry out legitimate and approved activities on the financial institution’s information systems. Policies, procedures, and criteria need to be established for both the granting of appropriate access rights and for the purpose of establishing those legitimate activities.
Formal access rights administration for users consists of four processes:
- An enrollment process to add new users to the system;
- An authorization process to add, delete, or modify authorized user access to operating systems, applications, directories, files, and specific types of information;
- An authentication process to identify the user during subsequent activities; and
- A monitoring process to oversee and manage the access rights granted to each user on the system.
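As an added illustration (not part of the newsletter or of the FFIEC booklet), the four processes above modelled as one small Python class: a newly enrolled user holds no rights, authorization grants or revokes named actions on named resources, authentication issues a session token only after a constant-time password check, and every decision is written to a monitoring log. The user "alice" and the resource "ledger" used in the test are constructed, and PBKDF2 with 100,000 rounds is an assumption for the password store.

```python
import hashlib
import hmac
import os
import secrets


class AccessAdmin:
    """Enrollment, authorization, authentication and monitoring for one system."""

    def __init__(self):
        self.users = {}     # user -> (salt, PBKDF2 password hash)
        self.rights = {}    # user -> {resource: set of permitted actions}
        self.sessions = {}  # session token -> user
        self.log = []       # monitoring trail: (event, user, detail)

    def enroll(self, user, password):
        # Enrollment: a new user starts with no rights at all (least privilege).
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[user] = (salt, digest)
        self.rights[user] = {}
        self.log.append(("enroll", user, ""))

    def authorize(self, user, resource, actions, grant=True):
        # Authorization: add or remove named actions on one named resource.
        held = self.rights[user].setdefault(resource, set())
        if grant:
            held.update(actions)
        else:
            held.difference_update(actions)
        self.log.append(("grant" if grant else "revoke", user, f"{resource}:{sorted(actions)}"))

    def authenticate(self, user, password):
        # Authentication: constant-time hash comparison, then a fresh session token.
        salt, digest = self.users.get(user, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if user not in self.users or not hmac.compare_digest(digest, candidate):
            self.log.append(("auth_fail", user, ""))
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        self.log.append(("auth_ok", user, ""))
        return token

    def access(self, token, resource, action):
        # Monitoring: every decision, allowed or denied, lands in the log for review.
        user = self.sessions.get(token)
        allowed = user is not None and action in self.rights[user].get(resource, set())
        self.log.append(("allow" if allowed else "deny", user, f"{resource}:{action}"))
        return allowed
```

The log is what the monitoring process reviews: a revoke followed by a later allow on the same resource, or a run of auth_fail entries for one user, is the kind of pattern an administrator would look for.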
INFORMATION SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication
12. Determine whether appropriate device and session authentication takes place, particularly for remote and wireless machines.
INTERNET PRIVACY - We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.
Reuse & Redisclosure of nonpublic personal information received from a nonaffiliated financial institution under Sections 14 and/or 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure and reuse of
the information where the institution is the recipient of nonpublic
personal information (§11(a)).
B. Select a sample of data received from nonaffiliated financial
institutions, to evaluate the financial institution's compliance
with reuse and redisclosure limitations.
1. Verify that the institution's redisclosure of the
information was only to affiliates of the financial institution from
which the information was obtained or to the institution's own
affiliates, except as otherwise allowed in the step b below (§11(a)(1)(i)
and (ii)).
2. Verify that the institution only uses and shares the data
pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).
PENETRATION TESTS - WEB SITE AUDITS - We offer independent Internet auditing regarding web site compliance and penetration-vulnerability testing. Visit http://www.bankwebsiteaudits.com for more information about web site audits. For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.