July 21, 2002
FYI - Creating a "Good Housekeeping" approval seal of
sorts, the government is releasing standards and a software program
that will help computer users configure their systems for maximum
security against hackers and thieves. http://www.foxnews.com/story/0,2933,57870,00.html
FYI - Federal agency officials could be held accountable for
inadequately securing their information systems under new guidelines
issued by the Office of Management and Budget.
Press release: http://www.fcw.com/fcw/articles/2002/0715/news-gisra-07-15-02.asp
Regulation: http://www.whitehouse.gov/omb/memoranda/m02-09.pdf
FYI - The Office of Thrift Supervision is hosting an inter-agency
information technology security conference October 15 - 17, 2002 at the Hilton
DFW Lakes Executive Center in Grapevine, Texas. The conference is offered in
cooperation with the Federal Deposit Insurance Corporation, Office of the
Comptroller of the Currency, Texas Department of Banking and the Federal Reserve
Bank of Dallas. www.ots.treas.gov/docs/48906.pdf
FYI - Treasury and Federal Financial Regulators Issue Patriot Act
Regulations on Customer Identification - The Department of the Treasury and
seven federal financial regulators today issued proposed rules that would
require certain financial institutions to establish minimum procedures for
identifying and verifying the identity of customers seeking to open new
financial accounts.
FRB Press Release: www.federalreserve.gov/boarddocs/press/bcreg/2002/20020717/default.htm
FDIC Press Release: www.fdic.gov/news/news/press/2002/pr8502.html
NCUA Press Release: www.ncua.gov/news/press_releases/nr02-0717-1.html
OCC Press Release: www.occ.treas.gov/ftp/release/2002-59.txt
OCC Attachment: www.occ.treas.gov/ftp/release/2002-59a.pdf
OTS Press Release: www.ots.treas.gov/docs/77231.html
FYI - Weaknesses in the Federal Deposit Insurance
Corp.'s IT strategy have left financial information open to attack,
a new report says. The report from the General Accounting
Office identified "new weaknesses" in the FDIC's
information systems controls that affect its ability to safeguard
electronic access to sensitive data. The complete GAO
report can be found at http://www.gao.gov/new.items/d02689.pdf.
FYI - Malicious computer hackers could soon face life in prison for some
computer crimes. http://news.bbc.co.uk/hi/english/sci/tech/newsid_2131000/2131773.stm
INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the
consumer's deposit account at an electronic terminal or personal
computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
INTERNET SECURITY - We continue the series
from the FDIC "Security Risks Associated with the Internet."
While this Financial Institution Letter was published in
December 1997, the issues still are relevant.
Logical Access Controls (Part 1 of 2)
If passwords are used for access control or authentication measures,
users should be properly educated in password selection. Strong
passwords consist of at least six to eight alphanumeric characters,
with no resemblance to any personal data. PINs should also be
unique, with no resemblance to personal data. Neither passwords nor
PINs should ever be reduced to writing or shared with others.
Other security measures should include the adoption of one-time
passwords, or password aging measures that require periodic changes.
Encryption technology can also be employed in the entry and
transmission of passwords, PINs, user IDs, etc. Any password
directories or databases should be properly protected, as well.
Password guessing programs can be run against a system. Some can run
through tens of thousands of password variations based on personal
information, such as a user's name or address. It is preferable to
test for such vulnerabilities by running this type of program as a
preventive measure, before an unauthorized party has the opportunity
to do so. Incorporating a brief delay requirement after each
incorrect login attempt can be very effective against these types of
programs. In cases where a potential attacker is monitoring a
network to collect passwords, a system utilizing one-time passwords
would render any data collected useless.
When additional measures are necessary to confirm that passwords or
PINs are entered by the user, technologies such as tokens, smart
cards, and biometrics can be useful. Utilizing these technologies
adds another dimension to the security structure by requiring the
user to possess something physical.
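The following Python is an added illustration, written for this issue and not taken from the FDIC letter or any vendor product, of three of the controls discussed above: a password-policy check that rejects short or non-alphanumeric passwords and passwords resembling the user's personal data, salted PBKDF2 hashing so the password database holds nothing reusable, and a per-account delay that doubles after each incorrect login attempt. All names (password_problems, LoginThrottle, FakeClock), the 2-second base delay, the 4-character "resemblance" rule, and the sample user, passwords and personal data are assumptions chosen for the example; the clock is simulated so the delays can be seen without waiting.

```python
"""Added illustration (not from the FDIC letter): password-policy checking,
salted password storage, and a delay after each incorrect login attempt."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8          # upper end of the "six to eight" range quoted in the letter
FRAGMENT_LEN = 4        # a shared run this long counts as "resembling" personal data
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def _normalize(text):
    """Lower-case and keep only letters and digits, so 'John Smith' and
    'jsmith' are compared on the same footing."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def personal_fragments(personal_data):
    """Every FRAGMENT_LEN-character run drawn from the user's name, address,
    birth date, etc.  A password containing any of them is rejected."""
    frags = set()
    for item in personal_data:
        s = _normalize(item)
        for i in range(len(s) - FRAGMENT_LEN + 1):
            frags.add(s[i:i + FRAGMENT_LEN])
    return frags


def password_problems(password, personal_data=()):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must contain both letters and digits")
    lowered = _normalize(password)
    for frag in sorted(personal_fragments(personal_data)):
        if frag in lowered:
            problems.append("resembles personal data (%r)" % frag)
            break
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2: the stored record is salt + digest, never the password."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(stored, password):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)   # constant-time comparison


class LoginThrottle:
    """Per-account delay after incorrect attempts.  The wait doubles with each
    consecutive failure (capped), so a program that would try tens of thousands
    of variations is held to a handful per minute.  `clock` is a callable
    returning seconds; it is injected so behaviour can be tested without sleeping."""

    def __init__(self, clock, base_delay=2.0, max_delay=300.0):
        self.clock = clock
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = {}      # user -> consecutive incorrect attempts
        self.not_before = {}    # user -> earliest time another attempt is accepted

    def seconds_until_allowed(self, user):
        return max(0.0, self.not_before.get(user, 0.0) - self.clock())

    def attempt(self, user, password, stored):
        """Returns ('ok' | 'denied' | 'throttled', seconds_to_wait)."""
        wait = self.seconds_until_allowed(user)
        if wait > 0:
            return ("throttled", wait)   # refused before the password is even checked
        if verify_password(stored, password):
            self.failures.pop(user, None)
            self.not_before.pop(user, None)
            return ("ok", 0.0)
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)
        self.not_before[user] = self.clock() + delay
        return ("denied", delay)


class FakeClock:
    """Constructed stand-in for time.time() so the demo is deterministic."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    # Constructed sample data, not real users or accounts.
    print(password_problems("jsmith1985", ["John Smith", "12 Main St"]))
    clock, stored = FakeClock(), hash_password("Tq7mvX2pLk")
    throttle = LoginThrottle(clock)
    for guess in ("password1", "jsmith1985", "Tq7mvX2pLk"):
        print(guess, throttle.attempt("alice", guess, stored))
        clock.advance(throttle.seconds_until_allowed("alice"))
```

The throttle refuses an attempt that arrives inside the delay window without touching the stored hash at all, which keeps the delay from being a cheap oracle, and clears the counter only on a successful login. A production system would persist the counters and also alert on repeated failures, as the letter's advice on monitoring implies.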
PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
22. Does the institution provide the consumer with at least one of
the following reasonable means of opting out, or with another
reasonable means:
a. check-off boxes prominently displayed on the relevant forms with
the opt out notice; [§7(a)(2)(ii)(A)]
b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]
c. an electronic means to opt out, such as a form that can be sent
via electronic mail or a process at the institution’s web site, if
the consumer agrees to the electronic delivery of information;
[§7(a)(2)(ii)(C)] or
d. a toll-free telephone number? [§7(a)(2)(ii)(D)]
(Note: the institution may require the consumer to use one specific means, as
long as that means is reasonable for that consumer. [§7(a)(iv)])