FYI - The Federal Reserve Bank of Boston has published an educational video and booklet on identity theft that explains what identity theft is, how consumers can protect themselves from becoming victims, and what they should do if they do become victims. These materials also explain the importance of checking consumer reports regularly, provide tips for how to read a consumer report, and list appropriate contact information for the three major consumer reporting agencies and certain federal government agencies. A copy of the Boston Reserve Bank's identity theft booklet can be viewed online at the Federal Reserve Bank of Boston's public web site: www.bos.frb.org/consumer/identity/index.htm
FYI - Any organization looking to ensure software compliance, reduce its total cost of ownership, or make better use of expensive computer software should be using some form of electronic tool to accurately locate and monitor its software assets. Dedicated tools have the ability to locate and identify a wide range of software, to "learn" the characteristics of software that is new or unique to the organization, and to analyze and report their findings in a variety of ways. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5434
FYI - Committee calls for better e-banking security management - The report lists 14 "best practices" for financial institutions. http://www.infoworld.com/article/03/07/23/HNebanking_1.html
The Basel report can be found at http://www.bis.org/publ/bcbs98.pdf
FYI - Windows passwords cracked in seconds - If your passwords consist of letters and numbers, beware. Swiss researchers released a paper on Tuesday outlining a way to speed the cracking of alphanumeric Windows passwords, reducing the time to break such codes to an average of 13.6 seconds, from 1 minute 41 seconds. http://zdnet.com.com/2102-1105_2-5053063.html?tag=printthis
FYI - A federal judge has ordered financial firm UBS to pay most of the cost of restoring lost e-mail in a gender discrimination suit against it, but she did shift some of the burden to the plaintiff. In a decision with wide-ranging ramifications for any company that keeps electronic records, U.S. District Judge Shira Scheindlin outlined and applied a set of legal principles that judges and parties in a lawsuit must consider when deciding who should pay for electronic evidence retrieval. http://news.com.com/2100-1023_3-5056365.html?tag=cd_mh
FYI - Guilty Plea in Kinko's Keystroke Caper - For nearly two years ending last December, Jiang's makeshift surveillance net raked in over 450 online banking passwords and user names from hapless Kinko's customers, according to the plea. http://www.securityfocus.com/news/6447
FYI - Cybersecurity laws spread - At least 34 states are considering bills or have enacted laws on security for computers and networks, according to a new report. http://www.fcw.com/geb/articles/2003/0721/web-ncs-07-23-03.asp
INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
B. RISK MANAGEMENT TECHNIQUES
Introduction
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION
Action Summary - Financial institutions should use effective authentication methods appropriate to the level of risk. Steps include:
1) Selecting authentication mechanisms based on the risk associated with the particular application or services;
2) Considering whether multi-factor authentication is appropriate for each application, taking into account that multi-factor authentication is increasingly necessary for many forms of electronic banking and electronic payment activities; and
3) Encrypting the transmission and storage of authenticators (e.g., passwords, PINs, digital certificates, and biometric templates).
Authentication is the verification of identity by a system based on
the presentation of unique credentials to that system. The unique
credentials are in the form of something the user knows, something
the user has, or something the user is. Those forms exist as shared
secrets, tokens, or biometrics. More than one form can be used in
any authentication process. Authentication that relies on more than one form is called multi-factor authentication and is generally stronger than any single authentication method. Authentication
contributes to the confidentiality of data and the accountability of
actions performed on the system by verifying the unique identity of
the system user.
Authentication is not identification as that term is used in the USA
PATRIOT Act (31 U.S.C. 5318(l)). Authentication does not provide
assurance that the initial identification of a system user is
proper. Authentication only provides assurance that the user of the
system is the same user that was initially identified. Procedures
for the initial identification of a system user are beyond the scope
of this booklet.
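As an added worked example (it is not from the FFIEC booklet, the ZDNet item, or the paper that item reports on), the Python script below ties together two items on this page: the Windows password-cracking result in the FYI section above, which rests on precomputing chains of hash-and-reduce steps against an unsalted hash (a cryptanalytic time-memory trade-off, the rainbow-table technique), and step 3 of the Action Summary, on protecting stored authenticators. The first half builds a small rainbow-style table for a toy 3-character alphanumeric password space, using MD5 as a stand-in for an unsalted fast password hash, and measures how many random passwords it recovers from a table far smaller than the space. The second half shows the storage practice that defeats such precomputation: a per-record random salt plus an iterated one-way function (PBKDF2-HMAC-SHA256 from Python's hashlib), with a constant-time comparison on verification. The alphabet, chain length, chain count, sample passwords and function names are this example's own assumptions, not parameters taken from either source.

```python
import hashlib
import hmac
import os
import random
import string

# Toy password space (an assumption of this example, not anything from the
# booklet or the paper): 3 lowercase alphanumerics, 36**3 = 46,656 candidates.
ALPHABET = string.ascii_lowercase + string.digits
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 30


def weak_hash(pw: str) -> bytes:
    """Unsalted, fast hash standing in for a legacy password hash (MD5 here)."""
    return hashlib.md5(pw.encode()).digest()


def reduce_to_pw(h: bytes, col: int) -> str:
    """Map a hash back into the password space. Mixing in the column index gives
    each column its own reduction (rainbow-table style), so two chains that
    collide in different columns do not merge into one."""
    n = (int.from_bytes(h[:8], "big") + col) % SPACE
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def build_table(n_chains: int, chain_len: int = CHAIN_LEN, seed: int = 1) -> dict:
    """Precompute n_chains chains of chain_len hash/reduce steps and keep only
    endpoint -> start. That is the time-memory trade-off: n_chains stored
    entries instead of one per password, and the hashing is done once, before
    any target hash is known."""
    rng = random.Random(seed)
    table = {}
    for _ in range(n_chains):
        start = "".join(rng.choice(ALPHABET) for _ in range(LENGTH))
        p = start
        for col in range(chain_len):
            p = reduce_to_pw(weak_hash(p), col)
        table[p] = start
    return table


def lookup(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Return a password whose weak_hash is target, or None if no stored chain
    covers it. For each column the target could sit in, finish the chain to its
    endpoint; on a hit, walk that chain from its start to find the preimage."""
    for col in range(chain_len - 1, -1, -1):
        p = reduce_to_pw(target, col)
        for c in range(col + 1, chain_len):
            p = reduce_to_pw(weak_hash(p), c)
        start = table.get(p)
        if start is None:
            continue
        cand = start
        for c in range(chain_len):
            if weak_hash(cand) == target:
                return cand
            cand = reduce_to_pw(weak_hash(cand), c)
        # Endpoint matched but the target was not on this chain (a false alarm
        # from a merged chain): keep trying the remaining columns.
    return None


def crack_rate(table: dict, samples: int = 200, seed: int = 7) -> float:
    """Fraction of randomly drawn (constructed) passwords the table recovers."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        pw = "".join(rng.choice(ALPHABET) for _ in range(LENGTH))
        hits += lookup(table, weak_hash(pw)) is not None
    return hits / samples


# The countermeasure for stored authenticators: a per-record random salt and an
# iterated one-way function. A table precomputed for one salt is useless against
# every other record, and each guess costs `iterations` HMACs, not one fast hash.
def store_authenticator(pw: str, iterations: int = 200_000) -> dict:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_authenticator(record: dict, pw: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


if __name__ == "__main__":
    table = build_table(n_chains=2000)
    print(f"{len(table)} stored endpoints cover a space of {SPACE} passwords")
    print(f"fraction of random passwords recovered: {crack_rate(table):.2f}")
    rec = store_authenticator("k9x")
    print("correct password:", verify_authenticator(rec, "k9x"),
          "| wrong password:", verify_authenticator(rec, "k9y"))
```

Run the script directly to see how large a share of a 46,656-password space a table of about 2,000 endpoints recovers, which is the same effect the Windows item reports at real scale. The practical point for step 3 of the Action Summary is that reversible encryption of stored passwords protects them only as long as the key does, whereas a salted, iterated one-way hash leaves an attacker who obtains the records with a separate, slow guessing job per record and no way to reuse precomputed tables.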
INFORMATION SECURITY QUESTION:
B. NETWORK SECURITY
3. Evaluate controls over the management of remote equipment.
4. Determine if effective procedures and practices are in place to secure network services, utilities, and diagnostic ports, consistent with the overall risk assessment.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Initial Privacy Notice
2) Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all consumers, who are not customers, before any nonpublic personal information about the consumer is disclosed to a nonaffiliated third party, other than under an exception in §§14 or 15? [§4(a)(2)]
INTERNET AUDITING SERVICES - We offer independent Internet auditing regarding web site compliance and penetration-vulnerability testing. Visit http://www.bankwebsiteaudits.com for more information about web site audits. For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com. We have clients in 37 states and more than 40 years of banking and bank examining experience.