August 25, 2002
FYI - Board statement on Payments System Risk policy - The Federal Reserve Board announced on Tuesday that it will not, over the near term, incorporate two policy options into its longer-term Payments System Risk policy plan. The Board will, however, continue to analyze the benefits and potential drawbacks of a two-tiered pricing regime for daylight overdrafts.
www.federalreserve.gov/boarddocs/press/bcreg/2002/20020820/default.htm
FYI - Viruses don't break the bank - HBoS deploys multi-vendor antivirus strategy - Halifax/Bank of Scotland (HBoS) has cut virus infections by 90 per cent by using several suppliers for its antivirus strategy.
http://www.vnunet.com/News/1134385
FYI - A federal agency is readying a report that will recommend against the U.S. government using wireless LANs - except when applying a long, detailed list of security controls.
News article - http://www.nwfusion.com/news/2002/134874_08-19-2002.html
Draft report - http://csrc.nist.gov/publications/drafts/draft-sp800-48.pdf
FYI - FRB examiner says that banking web sites fail to comply with regulations - The American Bankers Association's "Electronic Payments and Internet Banking" news digests.
http://www.aba.com/Industry+Issues/ealertii17.htm#b
FYI - Audit Shows More PCs At the IRS Are Missing - An audit released by the Office of the Treasury Inspector General for Tax Administration found that the IRS cannot account for an unknown number of the 6,600 laptop and desktop computers it lends to volunteers.
http://www.washingtonpost.com/wp-dyn/articles/A24030-2002Aug15.html
http://www.govexec.com/dailyfed/0802/081502t1.htm
FYI - Wells Fargo is closing down its wireless banking service. The financial company said that it plans to shut down the mobile service by late September, due to lack of interest.
http://news.com.com/2100-1017-954592.html
FYI - Proposed Rule on Customer Identification Program - On July 23, 2002, the U.S. Department of the Treasury, through the Financial Crimes Enforcement Network, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the National Credit Union Administration jointly proposed a rule that would add a new section to the Bank Secrecy Act regulations.
www.fdic.gov/news/news/financial/2002/FIL0292.html
FYI - Fictitious Digital Investment Certificates - The Canada Deposit Insurance Corporation has advised North American investors and depositors of an apparent Internet fraud scam falsely involving CDIC.
Press Release: www.occ.treas.gov/ftp/alert/2002-10.txt
Attachment: www.occ.treas.gov/ftp/alert/2002-10a.txt
INTERNET COMPLIANCE - Advertisements
Generally, Internet web sites are considered advertising by the regulatory agencies. In some cases, the regulations contain special rules for multiple-page advertisements. It is not yet clear what would constitute a single "page" in the context of the Internet or on-line text. Thus, institutions should carefully review their on-line advertisements in an effort to minimize compliance risk.
In addition, Internet or other systems in which a credit application can be made on-line may be considered "places of business" under HUD's rules prescribing lobby notices. Thus, institutions may want to consider including the "lobby notice," particularly in the case of interactive systems that accept applications.
INTERNET SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we start a three-part review of controls to prevent and detect intrusions. Management should determine the controls necessary to deter, detect, and respond to intrusions, consistent with the best practices of information system operators. Controls may include the following:
1) Authentication. Authentication provides identification by means of some previously agreed upon method, such as passwords and biometrics (a method of identifying a person by analyzing a unique physical attribute). The means and strength of authentication should be commensurate with the risk. For instance, passwords should be of an appropriate length, character set, and lifespan for the systems being protected. (The lifespan of a password is the length of time the password allows access to the system; generally speaking, shorter lifespans reduce the risk of password compromise.) Employees should be trained to recognize and respond to fraudulent attempts to compromise the integrity of security systems. This may include "social engineering," whereby intruders pose as authorized users to gain access to bank systems or customer records.
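The three password attributes named above (length, character set, lifespan) are the kind of thing a bank would encode in a policy and check mechanically. The following is an added example written for this review, not text or code from the OCC bulletin; the thresholds (12 characters, three character classes, a 90-day lifespan, a short banned-word list) are constructed defaults standing in for whatever the institution's own risk assessment dictates.

```python
"""Password policy evaluation: length, character set and lifespan.
Added example; the PasswordPolicy defaults are constructed, not regulatory values."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import string


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12             # constructed default
    min_character_classes: int = 3   # out of: lower, upper, digit, symbol
    max_lifespan_days: int = 90      # shorter lifespans limit how long a compromised password stays useful
    banned_substrings: tuple = ("password", "bank")


# Character classes a password can draw from; a class counts if at least one member appears.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password: str) -> set[str]:
    """Names of the character classes that appear at least once in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items() if any(c in chars for c in password)}


def days_until_expiry(set_on: str, today: str, policy: PasswordPolicy = PasswordPolicy()) -> int:
    """Remaining lifespan in days (negative once expired). Dates are ISO strings, e.g. '2002-08-25'."""
    age = (date.fromisoformat(today) - date.fromisoformat(set_on)).days
    return policy.max_lifespan_days - age


def evaluate_password(password: str, set_on: str, today: str,
                      policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return every policy violation found; an empty list means the password complies."""
    violations: list[str] = []
    if len(password) < policy.min_length:
        violations.append(f"length {len(password)} is below the minimum of {policy.min_length}")
    classes = character_classes(password)
    if len(classes) < policy.min_character_classes:
        violations.append(f"only {len(classes)} character class(es) used; "
                          f"{policy.min_character_classes} required")
    lowered = password.lower()
    for banned in policy.banned_substrings:
        if banned in lowered:
            violations.append(f"contains banned substring {banned!r}")
    remaining = days_until_expiry(set_on, today, policy)
    if remaining < 0:
        violations.append(f"password is {-remaining} day(s) past its "
                          f"{policy.max_lifespan_days}-day lifespan")
    return violations


if __name__ == "__main__":
    # Constructed sample: one compliant password set 85 days ago, one that fails every rule.
    print(evaluate_password("Tr0ub4dor&3xample", "2002-06-01", "2002-08-25"))
    print(evaluate_password("bankpass", "2002-01-01", "2002-08-25"))
```

The evaluator returns the full list of violations rather than stopping at the first one, so an administrator reviewing an account sees every reason a credential falls short of policy; the lifespan check is separated into its own function so an expiry report can be produced without re-evaluating the password itself.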
2) Install and Update Systems. When a bank acquires and installs new or upgraded systems or equipment, it should review security parameters and settings to ensure that these are consistent with the intrusion risk assessment plan. For example, the bank should review user passwords and authorization levels for maintaining "separation of duties" and "need to know" policies. Once installed, security flaws in software and hardware should be identified and remediated through updates or "patches." Continuous monitoring and updating is essential to protect the bank from vulnerabilities. Information related to vulnerabilities and patches is typically available from the vendor, from security-related web sites, and in the National Infrastructure Protection Center's bi-weekly CyberNotes.
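Reviewing authorization levels for "separation of duties," as the step above calls for, comes down to listing which permission pairs no single person may hold and then checking each user's effective permissions against that list. The following is an added example written for this review, not code from the bulletin or from any bank; the roles, permissions, conflict pairs and user assignments are all constructed for illustration.

```python
"""Separation-of-duties review over a role/entitlement matrix.
Added example; every role, permission and assignment below is constructed."""
from __future__ import annotations

# Constructed role definitions: role -> permissions the role grants.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "teller": frozenset({"view_account", "initiate_wire"}),
    "wire_approver": frozenset({"view_account", "approve_wire"}),
    "sysadmin": frozenset({"manage_users", "read_audit_log"}),
    "auditor": frozenset({"read_audit_log"}),
}

# Constructed conflict pairs: permissions no single person should hold together.
SOD_CONFLICTS: frozenset[frozenset[str]] = frozenset({
    frozenset({"initiate_wire", "approve_wire"}),     # one person could move money alone
    frozenset({"manage_users", "read_audit_log"}),    # admin reviewing the log of their own actions
})

# Constructed user -> roles assignments to review.
SAMPLE_ASSIGNMENTS: dict[str, list[str]] = {
    "alice": ["teller"],
    "bob": ["teller", "wire_approver"],
    "carol": ["sysadmin"],
    "dave": ["auditor"],
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS) -> frozenset[str]:
    """Union of the permissions granted by every role the user holds.
    An unknown role raises KeyError on purpose: an unreviewable entitlement is itself a finding."""
    perms: set[str] = set()
    for role in roles:
        perms |= role_permissions[role]
    return frozenset(perms)


def sod_violations(assignments, role_permissions=ROLE_PERMISSIONS,
                   conflicts=SOD_CONFLICTS) -> dict[str, list[tuple[str, str]]]:
    """Map each user holding a conflicting pair to the sorted list of pairs they hold."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for user, roles in assignments.items():
        perms = effective_permissions(roles, role_permissions)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= perms]
        if hits:
            findings[user] = sorted(hits)
    return findings


def roles_with_internal_conflict(role_permissions=ROLE_PERMISSIONS,
                                 conflicts=SOD_CONFLICTS) -> list[str]:
    """Roles that by themselves grant a conflicting pair; these must be split,
    since reassigning users cannot fix them."""
    return sorted(role for role, perms in role_permissions.items()
                  if any(pair <= perms for pair in conflicts))


if __name__ == "__main__":
    print("users with conflicts:", sod_violations(SAMPLE_ASSIGNMENTS))
    print("roles that are conflicting on their own:", roles_with_internal_conflict())
```

Two kinds of finding come out: users whose combination of roles creates a conflict (fixable by reassignment) and roles that contain a conflict within themselves (fixable only by redefining the role). Running the same check after each install or upgrade, as the bulletin's step suggests, catches entitlements that vendor defaults or migration scripts introduce.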
3) Software Integrity. Copies of software and integrity checkers are used to identify unauthorized changes to software. (An integrity checker uses logical analysis to identify whether a file has been changed.) Banks should ensure the security of the integrity checklist and checking software. Where sufficient risk exists, the checklist and software should be stored away from the network, in a location where access is limited. Banks should also protect against viruses and other malicious software by using automated virus scanning software and frequently updating the signature file, which contains the information necessary to identify each virus, to enable identification of new viruses.
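An integrity checker of the kind described above records a checksum for every file it is protecting (the "checklist"), then recomputes and compares. The bulletin's point that the checklist itself must be secured is addressed below by sealing it with an HMAC under a key kept off the host, so an intruder who alters a binary cannot quietly update the checklist to match. This is an added example written for this review, not the bulletin's or any vendor's code; the directory layout, file names and key are constructed.

```python
"""File integrity checking: hash a tree into a baseline, seal the baseline with
an HMAC so tampering with the checklist is detectable, then compare.
Added example; file names, contents and the key are constructed."""
from __future__ import annotations
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Relative POSIX path -> digest for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_baseline(baseline: dict[str, str], key: bytes) -> bytes:
    """Serialize the checklist and append an HMAC-SHA256 tag computed with the off-host key."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_baseline(sealed: bytes, key: bytes) -> dict[str, str]:
    """Verify the tag before trusting the checklist; refuse an altered one."""
    body, _, tag = sealed.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity checklist has been tampered with")
    return json.loads(body)


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files added, removed, or whose digest no longer matches the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


# Constructed key; in practice it lives with the checklist, off the monitored system.
DEMO_KEY = b"constructed-key-kept-off-the-host"


def demo(key: bytes = DEMO_KEY) -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, change it three ways, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "teller.exe").write_bytes(b"original executable")
        (root / "etc").mkdir()
        (root / "etc" / "app.ini").write_text("audit=on\n")
        sealed = seal_baseline(build_baseline(root), key)
        # Three changes the checker must surface: an altered binary, a new file, a deleted config.
        (root / "bin" / "teller.exe").write_bytes(b"original executable, altered")
        (root / "bin" / "helper.dll").write_bytes(b"unexpected file")
        (root / "etc" / "app.ini").unlink()
        return compare(open_baseline(sealed, key), build_baseline(root))


def tampered_checklist_is_detected(key: bytes = DEMO_KEY) -> bool:
    """Flip a digest inside a sealed checklist and confirm open_baseline rejects it."""
    sealed = seal_baseline({"bin/teller.exe": "0" * 64}, key)
    tampered = sealed.replace(b"0" * 64, b"f" * 64, 1)
    try:
        open_baseline(tampered, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("tampered checklist rejected:", tampered_checklist_is_detected())
```

The report separates added, removed and modified files because each calls for a different response: a new file in a software directory points at something dropped onto the system, a missing one at deletion or a failed update, and a changed digest at a patch that was not recorded or an alteration that was not authorized.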
PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
30. Does the institution allow the consumer to opt out at any time? [§7(f)]
31. Does the institution continue to honor the consumer's opt out direction until revoked by the consumer in writing, or, if the consumer agrees, electronically? [§7(g)(1)]