FYI - Auditing Wide Area Networks - http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5450
FYI - Is the Internet More Dangerous Than Ever? - E-commerce fraud, security attacks on the rise, new study reveals. http://www.pcworld.com/news/article/0,aid,112930,tk,dn101403X,00.asp
FYI - Teen charged in cyber stock scam - Federal officials filed securities fraud and computer crime complaints against a Pennsylvania teenager who allegedly used a Trojan horse and someone else's online brokerage account to sell thousands of worthless stock options to an unwilling buyer. http://www.securityfocus.com/news/7177
FYI - The Myth of Information Security ROI: Not Every Expense Is an "Investment" - Information security teams are under increasing pressure to demonstrate financial return on investment (ROI) for security projects. However, the nature of information security activities makes financial projections difficult at best. http://www.infosecnews.com/opinion/2003/10/15_01.htm
FYI - IM Poses Legal, Personnel Problems - Most people think of instant messaging as a good tool for fleeting conversations, but as the technology is used more in business, the potential cost of misuse is becoming a concern to companies. Firms that allow IM would do well to protect themselves from privacy and security breaches, experts say. http://www.pcworld.com/news/article/0,aid,112969,tk,dn101703X,00.asp
FYI - Security as part of the strategic gameplan http://www.infosecnews.com/opinion/2003/10/15_03.htm
FYI - The European Parliament approved a proposal this week to set up a European cybersecurity agency with the aim of forming a common approach to network and information security. http://www.infoworld.com/article/03/10/09/HNeuagency_1.html
INTERNET COMPLIANCE - Reserve Requirements of Depository Institutions (Regulation D)
Under the withdrawal and transfer restrictions imposed on savings deposits, electronic transfers, electronic withdrawals (paid electronically), and payments to third parties initiated by a depositor from a personal computer are included as a type of transfer subject to the six-transaction limit imposed on passbook savings and MMDA accounts.
Institutions also should note that, to the extent stored value or other electronic money represents a demand deposit or transaction account, the provisions of Regulation D would apply to such obligations.
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the definition of an advertisement under Regulation M. The term advertisement includes messages inviting, offering, or otherwise generally announcing to prospective customers the availability of consumer leases, whether in visual, oral, print, or electronic media. Included in the examples are on-line messages, such as those on the Internet. Therefore, such messages are subject to the general advertising requirements.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Single Sign-On
Several single sign-on protocols are in use. Those protocols allow clients to authenticate themselves once to obtain access to a range of services. An advantage of single sign-on systems is that users do not have to remember or possess multiple authentication mechanisms, potentially allowing for more complex authentication methods and fewer user-created weaknesses. Disadvantages include the broad system authorizations potentially tied to any given successful authentication, the centralization of authenticators in the single sign-on server, and potential weaknesses in the single sign-on technologies.
When single sign-on systems allow access for a single login to multiple instances of sensitive data or systems, financial institutions should employ robust authentication techniques, such as multi-factor, PKI, and biometric techniques. Financial institutions should also employ additional controls to protect the authentication server and detect attacks against the server and server communications.
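The booklet's point about broad authorizations tied to one login can be made concrete with a minimal single sign-on ticket. The following is an added example, not code from the FFIEC booklet or from any real SSO product: a sign-on server authenticates the user once and issues an HMAC-signed ticket that names the services it may be presented to and when it expires, so each relying service can verify the ticket locally and refuse it for a service outside its scope. The key, user names and service names are constructed for the demo.

```python
"""Added example: scoped, expiring single sign-on tickets (HMAC-signed).

One successful authentication at the SSO server yields a ticket; relying
services verify it with the shared key and check audience and expiry, so a
ticket issued for one set of services is not accepted elsewhere.
"""
import base64
import hashlib
import hmac
import json

# Constructed key for the demo; a real SSO server would hold this in a
# protected key store rather than in source.
SSO_KEY = b"demo-sso-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user: str, audiences: list, ttl: int, now: int, key: bytes = SSO_KEY) -> str:
    """Issued by the SSO server after the user has authenticated once.

    audiences: the services this ticket may be presented to (limits the
    'broad system authorizations' tied to the single login).
    ttl: lifetime in seconds; now: issue time (seconds since epoch).
    """
    claims = {"sub": user, "aud": sorted(audiences), "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_ticket(ticket: str, service: str, now: int, key: bytes = SSO_KEY) -> tuple:
    """Run by a relying service before granting access.

    Returns (True, user) on success, or (False, reason) on rejection.
    Signature is checked first so that nothing in an unsigned body is trusted.
    """
    parts = ticket.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired"
    if service not in claims["aud"]:
        return False, "wrong audience"
    return True, claims["sub"]


if __name__ == "__main__":
    # Constructed walk-through: one login, two permitted services, one not.
    t = issue_ticket("jdoe", ["statements", "wire-transfer"], ttl=300, now=1000)
    print(verify_ticket(t, "statements", now=1100))        # accepted
    print(verify_ticket(t, "loan-origination", now=1100))  # wrong audience
    print(verify_ticket(t, "statements", now=1400))        # expired
```

The audience list is what keeps a single authentication from becoming an authorization to everything; the expiry bounds how long a stolen ticket is useful; and because the server's key is the single point the booklet warns about, the same controls it recommends (protecting the authentication server and monitoring its communications) apply to wherever that key lives.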
INFORMATION SECURITY QUESTION:
B. NETWORK SECURITY
14. Determine whether appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network ingress and egress.
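What an examiner is looking for in question 14 can be expressed as a rule per interface: a packet is accepted only if its source address is one that could legitimately arrive on that interface. The following is an added example, not part of the examination question or any vendor's product, that applies this rule to constructed sample packets; it generalizes the question slightly by treating the external link, outbound traffic and internal segments with the same check. Interface names and address ranges are constructed.

```python
"""Added example: source-address (anti-spoofing) filter check per interface.

Rule: a packet arriving on an interface is accepted only if its source
address belongs where that interface says it should.
  - On the external link ('wan'): internal and bogon sources are spoofed
    (ingress filtering).
  - On an internal segment: the source must lie in that segment's own
    prefixes; this catches both spoofing within the network and outbound
    traffic that would leave with a source address the institution does not
    own (egress filtering).
"""
import ipaddress

# Constructed topology: each internal interface lists the prefixes that may
# legitimately originate traffic on it. The external link has no such list.
INTERFACES = {
    "wan": None,
    "lan-branch": [ipaddress.ip_network("10.1.0.0/16")],
    "lan-dmz": [ipaddress.ip_network("192.168.10.0/24")],
}

# Everything the institution owns; no packet from outside may claim these.
INTERNAL_PREFIXES = [p for prefixes in INTERFACES.values() if prefixes for p in prefixes]

# Sources that are never valid on the external link (constructed subset of
# the usual unroutable/reserved ranges).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                   "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def _in_any(addr, prefixes) -> bool:
    return any(addr in p for p in prefixes)


def check_source(iface: str, src: str) -> tuple:
    """Return ('accept' | 'drop', reason) for a packet with source src on iface."""
    if iface not in INTERFACES:
        raise ValueError(f"unknown interface {iface!r}")
    addr = ipaddress.ip_address(src)
    allowed = INTERFACES[iface]
    if allowed is None:  # external link: ingress filtering
        if _in_any(addr, INTERNAL_PREFIXES):
            return "drop", "internal source arriving from outside (spoofed)"
        if _in_any(addr, BOGON_PREFIXES):
            return "drop", "bogon source on external link"
        return "accept", "external source"
    # internal segment: source must belong to this segment
    if _in_any(addr, allowed):
        return "accept", "source matches segment"
    if _in_any(addr, INTERNAL_PREFIXES):
        return "drop", "source belongs to another internal segment (spoofed within network)"
    return "drop", "source not owned by the institution (outbound spoofing)"


def audit(packets) -> list:
    """Evaluate a list of (iface, src) pairs; returns (iface, src, decision, reason)."""
    return [(i, s, *check_source(i, s)) for i, s in packets]


if __name__ == "__main__":
    # Constructed sample packets, one per case the question covers.
    SAMPLE = [("wan", "203.0.113.5"), ("wan", "10.1.2.3"), ("wan", "127.0.0.1"),
              ("lan-branch", "10.1.2.3"), ("lan-branch", "192.168.10.7"),
              ("lan-dmz", "198.51.100.9")]
    for row in audit(SAMPLE):
        print(row)
```

Running the audit over captured or synthetic packets on each interface gives a direct answer to the question: any "accept" for a source that should have been dropped marks a missing filter on that interface, whether the gap is at the external connection or between internal segments.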
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, and a few examples to illustrate the types of the third parties in each category:
a. financial service providers; [§6(c)(3)(i)]
b. non-financial companies; [§6(c)(3)(ii)] and
c. others? [§6(c)(3)(iii)]
INTERNET AUDITING SERVICES - We offer independent Internet auditing regarding web site compliance and penetration-vulnerability testing. Visit http://www.bankwebsiteaudits.com for more information about web site audits. For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.
We have clients in 37 states and more than 40 years banking and bank examining experience.