November 24, 2002
FYI - The General Accounting Office (GAO) releases guidance on "Assessing the Reliability of Computer-Processed Data." http://www.gao.gov/new.items/d03273g.pdf
FYI - Patch slipup raises security questions - The questionable handling of a fix for a recent widespread software vulnerability has some administrators worried that developers can't be trusted to make security a top priority. http://news.com.com/2100-1001-966666.html
FYI - When Deborah Fraser's credit card number was stolen, the thief didn't use it to buy a new car or a high-end laptop. Instead, the number was used to buy something potentially much more valuable--a domain name with the word "ebay" in it. http://news.com.com/2100-1017-966835.html?tag=fd_top
FYI - A sophisticated scam targeting automatic teller machines in Sydney could spread right across Australia, NSW police warned today. http://www.ds-osac.org/view.cfm?key=7E4752424153&type=2B170C1E0A3A0F162820
FYI - Treasury's Office of Foreign Assets Control has amended its list of Specially Designated Nationals and Blocked Persons - On October 25, 2002, the Department of the Treasury's Office of Foreign Assets Control amended its list of Specially Designated Nationals and Blocked Persons by adding 37 names to its list of Specially Designated Global Terrorists. www.fdic.gov/news/news/financial/2002/FIL02124.html
FYI - Treasury's Office of Foreign Assets Control has amended its list of Specially Designated Nationals and Blocked Persons - On October 10, 2002, the Department of the Treasury's Office of Foreign Assets Control amended its list of Specially Designated Nationals and Blocked Persons by adding the following name to its list of Specially Designated Global Terrorists. www.fdic.gov/news/news/financial/2002/FIL02122.html
INTERNET COMPLIANCE - Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit investment products on-line should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.
INTERNET SECURITY - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
Performing the Risk Assessment and Determining Vulnerabilities
Performing a sound risk assessment is critical to establishing an effective information security program. The risk assessment provides a framework for establishing policy guidelines and identifying the risk assessment tools and practices that may be appropriate for an institution. Banks should still have a written information security policy, sound security policy guidelines, and well-designed system architecture, as well as provide for physical security, employee education, and testing, as part of an effective program.
When institutions contract with third-party providers for information system services, they should have a sound oversight program. At a minimum, the security-related clauses of a written contract should define the responsibilities of both parties with respect to data confidentiality, system security, and notification procedures in the event of data or system compromise. The institution needs to conduct a sufficient analysis of the provider's security program, including how the provider uses available risk assessment tools and practices. Institutions also should obtain copies of independent penetration tests run against the provider's system.
PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
43. Does the institution allow the consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out? [§10(c)]
(Note: an institution may allow partial opt outs in addition to, but may not allow them instead of, a comprehensive opt out.)
IN CLOSING - All of us at R. Kinney Williams & Associates hope you have a very thankful Thanksgiving.