HAPPY HOLIDAYS - At this time of the year, we would like to take this opportunity to thank your institution for its support over the past year. We wish you and your staff a Happy Holiday Season and a prosperous New Year. R. Kinney Williams, President of Yennik, Inc.
FYI - Ten Tips to Prevent Identity Theft - http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5476

FYI - Los Alamos lab workers face retraining after security lapse - Poor record-keeping is being blamed at the Los Alamos National Laboratory after nine classified computer floppy disks and a large-capacity storage disk were found to be missing during a routine inventory of classified electronic storage media at the facility. http://www.computerworld.com/printthis/2003/0,4814,88167,00.html

FYI - Internet banks to trial facial recognition for customers - Internet banks in the UK and Europe are set to trial facial recognition technology in the New Year that will authenticate customers from their home PC instead of passwords or PIN numbers. http://www.silicon.com/networks/webwatch/print.htm?TYPE=story&AT=39117316-39024667t-40000019c

FYI - Windows 98 Presents Security Problems As It Ends Lifespan - Companies still running Windows 98 risk facing unpatched Internet threats as Microsoft puts the operating system out to pasture early next year, said a research firm Thursday. http://www.techweb.com/wire/story/TWB20031211S0009

FYI - Beware Of Employees Bearing Camera Phones - Camera phones are on their way to becoming ubiquitous, but they pose significant security and liability risks to enterprises, according to an industry analyst. http://informationweek.securitypipeline.com/news/showArticle.jhtml?articleId=16600564
INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."

A. RISK DISCUSSION

Introduction

Compliance risk arises when the linked third party acts in a manner that does not conform to regulatory requirements. For example, compliance risk could arise from the inappropriate release or use of shared customer information by the linked third party. Compliance risk also arises when the link to a third party creates or affects compliance obligations of the financial institution.

Financial institutions with weblinking relationships are also exposed to other risks associated with the use of technology, as well as certain risks specific to the products and services provided by the linked third parties. The amount of risk exposure depends on several factors, including the nature of the link.

Any link to a third-party website creates some risk exposure for an institution. This guidance applies to links to affiliated, as well as non-affiliated, third parties. A link to a third-party website that provides a customer only with information usually does not create a significant risk exposure if the information being provided is relatively innocuous, for example, weather reports. Alternatively, if the linked third party is providing information or advice related to financial planning, investments, or other more substantial topics, the risks may be greater. Links to websites that enable the customer to interact with the third party, either by eliciting confidential information from the user or allowing the user to purchase a product or service, may expose the insured financial institution to more risk than those that do not have such features.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Routing (Part 1 of 2)
Packets are moved through networks using routers, switches, and hubs. The unique IP address is commonly used in routing. Since users typically use text names instead of IP addresses for their addressing, the user's software must obtain the numeric IP address before sending the message. The IP addresses are obtained from the Domain Name System (DNS), a distributed database of text names (e.g., anybank.com) and their associated IP addresses. For example, financial institution customers might enter the URL of the Web site in their Web browser. The user's browser queries the domain name server for the IP address associated with anybank.com. Once the IP address is obtained, the message is sent. Although the example depicts an external address, DNS can also function on internal addresses.
A router directs where data packets will go based on a table that links the destination IP address with the IP address of the next machine that should receive the packet. Packets are forwarded from router to router in that manner until they arrive at their destination. Since the router reads the packet header and uses a table for routing, logic can be included that provides an initial means of access control by filtering the IP address and port information contained in the message header. Simply put, the router can refuse to forward, or forward to a quarantine or other restricted area, any packets that contain IP addresses or ports that the institution deems undesirable. Security policies should define the filtering required by the router, including the type of access permitted between sensitive source and destination IP addresses. Network administrators implement these policies by configuring an access configuration table, which creates a filtering router or a basic firewall.
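The two tables the booklet describes, a forwarding table keyed on destination address and an access configuration table that filters on source/destination address and port, can be modelled in a few dozen lines. The following is an added illustration written for this newsletter, not text from the FFIEC booklet or code from any vendor's router: the addresses are from the documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24), the packets are constructed samples, and the policy (permit HTTPS and DNS to two servers, send telnet attempts to a quarantine hop, drop everything else, including packets arriving from outside with an internal source address) is a hypothetical one chosen to exercise each branch.

```python
"""Toy filtering router: access configuration table + next-hop lookup.

Added example for the FFIEC routing discussion; all addresses and rules
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a filtering router inspects."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


# Access configuration table (constructed policy). Evaluated top to bottom,
# first match wins; a packet matching no rule is denied (implicit deny).
# 'proto' / 'dport' of None mean "any".
ACL = [
    # Packets from outside must never carry an internal (10/8) source address.
    {"action": "deny", "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "proto": None, "dport": None},
    # HTTPS to the institution's web server.
    {"action": "permit", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "proto": "tcp", "dport": 443},
    # Telnet attempts against the web server are diverted to a restricted area.
    {"action": "quarantine", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "proto": "tcp", "dport": 23},
    # DNS queries to the institution's name server.
    {"action": "permit", "src": "0.0.0.0/0", "dst": "203.0.113.53/32", "proto": "udp", "dport": 53},
]

# Forwarding table: destination prefix -> IP address of the next machine.
# The most specific (longest) matching prefix wins.
FORWARDING_TABLE = [
    ("203.0.113.0/24", "192.0.2.1"),    # DMZ segment
    ("203.0.113.10/32", "192.0.2.2"),   # web server sits behind its own hop
    ("0.0.0.0/0", "198.51.100.1"),      # default route
]

QUARANTINE_HOP = "192.0.2.99"           # constructed address of the quarantine segment


def next_hop(dst: str) -> Optional[str]:
    """Longest-prefix match of dst against the forwarding table."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in FORWARDING_TABLE:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def evaluate_acl(pkt: Packet) -> str:
    """Return the action of the first matching rule, or 'deny' if none matches."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for rule in ACL:
        if src not in ipaddress.ip_network(rule["src"]):
            continue
        if dst not in ipaddress.ip_network(rule["dst"]):
            continue
        if rule["proto"] is not None and rule["proto"] != pkt.proto:
            continue
        if rule["dport"] is not None and rule["dport"] != pkt.dport:
            continue
        return rule["action"]
    return "deny"


def route(pkt: Packet) -> tuple:
    """Apply the access table first, then decide where the packet goes.

    Returns ("forward", next_hop), ("quarantine", quarantine_hop) or ("drop", None).
    """
    action = evaluate_acl(pkt)
    if action == "permit":
        return ("forward", next_hop(pkt.dst))
    if action == "quarantine":
        return ("quarantine", QUARANTINE_HOP)
    return ("drop", None)


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),   # customer HTTPS
        Packet("10.1.2.3", "203.0.113.10", "tcp", 443),       # internal source from outside
        Packet("198.51.100.7", "203.0.113.10", "tcp", 23),    # telnet attempt
        Packet("198.51.100.7", "203.0.113.53", "udp", 53),    # DNS query
        Packet("198.51.100.7", "203.0.113.10", "udp", 53),    # no matching rule
    ]
    for p in samples:
        print(p, "->", route(p))
```

The order of the rules matters: the anti-spoofing deny sits above the permits so that a packet with an internal source address is dropped before any permit could match it, and the implicit deny at the end means a port the policy never mentions (UDP 53 to the web server in the last sample) is dropped rather than forwarded by default.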
A switch directs the path a message will take within the network. Switching works faster than IP routing because the switch only looks at the network address for each message and directs the message to the appropriate computer. Unlike routers, switches do not support packet filtering. Switches, however, are designed to send messages only to the device for which they were intended. The security benefits from that design can be defeated and traffic through a switch can be sniffed.
IT SECURITY QUESTION:

C. HOST SECURITY

4. Determine whether new hosts are prepared according to documented procedures for secure configuration or replication, and that vulnerability testing takes place prior to deployment.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

20. Does the opt out notice state:

a. that the institution discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party; [§7(a)(1)(i)]

b. that the consumer has the right to opt out of that disclosure; [§7(a)(1)(ii)] and

c. a reasonable means by which the consumer may opt out? [§7(a)(1)(iii)]
INTERNET AUDITING SERVICES - R. Kinney Williams & Associates is recognized as a leader in independent Internet auditing for financial institutions. With clients in 37 states, and an outstanding record of successful expedient testing, R. Kinney Williams & Associates is your ideal choice as an independent entity to perform your penetration assessment study, which includes the Vulnerability Internet Security Test Audit (VISTA). You will find information about VISTA at http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.