December 22, 2002
FYI - E-mail viruses double in 2002 - E-mail
viruses are now twice as prevalent as they were in 2001, with one
e-mail in every 200 containing a virus. http://news.com.com/2100-1001-977945.html?tag=cd_mh
FYI - New
IT Strategy: Stopping Viruses at the Gate - The
theory behind gateway filtering products is that many viruses can be
barred from the workplace by monitoring network protocols, such as
SMTP, to filter out malware, rather than depending on desktop
antivirus software alone. http://www.newsfactor.com/perl/story/20201.html
INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the
consumer's deposit account at an electronic terminal or personal
computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
INTERNET SECURITY - We continue our review of
the FDIC paper "Risk Assessment Tools and Practices for
Information System Security."
VULNERABILITY ASSESSMENT TOOLS
Vulnerability assessment tools, also called security scanning tools,
assess the security of network or host systems and report system
vulnerabilities. These tools can scan networks, servers, firewalls,
routers, and applications for vulnerabilities. Generally, the tools
can detect known security flaws or bugs in software and hardware,
determine if the systems are susceptible to known attacks and
exploits, and search for system vulnerabilities such as settings
contrary to established security policies.
In evaluating a vulnerability assessment tool, management should
consider how frequently the tool is updated to include the detection
of any new weaknesses such as security flaws and bugs. If there is a
time delay before a system patch is made available to correct an
identified weakness, mitigating controls may be needed until the
system patch is issued.
Generally, vulnerability assessment tools are not run in real-time,
but they are commonly run on a periodic basis. When using the tools,
it is important to ensure that the results from the scan are secure
and only provided to authorized parties. The tools can generate both
technical and management reports, including text, charts, and
graphs. The vulnerability assessment reports can tell a user what
weaknesses exist and how to fix them. Some tools can automatically
fix vulnerabilities after detection.
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail a proposal. E-mail Kinney Williams at examiner@yennik.com
for more information.
PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
SUBPART C - Exception to Opt Out Requirements for
Service Providers and Joint Marketing
47. If the institution discloses nonpublic personal
information to a nonaffiliated third party without permitting the
consumer to opt out, do the opt out requirements of §7 and §10,
and the revised notice requirements in §8, not apply because:
a. the institution disclosed the information to a
nonaffiliated third party who performs services for or functions on
behalf of the institution (including joint marketing of financial
products and services offered pursuant to a joint agreement as
defined in paragraph (b) of §13); [§13(a)(1)]
b. the institution has provided consumers with the initial
notice; [§13(a)(1)(i)] and
c. the institution has entered into a contract with that party
prohibiting the party from disclosing or using the information
except to carry out the purposes for which the information was
disclosed, including use under an exception in §14 or §15 in the
ordinary course of business to carry out those purposes? [§13(a)(1)(ii)]
IN CLOSING - We wish you a
very happy Holiday Season and greatly appreciate your support.