Yennik, Inc.
Internet Banking News
brought to you by Yennik, Inc.
The acknowledged leader in independent Internet audits for financial institutions.
January 7, 2007
Does your financial institution need an affordable Internet security audit?

Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing form an affordable, sophisticated process that goes far beyond simple port scanning. The audit is conducted from a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Final Rule Amending Advertisement of FDIC Membership - The FDIC Board of Directors has approved a final rule amending FDIC Part 328, Advertisement of Membership. Recent amendments to the Federal Deposit Insurance Act required the FDIC to prescribe an official sign that all FDIC-insured depository institutions would be required to display. The rule accomplishes that requirement and provides for other changes to the regulation. The final rule will take effect on November 13, 2007. FDIC-insured depository institutions are expected to be in full compliance by that date.
www.fdic.gov/news/news/financial/2006/fil06112.html
FYI -
Man indicted for planting 'logic bomb' in company's IT systems - IT
administrator allegedly feared losing job after company reorg -
Facing a possible layoff from his job as an IT systems
administrator, a 50-year-old New Jersey man was charged yesterday
with planting malicious "logic bomb" code into the company systems
where he worked that could have damaged more than 70 servers.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9006361&source=rss_topic17
FYI - Data Security, Terrorism Top Executive Worries - Corporate executives are more worried about data security and terrorism than anything else, according to a new study. Sixty-one percent of executives report being most concerned about information systems being compromised, and 55% worry about terrorism, according to a Harris Interactive poll that was conducted in September.
http://www.techweb.com/wire/196701706
FYI -
Banks reject Lords' call to disclose security details - Apacs says
disclosure will not improve situation - Members of the House of
Lords Science and Technology Committee raised the issue as part of
an investigation begun last week into personal internet security.
http://www.vnunet.com/computing/news/2171369/banks-reject-lords-call
FYI - Congressional aide
fired after trying to hire hackers - The press attaché of a Montana
Congressman has been left red faced after "hackers" he was trying to
hire to change his lowly college grades published his email
exchanges instead.
http://www.channelregister.co.uk/2006/12/28/political_aide_hack_gaffe/
MISSING COMPUTERS/DATA
FYI -
Russian Banks in the eye of the storm - A huge attack against
several major Russian banks ended up with the leak of a database
containing the personal details of about 3 million individuals. The
data is now being sold for between 2,000 - 4,000 roubles (around $76
- $150) on the Russian black market.
http://www.zone-h.org/content/view/14448/31/
FYI -
A vast e-wasteland: Are your digital secrets for sale? - Computer
files on these American high school students are private and
revealing. More computer files, these from an elementary school in
Virginia, contain what a security expert called "the Holy Grail" for
identity thieves seeking to score: teachers' Social Security
numbers, addresses and phone numbers.
http://www.bradenton.com/mld/bradenton/news/world/16289389.htm
FYI - Boeing Rep Speaks
Out On Laptop Thefts And Security - The latest theft of a laptop
containing identifying information on 382,000 Boeing employees came
as a real blow to the employees who have to worry about identity
theft now, and to the company that has been working hard to prevent
this from happening.
http://www.techweb.com/showArticle.jhtml?articleID=196701493
FYI - Nissan says data on up to 5.38 million customers may have been leaked - Nissan Motor Co Ltd announced that personal information from its customer database may have been leaked, potentially affecting up to 5.38 million individuals.
http://www.forbes.com/markets/feeds/afx/2006/12/21/afx3276888.html
FYI - UVSC quickly fixes
Net leak of student data - Some students and faculty members are at
risk of identity theft, the school says - Personal information and
Social Security numbers of 15,000 Utah Valley State College students
and faculty popped up on the Internet for six weeks this fall,
school officials have announced.
http://www.sltrib.com/news/ci_4906175
WEB SITE COMPLIANCE - Disclosures and Notices

Several consumer regulations provide for disclosures and/or notices to consumers. The compliance officer should check the specific regulations to determine whether the disclosures/notices can be delivered via electronic means. The delivery of disclosures via electronic means has raised many issues with respect to the format of the disclosures, the manner of delivery, and the ability to ensure receipt by the appropriate person(s). The following highlights some of those issues and offers guidance and examples that may be of use to institutions in developing their electronic services.

Disclosures are generally required to be "clear and conspicuous." Therefore, compliance officers should review the web site to determine whether the disclosures have been designed to meet this standard. Institutions may find that the format(s) previously used for providing paper disclosures may need to be redesigned for an electronic medium. Institutions may find it helpful to use "pointers" and "hotlinks" that will automatically present the disclosures to customers when selected. A financial institution's use solely of asterisks or other symbols as pointers or hotlinks would not be as clear as descriptive references that specifically indicate the content of the linked material.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

ELECTRONIC AND PAPER-BASED MEDIA HANDLING

Sensitive information is frequently contained on media such as paper documents, output reports, back-up tapes, disks, cassettes, optical storage, test data, and system documentation. Protection of that data requires protection of the media. The theft, destruction, or other loss of the media could result in the exposure of corporate secrets, breaches in customer confidentiality, alteration of data, and the disruption of business activities. The policies and procedures necessary to protect media may need revision as new data storage technologies are contemplated for use and new methods of attack are developed. The sensitivity of the data (as reflected in the data classification) dictates the extent of procedures and controls required. Many institutions find it easier to store and dispose of all media consistently without having to segregate out the most sensitive information. This approach also can help reduce the likelihood that someone could infer sensitive information by aggregating a large amount of less sensitive information. Management must address three components to secure media properly: handling and storage, disposal, and transit.

HANDLING AND STORAGE

IT management should ensure secure storage of media from unauthorized access. Controls could include physical and environmental controls including fire and flood protection, limited access (e.g., physical locks, keypad, passwords, biometrics), labeling, and logged access. Management should establish access controls to limit access to media, while ensuring all employees have authorization to access the minimum level of data required to perform their responsibilities. More sensitive media like system documentation, application source code, and production transaction data should have more extensive controls to guard against alteration (e.g., integrity checkers, cryptographic hashes). Furthermore, policies should minimize the distribution of sensitive media, including the printouts of sensitive information. Periodically, the security staff, audit staff, and data owners should review authorization levels and distribution lists to ensure they remain appropriate and current.
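The booklet's "integrity checkers, cryptographic hashes" is the one technical control in this section, and the pitfall a practitioner runs into is that a plain list of file hashes can be rewritten by whoever altered the files. The following is an added example, not text or code from the FFIEC booklet or from this newsletter: it baselines SHA-256 hashes of a directory holding source code and transaction data into a manifest, protects the manifest with an HMAC so a rewritten hash list is itself detected, and on re-check reports modified, missing and added files. The directory contents, file names and the hard-coded key are constructed for the demonstration and are assumptions of the example.

```python
"""File-integrity baseline and verification: SHA-256 per file, HMAC over the manifest.
Added example; not part of the FFIEC booklet or the newsletter."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumption for the example only. In practice the key lives in a key store or
# HSM and never sits on the same media as the files it protects.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries: dict) -> bytes:
    """Stable serialisation so the HMAC does not depend on dict ordering."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, key: bytes = MANIFEST_KEY) -> dict:
    """Record the SHA-256 of every regular file under root (paths relative to
    root) and tag the record with an HMAC so it cannot be silently rewritten."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            entries[p.relative_to(root).as_posix()] = sha256_file(p)
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def manifest_is_authentic(manifest: dict, key: bytes = MANIFEST_KEY) -> bool:
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def verify(root: Path, manifest: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Compare the current tree against the baseline. A manifest whose HMAC fails
    is refused outright: an attacker who can alter a file can usually also edit
    an unprotected hash list to match."""
    if not manifest_is_authentic(manifest, key):
        raise ValueError("manifest HMAC mismatch: the manifest itself was altered")
    current = build_manifest(root, key)["entries"]
    baseline = manifest["entries"]
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline three files, then alter one, delete one and
    drop in an unexpected one before re-checking; finally try a forged manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "transfer.cob").write_text("PROCEDURE DIVISION.\n")
        (root / "runbook.txt").write_text("Restore steps...\n")
        (root / "txn_2007-01-05.dat").write_bytes(b"\x00\x01ACCT0001  100.00\n")

        manifest = build_manifest(root)

        # Simulated tampering after the baseline was taken.
        (root / "src" / "transfer.cob").write_text("PROCEDURE DIVISION.\n MOVE 1 TO BONUS.\n")
        (root / "runbook.txt").unlink()
        (root / "unexpected.bin").write_bytes(b"\xde\xad")

        report = verify(root, manifest)

        # Attacker rewrites the stored hash to match the altered file but cannot
        # recompute the tag without the key, so the manifest is rejected.
        forged = {"entries": dict(manifest["entries"]), "tag": manifest["tag"]}
        forged["entries"]["src/transfer.cob"] = sha256_file(root / "src" / "transfer.cob")
        report["forged_manifest_rejected"] = not manifest_is_authentic(forged)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run stand-alone it prints the report for the constructed scenario. The baseline should be taken from a known-good copy, the checker should run from media the checked systems cannot write to, and where the manifest must be verifiable by parties who should not hold the secret, a digital signature replaces the HMAC.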
IT SECURITY QUESTION: SOFTWARE DEVELOPMENT AND ACQUISITION

3. Determine if the group or individual establishing security requirements has appropriate credentials, background, and/or training.

4. Evaluate whether the software incorporates appropriate security controls, audit trails, and activity logs and that appropriate and timely audit trail and log reviews and alerts can take place.
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

35. Does the institution deliver the privacy and opt out notices, including the short-form notice, so that the consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically? [§9(a)]
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.