Internet Banking News
brought to you by Yennik, Inc., the acknowledged leader in independent Internet audits for financial institutions.
January 14, 2007
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - FDIC's Supervisory Insights reports how banks can effectively handle security breaches through incident response programs. Other supervisory "hot topics" covered: best practices for identifying and controlling risk in commercial real estate lending, how examiners identify and address unfair or deceptive acts or practices, and understanding Bank Secrecy Act violations.
www.fdic.gov/news/news/press/2007/pr07001.html
FYI - Breach of county bank account likely identity theft - The theft of an undisclosed amount of money from Oceana County accounts with Fifth Third Bank was likely the result of someone responding to a fraudulent e-mail, a practice called "phishing."
http://www.mlive.com/news/muchronicle/index.ssf?/base/news-0/116714610359880.xml&coll=8
FYI - From SANS - What is an IT Security Manager's Responsibility with Phishing?
http://www.sans.edu/resources/leadershiplab/phishing.php
FYI - China's Internet expected to be back to normal by Jan. 15 - Internet services in China will not be back to normal until mid-January after being disrupted by a powerful earthquake off Taiwan, a news report Sunday quoted the country's biggest telephone company as saying.
http://www.usatoday.com/tech/world/2006-12-31-china-internet_x.htm?csp=34
FYI - Seven steps for a more secure network - IT security professionals should rely on personal vigilance and implemented methodologies, not just the slew of new products hitting the marketplace, to protect their networks in 2007.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070103/623764/
MISSING COMPUTERS/DATA
FYI - Patients warned of possible identity theft - A Deaconess Hospital laptop that contained private information on up to 128 patients has been missing for at least a month, a hospital spokesman said.
http://www.courierpress.com/news/2006/dec/27/patients-warned-of-possible-identity-theft/
FYI - A major health insurer has delivered a gloomy holiday message to 42,000 city employees, warning that their personal data may have been compromised during a burglary in Massachusetts, The Post has learned. Group Health Insurance Inc. reported that thieves made off with computer tapes containing the names, Social Security numbers "as well as other data" in a break-in at the office of one of its vendors, Concentra Preferred Systems, on Oct. 26.
http://www.nypost.com/php/pfriendly/print.php?url=http://www.nypost.com/seven/12232006/news/regionalnews/city_workers_in_id_fear_over_data_theft_regionalnews_david_seifman.htm
FYI - Personal data of 15,000 TWU students made vulnerable - In the wake of the recent potential personal data nightmare at UT Dallas comes one at Texas Woman's University. Texas Woman's University is notifying approximately 15,000 students that their personal data has been exposed to potential identity theft.
http://www.pegasusnews.com/news/2006/dec/22/personal-data-15000-twu-students-made-vulnerable/?print
WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule issued on March 20, 1998 allows depository institutions to satisfy the delivery requirement by electronic communication for any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to that method of delivery.
Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services, including electronic financial services.
The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated online. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as a personal computer or a facsimile machine.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
ELECTRONIC AND PAPER-BASED MEDIA HANDLING
DISPOSAL
Financial institutions need appropriate disposal procedures for both electronic and paper-based media. Policies should prohibit employees from discarding sensitive media along with regular garbage, to avoid accidental disclosure. Many institutions shred paper-based media on site; others use collection and disposal services to ensure the media is rendered unreadable and unreconstructable before disposal. Institutions that contract with third parties should use care in selecting vendors to ensure adequate employee background checks, controls, and experience.
Computer-based media presents unique disposal problems. Residual data frequently remains on media after erasure: deleting a file normally removes only the filesystem's reference to it, not the bytes on the media. Since that data can be recovered, additional disposal techniques should be applied to sensitive data. Physical destruction of the media, for instance by subjecting a compact disk to microwaves, can make the data unrecoverable. Overwriting can also destroy data in some cases, and may be preferred when the media will be re-used. Institutions should base their disposal policies on the sensitivity of the information contained on the media and, through policies, procedures, and training, ensure that the actions taken to securely dispose of computer-based media adequately protect the data from the risks of reconstruction. Where practical, management should log the disposal of sensitive media, especially computer-based media.
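The residual-data point above is easy to see in code. The following Python is an added illustration written for this page, not code from the FFIEC booklet or from Yennik: it models a disk as a byte array with a toy allocation table (an assumed 64-byte block size) and a constructed, fake customer record, then compares an ordinary delete with overwrite-before-delete by "carving" the raw media the way a forensic examiner would.

```python
# Added example (not from the FFIEC booklet or this newsletter): a toy block
# device showing why deletion leaves residual data and what overwriting does.
# The disk layout, the "filesystem", and the customer record are all
# constructed for illustration.
import os

BLOCK_SIZE = 64   # bytes per block (assumed; real media use 512 or 4096)
NUM_BLOCKS = 16

# Constructed sample record; the account number and SSN are fake.
RECORD = b"ACCT 1234567890 SSN 123-45-6789 JANE DOE\n" * 3


class ToyDisk:
    """A bytearray stands in for the raw media; a dict stands in for the
    filesystem's allocation table. Deleting a file changes only the table,
    which is how most real filesystems behave."""

    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.free = list(range(NUM_BLOCKS))
        self.files = {}  # name -> list of block indices

    def write_file(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE]
            idx = self.free.pop(0)
            start = idx * BLOCK_SIZE
            self.media[start:start + len(chunk)] = chunk
            blocks.append(idx)
        self.files[name] = blocks

    def delete_file(self, name):
        """Ordinary 'erasure': the blocks are marked free, contents untouched."""
        self.free.extend(self.files.pop(name))

    def overwrite_and_delete(self, name, passes=1):
        """Sanitise before reuse: overwrite every block the file occupied
        with random bytes, then unlink it."""
        for idx in self.files[name]:
            start = idx * BLOCK_SIZE
            for _ in range(passes):
                self.media[start:start + BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
        self.delete_file(name)

    def carve(self, needle):
        """What a forensic examiner does: search the raw media, ignoring the
        filesystem's opinion of which blocks are in use."""
        return needle in bytes(self.media)


def recoverable_after_delete():
    disk = ToyDisk()
    disk.write_file("customers.dat", RECORD)
    disk.delete_file("customers.dat")
    return disk.carve(b"123-45-6789")  # True: residual data survives deletion


def recoverable_after_overwrite():
    disk = ToyDisk()
    disk.write_file("customers.dat", RECORD)
    disk.overwrite_and_delete("customers.dat")
    return disk.carve(b"123-45-6789")  # False: the only copy was overwritten


if __name__ == "__main__":
    print("After delete, SSN still on media:", recoverable_after_delete())
    print("After overwrite, SSN still on media:", recoverable_after_overwrite())
```

The toy disk is honest about one thing real hardware is not: it writes the random bytes exactly where the file was. On flash and solid-state media with wear levelling, and on journaling or copy-on-write filesystems, an in-place overwrite can land on fresh cells or blocks and leave the original copy intact, which is why the booklet says overwriting works only "sometimes" and why physical destruction (or encrypting the media up front and destroying the key) is the safer choice for the most sensitive data. Whichever method is used, the disposal should be logged as the booklet recommends.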
TRANSIT
Financial institutions should maintain the security of media while in transit or when shared with third parties. Policies should include:
- Restrictions on the carriers used and procedures to verify the identity of couriers,
- Requirements for appropriate packaging to protect the media from damage,
- Use of encryption for transmission of sensitive information,
- Security reviews or independent security reports of receiving companies, and
- Use of nondisclosure agreements between couriers and third parties.
Financial institutions should address the security of their back-up tapes at all times, including when the tapes are in transit from the data center to off-site storage.
IT SECURITY QUESTION: SOFTWARE DEVELOPMENT AND ACQUISITION
5. Evaluate whether the software contains appropriate authentication and encryption.
6. Evaluate the adequacy of the change control process.
7. Evaluate the appropriateness of software libraries and their access controls.
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
36. Does the institution use a reasonable means for delivering the notices, such as:
a. hand-delivery of a printed copy; [§9(b)(1)(i)]
b. mailing a printed copy to the last known address of the consumer; [§9(b)(1)(ii)]
c. for the consumer who conducts transactions electronically, clearly and conspicuously posting the notice on the institution's electronic site and requiring the consumer to acknowledge receipt as a necessary step to obtaining a financial product or service; [§9(b)(1)(iii)] or
d. for isolated transactions, such as ATM transactions, posting the notice on the screen and requiring the consumer to acknowledge receipt as a necessary step to obtaining the financial product or service? [§9(b)(1)(iv)]
(Note: insufficient or unreasonable means of delivery include: exclusively oral notice, in person or by telephone; branch or office signs or generally published advertisements; and electronic mail to a customer who does not obtain products or services electronically. [§9(b)(2)(i) and (ii), and (d)])
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.