Internet Banking News

January 15, 2006

CONTENT	Internet Compliance	Information Systems Security
IT Security Question	Internet Privacy	Website for Penetration Testing

Does Your Financial Institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable-sophisticated process than goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Critical Elements of Information Security Program Success - The challenges of implementing an effective information security program are broad and diverse. To address these challenges the Information Systems Audit and Control Association (ISACA) sponsored an international focus group and survey, which resulted in this report, to identify the elements that impact information security program success. http://www.isaca.org/Template.cfm?Section=Downloads3&CONTENTID=23217&TEMPLATE=/ContentManagement/ContentDisplay.cfm

FYI - 2005 worst year for breaches of computer security - Data breaches disclosed at Marriott International, Ford Motor, ABN Amro Mortgage Group and Sam's Club this month capped what computer experts call the worst year ever for known computer-security breaches. http://www.usatoday.com/tech/news/computersecurity/2005-12-28-computer-security_x.htm

FYI - Government Web sites are keeping an eye on you - Dozens of federal agencies are tracking visits to U.S. government Web sites in violation of long-standing rules designed to protect online privacy, a CNET News.com investigation shows. http://news.com.com/2102-1028_3-6018702.html?tag=st.util.print

FYI - FBI Recruiting Information Technology Personnel -The FBI recently launched a recruitment campaign aimed at hiring a large number of Information Technology (IT) Professionals. These candidates will work with some of the most cutting-edge technology available in the world, to operate and maintain a robust, secure FBI global information technology (IT) infrastructure environment. http://www.fbi.gov/pressrel/pressrel05/pr_it122305.htm

FYI - Marriott Says Customer Data Missing - The company's time-sharing division has notified customers that backup tapes are missing with personal data--including Social Security, bank account, and credit-card numbers--on them. http://www.informationweek.com/showArticle.jhtml?articleID=175700593

FYI - H&R Block blunder exposes consumer data - Some consumers may be dismayed to find their Social Security numbers printed on unsolicited packages from H&R Block, the result of a recent labeling blunder at the company. http://news.com.com/2102-1029_3-6016720.html?tag=st.util.print

FYI - Bank tape lost with data on 90,000 customers - People's Bank in Connecticut said the tape was lost in transit - A computer tape from a Connecticut bank containing personal data on 90,000 customers was lost in transit recently, the bank reported. http://www.computerworld.com/securitytopics/security/story/0,10801,107661,00.html?source=NLT_AM&nid=107661
http://news.com.com/2102-1029_3-6026692.html?tag=st.util.print

Return to the top of the newsletter

WEB SITE COMPLIANCE - The Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:

When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services. Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk. The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed. This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.

The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan. This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements. For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer. The compliance officer can also be an ongoing resource to test the system for regulatory compliance.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL

AUTHENTICATION - Token Systems (1 of 2)

Token systems typically authenticate the token and assume that the user who was issued the token is the one requesting access. One example is a token that generates dynamic passwords every X seconds. When prompted for a password, the user enters the password generated by the token. The token's password - generating system is identical and synchronized to that in the system, allowing the system to recognize the password as valid. The strength of this system of authentication rests in the frequent changing of the password and the inability of an attacker to guess the seed and password at any point in time.

Another example of a token system uses a challenge/response mechanism. In this case, the user identifies him/herself to the system, and the system returns a code to enter into the password - generating token. The token and the system use identical logic and initial starting points to separately calculate a new password. The user enters that password into the system. If the system's calculated password matches that entered by the user, the user is authenticated. The strengths of this system are the frequency of password change and the difficulty in guessing the challenge, seed, and password.

Other token methods involve multi - factor authentication, or the use of more than one authentication method. For instance, an ATM card is a token. The magnetic strip on the back of the card contains a code that is recognized in the authentication process. However, the user is not authenticated until he or she also provides a PIN, or shared secret. This method is two - factor, using both something the user has and something the user knows. Two - factor authentication is generally stronger than single - factor authentication. This method can allow the institution to authenticate the user as well as the token.

Return to the top of the newsletter

INFORMATION SECURITY QUESTION:

B. NETWORK SECURITY

7. Determine whether network users are authenticated, and that the type and nature of the authentication (user and machine) is supported by the risk assessment. Access should only be provided where specific authorization occurs.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 1 of 6)

The regulations establish specific duties and limitations for a financial institution based on its activities. Financial institutions that intend to disclose nonpublic personal information outside the exceptions will have to provide opt out rights to their customers and to consumers who are not customers. All financial institutions have an obligation to provide an initial and annual notice of their privacy policies to their customers. All financial institutions must abide by the regulatory limits on the disclosure of account numbers to nonaffiliated third parties and on the redisclosure and reuse of nonpublic personal information received from nonaffiliated financial institutions.

A brief summary of financial institution duties and limitations appears below. A more complete explanation of each appears in the regulations.

Notice and Opt Out Duties to Consumers:

If a financial institution intends to disclose nonpublic personal information about any of its consumers (whether or not they are customers) to a nonaffiliated third party, and an exception does not apply, then the financial institution must provide to the consumer:

1) an initial notice of its privacy policies;

2) an opt out notice (including, among other things, a reasonable means to opt out); and

3) a reasonable opportunity, before the financial institution discloses the information to the nonaffiliated third party, to opt out.

The financial institution may not disclose any nonpublic personal information to nonaffiliated third parties except under the enumerated exceptions unless these notices have been provided and the consumer has not opted out. Additionally, the institution must provide a revised notice before the financial institution begins to share a new category of nonpublic personal information or shares information with a new category of nonaffiliated third party in a manner that was not described in the previous notice.

Note that a financial institution need not comply with the initial and opt-out notice requirements for consumers who are not customers if the institution limits disclosure of nonpublic personal information to the exceptions.