R. Kinney Williams & Associates

Internet Banking News

February 13, 2005

CONTENTS: Internet Compliance, Information Systems Security, IT Security Question, Internet Privacy, Website for Penetration Testing


FYI - Keep thieves out of your bank account - With millions falling victim to high-tech theft, you need all the protection you can get. Here are the biggest vulnerabilities and what you can do about them. http://moneycentral.msn.com/content/Banking/FinancialPrivacy/P87303.asp?special=0501id

FYI - Feds aim to tighten nuclear cyber security - Federal regulators are proposing to add computer security standards to their criteria for installing new computerized safety systems in nuclear power plants. http://www.securityfocus.com/printable/news/10353

FYI - Lexus a nexus between cars and phone viruses? - Antivirus companies are researching reports that computer viruses have attacked the onboard computers of cars. http://asia.cnet.com/news/security/printfriendly.htm?AT=39214840-39037064t-39000005c

FYI - UK tech police: Cash-strapped and ineffective - A UK high-tech crime buster has warned that his investigations are being severely hampered by a lack of money and has said funding could still be pared down further to the point that police units such as his become untenable. http://www.silicon.com/research/specialreports/thespamreport/print.htm?TYPE=story&AT=39127363-39025001t-40000011c

FYI - Tough local laws drive corporate security - Cautious corporations are applying the most restrictive local and national laws globally to ensure they obey compliance regulations. http://www.theregister.co.uk/2005/01/25/international_security_policy/print.html

FYI - UNC's Missing Hard Drive Has More Info Than Previously Thought - Personal Information For Thousands Of Family Members Also On Computer - Irritation turned to anger when University of Northern Colorado employees learned that a missing computer hard drive contained personal information about thousands of family members as well as the workers themselves. http://www.thedenverchannel.com/news/4121643/detail.html

FYI - The Federal Reserve Board has announced amendments to Appendix A of Regulation CC that reflect the restructuring of the Federal Reserve's check processing operations in the Sixth District. These amendments are the first in a series of amendments to Appendix A that will take place through the first quarter of 2006, associated with the previously announced restructuring of the Reserve Banks' check processing operations. www.federalreserve.gov/boarddocs/press/bcreg/2005/20050208/default.htm


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 4 of 10)

A. RISK DISCUSSION

Reputation Risk

Trade Names

If the third party has a name similar to that of the financial institution, there is an increased likelihood of confusion for the customer and increased exposure to reputation risk for the financial institution. For example, if customers access a similarly named broker from the financial institution's website, they may believe that the financial institution is providing the brokerage service or that the broker's products are federally insured.

Website Appearance

The use of frame technology and other similar technologies may confuse customers about which products and services the financial institution provides and which products and services third parties, including affiliates, provide. If frames are used, when customers link to a third-party website through the institution-provided link, the third-party webpages open within the institution's master webpage frame. For example, if a financial institution provides links to a discount broker and the discount broker's webpage opens within the institution's frame, the appearance of the financial institution's logo on the frame may give the impression that the financial institution is providing the brokerage service or that the two entities are affiliated. Customers may believe that their funds are federally insured, creating potential reputation risk to the financial institution in the event the brokerage service should fail or the product loses value.

Compliance Risk

The compliance risk to an institution linking to a third party's website depends on several factors. These factors include the nature of the products and services provided on the third party's website, and the nature of the institution's business relationship with the third party. This is particularly true with respect to compensation arrangements for links. For example, a financial institution that receives payment for offering advertisement-related weblinks to a settlement service provider's website should carefully consider the prohibition against kickbacks, unearned fees, and compensated referrals under the Real Estate Settlement Procedures Act (RESPA).

The financial institution has compliance risk as well as reputation risk if linked third parties offer less security and privacy protection than the financial institution. Third-party sites may have weaker encryption policies, or less stringent policies regarding the use and security of their customers' information. The customer may be comfortable with the financial institution's policies for privacy and security, but not with those of the linked third party. If the third party's policies and procedures create security weaknesses or apply privacy standards that permit the third party to release confidential customer information, customers may blame the financial institution.


INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

MONITORING AND UPDATING - MONITORING

Effective monitoring of threats includes both nontechnical and technical sources. Nontechnical sources include organizational changes, business process changes, new business locations, increased sensitivity of information, or new products and services. Technical sources include new systems, new service providers, and increased access. Security personnel and financial institution management must remain alert to emerging threats and vulnerabilities. This effort could include the following security activities:

! Senior management support for strong security policy awareness and compliance. Management and employees must remain alert to operational changes that could affect security and actively communicate issues with security personnel. Business line managers must have responsibility and accountability for maintaining the security of their personnel, systems, facilities, and information.

! Security personnel should monitor the information technology environment and review performance reports to identify trends, new threats, or control deficiencies. Specific activities could include reviewing security and activity logs, investigating operational anomalies, and routinely reviewing system and application access levels.

! Security personnel and system owners should monitor external sources for new technical and nontechnical vulnerabilities and develop appropriate mitigation solutions to address them. Examples include many controls discussed elsewhere in this booklet including:

 - Establishing an effective configuration management process that monitors for vulnerabilities in hardware and software and establishes a process to install and test security patches,

 - Maintaining up-to-date anti-virus definitions and intrusion detection attack definitions, and

 - Providing effective oversight of service providers and vendors to identify and react to new security issues.

! Senior management should require periodic security self-assessments and audits to provide an ongoing assessment of policy compliance and ensure prompt corrective action of significant deficiencies.

! Security personnel should have access to automated tools appropriate for the complexity of the financial institution's systems. Automated security policy and security log analysis tools can significantly increase the effectiveness and productivity of security personnel.


IT SECURITY QUESTION: DATA SECURITY

3. Determine whether individual and group access to data is based on business needs.


INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

6. Does the institution provide an annual privacy notice to each customer whose loan the institution owns the right to service? [§§5(c), 4(c)(2)]

IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and examiners recommend a security test of your Internet connection. The Vulnerability Internet Security Test Audit (VISTA) is an independent external penetration study of your institution's network connection to the Internet that meets the regulatory requirements. We are trained information systems auditors who work only with financial institutions. As auditors, we provide an independent review of the vulnerability test results and an audit letter to your Board of Directors certifying the test results. For more information, visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved. Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated