February 11, 2001
INTERNET SECURITY - We continue our review of the FDIC paper "Risk
Assessment Tools and Practices for Information System Security." After
the initial risk assessment is completed, management may determine that a
penetration analysis (test) should be conducted. For the purpose of this
paper, "penetration analysis" is broadly defined. Bank
management should determine the scope and objectives of the analysis. The
scope can range from a specific test of a particular information system's
security to a review of multiple information security processes across
the institution.
A penetration analysis usually involves a team of experts who identify
an information system's vulnerability to a series of attacks. The
evaluators may attempt to circumvent the security features of a system by
exploiting the identified vulnerabilities. Similar to running
vulnerability scanning tools, the objective of a penetration analysis is
to locate system vulnerabilities so that appropriate corrective steps can
be taken. The analysis can apply to any institution with a network, but
becomes more important if system access is allowed via an external
connection such as the Internet. The analysis should be independent and
may be conducted by a trusted third party, qualified internal audit team,
or a combination of both. The information security policy should address
the frequency and scope of the analysis. In determining the scope of the
analysis, items to consider include internal vs. external threats, systems
to include in the test, testing methods, and system architectures.
A penetration analysis is a snapshot of the security at a point in time
and does not provide a complete guarantee that the system(s) being tested
are secure. It can test the effectiveness of security controls and
preparedness measures. Depending on the scope of the analysis, the
evaluators may work under the same constraints applied to ordinary
internal or external users. Conversely, the evaluators may be given all
system design and implementation documentation. It is common for the
evaluators to be given just the IP address of the institution and any
other public information, such as a listing of officers, that is normally
available to outside hackers. The evaluators may use vulnerability
assessment tools and employ some of the attack methods discussed in this
paper, such as social engineering and war dialing. After completing the
agreed-upon analysis, the evaluators should provide the institution a
detailed written report. The report should identify vulnerabilities,
prioritize weaknesses, and provide recommendations for corrective action.
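The two practical points in the paragraphs above are that the agreed-upon scope has to be enforced while the test is running, and that the written report has to rank what was found. The following is an added example written for this newsletter; it is not code from the FDIC paper or from any institution. The networks, hostnames, severity weights and findings in it are constructed sample data, and the scoring rule (severity, plus a bonus for weaknesses reachable from the external connection, plus a bonus for controls the evaluators actually circumvented) is an assumed one that an institution would replace with its own.

```python
"""Scope enforcement and finding prioritization for a penetration analysis.

Added example for this newsletter, not code from the FDIC paper. All
addresses (203.0.113.0/24 is a reserved documentation range) and findings
are constructed sample data.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Scope:
    """The scope management agreed to, encoded as data the team can check against."""
    networks: tuple      # address ranges the institution authorized for testing
    excluded: tuple      # carve-outs inside those ranges (e.g. a production core)
    methods: frozenset   # testing methods management approved


def is_in_scope(scope: Scope, target: str) -> bool:
    """True only if target is a valid address inside an authorized network
    and not inside an excluded one. Anything unparseable is out of scope."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False
    if any(ip in net for net in scope.excluded):
        return False
    return any(ip in net for net in scope.networks)


def method_allowed(scope: Scope, method: str) -> bool:
    """Every attack method (war dialing, social engineering, ...) must be
    one management explicitly approved before the analysis began."""
    return method in scope.methods


# Assumed severity weights for the report; an institution would set its own.
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: str
    externally_reachable: bool   # exposed via the Internet connection
    exploited: bool              # evaluators actually circumvented the control
    recommendation: str


def priority(f: Finding) -> int:
    """Higher is more urgent: severity, plus external exposure, plus proof
    that the weakness was exploitable rather than only reported by a scanner."""
    score = SEVERITY[f.severity]
    if f.externally_reachable:
        score += 2
    if f.exploited:
        score += 1
    return score


def prioritize(findings):
    """Order findings for the written report, most urgent first; ties by host."""
    return sorted(findings, key=lambda f: (-priority(f), f.host))


def report_lines(findings):
    """One line per finding, in priority order, with the corrective action."""
    return [
        f"{rank}. [{priority(f)}] {f.host}: {f.title} -> {f.recommendation}"
        for rank, f in enumerate(prioritize(findings), start=1)
    ]


# Constructed sample scope: an external block, an internal block, and a
# carve-out for systems the institution did not authorize the team to touch.
SAMPLE_SCOPE = Scope(
    networks=(ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("10.20.0.0/16")),
    excluded=(ipaddress.ip_network("10.20.5.0/24"),),
    methods=frozenset({"vulnerability-scan", "war-dialing", "social-engineering"}),
)

# Constructed sample findings of the kind a report would list.
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", "Outdated web server build with a known remote hole",
            "high", True, True, "patch and rebuild the server"),
    Finding("10.20.1.4", "Default administrator password on internal server",
            "critical", False, True, "set a unique password; audit other hosts"),
    Finding("203.0.113.22", "Modem answering on a published telephone line",
            "medium", True, False, "remove the modem or require call-back"),
    Finding("10.20.1.9", "Verbose error pages disclose software versions",
            "low", False, False, "disable detailed errors"),
]

if __name__ == "__main__":
    for target in ("203.0.113.7", "10.20.5.9", "198.51.100.1"):
        print(target, "in scope" if is_in_scope(SAMPLE_SCOPE, target) else "OUT OF SCOPE")
    print("\n".join(report_lines(SAMPLE_FINDINGS)))
```

The point of checking scope in code rather than by memory is that a carve-out like 10.20.5.0/24 sits inside an authorized range; a team working from the range alone would test it. The ranking puts an externally reachable, exploited weakness ahead of a more severe but internal one, which matches the paper's emphasis on systems reachable via an external connection.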
FYI - CLIENTS - On February 1, 2001, Julie L. Williams, First Senior
Deputy Comptroller and Chief Counsel, Office of the Comptroller of the
Currency, remarked on the Emerging Law of Cyberbanking and Electronic
Commerce in Washington, DC. http://www.occ.treas.gov/ftp/release/2001-13a.txt
She also stated that technology enhances a bank's ability to segment its
banking business and play to its strengths. http://www.occ.treas.gov/ftp/release/2001-13.txt
An OCC Advisory Letter alerts national bank management and boards of
directors to specific Internet-initiated Automated Clearing House (ACH)
risks and emphasizes the importance of sound ACH risk management
practices. http://www.occ.treas.gov/ftp/advisory/2001-3.txt
Please remember that we perform vulnerability testing and would be
happy to e-mail the financial institution a proposal. Please send an
e-mail to Kinney Williams at examiner@yennik.com
for more information.
INTERNET COMPLIANCE - Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices to
consumers. The compliance officer should check the specific regulations to
determine whether the disclosures/notices can be delivered via electronic
means. The delivery of disclosures via electronic means has raised many
issues with respect to the format of the disclosures, the manner of
delivery, and the ability to ensure receipt by the appropriate person(s).
The following highlights some of those issues and offers guidance and
examples that may be of use to institutions in developing their electronic
services.
Disclosures are generally required to be "clear and
conspicuous." Therefore, compliance officers should review the web
site to determine whether the disclosures have been designed to meet this
standard. Institutions may find that the format(s) previously used for
providing paper disclosures need to be redesigned for an electronic
medium. Institutions may find it helpful to use "pointers" and
"hotlinks" that automatically present the disclosures to
customers when selected. A financial institution's use solely of asterisks
or other symbols as pointers or hotlinks would not be as clear as
descriptive references that specifically indicate the content of the
linked material.
FYI - On February 5, 2001, Comptroller of the Currency John D. Hawke,
Jr. underscored the need for international cooperation in the supervision
of electronic banking. http://www.occ.treas.gov/ftp/release/2001-14a.txt