R. Kinney Williams & Associates

Internet Banking News

March 6, 2005



FYI - A New Cyber-Security Breach - Bank of America says at least 1.2 million federal employee credit card accounts may be exposed to theft or hacking - In the financial world's latest cyber-identity crisis, Bank of America today is warning the holders of at least 1.2 million of its federal employee credit card accounts that a major security breach may have left their account information exposed to theft or hacking, according to a senior U.S. official and Bank spokeswoman. http://www.time.com/time/nation/article/0,8599,1032140,00.html

FYI - Getting Patches Under Control - Software both enables and limits the performance of an organization's computer systems. When software fails or performs poorly, it impacts business operations and leaves the organization open to attack or damage. With most products containing millions of lines of programming code, plenty of things can go wrong, and they are not always accidental. http://www.theiia.org/itaudit/index.cfm?fuseaction=print&fid=5592

FYI - VeriSign's Unified Authentication software will be used to protect online business-banking services. - Bank of America has tapped VeriSign Inc.'s Unified Authentication encryption software to safeguard applications used by business customers to access online banking services. The system employs two-factor authentication, a method that requires two forms of ID, such as a password, token, or smart card, in order to gain access to online services. http://www.informationweek.com/showArticle.jhtml?articleID=60402074

FYI - Digital Information Rights Need Tech-Savvy Courts - Opinion: The courts need to recognize that in the information age, virtual privacy and physical privacy don't have the same boundaries. http://www.eweek.com/article2/0%2C1759%2C1761739%2C00.asp

FYI - Davis questions security of Treasury Web site - Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, wrote today to Van Zeck, the Treasury Department's commissioner of the Public Debt, to express concern over the safety and security of personal information collected on the www.treasurydirect.gov Web site, which enables people to purchase government savings bonds electronically. Treasury received a D+ on the 2004 federal computer security scorecard Davis' committee released yesterday. http://www.gcn.com/vol1_no1/daily-updates/35113-1.html

FYI - Researchers find security flaw in SHA-1 algorithm - Security experts are warning that a security flaw has been found in a powerful data encryption algorithm, dubbed SHA-1, by a team of scientists from Shandong University in China. The three scientists are circulating a paper within the cryptographic research community that describes successful tests of a technique that could speed up how fast SHA-1 could be compromised. http://www.computerworld.com/printthis/2005/0,4814,99852,00.html

FYI - Citibank Tries On-Screen Keyboard To Foil Phishers - The U.K. division of global giant Citibank has introduced an on-screen "keyboard" for its online banking customers in an attempt to foil some types of identity theft. http://www.messagingpipeline.com/60401926

FYI - Payroll site closes on security worries - Online payroll service provider PayMaxx shuttered its automated W-2 site on Wednesday after a researcher claimed that two security holes had exposed data on more than 25,000 people. http://news.com.com/2102-1029_3-5587859.html?tag=st.util.print


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 7 of 10)

B. RISK MANAGEMENT TECHNIQUES

Planning Weblinking Relationships
Agreements

If a financial institution receives compensation from a third party as the result of a weblink to the third-party's website, the financial institution should enter into a written agreement with that third party in order to mitigate certain risks. Financial institutions should consider that certain forms of business arrangements, such as joint ventures, can increase their risk. The financial institution should consider including contract provisions to indemnify itself against claims by:

1)  dissatisfied purchasers of third-party products or services;

2)  patent or trademark holders for infringement by the third party; and

3)  persons alleging the unauthorized release or compromise of their confidential information, as a result of the third-party's conduct.

The agreement should not include any provision obligating the financial institution to engage in activities inconsistent with the scope of its legally permissible activities. In addition, financial institutions should be mindful that various contract provisions, including compensation arrangements, may subject the financial institution to laws and regulations applicable to insurance, securities, or real estate activities, such as RESPA, that establish broad consumer protections.

In addition, the agreement should include conditions for terminating the link. Third parties, whether they provide services directly to customers or are merely intermediaries, may enter into bankruptcy, liquidation, or reorganization during the period of the agreement. The quality of their products or services may decline, as may the effectiveness of their security or privacy policies. Also potentially just as harmful, the public may fear or assume such a decline will occur. The financial institution will limit its risks if it can terminate the agreement in the event the service provider fails to deliver service in a satisfactory manner.

Some weblinking agreements between a financial institution and a third party may involve ancillary or collateral information-sharing arrangements that require compliance with the Privacy Regulations.  For example, this may occur when a financial institution links to the website of an insurance company with which the financial institution shares customer information pursuant to a joint marketing agreement.


INFORMATION TECHNOLOGY SECURITY
We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

Risk Mitigation

Security should not be compromised when offering wireless financial services to customers or deploying wireless internal networks. Financial institutions should carefully consider the risks of wireless technology and take appropriate steps to mitigate those risks before deploying either wireless networks or applications. As wireless technologies evolve, the security and control features available to financial institutions will make the process of risk mitigation easier. Steps that can be taken immediately in wireless implementation include:

1)  Establishing a minimum set of security requirements for wireless networks and applications;

2)  Adopting proven security policies and procedures to address the security weaknesses of the wireless environment;

3)  Adopting strong encryption methods that encompass end-to-end encryption of information as it passes throughout the wireless network;

4)  Adopting authentication protocols for customers using wireless applications that are separate and distinct from those provided by the wireless network operator;

5)  Ensuring that the wireless software includes appropriate audit capabilities (for such things as recording dropped transactions);

6)  Providing appropriate training to IT personnel on network, application and security controls so that they understand and can respond to potential risks; and

7)  Performing independent security testing of wireless network and application implementations.
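Items 4 and 5 above are the ones that most directly translate into code: the customer-facing application must authenticate the customer itself rather than trusting whatever identity the wireless carrier or access point asserts, and it must leave an audit record of every attempt, including the ones it drops. The following is an added example (not from the FDIC guidance or this newsletter) of one way to do that in Python using only the standard library: an HMAC-SHA256 challenge-response between the banking application and its server, with a one-shot nonce so captured responses cannot be replayed, a time limit on each challenge, and an audit log entry for accepted, rejected and dropped attempts. The `AuthServer` class, `compute_response` and `run_demo` functions, the customer id `cust-1001` and the per-customer key are all constructed for this illustration; in a real deployment the key would be provisioned out of band and held in protected storage.

```python
import hashlib
import hmac
import secrets
import time

# Added example: application-layer challenge-response authentication for a
# wireless banking client, independent of anything the carrier or Wi-Fi
# network provides, plus an audit trail that records dropped and rejected
# attempts. Customer ids and keys below are constructed for the demo.


class AuthServer:
    """Verifies HMAC-SHA256 challenge responses and keeps an audit log."""

    def __init__(self, customer_secrets, challenge_ttl=30.0):
        self._secrets = dict(customer_secrets)   # customer_id -> 32-byte key
        self._outstanding = {}                   # nonce -> (customer_id, issued_at)
        self._ttl = challenge_ttl                # seconds a challenge stays valid
        self.audit_log = []                      # one record per attempt

    def issue_challenge(self, customer_id, now=None):
        """Hand out a fresh random nonce; each nonce is good for one response."""
        now = time.monotonic() if now is None else now
        nonce = secrets.token_hex(16)
        self._outstanding[nonce] = (customer_id, now)
        return nonce

    def verify(self, customer_id, nonce, response_hex, now=None):
        """Return True only for a timely, unreplayed, correctly keyed response."""
        now = time.monotonic() if now is None else now
        entry = self._outstanding.pop(nonce, None)   # pop makes the nonce one-shot
        if entry is None:
            return self._audit(customer_id, "dropped", "unknown or reused challenge")
        issued_for, issued_at = entry
        if issued_for != customer_id:
            return self._audit(customer_id, "dropped", "challenge issued to another customer")
        if now - issued_at > self._ttl:
            return self._audit(customer_id, "dropped", "challenge expired")
        key = self._secrets.get(customer_id)
        if key is None:
            return self._audit(customer_id, "rejected", "unknown customer")
        expected = compute_response(key, customer_id, nonce)
        if not hmac.compare_digest(expected, response_hex):   # constant-time compare
            return self._audit(customer_id, "rejected", "bad response")
        return self._audit(customer_id, "accepted", "ok")

    def _audit(self, customer_id, outcome, detail):
        """Record every attempt so dropped transactions are visible to auditors."""
        self.audit_log.append({"ts": time.time(), "customer": customer_id,
                               "outcome": outcome, "detail": detail})
        return outcome == "accepted"


def compute_response(key, customer_id, nonce):
    """Client side: bind the response to both the customer id and the nonce."""
    message = f"{customer_id}|{nonce}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def run_demo():
    """Drive four attempts and return the audit outcomes in order."""
    key = secrets.token_bytes(32)                 # constructed per-customer secret
    server = AuthServer({"cust-1001": key})
    t0 = time.monotonic()

    # 1. Legitimate login.
    nonce = server.issue_challenge("cust-1001", now=t0)
    server.verify("cust-1001", nonce, compute_response(key, "cust-1001", nonce), now=t0 + 1)
    # 2. Replay of the same captured response: the nonce was consumed, so it is dropped.
    server.verify("cust-1001", nonce, compute_response(key, "cust-1001", nonce), now=t0 + 2)
    # 3. Fresh challenge, but a response computed with the wrong key.
    nonce = server.issue_challenge("cust-1001", now=t0)
    server.verify("cust-1001", nonce, compute_response(b"\x00" * 32, "cust-1001", nonce), now=t0 + 3)
    # 4. Correct response that arrives after the 30-second challenge window.
    nonce = server.issue_challenge("cust-1001", now=t0)
    server.verify("cust-1001", nonce, compute_response(key, "cust-1001", nonce), now=t0 + 90)

    return [rec["outcome"] for rec in server.audit_log]


if __name__ == "__main__":
    print(run_demo())   # ['accepted', 'dropped', 'rejected', 'dropped']
```

Nothing here depends on the wireless network: the carrier could be lying about who the subscriber is and the check would still fail without the customer's key. The audit log is what item 5 asks for, and the distinction between "dropped" (the request never reached a key check) and "rejected" (a key check failed) is the kind of detail a reviewer of those logs wants.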


IT SECURITY QUESTION:  Computer operations:

a. Is the core application in-house or outsourced to a data center?
b. What type of network configuration is used?
c. What are the servers' operating systems?
d. What are the workstations' operating systems?
e. Is there a telephone-banking server?
f. Is there a server hosting Internet banking?
g. Are system logs maintained and reviewed regularly?
h. Are there modem connections to the network?
i. Is a modem log maintained?
j. Are there IT job descriptions?
k. Is there an anti-virus program on all workstations, and is the program current?
l. Are there software license agreements for all software?
m. Does the IT department program applications?
n. Are programming requirements outsourced? Vendor?
o. Are unauthorized programs such as screen savers prohibited?
p. Does the Board of Directors annually approve the IT policies?
q. If individual computers are not backed up, is important data saved to a network server?
r. Are stand-alone computers with critical data backed up?
s. Are there written IT procedures?
t. Are there network activity reports?
u. Does the personnel manual inform personnel of the Bank's policies and acceptable computer use?
v. Is a network problem log maintained?



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

9)  Does the institution list the following categories of nonpublic personal information that it collects, as applicable:

a)  information from the consumer; [§6(c)(1)(i)]

b)  information about the consumer's transactions with the institution or its affiliates; [§6(c)(1)(ii)]

c)  information about the consumer's transactions with nonaffiliated third parties; [§6(c)(1)(iii)] and

d)  information from a consumer reporting agency? [§6(c)(1)(iv)]
IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and examiners recommend a security test of your Internet connection. The Vulnerability Internet Security Test Audit (VISTA) is an independent external penetration study of your institution's network connection to the Internet that meets the regulatory requirements. We are trained information systems auditors that only work with financial institutions. As auditors, we provide an independent review of the vulnerability test results and an audit letter to your Board of Directors certifying the test results. For more information, visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated