R. Kinney Williams & Associates - Internet Banking News - April 2, 2006
Does your financial institution need an affordable Internet security
penetration-vulnerability test? Our clients in 41 states rely on VISTA
to verify their IT security settings and to meet the independent
diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which
provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA
penetration study and Internet security test is an affordable,
sophisticated process that goes far beyond the simple scanning of ports
and focuses on a hacker's perspective, which will help you identify
real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
NETWORK SECURITY TESTING - IT examination guidelines require financial
institutions to annually conduct an independent internal-network
penetration test. With Gramm-Leach-Bliley and the regulators' IT
security concerns, it is imperative to take a professional auditor's
approach to annually testing the internal connections to your network.
For more information about our independent internal testing, please
visit http://www.internetbankingaudits.com/internal_testing.htm or
complete the request-information form at
https://yennik.com/forms-vista-info/internal_vista_info_form.htm, and we
will email you (financial institutions only) due diligence information
about our company, the Internal VISTA agreement, and fees. All
communication is kept strictly confidential.
FYI - Laptop with Hewlett-Packard employees' ID stolen - 196,000 workers
and retirees had pension accounts with Fidelity - A laptop computer
containing the names, Social Security numbers, compensation and other
information for 196,000 current and former Hewlett-Packard employees
was stolen a week ago, HP confirmed.
http://www.mercurynews.com/mld/mercurynews/14162732.htm
FYI - Lost Ernst & Young
laptop exposes IBM staff - Ernst & Young has lost another laptop
containing the social security numbers and other personal
information of its clients' employees. This time, the incident puts
thousands of IBM workers at risk. Ex-IBM employees are also
affected.
http://www.theregister.co.uk/2006/03/15/ernstyoung_ibm_laptop/print.html
FYI - Feds get failing
grade in computer security report - The scorecards give failing
grades to some of the agencies most critical to the nation's
defense, including Fs for the U.S. Department of Defense and the
U.S. Department of Homeland Security - The U.S. government will get
low marks for computer security in a congressional report scheduled
to be released Thursday. According to documents obtained by the IDG
News Service, the federal government will get a D+ overall rating in
the 2005 federal computer security scorecards, the same score it
received last year.
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/03/15/76516_HNfedsecurityfailures_1.html
FYI - Bank strikes back
at ID cheats - All A&L online bankers issued with two-factor
authentication - Alliance & Leicester has issued security technology
to all its one million online banking customers, in a move intended
to cut identity theft and internet fraud.
http://www.vnunet.com/computing/news/2152053/bank-strikes-back-id-cheats
FYI - NIST sets FISMA
standards for federal IT systems - The National Institute of
Standards and Technology has released the final standard for
securing agency computer systems under the Federal Information
Security Management Act.
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40127
FYI - Merrill Lynch
fined 2.5M for lax email backups - The Securities and Exchange
Commission has ordered brokerage firm Merrill Lynch to pay $2.5
million for not providing email records in a timely manner, the
agency announced this week.
http://www.scmagazine.com/us/news/article/547575/?n=us
FYI - More clever
hackers emerging - Cyber crime grew more sophisticated, targeted,
and dangerous in 2005 according to a report released this week by
Counterpane Internet Security and MessageLabs.
http://www.scmagazine.com/us/news/article/547781/?n=us
FYI CLIENTS - Third of U.K.
business fails to test disaster plans - A new study has claimed that
a third of British businesses fail to test their disaster-recovery
strategy regularly.
http://www.scmagazine.com/us/news/article/547805/?n=us
FYI CLIENTS - Consumer groups
rail against proposed data-breach notification law - Bill called
'flawed,' too easy on businesses - Consumer and privacy advocacy
groups are up in arms over a proposed federal data-breach
notification bill that today was approved by the House Financial
Services Committee.
http://www.computerworld.com/printthis/2006/0,4814,109619,00.html
FYI CLIENTS - We need a national
IT disaster response plan - Looking back at Hurricane Katrina, Steve
Cooper, the Red Cross' senior vice president and chief information
officer, said he realized that such catastrophes require a national
information technology response plan. But the federal government
should not lead it, he said.
http://www.fcw.com/article92624-03-16-06-Web
FYI CLIENTS - Banks set up text,
email fraud alerts for customers - The threat of electronic thievery
has prompted a security strategy rethink at several US banks. As
part of a broader security initiative, Bank of America is offering
to alert customers of any suspicious charges or changes to their
account via email or text messages almost as soon as they occur.
http://software.silicon.com/security/0,39024655,39157302,00.htm
FYI -
GAO - Social Security Numbers: More Could be Done to Protect SSNs.
http://www.gao.gov/cgi-bin/getrpt?GAO-06-586T
Highlights -
http://www.gao.gov/highlights/d06586thigh.pdf
FYI -
Bank Secrecy Act - Commercial Bank of Syria -
Designation of Primary Money Laundering Concern - The Department of
the Treasury has designated Commercial Bank of Syria, including its
subsidiary, Syrian Lebanese Commercial Bank, as a financial
institution of primary money laundering concern and has issued the
attached final rule restricting domestic financial institutions'
banking relationships with this entity.
www.fdic.gov/news/news/financial/2006/fil06028.html
WEB SITE COMPLIANCE - We continue our series on the FFIEC
"Authentication in an Internet Banking Environment."
Account Origination and Customer Verification
With the growth in electronic banking and commerce, financial
institutions should use reliable methods of originating new customer
accounts online. Moreover, customer identity verification during
account origination is required by section 326 of the USA PATRIOT
Act and is important in reducing the risk of identity theft,
fraudulent account applications, and unenforceable account
agreements or transactions. Potentially significant risks arise when
a financial institution accepts new customers through the Internet
or other electronic channels because of the absence of the physical
cues that financial institutions traditionally use to identify
persons.
One method to verify a customer's identity is a physical
presentation of a proof of identity credential such as a driver's
license. Similarly, to establish the validity of a business and the
authority of persons to perform transactions on its behalf,
financial institutions typically review articles of incorporation,
business credit reports, board resolutions identifying officers and
authorized signers, and other business credentials. However, in an
Internet banking environment, reliance on these traditional forms of
paper-based verification decreases substantially. Accordingly,
financial institutions need to use reliable alternative methods.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Network Configuration
Computer networks often extend connectivity far beyond the financial
institution and its data center. Networks provide system access and
connectivity between business units, affiliates, TSPs, business
partners, customers, and the public. This increased connectivity
requires additional controls to segregate and restrict access
between various groups and information users.
A typical approach to securing a large network involves dividing the
network into logical security domains. A logical security domain is
a distinct part of a network with security policies that differ from
other domains. The differences may be far broader than network
controls, encompassing personnel, host, and other issues.
Typical network controls that distinguish security domains include
access control software permissions, dedicated lines, filtering
routers, firewalls, remote-access servers, and virtual private
networks. This booklet will discuss additional access controls
within the applications and operating systems residing on the
network in other sections. Before selecting the appropriate
controls, financial institutions should map and configure the
network to identify and control all access control points. Network
configuration considerations could include the following actions:
- Identifying the various applications and user groups accessed via
the network;
- Identifying all access points to the network, including various
telecommunications channels (e.g., wireless, Ethernet, frame relay,
dedicated lines, remote dial-up access, extranets, Internet);
- Mapping the internal and external connectivity between various
network segments;
- Defining minimum access requirements for network services (i.e.,
most often referenced as a network services access policy); and
- Determining the most appropriate network configuration to ensure
adequate security and performance.
With a clear understanding of network connectivity, the financial
institution can avoid introducing security vulnerabilities by
minimizing access to less-trusted domains and employing encryption
for less secure connections. Institutions can then determine the
most effective deployment of protocols, filtering routers,
firewalls, gateways, proxy servers, and/or physical isolation to
restrict access. Some applications and business processes may
require complete segregation from the corporate network (e.g., no
connectivity between corporate network and wire transfer system).
Others may restrict access by placing the services that must be
accessed by each zone in their own security domain, commonly called
a "demilitarized zone" (DMZ).
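To make the security-domain idea concrete, here is an added example (not code from the FFIEC booklet or this newsletter) that models the zones as logical domains, expresses the "minimum access requirements" as a default-deny network services access policy, and audits a constructed connectivity map against it, flagging both undefined flows and any flow that crosses a boundary the policy says must have no connectivity at all (the wire transfer system). The zone names, services and sample flows are assumptions.

```python
# Added example: network services access policy checker for logical
# security domains. Zone names, services and the sample connectivity
# map are constructed for illustration, not taken from the booklet.
from dataclasses import dataclass

# Logical security domains (zones).
INTERNET, DMZ, CORPORATE, WIRE = "internet", "dmz", "corporate", "wire_transfer"

# Minimum access requirements: only these (src, dst, service) flows are
# permitted between domains; anything not listed is denied by default.
ACCESS_POLICY = {
    (INTERNET, DMZ, "https"),       # public online-banking front end in the DMZ
    (DMZ, CORPORATE, "app-api"),    # DMZ app tier reaches the internal app server
    (CORPORATE, INTERNET, "https"), # staff outbound browsing through a proxy
    (CORPORATE, DMZ, "smtp"),       # internal mail hands off to the DMZ relay
}

# Domain pairs that must be completely segregated (no connectivity in
# either direction), e.g. corporate network <-> wire transfer system.
SEGREGATED = {frozenset({CORPORATE, WIRE}), frozenset({DMZ, WIRE}),
              frozenset({INTERNET, WIRE})}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str

def evaluate_flow(flow: Flow) -> str:
    """Return 'allowed', 'denied' (not in the policy) or
    'segregation-violation' (crosses a boundary that must not exist)."""
    if flow.src_zone == flow.dst_zone:
        return "allowed"  # intra-domain traffic is governed by host controls
    if frozenset({flow.src_zone, flow.dst_zone}) in SEGREGATED:
        return "segregation-violation"
    if (flow.src_zone, flow.dst_zone, flow.service) in ACCESS_POLICY:
        return "allowed"
    return "denied"

def audit(flows):
    """List every observed flow that should not exist, with its reason."""
    return [(f, evaluate_flow(f)) for f in flows if evaluate_flow(f) != "allowed"]

# Constructed sample connectivity map, e.g. exported from firewall rules.
OBSERVED = [
    Flow(INTERNET, DMZ, "https"),
    Flow(INTERNET, CORPORATE, "rdp"),   # inbound straight to the internal network
    Flow(CORPORATE, WIRE, "smb"),       # crosses the segregated boundary
    Flow(DMZ, CORPORATE, "app-api"),
]

if __name__ == "__main__":
    for flow, verdict in audit(OBSERVED):
        print(f"{verdict}: {flow.src_zone} -> {flow.dst_zone} ({flow.service})")
```

Running the block reports the RDP flow as denied and the SMB flow into the wire transfer zone as a segregation violation; the two policy-listed flows pass.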
IT SECURITY QUESTION:
B. NETWORK SECURITY
18. Determine whether an appropriate archive of boot disks, distribution
media, and security patches exists.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 1 of 3)
Note: Financial institutions whose practices fall within this
category engage in the most expansive degree of information sharing
permissible. Consequently, these institutions are held to the most
comprehensive compliance standards imposed by the Privacy
regulation.
A. Disclosure of Nonpublic Personal Information
1) Select a
sample of third party relationships with nonaffiliated third parties
and obtain a sample of data shared between the institution and the
third party both inside and outside of the exceptions. The sample
should include a cross-section of relationships but should emphasize
those that are higher risk in nature as determined by the initial
procedures. Perform the following comparisons to evaluate the
financial institution's compliance with disclosure limitations.
a. Compare the categories of data shared and with whom the
data were shared to those stated in the privacy notice and verify
that what the institution tells consumers (customers and those who
are not customers) in its notices about its policies and practices
in this regard and what the institution actually does are consistent
(§§10, 6).
b. Compare the data shared to a sample of opt out directions
and verify that only nonpublic personal information covered under
the exceptions or from consumers (customers and those who are not
customers) who chose not to opt out is shared (§10).
2) If the financial institution also shares information under
Section 13, obtain and review contracts with nonaffiliated third
parties that perform services for the financial institution not
covered by the exceptions in section 14 or 15. Determine whether the
contracts prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather"
provisions of Section 18 apply to certain of these contracts (§13(a)).
PLEASE NOTE: Some of the above links may have expired, especially those
from news organizations. We may have a copy of the article, so please
e-mail us at examiner@yennik.com if we can be of assistance.