Yennik, Inc.®
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
April 22, 2007
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Identity Theft - FDIC's Supervisory Policy on Identity Theft - The FDIC has issued the attached "Supervisory Policy on Identity Theft." The policy describes the characteristics of identity theft. It also sets forth the FDIC's expectations that institutions under its supervision take steps to detect and prevent identity theft and mitigate its effects in order to protect consumers and help ensure institutions' safe and sound operations.
www.fdic.gov/news/news/financial/2007/fil07032.html

FYI - Experts rubbish two-factor authentication - Technology will not cut phishing, e-Crime Congress hears - Two-factor authentication will not help to reduce soaring phishing levels, experts at the e-Crime Congress in London warned today. One UK bank is currently considering the introduction of two-factor authentication, where customers receive a key fob which displays a constantly changing password that allows them to access their online accounts.
http://www.vnunet.com/vnunet/news/2186568/two-factor-authentication-gets

FYI - No privacy in home PC brought to work - What: City treasurer in Oklahoma protests warrantless search of his personally owned computer after a police inspection.
http://news.com.com/2102-1028_3-6173540.html?tag=st.util.print

FYI - The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices.
http://www.treas.gov/tigta/auditreports/2007reports/200720048fr.html
http://www.fcw.com/article98135-04-03-07-Web&printLayout

FYI - ABN pays out over hacked accounts - ABN Amro has compensated four customers who lost cash when hackers stole money from their accounts using a malware phishing technique.
http://www.computerweekly.com/Articles/2007/04/03/222857/abn-pays-out-over-hacked-accounts.htm
MISSING COMPUTERS/DATA
FYI - UCSF Break-In Puts Info On 46,000 At Risk - The University of California at San Francisco began notifying students, teachers, and staff that their names, Social Security numbers, and bank account numbers may have been accessed during a security breach.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198800502

FYI - Audit reveals almost 500 IRS laptops lost or stolen - The Internal Revenue Service (IRS) reported the loss or theft of nearly 500 computers over a period of more than three years ending in 2006, according to an audit released this week.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070410/649142/

FYI - Laptop theft exposes teachers to ID fraud risk - About 40,000 Chicago Public Schools employees are at risk of identity fraud after two laptops containing their personal information were stolen on Friday.
http://news.com.com/2102-1029_3-6174635.html?tag=st.util.print

FYI - Hortica Alerting Public to Loss of Backup Tapes - Florists' Mutual Insurance Company (Hortica), an Illinois-based provider of employee benefits and insurance to companies in the horticultural industry, today announced that a locked shipping case containing magnetic backup tapes cannot be located.
http://www.pr-inside.com/hortica-alerting-public-to-loss-of-r87434.htm

FYI - Title Agency Warns Customers About Security Breach - There's a new warning about identity theft. Security Title Agency in Phoenix is warning customers about a security breach. About five weeks ago their Web site was altered by computer hackers.
http://ktar.com/?nid=6&sid=440413
WEB SITE COMPLIANCE - We conclude the series on FDIC Supervisory Insights regarding Incident Response Programs. (12 of 12)

What the Future Holds

In addition to meeting regulatory requirements and addressing applicable industry best practices, several characteristics tend to differentiate banks. The most successful banks will find a way to integrate incident response planning into normal operations and business processes. Assimilation efforts may include expanding security awareness and training initiatives to reinforce incident response actions, revising business continuity plans to incorporate security incident responses, and implementing additional security monitoring systems and procedures to provide timely incident notification. Ultimately, the adequacy of a bank's IRP reflects on the condition of the information security program along with management's willingness and ability to manage information technology risks. In essence, incident response planning is a management process, the comprehensiveness and success of which provide insight into the quality and attentiveness of management. In this respect, the condition of a bank's IRP, and the results of examiner review of the incident response planning process, fit well within the objectives of the information technology examination as described in the Information Technology-Risk Management Program.

An IRP is a critical component of a well-formed and effective information security program and has the potential to provide tangible value and benefit to a bank. Similar to the importance of a business continuity planning program as it relates to the threat of natural and man-made disasters, sound IRPs will be necessary to combat new and existing data security threats facing the banking community. Given the high value placed on the confidential customer information held within the financial services industry, coupled with the publicized success of known compromises, one can reasonably assume that criminals will continue to probe an organization's defenses in search of weak points. The need for response programs is real and has been recognized as such not only by state and Federal regulatory agencies (through passage of a variety of legal requirements), but by the banking industry itself. The challenges each bank faces are to develop a reasonable IRP providing protections for the bank and the consumer and to incorporate the IRP into a comprehensive, enterprise-wide information security program. The most successful banks will exceed regulatory requirements to leverage the IRP for business advantages and, in turn, improved protection for the banking industry as a whole.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

BUSINESS CONTINUITY CONSIDERATIONS

Events that trigger the implementation of a business continuity plan may have significant security considerations. Depending on the event, some or all of the elements of the security environment may change. Different people may be involved in operations, at a different physical location, using similar but different machines and software that may communicate over different communications lines. Depending on the event, different tradeoffs may exist between availability, integrity, confidentiality, and accountability, with a different appetite for risk on the part of management.

Business continuity plans should be reviewed as an integral part of the security process. Risk assessments should consider the changing risks that appear in business continuity scenarios and the different security posture that may be established. Strategies should consider the different risk environment and the degree of risk mitigation necessary to protect the institution in the event the continuity plans must be implemented. The implementation should consider the training of appropriate personnel in their security roles, and the implementation and updating of technologies and plans for backup sites and communications networks. Testing these security considerations should be integrated with the testing of business continuity plan implementations.
IT SECURITY QUESTION: SERVICE PROVIDER OVERSIGHT - SECURITY

1. Determine if contracts contain security requirements that at least meet the objectives of the Section 501(b) GLBA security guidelines and contain nondisclosure language regarding specific requirements.
2. Determine whether the institution has assessed the service provider's ability to meet contractual security requirements.
3. Determine whether appropriate controls exist over the substitution of personnel on the institution's projects and services.
4. Determine whether appropriate security testing is required and performed on any code, system, or service delivered under the contract.
5. Determine whether appropriate reporting of security incidents is required under the contract.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Other Exceptions to Notice and Opt Out Requirements

50. If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service providers and joint marketers in §13, not apply because the institution makes the disclosure:

a. with the consent or at the direction of the consumer; [§15(a)(1)]
b.
   1. to protect the confidentiality or security of records; [§15(a)(2)(i)]
   2. to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; [§15(a)(2)(ii)]
   3. for required institutional risk control or for resolving consumer disputes or inquiries; [§15(a)(2)(iii)]
   4. to persons holding a legal or beneficial interest relating to the consumer; [§15(a)(2)(iv)] or
   5. to persons acting in a fiduciary or representative capacity on behalf of the consumer; [§15(a)(2)(v)]
c. to insurance rate advisory organizations, guaranty funds or agencies, agencies rating the institution, persons assessing compliance, and the institution's attorneys, accountants, and auditors; [§15(a)(3)]
d. in compliance with the Right to Financial Privacy Act, or to law enforcement agencies; [§15(a)(4)]
e. to a consumer reporting agency in accordance with the FCRA or from a consumer report reported by a consumer reporting agency; [§15(a)(5)]
f. in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit, if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; [§15(a)(6)]
g. to comply with Federal, state, or local laws, rules, or legal requirements; [§15(a)(7)(i)]
h. to comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; [§15(a)(7)(ii)] or
i. to respond to judicial process or government regulatory authorities having jurisdiction over the institution for examination, compliance, or other purposes as authorized by law? [§15(a)(7)(iii)]

(Note: the regulation gives the following as an example of the exception described in section a of this question: "A consumer may specifically consent to [an institution's] disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to [the institution] for a mortgage so that the insurance company can offer homeowner's insurance to the consumer.")
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.