R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 17, 2009

CONTENT
- Internet Compliance
- Information Systems Security
- IT Security Question
- Internet Privacy
- Website for Penetration Testing
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI -
A New Law That Protects Consumer Data - "Data breach" has become a commonly used term in recent years. Although this phrase may be interpreted in a variety of different ways, it evokes a common reaction: Fear. Individuals whose personal information is compromised by these events often fall victim to identity theft and spend years attempting to reclaim their reputations. Companies compromised by a breach are forever associated with these incidents and suffer incalculable damage. http://www.ammaxdigital.com/display_article.php?id=148068

FYI -
US cyber-security 'embarrassing' - America's cyber-security has been described as "broken" by one industry expert and as "childlike" by another. http://news.bbc.co.uk/2/hi/technology/8023793.stm

FYI -
FTC extends Red Flags Rule enforcement three more months - The day before the Federal Trade Commission (FTC) was to begin enforcing the Red Flags Rules, the agency announced the deadline for compliance will be extended for the second time, until Aug. 1. http://www.scmagazineus.com/FTC-extends-Red-Flags-Rule-enforcement-three-more-months/article/135996/?DCMP=EMC-SCUS_Newswire

FYI -
GAO - Cyber Threats and Vulnerabilities Place Federal Systems at Risk.
Report - http://www.gao.gov/new.items/d09661t.pdf
Highlights - http://www.gao.gov/highlights/d09661thigh.pdf

FYI -
Prolific spammers busted in the Midwest - A federal grand jury in Kansas City has indicted four people, including two Missouri brothers, in a nationwide email spamming case that involved the illegal harvesting of eight million student email addresses from more than 2,000 colleges. http://www.scmagazineus.com/Prolific-spammers-busted-in-the-Midwest/article/136134/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Patient data loss forces Trusts to adopt encryption - Trusts agree to encrypt mobile devices and prevent unauthorised downloading - Four NHS trusts have agreed to encrypt all portable and mobile devices after being found in breach of the Data Protection Act by the Information Commissioner's Office (ICO). http://www.computing.co.uk/computing/news/2241469/four-nhs-trusts-lose-patient

FYI -
USPS probes possible mass security breach - CBS News has learned of another data breach potentially compromising the personal information of thousands of people. Companies Lexis Nexis and Investigative Professionals have sent up to 40,000 letters to customers whose "sensitive and personally identifiable" information may have been viewed by individuals who should not have had access.
http://news.cnet.com/8301-1009_3-10231880-83.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9132474&source=rss_null17

FYI -
Virginia Health Data Potentially Held Hostage - An extortion demand posted on WikiLeaks seeks $10 million to return more than 8 million patient records and 35 million prescriptions allegedly stolen from the Virginia Department of Health Professions. http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=217201397&subSection=Cybercrime

FYI -
IT Director Pleads Guilty to Deleting Organ Donation Records - The former IT director for a nonprofit organ and tissue donation center pleaded guilty to a charge that she broke into the organization's computer network and deleted organ donation database records, invoice files, and database and accounting software. http://www.pcworld.com/businesscenter/article/164221/it_director_pleads_guilty_to_deleting_organ_donation_records.html


WEB SITE COMPLIANCE -
Over the next few weeks, we will cover some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.

Executive Summary

Continuing technological innovation and competition among existing banking organizations and new entrants have allowed for a much wider array of banking products and services to become accessible and delivered to retail and wholesale customers through an electronic distribution channel collectively referred to as e-banking. However, the rapid development of e-banking capabilities carries risks as well as benefits. 

The Basel Committee on Banking Supervision expects such risks to be recognized, addressed and managed by banking institutions in a prudent manner according to the fundamental characteristics and challenges of e-banking services. These characteristics include the unprecedented speed of change related to technological and customer service innovation, the ubiquitous and global nature of open electronic networks, the integration of e-banking applications with legacy computer systems and the increasing dependence of banks on third parties that provide the necessary information technology. While not creating inherently new risks, the Committee noted that these characteristics increased and modified some of the traditional risks associated with banking activities, in particular strategic, operational, legal and reputational risks, thereby influencing the overall risk profile of banking. 

Based on these conclusions, the Committee considers that while existing risk management principles remain applicable to e-banking activities, such principles must be tailored, adapted and, in some cases, expanded to address the specific risk management challenges created by the characteristics of e-banking activities. To this end, the Committee believes that it is incumbent upon the Boards of Directors and banks' senior management to take steps to ensure that their institutions have reviewed and modified where necessary their existing risk management policies and processes to cover their current or planned e-banking activities. The Committee also believes that the integration of e-banking applications with legacy systems implies an integrated risk management approach for all banking activities of a banking institution.


INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.


PERSONNEL SECURITY

AGREEMENTS: CONFIDENTIALITY, NON-DISCLOSURE, AND AUTHORIZED USE

Financial institutions should protect the confidentiality of information about their customers and organization. A breach in confidentiality could disclose competitive information, increase fraud risk, damage the institution's reputation, violate customer privacy and associated rights, and violate regulatory requirements.  Confidentiality agreements put all parties on notice that the financial institution owns its information, expects strict confidentiality, and prohibits information sharing outside of that required for legitimate business needs. Management should obtain signed confidentiality agreements before granting new employees and contractors access to information technology systems.

JOB DESCRIPTIONS

Job descriptions, employment agreements, and policy awareness acknowledgements increase accountability for security. Management can communicate general and specific security roles and responsibilities for all employees within their job descriptions. Management should expect all employees, officers, and contractors to comply with security and acceptable use policies and protect the institution's assets, including information. The job descriptions for security personnel should describe the systems and processes they will protect and the control processes for which they are responsible. Management can take similar steps to ensure contractors and consultants understand their security responsibilities as well.

TRAINING

Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and should strengthen compliance with the security policy. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management. Training materials would typically review the acceptable-use policy and include issues like desktop security, log-on requirements, password administration guidelines, etc. Training should also address social engineering, and the policies and procedures that protect against social engineering attacks. Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses.



IT SECURITY QUESTION:
SOFTWARE DEVELOPMENT AND ACQUISITION

1. Inquire about how security requirements are determined for software, whether internally developed or acquired from a vendor.

2. Determine whether management appropriately considers either following a recognized security standard development process, or reference to widely recognized industry standards.


INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

6. Does the institution provide an annual privacy notice to each customer whose loan the institution owns the right to service? [§§5(c), 4(c)(2)]

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated