VACATION - I will be on vacation this week, July 18, 2005. I am taking the week off to spend with family. I will be checking emails every evening.
FYI -
Attorneys general seek answers from credit card payment company over
data exposure - The attorneys general of 44 states demanded that the
credit card processor responsible for a breach that exposed 40
million cardholders to possible fraud inform affected consumers
about the risk.
http://news.findlaw.com/scripts/printer_friendly.pl?page=/ap/o/51/06-29-2005/d583001a47792379.html
FYI -
A Support Guide for Wireless Diagnostics and Troubleshooting -
Microsoft's article is designed to be a support aid to help diagnose
wireless connection and authentication issues. It is meant to
provide an advanced level of wireless diagnostics procedures by
analyzing tracing logs generated by wireless components in Microsoft
Windows XP and Windows Server 2003 to spot common problems and
verify basic operation.
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wlansupp.mspx
FYI -
FDIC Identity Theft Study Supplement on
"Account-Hijacking" Identity Theft - Summary: The FDIC has issued a
supplement to its December 14, 2004, study on account-hijacking
identity theft.
www.fdic.gov/news/news/financial/2005/fil5905.html
FYI -
Threats from Fraudulent Bank Web Sites: Risk
Mitigation and Response Guidance for Web Site Spoofing Incidents -
Bulletin provides guidance for banks on how to respond to incidents
of a Web-site fraud called spoofing and procedures for lowering
associated risks.
www.occ.treas.gov/ftp/bulletin/2005-24.doc
FYI -
Launch of Two-factor Authentication for Internet Banking - The Hong
Kong Monetary Authority (HKMA), the Hong Kong Association of Banks (HKAB)
and the Hong Kong Police Force (HKPF) jointly announced the launch
of two-factor authentication for Internet banking by the banking
industry.
http://www.info.gov.hk/hkma/eng/press/2005/20050530e3_index.htm
FYI - Computer Sabotage:
An Insider Threat - According to recent research, employees and
contractors are perpetrating more cyber security attacks than ever
to harm organizations intentionally.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5628
WEB SITE COMPLIANCE - Fair Housing Act
A financial institution that advertises on-line credit products that
are subject to the Fair Housing Act must display the Equal Housing
Lender logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's
regulator.
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in
person" applications. Accordingly, information about these
applicants' race or national origin and sex must be collected. An
institution that accepts applications through electronic media
without a video component, for example, the Internet or facsimile,
may treat the applications as received by mail.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Product Certification and Security Scanning Products
Several organizations exist which independently assess and
certify the adequacy of firewalls and other computer system related
products. Typically, certified products have been tested for their
ability to permit and sustain business functions while protecting
against both common and evolving attacks.
Security scanning tools should be run frequently by system
administrators to identify any new vulnerabilities or changes in the
system. Ideally, the scan should be run both with and without the
firewall in place so the firewall's protective capabilities can be
fully evaluated. Identifying the susceptibility of the system
without the firewall is useful for determining contingency
procedures should the firewall ever go down. Some scanning tools
have different versions with varying degrees of intrusion/attack
attempts.
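The FDIC passage recommends two comparisons: this week's scan against the previous one (to catch new vulnerabilities or changes in the system), and a scan with the firewall in place against one without it (to see what the firewall is actually hiding and what contingency procedures must cover if it goes down). The following script, added here as an example rather than taken from the FDIC guidance or any scanner vendor, performs both comparisons. The three result sets are constructed sample data in a simplified (host, port, finding) form, not the output of any particular scanning product; the host names and finding labels are invented.

```python
"""Compare vulnerability-scan results as the FDIC passage recommends.

Added example, not from the FDIC guidance. The result sets below are
constructed sample data; a real run would load them from the scanner's
export format instead.
"""
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, int, str]  # (host, port, finding label)

# Constructed: last month's scan, firewall in place (the baseline).
BASELINE_WITH_FW: Set[Finding] = {
    ("web01", 80, "http-server-banner"),
    ("web01", 443, "tls-weak-cipher"),
}

# Constructed: this week's scan, firewall in place.
CURRENT_WITH_FW: Set[Finding] = {
    ("web01", 80, "http-server-banner"),
    ("web01", 443, "tls-weak-cipher"),
    ("web01", 8080, "admin-console-no-auth"),  # new since the baseline
}

# Constructed: this week's scan repeated with the firewall removed from the
# path (e.g. scanner placed on the internal segment), as the FDIC suggests.
CURRENT_WITHOUT_FW: Set[Finding] = CURRENT_WITH_FW | {
    ("db01", 1433, "db-listener-exposed"),
    ("web01", 23, "telnet-enabled"),
}


def changes_since_baseline(baseline: Set[Finding],
                           current: Set[Finding]) -> Dict[str, List[Finding]]:
    """Findings that appeared since the last scan and findings that went
    away; 'new' is what the administrator must triage this week."""
    return {
        "new": sorted(current - baseline),
        "resolved": sorted(baseline - current),
    }


def firewall_dependent(with_fw: Set[Finding],
                       without_fw: Set[Finding]) -> List[Finding]:
    """Findings reachable only when the firewall is absent. This is the
    exposure the contingency plan must address if the firewall fails."""
    return sorted(without_fw - with_fw)


def contingency_by_host(with_fw: Set[Finding],
                        without_fw: Set[Finding]) -> Dict[str, List[str]]:
    """Group the firewall-dependent findings per host so each system owner
    gets a list of what to harden or disable on the host itself."""
    grouped: Dict[str, List[str]] = {}
    for host, port, label in firewall_dependent(with_fw, without_fw):
        grouped.setdefault(host, []).append("%d/%s" % (port, label))
    return grouped


if __name__ == "__main__":
    delta = changes_since_baseline(BASELINE_WITH_FW, CURRENT_WITH_FW)
    print("New since baseline:", delta["new"])
    print("Resolved since baseline:", delta["resolved"])
    print("Hidden only by the firewall:", contingency_by_host(
        CURRENT_WITH_FW, CURRENT_WITHOUT_FW))
```

The with/without comparison is deliberately kept separate from the baseline comparison: the first tells you how much of the system's security rests on a single device, the second tells you what changed. A finding that is present in both of this week's scans but absent from the baseline (the 8080 admin console above) is a change that the firewall does not mitigate and should be treated as the most urgent item.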
IT SECURITY QUESTION:
Network user access controls: (Part 1 of 2)
a. Is there a written procedure for password administration?
b. If a username is required, does the system automatically enter
the username?
c. Is the password length six or greater?
d. Is the use of proper nouns and dictionary words discouraged?
e. Is the password required to include upper and lower case letters,
special characters, and numbers?
f. Are passwords required to be changed at least every 30 days?
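Questions c through f of the checklist describe rules a system can enforce mechanically. The checker below is an added example, not code from the newsletter or from any particular system, that turns those four questions into a function returning the list of questions a password fails. The small word list standing in for a dictionary and proper-noun list is constructed for illustration (a real deployment would load a full word list); the 6-character minimum and 30-day maximum age come from the checklist itself.

```python
"""Password-policy checker for questions c-f of the network user access
controls checklist. Added example; thresholds taken from the checklist,
the word list and sample dates are constructed."""
from datetime import date
from typing import List

MIN_LENGTH = 6       # question c
MAX_AGE_DAYS = 30    # question f
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|'\"`~")

# Constructed stand-in for a dictionary plus proper-noun list (question d).
DICTIONARY = {"password", "welcome", "summer", "dallas", "texas", "williams"}


def dictionary_hit(password: str) -> bool:
    """True if the password is a dictionary word or proper noun, ignoring
    case and a trailing digit or symbol (the common 'Dallas1' pattern)."""
    lowered = password.lower()
    core = lowered.rstrip("0123456789!@#$%")
    return lowered in DICTIONARY or core in DICTIONARY


def check_password(password: str, last_changed: date, today: date) -> List[str]:
    """Return the checklist questions this password fails; empty means it
    satisfies c, d, e and f."""
    failures: List[str] = []

    if len(password) < MIN_LENGTH:
        failures.append("c: shorter than 6 characters")

    if dictionary_hit(password):
        failures.append("d: dictionary word or proper noun")

    # Question e: all four character classes must be present.
    classes = {
        "upper": any(ch.isupper() for ch in password),
        "lower": any(ch.islower() for ch in password),
        "digit": any(ch.isdigit() for ch in password),
        "special": any(ch in SPECIALS for ch in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        failures.append("e: missing " + ", ".join(missing))

    if (today - last_changed).days > MAX_AGE_DAYS:
        failures.append("f: not changed in the last 30 days")

    return failures


if __name__ == "__main__":
    today = date(2005, 7, 18)  # constructed reference date
    for pw, changed in [("Dallas1", date(2005, 7, 1)),
                        ("Tx#9bank", date(2005, 5, 1)),
                        ("abc", date(2005, 7, 15))]:
        print(pw, "->", check_password(pw, changed, today) or "passes")
```

Questions a and b are procedural (a written procedure exists; the system supplies the username) and are verified by inspection rather than by code. Note that the dictionary check strips only a single trailing run of digits or symbols; a stronger check would also try common substitutions, but that is beyond what the checklist asks for.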
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
32. When a customer relationship
ends, does the institution continue to apply the customer's opt
out direction to the nonpublic personal information collected
during, or related to, that specific customer relationship (but not
to new relationships, if any, subsequently established by that
customer)? [§7(g)(2)]
VISTA - Does {custom4} need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports; testing focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.