July 15, 2001
FYI - Specially Designated Nationals and Blocked
Persons - On June 27, 2001, the Department of the Treasury's Office of
Foreign Assets Control (OFAC) amended its listing of specially designated
nationals and blocked persons by adding names of persons who threaten
international stabilization efforts in the Western Balkans.
www.fdic.gov/news/news/financial/2001/fil0162.html
INTERNET COMPLIANCE - The Role Of Consumer Compliance In Developing
And Implementing Electronic Services from FDIC:
When violations of the consumer protection laws regarding a financial
institution's electronic services have been cited, generally the
compliance officer has not been involved in the development and
implementation of the electronic services. Therefore, it is suggested that
management and system designers consult with the compliance officer during
the development and implementation stages in order to minimize compliance
risk. The compliance officer should ensure that the proper controls are
incorporated into the system so that all relevant compliance issues are
fully addressed. This level of involvement will help decrease an
institution's compliance risk and may prevent the need to delay deployment
or redesign programs that do not meet regulatory requirements.
The compliance officer should develop a compliance risk profile as a
component of the institution's online banking business and/or technology
plan. This profile will establish a framework from which the compliance
officer and technology staff can discuss specific technical elements that
should be incorporated into the system to ensure that the online system
meets regulatory requirements. For example, the compliance officer may
communicate with the technology staff about whether compliance
disclosures/notices on a web site should be indicated or delivered by the
use of "pointers" or "hotlinks" to ensure that
required disclosures are presented to the consumer. The compliance officer
can also be an ongoing resource to test the system for regulatory
compliance.
INTERNET SECURITY - We continue the series from the FDIC
"Security Risks Associated with the Internet" about the primary
technical and procedural security measures necessary to properly govern
access control and system security.
Firewalls - Data Transmission and Types of Firewalls
Data traverses the Internet in units referred to as packets. Each packet
has headers which contain information for delivery, such as where the
packet is from, where it is going, and what application it contains. The
varying firewall techniques examine the headers and either permit or deny
access to the system based on the firewall's rule configuration.
There are different types of firewalls that provide various levels of
security. For instance, packet filters, sometimes implemented as screening
routers, permit or deny access based solely on the stated source and/or
destination IP address and the application (e.g., FTP). However, addresses
and applications can be easily falsified, allowing attackers to enter
systems. Other types of firewalls, such as circuit-level gateways and
application gateways, actually have separate interfaces with the internal
and external (Internet) networks, meaning no direct connection is
established between the two networks. A relay program copies all data from
one interface to another, in each direction. An even stronger firewall, a
stateful inspection gateway, not only examines data packets for IP
addresses, applications, and specific commands, but also provides security
logging and alarm capabilities, in addition to historical comparisons with
previous transmissions for deviations from normal context.
Implementation
When evaluating the need for firewall technology, the potential costs
of system or data compromise, including system failure due to attack,
should be considered. For most financial institution applications, a
strong firewall system is a necessity. All information into and out of the
institution should pass through the firewall. The firewall should also be
able to rewrite internal IP addresses to its own IP address, so that no
inside addresses are exposed to the outside. The possibility always exists that
security might be circumvented, so there must be procedures in place to
detect attacks or system intrusions. Careful consideration should also be
given to any data that is stored or placed on the server, especially
sensitive or critically important data.
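As an added illustration (not part of the FDIC text), the following Python model contrasts the two firewall types described above: a stateless packet filter that decides on header fields alone, and a stateful inspection gateway that remembers sessions opened from inside and keeps a security log of deviations. The address ranges, application names and sample packets are constructed for the example.

```python
from dataclasses import dataclass
INSIDE = "10.0.0."             # constructed internal address range
PUBLISHED = {"smtp"}           # services the institution offers to the Internet
CLIENT_APPS = {"http", "ftp"}  # services inside users reach out to

@dataclass(frozen=True)
class Packet:
    src: str       # stated source address (easily forged by the sender)
    dst: str       # stated destination address
    app: str       # application carried, e.g. "http", "ftp"
    inbound: bool  # True when the packet arrives on the Internet side

def packet_filter(pkt):
    """Screening router: permit or deny on header fields alone, no memory."""
    if pkt.inbound:
        # Must leave a hole for replies to inside clients, so it cannot tell
        # a genuine reply from an unsolicited packet that merely names the app.
        return pkt.dst.startswith(INSIDE) and pkt.app in PUBLISHED | CLIENT_APPS
    return pkt.src.startswith(INSIDE)

class StatefulGateway:
    """Remembers sessions opened from inside; logs and alarms on deviations."""
    def __init__(self):
        self.sessions = set()   # (inside host, outside host, app) seen outbound
        self.log = []           # security log / alarm record

    def check(self, pkt):
        if not pkt.inbound:
            if not pkt.src.startswith(INSIDE):
                self.log.append(f"ALARM outbound with forged address {pkt.src}")
                return False
            self.sessions.add((pkt.src, pkt.dst, pkt.app))
            return True
        if (pkt.dst, pkt.src, pkt.app) in self.sessions:
            return True    # reply half of a session an inside host opened
        if pkt.dst.startswith(INSIDE) and pkt.app in PUBLISHED:
            return True    # a service deliberately published to the Internet
        self.log.append(f"DENY unsolicited {pkt.app} {pkt.src}->{pkt.dst}")
        return False

SAMPLE = [  # constructed traffic, in order of arrival
    Packet("10.0.0.7", "198.51.100.20", "http", inbound=False),  # user browses out
    Packet("198.51.100.20", "10.0.0.7", "http", inbound=True),   # genuine reply
    Packet("203.0.113.9", "10.0.0.7", "ftp", inbound=True),      # unsolicited, claims ftp
]

def compare(pkts):
    """Run both firewalls over the same packets; return decisions and the log."""
    gw = StatefulGateway()
    return [packet_filter(p) for p in pkts], [gw.check(p) for p in pkts], gw.log
```

The third packet is the case the text warns about: it passes the stateless filter because it names an application the filter must let through, while the stateful gateway denies it and records the event for review.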
IN CLOSING - The E-mail Banking News is in HTML format for easier
viewing. If you have any problems viewing the newsletter, please let
us know.