FYI - Banks Make Theft Easy for Phishers - Attackers take advantage of customer conveniences to create fake bank cards. U.S. banks are putting customer convenience ahead of security and, in the process, making it much easier for online "phishers" to create counterfeit bank cards.
http://www.pcworld.com/news/article/0,aid,122079,00.asp
http://news.com.com/2102-7349_3-5815141.html?tag=st.util.print
FYI - UK police want new computer powers - The UK Association of Chief Police Officers (ACPO) has called for new powers to allow police to tackle rogue websites, and make withholding encryption keys a criminal offence.
http://www.techworld.com/security/news/index.cfm?NewsID=4106
FYI - One In Four Identity Theft Victims Never Fully Recover - Making things right after a stolen identity can take months and cost thousands, a survey of identity theft victims reported. Worse, in more than one in four cases, victims haven't been able to completely restore their good name.
http://www.techweb.com/wire/security/166402606
FYI - Whistle-Blower Faces FBI Probe - The FBI is investigating a computer security researcher for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them.
http://www.wired.com/news/print/0,1294,68356,00.html
FYI - Remote Computer Security Enhances Virtual Private Network Safety - As more organizations take advantage of virtual private networks that facilitate remote access to corporate resources, internal auditors need to ensure organizations are taking the necessary steps to protect against external attacks.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5615
WEB SITE COMPLIANCE - Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to
make deposited funds available for withdrawal apply in the
electronic financial services environment. This includes rules on
fund availability schedules, disclosure of policy, and payment of
interest. Recently, the FRB published a commentary that clarifies
requirements for providing certain written notices or disclosures to
customers via electronic means. Specifically, the commentary to the
regulations states that a financial institution satisfies both the
written exception hold notice requirement and the general disclosure
requirement by sending an electronic version that displays the text
and is in a form that the customer may keep.
However, the customer must agree to such means of delivery of
notices and disclosures. Information is considered to be in a form
that the customer may keep if, for example, it can be downloaded or
printed by the customer. To reduce compliance risk, financial
institutions should test their programs' ability to provide
disclosures in a form that can be downloaded or printed.
INFORMATION TECHNOLOGY SECURITY - We
begin our series on the FFIEC interagency Information Security
Booklet. This booklet is required reading for anyone
involved in information systems security, such as the Network Administrator,
Information Security Officer, members of the IS Steering Committee,
and, most importantly, your outsourced network security consultants.
Your outsourced network security consultants can receive the
"Internet Banking News" by completing the subscription form
at https://yennik.com/newletter_page.htm.
There is no charge for the e-newsletter.
SECURITY OBJECTIVES
Information security enables a financial institution to meet its
business objectives by implementing business systems with due
consideration of information technology (IT)-related
risks to the organization, business and trading partners, technology
service providers, and customers. Organizations meet this goal by
striving to accomplish the following objectives.
1) Availability - The
ongoing availability of systems addresses the processes, policies,
and controls used to ensure authorized users have prompt access to
information. This objective protects against intentional or
accidental attempts to deny legitimate users access to information
and/or systems.
2) Integrity of Data or
Systems - System and data integrity relate to the processes,
policies, and controls used to ensure information has not been
altered in an unauthorized manner and that systems are free from
unauthorized manipulation that will compromise accuracy,
completeness, and reliability.
3) Confidentiality of
Data or Systems - Confidentiality covers the processes, policies,
and controls employed to protect information of customers and the
institution against unauthorized access or use.
4) Accountability -
Clear accountability involves the processes, policies, and controls
necessary to trace actions to their source. Accountability directly
supports non-repudiation, deterrence, intrusion prevention,
intrusion detection, recovery, and legal admissibility of records.
5) Assurance -
Assurance addresses the processes, policies, and controls used to
develop confidence that technical and operational security measures
work as intended. Assurance levels are part of the system design and
include availability, integrity, confidentiality, and
accountability. Assurance highlights the notion that secure systems
provide the intended functionality while preventing undesired
actions.
Appropriate security controls are necessary for financial
institutions to challenge potential customer or user claims that
they did not initiate a transaction. Financial institutions can
accomplish this by achieving both integrity and accountability to
produce what is known as non-repudiation. Non-repudiation occurs
when the financial institution demonstrates that the originators who
initiated the transaction are who they say they are, the recipient
is the intended counterparty, and no changes occurred in transit or
storage. Non-repudiation can reduce fraud and promote the legal
enforceability of electronic agreements and transactions. While
non-repudiation is a goal and is conceptually clear, the manner in
which non-repudiation can be achieved for electronic systems in a
practical, legal sense may have to wait for further judicial
clarification.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Access Rights Administration
1. Evaluate the adequacy of policies and procedures for authentication and
access controls to manage effectively the risks to the financial
institution.
• Evaluate the processes that management uses to define access
rights and privileges (e.g., software and/or hardware systems
access) and determine if they are based upon business need
requirements.
• Review processes that assign rights and privileges and ensure
that they take into account and provide for adequate segregation of
duties.
• Determine if access rights are the minimum necessary for
business purposes. If greater access rights are permitted, determine
why the condition exists and identify any mitigating issues or
compensating controls.
• Ensure that access to operating systems is based on either a
need-to-use or an event-by-event basis.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
36. Does the institution use a reasonable means for delivering
the notices, such as:
a. hand-delivery of a printed copy; [§9(b)(1)(i)]
b. mailing a printed copy to the last known address of the consumer;
[§9(b)(1)(ii)]
c. for the consumer who conducts transactions electronically,
clearly and conspicuously posting the notice on the institution's
electronic site and requiring the consumer to acknowledge receipt as
a necessary step to obtaining a financial product or service; [§9(b)(1)(iii)]
or
d. for isolated transactions, such as ATM transactions, posting the
notice on the screen and requiring the consumer to acknowledge
receipt as a necessary step to obtaining the financial product or
service? [§9(b)(1)(iv)]
(Note: insufficient or unreasonable means of delivery include:
exclusively oral notice, in person or by telephone; branch or office
signs or generally published advertisements; and electronic mail to
a customer who does not obtain products or services electronically.
[§9 (b)(2)(i) and (ii), and (d)])
VISTA - Does {custom4} need an affordable Internet security
penetration-vulnerability test?
Our clients in 41 states rely on VISTA to ensure their IT security
settings, as well as to meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
compliance with Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an
affordable, sophisticated process that goes far beyond the simple
scanning of ports; the testing focuses on a hacker's perspective,
which will help you identify real-world weaknesses. For more
information, give Kinney Williams a call today at 806-798-7119 or
visit http://www.internetbankingaudits.com/.