R. Kinney Williams & Associates

Internet Banking News

August 20, 2006

CONTENTS: Internet Compliance | Information Systems Security | IT Security Question | Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Barclays to tighten web security - Barclays plans to issue card readers to online banking customers to provide two-factor authentication - High street bank Barclays plans to issue hand-held card readers to all of its 1.6 million active online banking customers to tighten security and combat identity theft. http://www.vnunet.com/computing/news/2161570/barclays-issue-card-readers

FYI - Belhaven College data stolen - Employees warned identity theft possible - A laptop computer stolen last month from a Belhaven College employee contained names and Social Security numbers of college employees, leaving them vulnerable to identity theft. http://www.clarionledger.com/apps/pbcs.dll/article?AID=/20060802/NEWS/608020375

FYI - Agency says laptop with client information stolen - The West Virginia Division of Rehabilitation Services is warning clients that one of its laptop computers containing their personal information has been stolen. The information includes clients' names, addresses, Social Security numbers and telephone numbers. http://www.dailymail.com/news/News/2006080217/

FYI - Poly heist risks identity thefts - Current and former students advised to put fraud alerts on credit reports; thefts of Social Security numbers have happened before - Cal Poly has notified 3,020 current and former students that their names and Social Security numbers were on a laptop computer stolen earlier this month from a physics professor's San Luis Obispo home. http://www.sanluisobispo.com/mld/sanluisobispo/news/15169992.htm

FYI - Agencies push to meet IT security deadline - Federal information security officials are struggling to comply with the June 23 Office of Management and Budget mandate requiring agencies to improve the security of personally identifiable information by Aug. 7. The memorandum, signed by OMB Deputy Director for Management Clay Johnson, was in response to a recent rash of data breaches reported across the government. http://www.govexec.com/story_page.cfm?articleid=34713&printerfriendlyVers=1&

FYI - Laptop thefts pose real gov't data risk - Lost or stolen? The distinction matters. A Freedom of Information enquiry by silicon.com has uncovered the number of laptops stolen from key UK government departments over the past year, raising questions and concerns about sensitive data falling into the wrong hands. The worst affected department was the Ministry of Defence. It reported 21 laptops were stolen between July 2005 and July 2006. http://www.silicon.com/publicsector/0,3800010409,39161159,00.htm

FYI - Mobile phones leak from UK government - And desktops, PDAs and projectors as well - A recent Freedom of Information (FoI) enquiry by silicon.com into lost devices within the UK government has revealed how many mobile phones have gone astray in a number of departments, as well as unearthing some more unusual losses. http://www.silicon.com/publicsector/0,3800010409,39161167,00.htm

FYI - NCUA - Board Member Hyland Outlines IT Issues at CUNA's Technology Council - Speaking today before 150 IT professionals attending CUNA's Technology Council conference, Board Member Gigi Hyland underscored the crucial role of IT professionals as strategic partners in assuring that credit unions thrive in the future. Among the topics discussed were upcoming requirements to deploy multifactor authentication, as well as data security, plastic card fraud, and ID theft. www.ncua.gov/news/press_releases/2006/MA06-0804.htm 

FYI - The Federal Reserve Bank of Dallas will host Directo a México Seminars throughout the Eleventh Federal Reserve District in September and October 2006. These seminars will provide an opportunity for financial institutions to learn more about our Directo a México service, through which institutions can send FedACH® payments to Mexico. http://dallasfed.org/news/banking/06directo.html

Return to the top of the newsletter

WEB SITE COMPLIANCE - We conclude our series on the FFIEC Authentication in an Internet Banking Environment.  (Part 13 of 13)  Next week we will begin our series on the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."

Customer Verification Techniques

Customer verification is a related but separate process from that of authentication. Customer verification complements the authentication process and should occur during account origination. Verification of personal information may be achieved in three ways:

Positive verification to ensure that material information provided by an applicant matches information available from trusted third party sources. More specifically, a financial institution can verify a potential customer's identity by comparing the applicant's answers to a series of detailed questions against information in a trusted database (e.g., a reliable credit report) to see if the information supplied by the applicant matches information in the database. As the questions become more specific and detailed, correct answers provide the financial institution with an increasing level of confidence that the applicant is who they say they are.

Logical verification to ensure that information provided is logically consistent (e.g., do the telephone area code, ZIP code, and street address match).

Negative verification to ensure that information provided has not previously been associated with fraudulent activity. For example, applicant information can be compared against fraud databases to determine whether any of the information is associated with known incidents of fraudulent behavior. In the case of commercial customers, however, the sole reliance on online electronic database comparison techniques is not adequate since certain documents (e.g., bylaws) needed to establish an individual's right to act on a company's behalf are not available from databases. Institutions still must rely on traditional forms of personal identification and document validation combined with electronic verification tools.
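The three checks above (positive, logical and negative verification) can be combined into a single account-origination decision. The following is an added illustration written for this newsletter page, not guidance text or code from the FFIEC or from Yennik, Inc.; every "trusted" record, area-code/ZIP table, fraud-database entry and applicant below is constructed for the example, the 75% positive-verification threshold is an assumed policy value, and the logical check covers only the area-code/ZIP pairing the guidance mentions.

```python
"""Positive, logical and negative customer verification on constructed data.
Added example for the FFIEC authentication discussion; all data is made up."""
from dataclasses import dataclass, field

# Constructed stand-in for a trusted third-party source (e.g. a credit report),
# keyed by the applicant's identifier. Values are stored normalized (lower case).
TRUSTED_RECORDS = {
    "123-45-6789": {
        "name": "jane doe",
        "dob": "1980-04-12",
        "prior_street": "14 elm st",
        "lender": "first sample bank",
    },
}

# Constructed area-code -> plausible ZIP-prefix table for the logical check.
AREA_CODE_TO_ZIP_PREFIXES = {
    "806": {"793", "794"},
    "212": {"100", "101", "102"},
}

# Constructed fraud database: values previously tied to fraudulent activity.
FRAUD_DB = {
    "ssn": {"999-99-9999"},
    "phone": {"806-555-0100"},
    "street": {"1 fake plaza"},
}

# Detailed questions whose answers are compared with the trusted record.
DETAILED_QUESTIONS = ("name", "dob", "prior_street", "lender")
POSITIVE_THRESHOLD = 0.75  # assumed policy: at least 3 of 4 answers must match


@dataclass
class Applicant:
    ssn: str
    phone: str
    zip_code: str
    street: str
    answers: dict  # applicant's answers to the detailed questions


@dataclass
class VerificationResult:
    positive_score: float
    logical_ok: bool
    negative_hits: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        # All three checks must clear; any fraud-database hit is disqualifying.
        return (self.positive_score >= POSITIVE_THRESHOLD
                and self.logical_ok and not self.negative_hits)


def _norm(value: str) -> str:
    return " ".join(value.strip().lower().split())


def positive_verification(app: Applicant) -> float:
    """Fraction of detailed questions whose answers match the trusted record.
    More correct answers give the institution more confidence in the identity."""
    record = TRUSTED_RECORDS.get(app.ssn)
    if record is None:
        return 0.0
    correct = sum(1 for q in DETAILED_QUESTIONS
                  if _norm(app.answers.get(q, "")) == record[q])
    return correct / len(DETAILED_QUESTIONS)


def logical_verification(app: Applicant) -> bool:
    """Internal consistency: does the phone area code belong with the ZIP code?"""
    area_code = app.phone.split("-")[0]
    prefixes = AREA_CODE_TO_ZIP_PREFIXES.get(area_code)
    # An unknown area code is treated as inconsistent (refer to manual review).
    return prefixes is not None and app.zip_code[:3] in prefixes


def negative_verification(app: Applicant) -> list:
    """Names of the applicant fields found in the fraud database."""
    checks = {"ssn": app.ssn, "phone": app.phone, "street": _norm(app.street)}
    return [fld for fld, val in checks.items() if val in FRAUD_DB[fld]]


def verify_applicant(app: Applicant) -> VerificationResult:
    return VerificationResult(positive_verification(app),
                              logical_verification(app),
                              negative_verification(app))


def sample_applicants() -> dict:
    """Constructed applicants: one genuine and three that fail one check each."""
    base = dict(ssn="123-45-6789", phone="806-555-0123", zip_code="79424",
                street="22 Oak Ave",
                answers={"name": "Jane Doe", "dob": "1980-04-12",
                         "prior_street": "14 Elm St", "lender": "First Sample Bank"})
    wrong = {**base["answers"], "prior_street": "9 Pine Rd", "lender": "Other Bank"}
    return {
        "genuine": Applicant(**base),
        "impostor": Applicant(**{**base, "answers": wrong}),          # fails positive
        "inconsistent": Applicant(**{**base, "phone": "212-555-0123"}),  # fails logical
        "fraud_linked": Applicant(**{**base, "street": "1 Fake Plaza"}),  # fails negative
    }


if __name__ == "__main__":
    for label, app in sample_applicants().items():
        print(label, verify_applicant(app))
```

The point of keeping the three checks separate in the result is that each failure routes differently: a low positive score calls for more detailed questions or document validation, a logical inconsistency for manual review, and a fraud-database hit for the institution's fraud process rather than a retry.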

Another authentication method consists of the financial institution relying on a third party to verify the identity of the applicant. The third party would issue the applicant an electronic credential, such as a digital certificate, that can be used by the applicant to prove his/her identity. The financial institution is responsible for ensuring that the third party uses the same level of authentication that the financial institution would use itself.


We continue our series on the FFIEC interagency Information Security Booklet.  


The confidentiality, integrity, and availability of information can be impaired through physical access and damage or destruction to physical components. Conceptually, those physical security risks are mitigated through zone-oriented implementations. Zones are physical areas with differing physical security requirements. The security requirements of each zone are a function of the sensitivity of the data contained in or accessible through the zone and of the information technology components in the zone. For instance, data centers may be in the highest security zone, and branches may be in a much lower security zone. Different security zones can exist within the same structure. Routers and servers in a branch, for instance, may be protected to a greater degree than customer service terminals. Computers and telecommunications equipment within an operations center will be in a higher security zone than I/O operations, with the media used in that equipment stored in a yet higher zone.

The requirements for each zone should be determined through the risk assessment. The risk assessment should include, but is not limited to, the following threats:

- Aircraft crashes
- Chemical effects
- Dust
- Electrical supply interference
- Electromagnetic radiation
- Explosives
- Fire
- Smoke
- Theft/Destruction
- Vibration/Earthquake
- Water
- Wireless emissions
- Any other threats applicable based on the entity's unique geographical location, building configuration, neighboring entities, etc.




5. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service, and that those policies and procedures are consistently followed by appropriately trained personnel.


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, and a few examples to illustrate the types of the third parties in each category:

a. financial service providers; [§6(c)(3)(i)]

b. non-financial companies; [§6(c)(3)(ii)] and

c. others? [§6(c)(3)(iii)]

NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley Act and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing the internal connections to your network.  For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated