FYI - The Federal
Financial Institutions Examination Council member agencies today
released a frequently asked questions document to aid in the
implementation of the interagency guidance on Authentication in an
Internet Banking Environment issued October 12, 2005.
Press Release:
www.ffiec.gov/press/pr081506.htm
Press Release:
www.occ.treas.gov/ftp/bulletin/2006-35.doc
Press Release:
www.ots.treas.gov/docs/7/776036.html
Press Release:
www.ncua.gov/news/press_releases/2006/JR06-0815.pdf
FYI -
NCUA - Letter to Credit Unions 06-CU-13 -
Authentication for Internet Based Services.
www.ncua.gov/letters/2006/CU/06-CU-13.doc
FYI - Matrix Bancorp
Announces Personal Computer Theft; Starts Aggressive Program to
Protect Customers Against Identity Theft - Matrix Bancorp, Inc.
announced that two laptop computers, both the property of Matrix
Capital Bank, were stolen from its headquarters building in downtown
Denver, Colorado. The computers, one of which contains certain
proprietary information regarding Matrix Capital Bank and some of
its customers, are strong-password protected and the information on
them is fully encrypted.
http://denver.dbusinessnews.com/shownews.php?newsid=87862&type_news=latest
FYI - Probe continues in
City Hall theft - Hattiesburg police continue to search for leads in
a June break-in at City Hall that resulted in the theft of computers
and other devices containing sensitive personal data on thousands of
city workers and contractors.
http://www.hattiesburgamerican.com/apps/pbcs.dll/article?AID=/20060805/NEWS01/608050305&SearchID=73253128429173
FYI - Security Breach at
Toyota Plant - A security breach at the Toyota plant was being
investigated Thursday after a laptop computer containing personal
information for more than a thousand people was stolen.
http://www.woai.com/news/local/story.aspx?content_id=db231cd9-22cb-4335-9256-6cae88476600
FYI - WSU computers
tampered with - Someone gained unauthorized access to three
computers in Wichita State University's College of Fine Arts box
office and to a server in the psychology department, the university
said. The box-office computers contained credit card information for
about 2,000 patrons. The server held data regarding about 40
applicants to a doctoral program.
http://www.kansas.com/mld/kansas/news/local/15177587.htm
FYI - Organizations and
individuals are still leaving critical data on disks later sold on
through online auctions and computer fairs, according to a new
study. The research carried out by BT, the University of Glamorgan
in Wales and Edith Cowan University in Australia found payroll
information, mobile telephone numbers, copies of invoices, employee
names and photos, IP addresses, network information, illicit audio
and video files, financial details including bank and credit card
accounts on hard drives purchased from a number of sources.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060814/577355/
FYI - UK bank details
sold in Nigeria - People should wipe the hard drive before they give
away their old PC - Bank account details belonging to thousands of
Britons are being sold in West Africa for less than £20 each, the
BBC's Real Story programme has found.
http://news.bbc.co.uk/2/hi/business/4790293.stm
FYI - Old hard drives
yield dark secrets - A quick wipe won't remove the data - Companies
and individuals aren't bothering to destroy data on hard drives
before disposing of them, according to a BT-funded report by
Glamorgan University.
http://www.vnunet.com/vnunet/news/2162173/old-hard-drives-yield-dark
FYI - Two IT execs at Ohio
University fired after data breaches - Two top IT officials at Ohio
University (OU) who were suspended in June in connection with data
security breaches at the school in recent months were fired. In a
statement, the Athens, Ohio-based school announced that Tom Reid,
the university's director of communication network services, and
Todd Acheson, the manager of Internet and systems for the school,
were dismissed in the wake of the breaches -- including one that
exposed personal information on 137,000 alumni.
http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9002206
FYI - Three workers depart AOL
after privacy uproar - Two AOL employees have been fired, and its
chief technology officer is resigning, after the release of Web
search data from thousands of AOL members prompted widespread
criticism of the company.
http://news.com.com/2102-1030_3-6107830.html?tag=st.util.print
WEB SITE COMPLIANCE - We begin this week reviewing the FFIEC interagency
statement on "Weblinking: Identifying Risks and Risk Management
Techniques." (Part 1 of 10)
A. RISK DISCUSSION
Introduction
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking
relationships are exposed to several risks associated with the use
of this technology. The most significant risks are reputation
risk and compliance risk.
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in distinguishing whether the financial
institution or the linked third party is offering products and
services;
- customer dissatisfaction with the quality of products or
services obtained from a third party; and
- customer confusion as to whether certain regulatory
protections apply to third-party products or services.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - DATA CENTER SECURITY
When selecting a site for the most important information systems
components, one major objective is to limit the risk of exposure
from internal and external sources. The selection process should
include a review of the surrounding area to determine if it is
relatively safe from exposure to fire, flood, explosion, or similar
environmental hazards. Outside intruders can be deterred through the
use of guards, fences, barriers, surveillance equipment, or other
similar devices. Since access to key information system hardware and
software should be limited, doors and windows must be secure.
Additionally, the location should not be identified or advertised by
signage or other indicators.
Detection devices, where applicable, should be utilized to prevent
theft and safeguard the equipment. They should provide continuous
coverage. Detection devices have two purposes - to alarm when a response is necessary and to support
subsequent forensics. The alarm capability is only useful when a
response will occur. Some intruder detection devices available
include:
- Switches that activate an alarm when an electrical circuit is
broken;
- Light and laser beams, ultraviolet beams and sound or vibration
detectors that are invisible to the intruder, and ultrasonic and
radar devices that detect movement in a room; and
- Closed-circuit television that allows visual observation and
recording of actions.
Risks from environmental threats can be addressed somewhat through
devices such as halon gas, smoke alarms, raised flooring, heat
sensors, and the like.
Physical security devices frequently need preventive maintenance to
function properly. Maintenance logs are one control the institution
can use to determine whether the devices are appropriately
maintained. Periodic testing of the devices provides assurance that
they are operating correctly.
Security guards should be properly instructed about their duties.
The employees who access secured areas should have proper
identification and authorization to enter the area. All visitors
should sign in and wear proper IDs so that they can be identified
easily. Security guards should be trained to restrict the removal of
assets from the premises and to record the identity of anyone
removing assets. Consideration should be given to implementing a
specific and formal authorization process for the removal of
hardware and software from premises.
The following security zones should have access restricted on a
need basis:
- Operations center
- Uninterrupted power supply
- Telecommunications equipment
- Media library
CABINET AND VAULT SECURITY
Protective containers are designed to meet either fire-resistant or
burglar-resistant standards. Labels describing expected tolerance
levels are usually attached to safes and vault doors. An institution
should select the tolerance level based on the sensitivity and
importance of the information being protected.
IT SECURITY QUESTION:
D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)
6. Determine whether appropriate workstations are
deactivated after a period of inactivity through screen saver
passwords, server time-outs, powering down, or other means.
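As an added example (not from the newsletter or the FFIEC booklet), a PowerShell check an examiner could run on a Windows workstation to answer this question: it reads the screen-saver settings, preferring the Group Policy values over the user's own, and reports whether a password-protected inactivity lock is in force. The 900-second threshold is an assumption; substitute the institution's own standard.

```powershell
# Added example: audit one Windows workstation's inactivity lock.
# Assumption: 900 seconds (15 minutes) is a constructed threshold, not a
# value the examination guidance states; set it to your own policy.

function Get-ScreenSaverSetting {
    param([string]$Name)
    # A Group Policy value, when present, overrides the user's own setting.
    $policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath   = 'HKCU:\Control Panel\Desktop'
    foreach ($path in @($policyPath, $userPath)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) {
            return [pscustomobject]@{ Value = $item.$Name; Source = $path }
        }
    }
    return $null
}

function Test-InactivityLock {
    param([int]$MaxTimeoutSeconds = 900)
    $active  = Get-ScreenSaverSetting -Name 'ScreenSaveActive'    # "1" = on
    $secure  = Get-ScreenSaverSetting -Name 'ScreenSaverIsSecure' # "1" = password on resume
    $timeout = Get-ScreenSaverSetting -Name 'ScreenSaveTimeOut'   # seconds, stored as a string

    $findings = @()
    if (-not $active -or $active.Value -ne '1') { $findings += 'screen saver not enabled' }
    if (-not $secure -or $secure.Value -ne '1') { $findings += 'no password required on resume' }
    if (-not $timeout) {
        $findings += 'no inactivity timeout configured'
    } elseif ([int]$timeout.Value -gt $MaxTimeoutSeconds) {
        $findings += "timeout $($timeout.Value)s exceeds $MaxTimeoutSeconds s"
    }

    # One record per workstation/user, suitable for collecting into an audit workpaper.
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        User             = $env:USERNAME
        Compliant        = ($findings.Count -eq 0)
        Findings         = ($findings -join '; ')
        EnforcedByPolicy = [bool]($active -and $active.Source -like '*Policies*')
    }
}

Test-InactivityLock | Format-List
```

A setting that is compliant but not enforced by policy can be changed by the user, so the EnforcedByPolicy column matters as much as Compliant when sampling workstations.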
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
12. Does the institution make the following disclosures regarding
service providers and joint marketers to whom it discloses nonpublic
personal information under §13:
a. as applicable, the
same categories and examples of nonpublic personal information
disclosed as described in paragraphs (a)(2) and (c)(2) of section
six (6) (see questions 8b and 10); and [§6(c)(4)(i)]
b. that the third party is a service provider that performs
marketing on the institution's behalf or on behalf of the
institution and another financial institution; [§6(c)(4)(ii)(A)] or
c. that the third party is a financial institution with which the
institution has a joint marketing agreement? [§6(c)(4)(ii)(B)]
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
please visit
http://www.internetbankingaudits.com/internal_testing.htm.