R. Kinney Williams & Associates

Internet Banking News

August 28, 2005



FYI - Information Technology Risk Management Program - New Information Technology Examination Procedures - The FDIC has updated its risk-focused information technology examination procedures for FDIC-supervised financial institutions.  http://www.fdic.gov/news/news/financial/2005/fil8105.html

FYI - Fraud Hotline - Guidance on Implementing a Fraud Hotline - The FDIC is providing guidance to financial institutions on implementing a fraud hotline to minimize potential and actual fraud risks as part of a bank's governance and enterprise risk management program.  www.fdic.gov/news/news/financial/2005/fil8005.html

FYI - Kutztown 13 Face Felony Charges - They're being called the Kutztown 13 -- a group of high schoolers charged with felonies for bypassing security with school-issued laptops, downloading forbidden internet goodies and using monitoring software to spy on district administrators. http://www.wired.com/news/print/0,1294,68480,00.html

FYI - A closed-loop change management process allows internal auditors and IT administrators to detect and review changes made to the organization's IT infrastructure and their impacts in real-time. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5641

FYI - Intranets are gun with safety off - Companies put themselves at risk by holding and passing too much sensitive information on their company intranets, a new report suggests. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=58fd20f2-5457-484b-9583-2e8c49c15981&newsType=Latest%20News&s=n

FYI - Community Reinvestment Act - Final Rule - On August 2, 2005, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Board of Governors of the Federal Reserve System jointly published in the Federal Register a final rule revising their Community Reinvestment Act regulations.
Press Release: www.occ.treas.gov/ftp/bulletin/2005-28.txt 
Attachment: www.occ.treas.gov/fr/fedregister/70fr44256.pdf 



WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 2 of 5)

PROCEDURES TO ADDRESS SPOOFING - Detection

Banks can improve their ability to detect spoofing by monitoring appropriate information available inside the bank and by searching the Internet for illegal or unauthorized use of bank names and trademarks.  The following is a list of possible indicators of Web-site spoofing:

*  E-mail messages returned (bounced) to bank mail servers that the bank never sent, which indicates that the bank's domain is being forged in phishing mail.  In some cases, these e-mails may contain links to spoofed Web sites;
*  Reviews of Web-server logs can reveal requests referred from suspect Web addresses, indicating that the bank's Web site is being copied (for example, a spoofed site hot-linking the bank's own images and style sheets) or that other malicious activity is taking place;
*  An increase in customer calls to call centers or other bank personnel, or direct communications from consumers reporting spoofing activity.

Banks can also detect spoofing by searching the Internet for identifiers associated with the bank such as the name of a company or bank.  Banks can use available search engines and other tools to monitor Web sites, bulletin boards, news reports, chat rooms, newsgroups, and other forums to identify usage of a specific company or bank name.  The searches may uncover recent registrations of domain names similar to the bank's domain name before they are used to spoof the bank's Web site.  Banks can conduct this monitoring in-house or can contract with third parties who provide monitoring services.
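
The two detection methods above, Web-server log review and searching for look-alike domain names, can be automated.  The following Python script is an added example written for this newsletter; it is not part of the OCC guidance.  The bank domain examplebank.com, the log lines, and the list of "recently registered" domains are all constructed for illustration; in practice the registration list would come from a zone-file feed, WHOIS lookups, or a third-party monitoring service.

```python
"""Added example (not OCC or newsletter code): automate two spoofing indicators.

1. Web-server log review: a spoofed site that copies the bank's pages often
   hot-links the bank's images and style sheets, so the bank's own logs show
   requests for static assets whose Referer header names a foreign host.
2. Look-alike domain search: generate common typo and homoglyph variants of
   the bank's domain and compare them against newly registered names.

BANK_DOMAIN, SAMPLE_LOG and NEW_REGISTRATIONS are hypothetical/constructed.
"""
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

BANK_DOMAIN = "examplebank.com"   # hypothetical bank domain
STATIC_EXT = (".gif", ".jpg", ".png", ".css", ".js", ".ico")

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Aug/2005:10:15:02 -0500] "GET /images/logo.gif HTTP/1.1" 200 4521 "http://examplebank-login.com/signin.html" "Mozilla/4.0"',
    '198.51.100.7 - - [28/Aug/2005:10:15:09 -0500] "GET /online/login.jsp HTTP/1.1" 200 8813 "https://www.examplebank.com/" "Mozilla/4.0"',
    '192.0.2.44 - - [28/Aug/2005:10:16:33 -0500] "GET /css/site.css HTTP/1.1" 200 2210 "http://examp1ebank.com/" "Mozilla/4.0"',
    '192.0.2.45 - - [28/Aug/2005:10:17:01 -0500] "GET /about.html HTTP/1.1" 200 3300 "-" "Mozilla/4.0"',
    '192.0.2.46 - - [28/Aug/2005:10:17:05 -0500] "GET /rates.html HTTP/1.1" 200 3100 "http://news.example.org/story" "Mozilla/4.0"',
]

# Constructed list standing in for a feed of recent domain registrations.
NEW_REGISTRATIONS = [
    "examp1ebank.com", "exarnplebank.com", "flowershop.com",
    "examplebank-login.com", "examplebnak.com", "examplebank.com",
]


def referer_host(referer: str) -> Optional[str]:
    """Lower-cased hostname from a Referer URL, or None if absent ("-") or unparsable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_bank_host(host: str) -> bool:
    """True for the bank's own domain and any of its subdomains."""
    return host == BANK_DOMAIN or host.endswith("." + BANK_DOMAIN)


def find_foreign_referers(log_lines: List[str]) -> List[Tuple[str, str]]:
    """(referer_host, requested_path) for every request referred from a non-bank host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        host = referer_host(m.group("referer"))
        if host is None or is_bank_host(host):
            continue
        parts = m.group("req").split(" ")
        path = parts[1] if len(parts) > 1 else parts[0]
        hits.append((host, path))
    return hits


def suspect_hosts(log_lines: List[str]) -> Set[str]:
    """Foreign hosts that pull the bank's static assets (logo, CSS): the strongest
    hot-linking signal.  A foreign referer to an HTML page alone may be a news link."""
    return {host for host, path in find_foreign_referers(log_lines)
            if path.lower().endswith(STATIC_EXT)}


def lookalike_domains(domain: str) -> Set[str]:
    """Typo-squat variants of the second-level label: omission, transposition,
    repetition, homoglyph substitution, and common affixes.  Keeps the same TLD."""
    label, _, tld = domain.partition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                     # omission
        variants.add(label[:i] + label[i] + label[i:])              # repetition
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    homoglyphs = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5", "m": "rn"}
    for i, ch in enumerate(label):
        if ch in homoglyphs:
            variants.add(label[:i] + homoglyphs[ch] + label[i + 1:])
    for affix in ("secure", "online", "login", "my"):
        variants.update({affix + label, label + affix,
                         affix + "-" + label, label + "-" + affix})
    variants.discard(label)               # the bank's real domain is not a look-alike
    return {v + "." + tld for v in variants}


def flag_lookalikes(domain: str, registrations: List[str]) -> List[str]:
    """Registered names that match a generated look-alike of the bank's domain."""
    candidates = lookalike_domains(domain)
    return sorted(d for d in registrations if d in candidates)


if __name__ == "__main__":
    print("hosts hot-linking bank assets:", sorted(suspect_hosts(SAMPLE_LOG)))
    print("look-alike registrations:", flag_lookalikes(BANK_DOMAIN, NEW_REGISTRATIONS))
```

Hosts that hot-link the bank's static assets are the ones worth escalating for takedown; a foreign referer to an ordinary HTML page is usually just an inbound link.  The generated look-alike set is a starting point, not a complete list, and any domain it flags should be checked against the bank's own registrations before it is reported.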

Banks can encourage customers and consumers to assist in the identification process by providing prominent links on their Web pages or telephone contact numbers through which customers and consumers can report phishing or other fraudulent activities.

Banks can also train customer-service personnel to identify and report customer calls that may stem from potential Web-site attacks.


INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most importantly, your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter.

ROLES AND RESPONSIBILITIES (1 of 2)

Information security is the responsibility of everyone at the institution, as well as the institution's service providers and contractors. The board, management, and employees all have different roles in developing and implementing an effective security process. The board of directors is responsible for overseeing the development, implementation, and maintenance of the institution's information security program. Oversight requires the board to provide management with guidance and receive reports on the effectiveness of management's response. The board should approve written information security policies and the information security program at least annually. The board should provide management with its expectations and requirements for:

1)  Central oversight and coordination,
2)  Areas of responsibility,
3)  Risk measurement,
4)  Monitoring and testing,
5)  Reporting, and
6)  Acceptable residual risk.

Senior management's attitude towards security affects the entire organization's commitment to security. For example, the failure of a financial institution president to comply with security policies could undermine the entire organization's commitment to security.

Senior management should designate one or more individuals as information security officers. Security officers should be responsible and accountable for security administration. At a minimum, they should directly manage or oversee risk assessment, development of policies, standards, and procedures, testing, and security reporting processes. Security officers should have the authority to respond to a security event by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value. They should have sufficient knowledge, background, and training, as well as an organizational position, to enable them to perform their assigned tasks.



IT SECURITY QUESTION: 
A. AUTHENTICATION AND ACCESS CONTROLS - Access Rights Administration

3. Determine whether employees' levels of online access (blocked, read-only, update, override, etc.) match their current job responsibilities.

4. Determine that administrator or root privilege access is appropriately monitored, where appropriate.


* Management may choose to further categorize types of administrator/root access based upon a risk assessment. Categorizing this type of access can be used to identify and monitor higher-risk administrator and root access requests that should be promptly reported.



INTERNET PRIVACY
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

38. For customers only, does the institution ensure that the initial, annual, and revised notices may be retained or obtained later by the customer in writing, or if the customer agrees, electronically? [§9(e)(1)]

VISTA - Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which supports compliance with Gramm-Leach-Bliley Act section 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning; the testing is conducted from a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated