FYI -
Banks Resuming Operations in Hurricane-Affected Areas Chairman to
Tour Areas Hit by Storm, Meet with State Banking Commissioners -
Most banks in the areas affected by Hurricane Katrina are operating
and providing financial services to customers and non-customers,
according to the FDIC, which has now been able to contact all of the
280 institutions in the area.
www.fdic.gov/news/news/press/2005/pr8805.html
FYI - The Invasion of
the Chinese Cyberspies (And the Man Who Tried to Stop Them) - An
exclusive look at how the hackers called TITAN RAIN are stealing
U.S. secrets.
http://www.time.com/time/magazine/printout/0,8816,1098961,00.html
FYI - Integrating IT
Controls and Sarbanes-Oxley - To implement Sarbanes-Oxley
effectively, IT and accounting functions need to work together
closely.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5648
FYI - SEC may fine
Morgan Stanley $10 million over e-mail - The Securities and Exchange
Commission is threatening to fine Morgan Stanley more than $10
million for failing to keep e-mails in a number of cases the agency
brought against the brokerage firm.
The fine, if levied, would be one of the biggest monetary penalties
ever paid.
http://news.com.com/2102-1030_3-5844536.html?tag=st.util.print
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation
and Response Guidance for Web Site Spoofing Incidents (Part 4 of
5)
PROCEDURES TO ADDRESS SPOOFING - Spoofing Incident Response
To respond to spoofing incidents effectively, bank management should
establish structured and consistent procedures. These procedures
should be designed to close fraudulent Web sites, obtain identifying
information from the spoofed Web site to protect customers, and
preserve evidence that may be helpful in connection with any
subsequent law enforcement investigations.
Banks can take the following steps to disable a spoofed Web site and
recover customer information. Some of these steps will require the
assistance of legal counsel.
* Communicate promptly, including through written communications,
with the Internet service provider (ISP) responsible for hosting the
fraudulent Web site and demand that the suspect Web site be
shutdown;
* Contact the domain name registrars promptly, for any domain name
involved in the scheme, and demand the disablement of the domain
names;
* Obtain a subpoena from the clerk of a U.S. District Court
directing the ISP to identify the owners of the spoofed Web site and
to recover customer information in accordance with the Digital
Millennium Copyright Act;
* Work with law enforcement; and
* Use other existing mechanisms to report suspected spoofing
activity.
The following are other actions and types of legal documents that
banks can use to respond to a spoofing incident:
* Banks can write letters to domain name registrars demanding that
the incorrect use of their names or trademarks cease immediately;
* If these demand letters are not effective, companies with
registered Internet names can use the Uniform Domain Name Dispute
Resolution Policy (UDRP) to resolve disputes in which they suspect
that their names or trademarks have been illegally infringed upon.
A UDRP complaint is brought against the registrant of the
infringing domain name; the registrar then implements the panel's
decision (cancellation or transfer of the name). However, banks must
bear in mind that the UDRP can be relatively time-consuming. For more
details on this process see
http://www.icann.org/udrp/udrp-policy-24oct99.htm; and
* Additional remedies may be available under the federal Anti-Cybersquatting
Consumer Protection Act (ACCPA), allowing the bank to initiate
immediate action in federal district court under section 43(d) of
the Lanham Act, 15 USC 1125(d). Specifically, the ACCPA can provide
for rapid injunctive relief without the need to demonstrate a
similarity or likelihood of confusion between the goods or services
of the parties.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
INFORMATION SECURITY RISK ASSESSMENT
Action Summary - Financial institutions must maintain an ongoing
information security risk assessment program that effectively:
1) Gathers data regarding the information and technology assets of
the organization, threats to those assets, vulnerabilities, existing
security controls and processes, and the current security standards
and requirements;
2) Analyzes the probability and impact associated with the known
threats and vulnerabilities to its assets; and
3) Prioritizes the risks present due to threats and vulnerabilities
to determine the appropriate level of training, controls, and
testing necessary for effective mitigation.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Access Rights Administration
6. Determine that, where appropriate and feasible, programs do not
run with greater access to other resources than necessary. Programs
to consider include application programs, network administration
programs (e.g., DNS), and other programs.
7. Compare the access control rules establishment and assignment
processes to the access control policy for consistency.
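One way an examiner or administrator can test question 6 on a Unix host is to take a process listing and check that network daemons such as DNS have dropped to a dedicated unprivileged account rather than running as root. The script below is an added example, not part of the FFIEC material or this newsletter; the process listing is constructed inline in the column layout of `ps -eo user,pid,comm`, and the table of expected service accounts and the set of daemons allowed one root supervisor process are assumptions to be adjusted to the platform being examined.

```python
"""Added example: a least-privilege check over a process listing.

Audits whether network daemons run with more access than necessary by
parsing the column layout of `ps -eo user,pid,comm`.  The listing below is
constructed for the example, and the expected-account table is an
assumption: adjust it to your platform's packaging conventions.
"""

# Constructed sample in the layout of `ps -eo user,pid,comm`.
SAMPLE_PS_OUTPUT = """\
USER       PID COMMAND
root         1 systemd
root       412 named
www-data   820 apache2
root       821 apache2
postfix    910 qmgr
root       911 master
root      1005 sshd
nobody    1100 dnsmasq
daemon    1200 dnsmasq
"""

# Daemons that should drop to a dedicated unprivileged account after
# start-up, and the accounts acceptable for each (assumed values).
EXPECTED_ACCOUNTS = {
    "named": {"bind", "named"},
    "dnsmasq": {"nobody", "dnsmasq"},
    "apache2": {"www-data"},
    "qmgr": {"postfix"},
}

# Daemons whose single master process legitimately stays root because it
# binds privileged ports and forks unprivileged workers (assumed).
ROOT_SUPERVISOR_ALLOWED = {"apache2", "named"}


def parse_ps(text):
    """Return (user, pid, command) tuples from `ps -eo user,pid,comm` text."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].isdigit():
            rows.append((parts[0], int(parts[1]), parts[2]))
    return rows


def audit_privileges(rows):
    """Return (command, pid, issue) findings for daemons running with more
    access than their role requires."""
    by_cmd = {}
    for user, pid, cmd in rows:
        by_cmd.setdefault(cmd, []).append((user, pid))

    findings = []
    for cmd, allowed in EXPECTED_ACCOUNTS.items():
        instances = by_cmd.get(cmd, [])
        root_pids = [pid for user, pid in instances if user == "root"]
        workers = [(user, pid) for user, pid in instances if user != "root"]

        # A worker running under an account other than the dedicated one.
        for user, pid in workers:
            if user not in allowed:
                findings.append((cmd, pid,
                                 f"runs as '{user}', expected one of {sorted(allowed)}"))

        # Root instances beyond the one permitted supervisor are excess privilege.
        budget = 1 if cmd in ROOT_SUPERVISOR_ALLOWED else 0
        for pid in root_pids[budget:]:
            findings.append((cmd, pid, "extra instance running as root"))

        # A daemon that never dropped privileges at all.
        if root_pids and not workers:
            for pid in root_pids[:budget]:
                findings.append((cmd, pid,
                                 "runs only as root; no instance dropped to "
                                 f"{sorted(allowed)}"))
    return findings


def run_audit(text=SAMPLE_PS_OUTPUT):
    """Parse the listing and return the findings, sorted by pid."""
    return sorted(audit_privileges(parse_ps(text)), key=lambda f: f[1])


if __name__ == "__main__":
    for cmd, pid, issue in run_audit():
        print(f"FINDING {cmd} (pid {pid}): {issue}")
```

On the constructed listing the check reports two findings: `named` (pid 412) has no unprivileged worker at all, so the DNS server is still running as root, and one `dnsmasq` worker (pid 1200) runs as `daemon` instead of the dedicated account. `apache2` passes because its single root master is paired with a `www-data` worker, which is the expected pattern for a daemon that binds a privileged port and then drops privileges. To run it against a live host, feed the output of `ps -eo user,pid,comm` to `run_audit` and extend the tables with the services actually deployed.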
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
40. Does the institution provide at least one initial, annual,
and revised notice, as applicable, to joint consumers? [§9(g)]
VISTA - Does your financial institution need an affordable Internet
security penetration-vulnerability test?
Our clients in 41 states rely on VISTA to verify their IT security
settings and to meet the independent diagnostic test requirements of
the FDIC, OCC, OTS, FRB, and NCUA, which supports compliance with
Gramm-Leach-Bliley Act section 501(b).
The VISTA penetration study and Internet security test is an
affordable, sophisticated process that goes far beyond simple port
scanning; the testing is conducted from a hacker's perspective, which
will help you identify real-world weaknesses. For more information,
give Kinney Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.