R. Kinney Williams & Associates
Internet Banking News
September 24, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Wells Fargo discloses another data breach - It's the fifth incident in less than three years - In a replay of similar incidents over the past three years, Wells Fargo & Co. this week began again to notify people about the potential compromise of their personal information.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002944&source=NLT_FIN&nlid=56
FYI - BoI to refund phishing victims - Bank of Ireland has agreed to compensate victims of a recent phishing scam, backtracking from its earlier position. The bank had initially refused to refund victims, who lost about €160,000 to scammers after receiving the fake emails. However, reports in the Irish Independent on Tuesday indicate that the bank has since had a change of heart.
http://www.theregister.co.uk/2006/09/06/boi_refunds_phishing_victims/print.html
FYI - IRS Gives Away $318 Million Because Of Bungled Software Upgrade - The Internal Revenue Service issued more than $318 million in refunds on phony returns last year because of a botched software project, a government report released last week said.
http://www.techweb.com/wire/192501772
and
http://www.treas.gov/tigta/auditreports/2006reports/200620108fr.pdf
FYI - Calif. police probe computer breach in Schwarzenegger's office - The incident involves a digital recording leaked to the Los Angeles Times - The California Highway Patrol (CHP) is investigating the apparent hacking of a computer in Gov. Arnold Schwarzenegger's office.
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/09/11/MNG8KL3A051.DTL&type=printable
FYI - Chase trashes tapes with client info - Chase Card Services says it's notifying more than two and a half million Circuit City credit card holders that computer tapes containing their personal information were mistakenly thrown in the trash.
http://news.moneycentral.msn.com/provider/providerarticle.asp?feed=AP&Date=20060907&ID=6002314
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Introduction
Management must effectively plan, implement, and monitor the financial institution's weblinking relationships. This includes situations in which the institution has a third-party service provider create, arrange, or manage its website. There are several methods of managing a financial institution's risk exposure from third-party weblinking relationships. The methods adopted to manage the risks of a particular link should be appropriate to the level of risk presented by that link, as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks should review the types of products or services and the overall website content made available to its customers through the weblinks. Management should consider whether the links support the institution's overall strategic plan. Tools useful in planning weblinking relationships include:
1) due diligence with respect to third parties to which the financial institution is considering links; and
2) written agreements with significant third parties.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
ENCRYPTION - HOW ENCRYPTION WORKS
In general, encryption functions by taking data and a variable, called a "key," and processing those items through a fixed algorithm to create the encrypted text. The strength of the encrypted text is determined by the entropy, or degree of uncertainty, in the key and the algorithm. Key length and key selection criteria are important determinants of entropy. Greater key lengths generally indicate more possible keys. More important than key length, however, is the potential limitation of possible keys posed by the key selection criteria. For instance, a 128-bit key has much less than 128 bits of entropy if it is selected from only certain letters or numbers. The full 128 bits of entropy will only be realized if the key is randomly selected across the entire 128-bit range.
The encryption algorithm is also important. Creating a mathematical algorithm that does not limit the entropy of the key and testing the algorithm to ensure its integrity are difficult. Since the strength of an algorithm is related to its ability to maximize entropy instead of its secrecy, algorithms are generally made public and subject to peer review. The more that the algorithm is tested by knowledgeable worldwide experts, the more the algorithm can be trusted to perform as expected. Examples of public algorithms are AES, DES and Triple DES, SHA-1, and RSA.
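The paragraph above makes the point that a key which is 128 bits wide can carry far fewer than 128 bits of entropy when the selection rule restricts it to certain letters or digits. The following Python is an added illustration (not from the FFIEC booklet or this newsletter) that quantifies this: it computes the entropy of a 16-symbol key for several alphabets, how many symbols each alphabet needs to reach a true 128 bits, and builds a restricted key next to one drawn uniformly from the OS random source. The alphabets and the 16-symbol length are assumptions chosen for the example.

```python
import math
import secrets

# Entropy in bits of a key `length` symbols long, each symbol drawn uniformly
# from an alphabet of `alphabet_size` symbols: log2(alphabet_size ** length).
def key_entropy_bits(alphabet_size: int, length: int) -> float:
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one key position")
    return length * math.log2(alphabet_size)

# Symbols from the alphabet needed before the key carries `target_bits` of entropy.
def symbols_needed(alphabet_size: int, target_bits: float) -> int:
    return math.ceil(target_bits / math.log2(alphabet_size))

# How many times larger the full 2**128 key space is than the space actually
# reachable by this selection rule (1.0 means the rule loses nothing).
def search_space_ratio(alphabet_size: int, length: int) -> float:
    return 2.0 ** 128 / float(alphabet_size ** length)

# A key that is 128 bits (16 ASCII bytes) wide but chosen from a restricted
# alphabet: it only carries key_entropy_bits(len(alphabet), 16) bits.
def restricted_key(alphabet: str, length: int = 16) -> bytes:
    return "".join(secrets.choice(alphabet) for _ in range(length)).encode("ascii")

# A key drawn uniformly over the whole 128-bit range from the OS CSPRNG.
def full_entropy_key() -> bytes:
    return secrets.token_bytes(16)

# Constructed selection rules (alphabet sizes) for a 16-symbol key.
SELECTION_RULES = {
    "digits only": 10,
    "lowercase letters": 26,
    "letters and digits": 62,
    "uniform random bytes": 256,
}

def compare_selection_rules(length: int = 16) -> dict:
    # Entropy carried by a 16-symbol key under each rule, rounded to 0.1 bit.
    return {name: round(key_entropy_bits(size, length), 1)
            for name, size in SELECTION_RULES.items()}

if __name__ == "__main__":
    for name, size in SELECTION_RULES.items():
        print(f"{name:22s} entropy={key_entropy_bits(size, 16):6.1f} bits, "
              f"symbols for 128 bits={symbols_needed(size, 128):3d}, "
              f"key space shrinks by {search_space_ratio(size, 16):.3g}x")
    print("restricted:", restricted_key("0123456789"), "uniform:", full_entropy_key().hex())
```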
IT SECURITY QUESTION:
E. PHYSICAL SECURITY
3. Determine whether:
• Authorization for physical access to critical or sensitive information-processing facilities is granted according to an appropriate process;
• Authorizations are enforceable by appropriate preventive, detective, and corrective controls; and
• Authorizations can be revoked in a practical and timely manner.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
16. If the institution provides a short-form initial privacy notice according to §6(d)(1), does the short-form initial notice:
a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]
b. state that the institution's full privacy notice is available upon request; [§6(d)(2)(ii)] and
c. explain a reasonable means by which the consumer may obtain the notice? [§6(d)(2)(iii)]
(Note: the institution is not required to deliver the full privacy notice with the short-form initial notice. [§6(d)(3)])
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With the Gramm-Leach-Bliley Act and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network. For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.