R. Kinney Williams & Associates

Internet Banking News

November 19, 2006

CONTENT
- Internet Compliance
- Information Systems Security
- IT Security Question
- Internet Privacy
- Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Better coordination of cybersecurity R&D needed - The federal government has to do a better job of coordinating research and development on cybersecurity issues and needs to improve its information sharing and collaboration efforts on the topic, according to a just-released report by the Government Accountability Office. http://www.gcn.com/online/vol1_no1/42465-1.html?topic=security

FYI - BT reviews security after exchange break in - Vandals disconnect 35,000 phone lines - BT is reviewing security at thousands of telephone exchanges across the country after a Birmingham exchange was vandalised at the weekend, causing 35,000 phone lines to be cut. http://networks.silicon.com/telecoms/0,39024659,39163726,00.htm

FYI - Level 3 floored by robbery - Level 3, the supposedly secure back bone provider, has lost all services at its Braham Street data centre thanks to a robbery. http://www.theregister.co.uk/2006/11/01/level3_robbery/print.html

FYI - Hackers break into water system network - Pennsylvania breach occurred via compromised laptop - An infected laptop PC gave hackers access to computer systems at a Harrisburg, Pa., water treatment plant earlier this month. The plant's systems were accessed in early October after an employee's laptop computer was compromised via the Internet and then used as an entry point to install a computer virus and spyware on the plant's computer system, according to a report by ABC News. http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9004659

FYI - Janesville student expelled for hacking into computers - A high school student has been expelled after being accused of hacking into the computer system and causing outages over two weeks last month. The student at Craig High School has been banned from district schools, said superintendent Tom Evert. http://www.bradenton.com/mld/bradenton/15863962.htm

MISSING COMPUTERS/DATA

FYI - Another VA breach affects 1,600 veterans from New York system - The Department of Veterans Affairs (VA) is again warning veterans their identity may be at risk following the theft of an unencrypted laptop from the agency's New York Harbor Healthcare System. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061106/602715/

FYI - Taken Los Alamos drives held secrets - U.S. government officials said sensitive and classified documents were among the files on portable drives taken from Los Alamos National Laboratory. http://www.upi.com/NewsTrack/view.php?StoryID=20061104-063805-7735r

FYI - 'Scrubbed' laptop had data on 6,000 Utahns - More than 6,000 people who worked for Intermountain Healthcare's central urban region in 1999 have learned that a file listing their Social Security numbers was briefly for sale - for $20. The good news, according to Intermountain, is the man who unknowingly bought the data didn't compromise anyone. And steps have been taken to see it never happens again. http://deseretnews.com/dn/print/1,1442,650203974,00.html

FYI - Starbucks loses laptops with worker data - Starbucks Corp. said Friday it had lost track of four laptop computers, two of which had private information on about 60,000 current and former U.S. employees and fewer than 80 Canadian workers and contractors. http://www.centredaily.com/mld/centredaily/business/15923874.htm?template=contentModules/printstory.jsp

FYI - PC with personal information of 1.4 million Colorado residents stolen - A Denver company today offered $10,000 for information leading to the recovery of a stolen PC containing a government database with the personal information of 1.4 million Colorado citizens. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061109/603079/



WEB SITE COMPLIANCE -
Equal Credit Opportunity Act (Regulation B)

The regulation clarifies the rules concerning the taking of credit applications by specifying that application information entered directly into and retained by a computerized system qualifies as a written application under this section. If an institution makes credit application forms available through its on-line system, it must ensure that the forms satisfy the requirements.

The regulation also clarifies the requirements that apply when an institution takes loan applications through electronic media. If an applicant applies through an electronic medium (for example, the Internet or a facsimile) without video capability that allows employees of the institution to see the applicant, the institution may treat the application as if it were received by mail.


INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  


SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION

Development and Support

Development and support activities should ensure that new software and software changes do not compromise security. Financial institutions should have an effective application and system change control process for developing, implementing, and testing changes to internally developed software and purchased software. Weak change control procedures can corrupt applications and introduce new security vulnerabilities. Change control considerations relating to security include the following:

- Restricting changes to authorized users,
- Reviewing the impact changes will have on security controls,
- Identifying all system components that are impacted by the changes,
- Ensuring the application or system owner has authorized changes in advance,
- Maintaining strict version control of all software updates, and
- Maintaining an audit trail of all changes.

Changes to operating systems may degrade the efficiency and effectiveness of applications that rely on the operating system for interfaces to the network, other applications, or data. Generally, management should implement an operating system change control process similar to the change control process used for application changes. In addition, management should review application systems following operating system changes to protect against a potential compromise of security or operational integrity.

When creating and maintaining software, separate software libraries should be used to assist in enforcing access controls and segregation of duties. Typically, separate libraries exist for development, test, and production.
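As an added example (not from the FFIEC booklet or this newsletter), the following Python sketch shows how the change control considerations listed above can be enforced mechanically at the one point where they all meet: the promotion of a build from the test library into the production library. Only authorized users may promote, the application owner must have approved in advance and may not be the person deploying, the promoted bytes must hash to the version that was tested, the impacted components must be named, and every attempt, allowed or refused, is written to a hash-chained audit trail. The role lists, ticket fields, file names and sample artifact are assumptions chosen for illustration.

```python
"""Change-control gate: promote a tested build into the production library only
when the booklet's conditions hold, and log every attempt in a tamper-evident
audit trail.  Added example; roles, ticket layout and sample bytes are assumed."""
import hashlib
import json
from dataclasses import dataclass, field

# Assumed role data; a real deployment reads this from the identity system.
# owner-bob holding deploy rights is deliberate: it is what makes the
# segregation-of-duties check below necessary.
AUTHORIZED_DEPLOYERS = {"release-svc", "ops-alice", "owner-bob"}
APPLICATION_OWNERS = {"loans": "owner-bob", "teller": "owner-carol"}


@dataclass
class ChangeTicket:
    ticket_id: str
    application: str
    approved_by: str        # who signed off (must be the application owner)
    approved_at: float      # epoch seconds; must precede the promotion
    tested_sha256: str      # digest of the exact artifact that passed testing
    components: tuple       # every component the change touches


@dataclass
class AuditTrail:
    """Append-only log; each entry hashes the previous one, so deleting,
    editing or reordering a record breaks verify()."""
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        entry_hash = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({**record, "prev_hash": prev, "entry_hash": entry_hash})
        return entry_hash

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("prev_hash", "entry_hash")}
            digest = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if e["prev_hash"] != prev or e["entry_hash"] != digest:
                return False
            prev = digest
        return True


def promote(ticket: ChangeTicket, requested_by: str, artifact: bytes,
            trail: AuditTrail, now: float) -> tuple:
    """Decide whether ARTIFACT may enter production under TICKET; always log."""
    digest = hashlib.sha256(artifact).hexdigest()
    owner = APPLICATION_OWNERS.get(ticket.application)
    if requested_by not in AUTHORIZED_DEPLOYERS:
        reason = "requester not an authorized deployer"
    elif ticket.approved_by != owner:
        reason = "approval is not from the application owner"
    elif ticket.approved_by == requested_by:
        reason = "approver and deployer must differ (segregation of duties)"
    elif ticket.approved_at > now:
        reason = "approval must precede the change"
    elif digest != ticket.tested_sha256:
        reason = "artifact differs from the tested version"
    elif not ticket.components:
        reason = "impacted components not identified"
    else:
        reason = "ok"
    allowed = reason == "ok"
    trail.append({"ts": now, "ticket": ticket.ticket_id, "app": ticket.application,
                  "by": requested_by, "artifact_sha256": digest,
                  "decision": "PROMOTED" if allowed else "REFUSED", "reason": reason})
    return allowed, reason


def demo():
    """Constructed scenario: one clean promotion followed by three refusals."""
    trail = AuditTrail()
    tested = b"loans-app 2.4.1 build output (constructed sample bytes)"
    ticket = ChangeTicket("CHG-1042", "loans", "owner-bob", approved_at=1000.0,
                          tested_sha256=hashlib.sha256(tested).hexdigest(),
                          components=("loans-web", "loans-db-schema"))
    results = [
        promote(ticket, "release-svc", tested, trail, now=2000.0),            # ok
        promote(ticket, "release-svc", tested + b"\x00", trail, now=2001.0),  # tampered build
        promote(ticket, "owner-bob", tested, trail, now=2002.0),              # owner deploys own change
        promote(ticket, "intern-dave", tested, trail, now=2003.0),            # not a deployer
    ]
    return results, trail


if __name__ == "__main__":
    results, trail = demo()
    for allowed, reason in results:
        print("PROMOTED" if allowed else "REFUSED ", reason)
    print("audit trail intact:", trail.verify())
```

The refusals are logged as faithfully as the successes; an audit trail that records only what went in gives an examiner no view of what was attempted. The hash chain does not stop a privileged administrator from rewriting the whole log, so in practice the entries are also shipped to a system the deployers cannot write to.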



IT SECURITY QUESTION:

G. APPLICATION SECURITY

1. Determine if operational software storage, program source, object libraries and load modules are appropriately secured against unauthorized access.
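One way an auditor or administrator can answer this question for a library hosted on a POSIX system is to walk it and flag every entry whose owner or permission bits would let an unauthorized user read or replace it. The Python below is an added example, not part of the newsletter or the examination procedures; the directory layout, file names and permission expectations are assumptions, and it builds its own constructed sample tree so that it runs offline.

```python
"""Audit a software library (program source, object libraries, load modules)
for entries an unauthorized user could read or replace.  Added example; the
sample tree and permission expectations are assumptions.  POSIX only."""
import os
import stat
import tempfile


def audit_library(root, expected_uid=None, allow_group_read=True):
    """Walk ROOT without following symlinks and return sorted
    (relative_path, finding) pairs for: wrong owner, group/world write,
    world read (or group read if disallowed), setuid/setgid files, symlinks."""
    if expected_uid is None:
        expected_uid = os.getuid()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)            # lstat: inspect the link, not its target
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                # A link in the load library can redirect loads to code outside it.
                findings.append((rel, "symlink inside library"))
                continue
            if st.st_uid != expected_uid:
                findings.append((rel, f"owned by uid {st.st_uid}, expected {expected_uid}"))
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "group- or world-writable"))
            if mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
            if not allow_group_read and mode & stat.S_IRGRP:
                findings.append((rel, "group-readable"))
            if not stat.S_ISDIR(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid bit set"))
    return sorted(findings)


def build_sample_library():
    """Constructed sample: one correctly protected module beside four defects."""
    root = tempfile.mkdtemp(prefix="prodlib-")
    os.chmod(root, 0o750)
    files = {
        "load/teller.so": 0o640,   # correct: owner rw, group r, nothing for others
        "load/loans.so": 0o666,    # anyone on the host can replace the module
        "src/batch.cbl": 0o644,    # source readable by every local account
        "bin/helper": 0o4750,      # setuid binary sitting in the library
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        os.chmod(os.path.dirname(full), 0o750)
        with open(full, "wb") as fh:
            fh.write(b"constructed sample content\n")
        os.chmod(full, mode)
    # Dangling link: whatever is later created at the target is what gets loaded.
    os.symlink("/tmp/not-part-of-the-library", os.path.join(root, "load", "stale.so"))
    return root


if __name__ == "__main__":
    lib = build_sample_library()
    for rel, finding in audit_library(lib):
        print(f"{rel:20s} {finding}")
```

Run against a real production library the expected owner would be the library's service account rather than the caller, and the findings would be reconciled against the authorized change records rather than read in isolation: a world-writable load module is a finding on its own, but a correctly permissioned module whose hash is not in the audit trail is the more interesting one.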


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

25. Does the institution permit each of the joint consumers in a joint relationship to opt out? [§7(d)(2)]

26. Does the opt out notice to joint consumers state that either: 

a. the institution will consider an opt out by a joint consumer as applying to all associated joint consumers; [§7(d)(2)(i)] or

b. each joint consumer is permitted to opt out separately? [§7(d)(2)(ii)]


NETWORK SECURITY TESTING
- IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley Act and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated