FYI - Rainbow warriors crack password hashes - A trio of entrepreneurial hackers hope to do for the business of password cracking what Google did for search and, in the process, may remove the last vestiges of security from many password systems.
http://www.theregister.co.uk/2005/11/10/password_hashes/

FYI - Teachers to get training on web security - Teachers throughout Ireland are to receive internet and IT security training throughout November and early December through specially organised workshops organised by the National Centre for Technology in Education (NCTE).
http://www.siliconrepublic.com/news/news.nv?storyid=single5655

FYI - Bank customers willing to pay for online security - Americans are ready to shell out additional fees for greater protection of their online transactions and bank accounts, a new consumer poll has indicated.
http://news.com.com/2102-1029_3-5946634.html?tag=st.util.print

FYI - Vital data often stored on unsecured devices: Survey - One in three mobile computers and smart phones is not protected with a password or security lock, even though they contain PIN codes and sensitive information, a survey showed today.
http://www.computerworld.com/printthis/2005/0,4814,106209,00.html

FYI - Consumers Flog Firms That Lose Data - Consumers severely punish corporations that lose their data, with a majority willing to terminate their accounts with the guilty companies, a pair of surveys said.
http://www.techweb.com/wire/173602532

FYI - Keyloggers: Weapon of choice for hackers - Keylogging is quickly becoming the favorite technique of hackers looking for financial gain, data released this week claimed.
http://www.scmagazine.com/us/news/article/527807/?s=nus

FYI - Employee gadgets pose security risk to companies - The many gadgets carried around by workers today pose a real security risk to organizations and require action, session attendees at a security conference agreed.
http://news.com.com/2102-1029_3-5954642.html?tag=st.util.print
WEB SITE COMPLIANCE - Record Retention
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (3 of 5)
System devices, programs, and data are system resources. Each system
resource may need to be accessed by other system resources and
individuals in order for work to be performed. Access beyond the
minimum required for work to be performed exposes the
institution's systems and information to a loss of
confidentiality, integrity, and availability. Accordingly, the goal
of access rights administration is to identify and restrict access
to any particular system resource to the minimum required for work
to be performed. The
financial institution's security policy should address access
rights to system resources and how those rights are to be
administered.
Management and information system administrators should critically
evaluate information system access privileges and establish access
controls to prevent unwarranted access. Access
rights should be based upon the needs of the applicable user or
system resource to carry out legitimate and approved activities on
the financial institution's information systems. Policies,
procedures, and criteria need to be established for both the
granting of appropriate access rights and for the purpose of
establishing those legitimate activities. Formal
access rights administration for users consists of four processes:
! An enrollment process to add new users to the system;
! An authorization process to add, delete, or modify authorized user
access to operating systems, applications, directories, files, and
specific types of information;
! An authentication process to identify the user during subsequent
activities; and
! A monitoring process to oversee and manage the access rights
granted to each user on the system.
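The four processes above (enrollment, authorization, authentication, monitoring) can be modelled in a few dozen lines, which makes the least-privilege goal concrete: a user holds only the rights explicitly granted, every access decision is logged, and the monitoring step compares granted rights against actual use so that unneeded rights can be removed. The following is an added example written for this newsletter section; it is not code from the FFIEC booklet. The user name "teller1", the resource names and the password are constructed sample values.

```python
"""Minimal model of access rights administration: enrollment,
authorization, authentication and monitoring. Added example; the users,
resources and credentials below are constructed, not real."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 100_000


class AccessRightsAdministration:
    def __init__(self):
        self.users = {}      # user -> {"salt": bytes, "hash": bytes, "enabled": bool}
        self.rights = {}     # user -> {resource: set(actions)}   (explicit grants only)
        self.audit_log = []  # (timestamp, event, user, resource, action, outcome)

    def _log(self, event, user, resource=None, action=None, outcome="ok"):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, event, user, resource, action, outcome))

    # 1. Enrollment: create the user with a salted, iterated password hash
    #    and no rights at all (rights must be granted separately).
    def enroll(self, user, password):
        if user in self.users:
            raise ValueError(f"{user} is already enrolled")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.users[user] = {"salt": salt, "hash": digest, "enabled": True}
        self.rights[user] = {}
        self._log("enroll", user)

    # 2. Authorization: add, modify or delete rights on a specific resource.
    def grant(self, user, resource, actions):
        if user not in self.users:
            raise KeyError(f"{user} must be enrolled before rights are granted")
        self.rights[user].setdefault(resource, set()).update(actions)
        self._log("grant", user, resource, ",".join(sorted(actions)))

    def revoke(self, user, resource, actions=None):
        held = self.rights.get(user, {})
        if actions is None:            # remove the whole resource entry
            held.pop(resource, None)
        elif resource in held:
            held[resource] -= set(actions)
            if not held[resource]:
                del held[resource]
        self._log("revoke", user, resource, "all" if actions is None else ",".join(sorted(actions)))

    # 3. Authentication: identify the user on each subsequent activity.
    def authenticate(self, user, password):
        rec = self.users.get(user)
        if rec is None or not rec["enabled"]:
            self._log("authenticate", user, outcome="denied")
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS)
        ok = hmac.compare_digest(digest, rec["hash"])  # constant-time comparison
        self._log("authenticate", user, outcome="ok" if ok else "denied")
        return ok

    # Access decision: deny anything not explicitly granted (least privilege).
    def check_access(self, user, resource, action):
        allowed = action in self.rights.get(user, {}).get(resource, set())
        self._log("access", user, resource, action, "ok" if allowed else "denied")
        return allowed

    # 4. Monitoring: rights granted but never exercised are candidates for removal.
    def unused_rights(self):
        used = {(e[2], e[3], e[4]) for e in self.audit_log if e[1] == "access" and e[5] == "ok"}
        return [(u, r, a)
                for u, res_map in self.rights.items()
                for r, actions in res_map.items()
                for a in sorted(actions)
                if (u, r, a) not in used]

    def denied_attempts(self):
        return [e for e in self.audit_log if e[5] == "denied"]


def run_demo():
    ara = AccessRightsAdministration()
    ara.enroll("teller1", "correct horse battery staple")      # constructed credential
    ara.grant("teller1", "accounts_db", {"read", "update"})
    ara.grant("teller1", "wire_system", {"read"})
    auth_ok = ara.authenticate("teller1", "correct horse battery staple")
    auth_bad = ara.authenticate("teller1", "wrong password")
    read_ok = ara.check_access("teller1", "accounts_db", "read")
    wire_denied = ara.check_access("teller1", "wire_system", "approve")  # never granted
    ara.revoke("teller1", "accounts_db", {"update"})           # periodic review trims rights
    return {"auth_ok": auth_ok, "auth_bad": auth_bad, "read_ok": read_ok,
            "wire_denied": wire_denied, "unused": ara.unused_rights(),
            "denied": len(ara.denied_attempts())}


if __name__ == "__main__":
    print(run_demo())
```

The audit log feeds both halves of the monitoring process: denied attempts show where a user or system is reaching beyond its approved activities, and the unused-rights report shows grants that have not been needed and can be revoked, which is how the "minimum required for work to be performed" standard is maintained over time rather than only at enrollment.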
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Authentication
12. Determine whether
appropriate device and session authentication takes place,
particularly for remote and wireless machines.
INTERNET PRIVACY - With this issue, we begin our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.
On November 12, 1999, President Clinton signed into law the
Gramm-Leach-Bliley Act (the "Act"). Title V, Subtitle A of
the Act governs the treatment of nonpublic personal information
about consumers by financial institutions. Section 502 of the
Subtitle, subject to certain exceptions, prohibits a financial
institution from disclosing nonpublic personal information about a
consumer to nonaffiliated third parties, unless the institution
satisfies various notice and opt-out requirements, and provided that
the consumer has not elected to opt out of the disclosure. Section
503 requires the institution to provide notice of its privacy
policies and practices to its customers. Section 504 authorizes the
issuance of regulations to implement these provisions.
Accordingly, on June 1, 2000, the four federal bank and thrift
regulators published substantively identical regulations
implementing provisions of the Act governing the privacy of consumer
financial information. The regulations establish rules governing
duties of a financial institution to provide particular notices and
limitations on its disclosure of nonpublic personal information, as
summarized below.
1) A financial institution must provide a notice of its
privacy policies, and allow the consumer to opt out of the
disclosure of the consumer's nonpublic personal information, to a
nonaffiliated third party if the disclosure is outside of the
exceptions in sections 13, 14 or 15 of the regulations.
2) Regardless of whether a financial institution shares
nonpublic personal information, the institution must provide notices
of its privacy policies to its customers.
3) A financial institution generally may not disclose customer
account numbers to any nonaffiliated third party for marketing
purposes.
4) A financial institution must follow reuse and redisclosure
limitations on any nonpublic personal information it receives from a
nonaffiliated financial institution.