R. Kinney Williams & Associates | Internet Banking News | December 3, 2006
Does your financial institution need an affordable Internet security
penetration-vulnerability test?
Our clients in 41 states rely on VISTA to verify their IT security
settings and to meet the independent diagnostic test requirements of
the FDIC, OCC, OTS, FRB, and NCUA, which supports compliance with
Gramm-Leach-Bliley Act Section 501(b).
The VISTA penetration study and Internet security test is an
affordable, sophisticated process that goes far beyond simple port
scanning: it takes a hacker's perspective to help you identify
real-world weaknesses. For more information, give Kinney Williams a
call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI - Media exec charged
with computer break-in - He broke into corporate network after
dismissal, prosecutors say - A former Source Media Inc. executive
was charged with hacking into the company's computer system three
years after he was dismissed, and tipping off employees whose jobs
were in jeopardy, prosecutors said.
http://www.msnbc.msn.com/id/15739188/
FYI - Guidance Software
settles with FTC - A computer forensics firm has settled Federal
Trade Commission (FTC) charges that it failed to protect private
customer data, including that of IT security professionals, when
hackers hijacked its network last year.
http://news.com.com/2102-7350_3-6136165.html?tag=st.util.print
and
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061120/605457/
FYI - Man used MP3 player to hack ATMs - Parsons plugged his MP3
player into the back of free-standing cash machines and was able to
use it to read data about customers' cards. That data could then be
used to 'clone' cards and use them for bogus purchases.
http://www.theregister.co.uk/2006/11/18/mp3_player_atm_hack/print.html
MISSING COMPUTERS/DATA
FYI - IRS Latest Federal
Agency to Lose Laptops - According to documents obtained by WTOP
through the Freedom of Information Act, between 2002 and 2006
year-to-date, the agency charged with collecting taxes and
protecting taxpayers' personal information had 478 laptops either
lost or stolen.
http://www.wtopnews.com/index.php?nid=428&sid=975026
FYI - Stolen laptop
leaves Nationwide red-faced - FSA probes data loss... The theft of a
laptop containing Nationwide Building Society customer information
is being probed by the Financial Services Authority (FSA). The
laptop was stolen from an employee's house in a burglary in August.
http://software.silicon.com/security/0,39024888,39164041,00.htm
FYI - Data on thousands
of college students stolen - State education officials say personal
information on thousands of college students is on a laptop computer
stolen from Connors State College in Warner. Connors President
Donnie Nero says the laptop has been recovered and a Connors State
student is under investigation.
http://www.kten.com/global/story.asp?s=5679797&ClientType=Printable
FYI - Hackers Steal Data
From Landis Lab - A hacker stole data from computers at the French
anti-doping lab where tests are being challenged by American cyclist
Floyd Landis, police said.
http://www.washingtonpost.com/wp-dyn/content/article/2006/11/14/AR2006111400389_pf.html
WEB SITE COMPLIANCE -
Truth in Lending Act (Regulation Z)
The commentary to regulation Z was amended recently to clarify that
periodic statements for open-end credit accounts may be provided
electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day rule,"
requiring mailing or delivery of the statement not later than 14
days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or closed-end
credit products on-line have several options, but in every case they
should ensure that the on-line advertising complies with the
regulation. For on-line advertisements that may be deemed to contain
more than a single page, financial institutions should comply with the
provisions of the regulation that describe the requirements for
multiple-page advertisements.
CLIENTS - You will find the following
related regulations at:
http://www.fdic.gov/regulations/laws/rules/6500-1600.html#6500226.5
http://www.fdic.gov/regulations/laws/rules/6500-1650.html#6500226.16
http://www.fdic.gov/regulations/laws/rules/6500-1700.html#6500226.24
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Outsourced Development
Many financial institutions outsource software development to third
parties. Numerous vendor management issues exist when outsourcing
software development. The vendor management program established by
management should address the following:
- Verifying credentials and contracting only with reputable
providers;
- Evaluating the provider's secure development environment,
including background checks on its employees and its code development
and testing processes;
- Obtaining fidelity coverage;
- Requiring signed nondisclosure agreements to protect the financial
institution's rights to source code and customer data, as
appropriate;
- Establishing security requirements, acceptance criteria, and test
plans;
- Reviewing and testing source code for security vulnerabilities,
including covert channels or backdoors that might obscure
unauthorized access into the system;
- Restricting any vendor access to production source code and
systems, and monitoring vendor access to development systems; and
- Performing security tests to verify that the security requirements
are met before implementing the software in production.
IT SECURITY
QUESTION:
G. APPLICATION SECURITY
3. Determine if appropriate message authentication takes
place.
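To make the examination question concrete, the following is an added example (not from the FFIEC booklet or this newsletter) of what "appropriate message authentication" looks like in code: a keyed HMAC tag that only a key holder can produce, verified with a constant-time comparison, contrasted with an unkeyed checksum that detects accidental corruption but not deliberate tampering. The demo key, the `message || tag` wire format, the sample transfer message, and the `protect`/`verify` helper names are assumptions made for the demonstration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo key (assumption): a real system loads the key from a
# key store or HSM and shares it only with the parties allowed to speak.
KEY = b"demo-shared-secret-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def tag(message: bytes, key: bytes = KEY) -> bytes:
    """HMAC-SHA256 over the message: only a holder of the key can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def protect(message: bytes, key: bytes = KEY) -> bytes:
    """Wire format assumed by this example: message || tag."""
    return message + tag(message, key)


def verify(packet: bytes, key: bytes = KEY) -> Optional[bytes]:
    """Return the message if its tag is valid, otherwise None.

    hmac.compare_digest runs in constant time, so an attacker cannot
    recover the correct tag byte by byte from response timing.
    """
    if len(packet) < TAG_LEN:
        return None
    message, received = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(received, tag(message, key)):
        return None
    return message


# The control that is NOT message authentication: an unkeyed checksum.
# It catches line noise, but anyone can recompute it after editing the
# message, so a tampered message still passes.

def naive_protect(message: bytes) -> bytes:
    return message + hashlib.sha256(message).digest()


def naive_verify(packet: bytes) -> Optional[bytes]:
    if len(packet) < TAG_LEN:
        return None
    message, received = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if received != hashlib.sha256(message).digest():
        return None
    return message


def tamper(packet: bytes, old: bytes, new: bytes) -> bytes:
    """Attacker edits bytes of the message in transit, leaving the tag alone."""
    return packet.replace(old, new, 1)


if __name__ == "__main__":
    # Constructed sample message; not a real banking wire format.
    original = b"transfer amount=100 to=acct-42"
    edited = b"transfer amount=900 to=acct-42"

    keyed = protect(original)
    assert verify(keyed) == original
    # Changing the amount invalidates the HMAC; the receiver rejects it.
    assert verify(tamper(keyed, b"100", b"900")) is None
    # Without the key the attacker cannot mint a valid tag for the edit.
    assert verify(naive_protect(edited)) is None

    # The unkeyed checksum is no obstacle: recompute it after the edit.
    assert naive_verify(tamper(naive_protect(original), b"100", b"900")) is None
    assert naive_verify(naive_protect(edited)) == edited
    print("HMAC rejects the tampered transfer; the plain checksum accepts the forgery")
```

When reviewing a system against this question, look for three things the example makes visible: a secret key that the verifier holds and the attacker does not (an unkeyed hash or CRC does not qualify), verification before the message is acted on, and a constant-time comparison of the tag.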
CLIENTS - The complete Information
Security Booklet can be found at http://www.ffiec.gov/ffiecinfobase/booklets/information_secruity/information_security.pdf.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
28. Does the institution refrain from
requiring all joint consumers to opt out before implementing any opt
out direction with respect to the joint account? [§7(d)(4)]
29. Does the institution comply with a consumer's direction to opt
out as soon as is reasonably practicable after receiving it? [§7(e)]
NETWORK SECURITY TESTING - IT examination guidelines require financial
institutions to annually conduct an independent internal-network
penetration test.
Given the Gramm-Leach-Bliley Act and the regulators' IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing the internal connections to your network.
For more information about our independent internal testing, please
visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially
those from news organizations. We may have a copy of the article, so
please e-mail us at examiner@yennik.com if we can be of assistance.