Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and best practices. For more information visit http://www.yennik.com/it-review/.
FYI - Facebook posts cause bank worker to lose layoff payoff? - It is now an accepted wisdom that sharing yourself on Facebook can add to your woes.
http://news.cnet.com/8301-17852_3-20023916-71.html
FYI - GAO - Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk
Release - http://www.gao.gov/products/GAO-11-43
Highlights - http://www.gao.gov/highlights/d1143high.pdf
FYI - What the TSA controversy can teach us about cyberterrorism and transparency - If you think there is nothing personal to gain for public officials who use words like "cyberterrorism" and "Digital Pearl Harbor," think again.
http://www.scmagazineus.com/what-the-tsa-controversy-can-teach-us-about-cyberterrorism-and-transparency/article/191570/?DCMP=EMC-SCUS_Newswire
FYI - Can poor data security result in death? - In this case there are life and death considerations. The frightening reality of the worst case scenario is made clear by the Federal Trade Commission's site on Medical Identity Theft:
http://www.scmagazineus.com/bad-medicine-can-poor-data-security-result-in-death/article/191624/?DCMP=EMC-SCUS_Newswire
FYI - Delaware, Seattle sites named best cybersecurity resources - The state of Delaware and city of Seattle have won an annual contest recognizing the best state and local government cybersecurity websites.
http://www.scmagazineus.com/delaware-seattle-sites-named-best-cybersecurity-resources/article/191639/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - WikiLeaks moves to Amazon servers after DoS attacks - After several denial-of-service (DoS) attacks hit it over the weekend, WikiLeaks is now being hosted by Amazon servers in the U.S. and Ireland, IP traces conducted today revealed.
http://www.computerworld.com/s/article/9198418/WikiLeaks_moves_to_Amazon_servers_after_DoS_attacks?taxonomyId=17
FYI - Fake student hacker avoids jail over ID theft scam - A computer hacker who posed as a student and used key-logging software to break into the email accounts of genuine students has been ordered to pay £21,000 in compensation and ordered to complete a 200-hour community service order.
http://www.theregister.co.uk/2010/11/25/fake_student_hacker_scam/
FYI - Two former students charged in university hack in Mo. - Pair stole data on 90,000 students, faculty, staff and alumni at the Univ. of Central Missouri - Two former students at the University of Central Missouri (UCM) have been indicted by a federal grand jury on charges of breaking into university databases and of stealing and attempting to sell personal data on about 90,000 UCM students, faculty, staff and alumni. Price for the data: $35,000.
http://www.computerworld.com/s/article/9197884/Two_former_students_charged_in_university_hack_in_Mo.?taxonomyId=17
FYI - Ford secrets thief caught red handed with stolen blueprints - Was moving to China, now he faces 5 to 6 years in US jail - A veteran auto-plant worker faces an extended spell behind bars after pleading guilty last week to stealing industrial secrets, including design blueprints, from car maker Ford and passing them on to a Chinese rival.
http://www.theregister.co.uk/2010/11/23/ford_trade_secrets_thief_jailed/
WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulation clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed but is similarly
authenticated by the consumer, such as through the use of a security
code. According to the Official Staff Commentary (OSC), an example
of a consumer's authorization that is not in the form of a signed
writing but is, instead, "similarly authenticated," is a consumer's
authorization via a home banking system. To satisfy the regulatory
requirements, the institution must have some means to identify the
consumer (such as a security code) and make a paper copy of the
authorization available (automatically or upon request). The text
of the electronic authorization must be displayed on a computer
screen or other visual display that enables the consumer to read the
communication from the institution. Only the consumer may authorize
the transfer, and not, for example, a third-party merchant on behalf
of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
OVERVIEW
The quality of security controls can significantly influence all
categories of risk. Traditionally, examiners and bankers recognize
the direct impact on operational/transaction risk from incidents
related to fraud, theft, or accidental damage. Many security
weaknesses, however, can directly increase exposure in other risk
areas. For example, the GLBA introduced additional legal/compliance
risk due to the potential for regulatory noncompliance in
safeguarding customer information. The potential for legal liability
related to customer privacy breaches may present additional risk in
the future. Effective application access controls can reduce credit
and market risk by imposing risk limits on loan officers or traders.
If a trader were to exceed the intended trade authority, the
institution may unknowingly assume additional market risk exposure.
A strong security program reduces levels of reputation and strategic
risk by limiting the institution's vulnerability to intrusion
attempts and maintaining customer confidence and trust in the
institution. Security concerns can quickly erode customer confidence
and potentially decrease the adoption rate and rate of return on
investment for strategically important products or services.
Examiners and risk managers should incorporate security issues into
their risk assessment process for each risk category. Financial
institutions should ensure that security risk assessments adequately
consider potential risk in all business lines and risk categories.
Information security risk assessment is the process used to identify
and understand risks to the confidentiality, integrity, and
availability of information and information systems. An adequate
assessment identifies the value and sensitivity of information and
system components and then balances that knowledge with the exposure
from threats and vulnerabilities. A risk assessment is a necessary
prerequisite to the formation of strategies that guide the
institution as it develops, implements, tests, and maintains its
information systems security posture. An initial risk assessment may
involve a significant one-time effort, but the risk assessment
process should be an ongoing part of the information security
program.
Risk assessments for most industries focus only on the risk to the
business entity. Financial institutions should also consider the
risk to their customers' information. For example, section 501(b) of
the GLBA requires financial institutions to "protect against
unauthorized access to or use of customer information that could
result in substantial harm or inconvenience to any customer."
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
13. If the institution does not disclose nonpublic personal
information, and does not reserve the right to do so, other than
under exceptions in §14 and §15, does the institution provide a
simplified privacy notice that contains at a minimum:
a. a statement to this effect;
b. the categories of nonpublic personal information it collects;
c. the policies and practices the institution uses to protect the
confidentiality and security of nonpublic personal information; and
d. a general statement that the institution makes disclosures to
other nonaffiliated third parties as permitted by law? [§6(c)(5)]
(Note: use of this type of simplified notice is optional; an
institution may always use a full notice.)