FYI -
To USB or not to USB, well not in the DoD - what do you do? - The
DOD issued orders that USB drives and other removable devices are no
longer to be used. Through autorun features and the presence of some
nasty malware the decision was made to prohibit the use of the
devices in an attempt to contain a malware outbreak.
http://isc.sans.org/diary.html?storyid=5384
http://www.scmagazineus.com/Militarys-ban-of-USB-thumb-drives-highlights-security-risks/article/121326/?DCMP=EMC-SCUS_Newswire
http://www.nextgov.com/nextgov/ng_20081124_5509.php
FYI -
Massachusetts extends compliance deadline on new data-encryption
rules - Economic woes prompt state to give companies more time to
meet data security regulations - Companies that have to comply with
tough new regulations mandating the use of encryption and other
security controls for protecting the personal data of Massachusetts
residents are being given more time to do so.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121018&source=rss_topic17
FYI -
Computer virus quarantines London Hospital for second day - IT staff
at three major London hospitals have spent a second day struggling
to restore IT systems following a major computer virus outbreak.
http://www.theregister.co.uk/2008/11/19/hospital_computer_virus_shutdown_update/
FYI -
Network Security Breaches Plague NASA - Repeated attacks from abroad
on NASA computers and Web sites are causing consternation among
officials and stirring national security concerns.
http://www.businessweek.com/print/magazine/content/08_48/b4110072404167.htm
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Police officers among BNP members listed on web - The entire
membership list of the British National party has been posted on the
internet, identifying thousands of people as secret supporters of
the far right and exposing many to the risk of dismissal from work,
disciplinary action or vilification.
http://www.guardian.co.uk/politics/2008/nov/19/bnp-names-web-police-security
http://www.timesonline.co.uk/tol/news/uk/article5183833.ece
FYI -
Obama's cell phone records breached - A number of Verizon Wireless
employees accessed and viewed President-elect Barack Obama's
personal cell phone account without authorization, Verizon Wireless
President and CEO, Lowell McAdam said in a statement.
http://www.scmagazineus.com/Obamas-cell-phone-records-breached/article/121376/?DCMP=EMC-SCUS_Newswire
FYI -
Verizon cans workers who snooped Obama's cell phone, CNN reports -
Verizon Wireless has fired an undisclosed number of employees who
snooped into the cell phone records of President-elect Barack Obama
earlier this year, according to a report by cable news channel CNN.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121346&source=rss_topic17
FYI -
London Hospital back online after computer virus shutdown - Computer
systems at three major London hospitals are largely back online on
Friday morning, three days after a major computer virus outbreak
forced staff to disconnect the network.
http://www.theregister.co.uk/2008/11/21/barts_mytob_recovery/
WEB SITE COMPLIANCE -
This week begins our series on the FDIC's Supervisory Policy on
Identity Theft. (Part 4 of 6)
Supervisory Action
As a result of guidelines issued by the FDIC, together with other
federal agencies, financial institutions are required to develop and
implement a written program to safeguard customer information,
including the proper disposal of consumer information (Security
Guidelines).5 The FDIC considers this programmatic requirement to be
one of the foundations of identity theft prevention. In guidance
that became effective on January 1, 2007, the federal banking
agencies made it clear that they expect institutions to use stronger
and more reliable methods to authenticate the identity of customers
using electronic banking systems. Moreover, the FDIC has also issued
guidance stating that financial institutions are expected to notify
customers of unauthorized access to sensitive customer information
under certain circumstances. The FDIC has issued a number of other
supervisory guidance documents articulating its position and
expectations concerning identity theft. Industry compliance with
these expectations will help to prevent and mitigate the effects of
identity theft.
Risk management examiners trained in information technology (IT) and
the requirements of the Bank Secrecy Act (BSA) evaluate a number of
aspects of a bank's operations that raise identity theft issues. IT
examiners are well-qualified to evaluate whether banks are
incorporating emerging IT guidance into their Identity Theft
Programs and GLBA 501(b) Information Security Programs; responsibly
overseeing service provider arrangements; and taking action when a
security breach occurs. In addition, IT examiners will consult with
BSA examiners during the course of an examination to ensure that the
procedures institutions employ to verify the identity of new
customers are consistent with existing laws and regulations to
prevent financial fraud, including identity theft.
The FDIC has also issued revised examination procedures for the Fair
Credit Reporting Act (FCRA), through the auspices of the Federal
Financial Institutions Examination Council's (FFIEC) Consumer
Compliance Task Force. These procedures are used during
consumer compliance examinations and include steps to ensure that
institutions comply with the FCRA's fraud and active duty alert
provisions. These provisions enable consumers to place alerts on
their consumer reports that require users, such as banks, to take
additional steps to identify the consumer before new credit is
extended. The procedures also include reviews of institutions'
compliance with requirements governing the accuracy of data provided
to consumer reporting agencies. These requirements include the
blocking of data that may be the result of an identity theft.
Compliance examiners are trained in the various requirements of the
FCRA and ensure that institutions have effective programs to comply
with the identity theft provisions. Consumers are protected from
identity theft through the vigilant enforcement of all the
examination programs, including Risk Management, Compliance, IT and
BSA.
The Fair and Accurate Credit Transactions Act directed the FDIC and
other federal agencies to jointly promulgate regulations and
guidelines that focus on identity theft "red flags" and customer
address discrepancies. As proposed, the guidelines would require
financial institutions and creditors to establish a program to
identify patterns, practices, and specific forms of activity that
indicate the possible existence of identity theft. The proposed
joint regulation would require financial institutions and creditors
to establish reasonable policies to implement the guidelines,
including a provision requiring debit and credit card issuers to
assess the validity of a request for a change of address. In
addition, the agencies proposed joint regulations that provide
guidance regarding reasonable policies and procedures that a user of
consumer reports must employ when the user receives a notice of
address discrepancy. When promulgated in final form, these joint
regulations and guidelines will comprise another element of the
FDIC's program to prevent and mitigate identity theft.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS
(Part 2 of 2)
Additional operating system access controls include the following
actions:
! Ensure system administrators and security professionals have
adequate expertise to securely configure and manage the operating
system.
! Ensure effective authentication methods are used to restrict
system access to both users and applications.
! Activate and utilize operating system security and logging
capabilities and supplement with additional security software where
supported by the risk assessment process.
! Restrict operating system access to specific terminals in
physically secure and monitored locations.
! Lock or remove external drives from system consoles or terminals
residing outside physically secure locations.
! Restrict and log access to system utilities, especially those with
data altering capabilities.
! Restrict access to operating system parameters.
! Prohibit remote access to sensitive operating system functions,
where feasible, and at a minimum require strong authentication and
encrypted sessions before allowing remote support.
! Limit the number of employees with access to sensitive operating
systems and grant only the minimum level of access required to
perform routine responsibilities.
! Segregate operating system access, where possible, to limit full
or root-level access to the system.
! Monitor operating system access by user, terminal, date, and time
of access.
! Update operating systems with security patches using appropriate
change control mechanisms.
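Several of the controls above (restricting access to approved terminals, requiring strong authentication for remote support, limiting root-level access to the approved administrators, and monitoring access by user, terminal, date and time) can be checked mechanically against logon records. The script below is an added example written for this page; it is not FFIEC code and not taken from any vendor. The log lines are constructed in a syslog-like style, and the policy values (approved consoles, administrative network prefix, business hours, approved user list) are assumptions chosen for illustration.

```python
"""Review operating-system logons against an access policy.

Added example: the log lines are constructed in the style of sshd and
login(1) syslog records, and every policy value is an assumption made
for this illustration, not a regulatory or vendor default.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
2008-11-24T08:05:12 srv01 sshd[4411]: Accepted publickey for jsmith from 10.20.1.15 port 50112 ssh2
2008-11-24T08:07:44 srv01 login[4420]: LOGIN ON tty1 BY opsadmin
2008-11-24T02:31:09 srv01 sshd[4502]: Accepted password for jsmith from 10.20.1.15 port 50190 ssh2
2008-11-24T09:12:00 srv01 sshd[4610]: Accepted password for root from 192.0.2.77 port 40022 ssh2
2008-11-24T09:15:30 srv01 login[4633]: LOGIN ON tty3 BY contractor1
2008-11-24T09:20:05 srv01 sshd[4701]: Failed password for invalid user admin from 192.0.2.77 port 40100 ssh2
"""

# Only successful logons are parsed; failed attempts are a separate review.
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
CONSOLE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login\[\d+\]: LOGIN ON (?P<tty>\S+) BY (?P<user>\S+)"
)


@dataclass
class Access:
    when: datetime
    user: str
    terminal: str   # tty name for console logons, source address for remote ones
    remote: bool
    method: str     # authentication method (sshd) or "console"


def parse_access(line):
    """Return an Access record for a successful logon line, else None."""
    m = SSH_RE.match(line)
    if m:
        return Access(datetime.fromisoformat(m["ts"]), m["user"], m["src"], True, m["method"])
    m = CONSOLE_RE.match(line)
    if m:
        return Access(datetime.fromisoformat(m["ts"]), m["user"], m["tty"], False, "console")
    return None


# Assumed policy values for the example.
POLICY = {
    "allowed_consoles": {"tty1", "tty2"},        # terminals in the secured, monitored room
    "allowed_remote_nets": ("10.20.1.",),        # administrative network prefixes
    "business_hours": (7, 19),                   # 07:00 up to (not including) 19:00
    "admins": {"opsadmin", "jsmith"},            # staff approved for OS-level access
    "remote_strong_methods": {"publickey"},      # acceptable for remote support
}


def evaluate(access, policy=POLICY):
    """Return the list of policy violations for one logon (empty if compliant)."""
    findings = []
    if access.user == "root" and access.remote:
        findings.append("remote root login")
    if access.remote and not access.terminal.startswith(policy["allowed_remote_nets"]):
        findings.append("remote access from unapproved network")
    if not access.remote and access.terminal not in policy["allowed_consoles"]:
        findings.append("console login from unapproved terminal")
    if access.remote and access.method not in policy["remote_strong_methods"]:
        findings.append("remote access without strong authentication")
    start, end = policy["business_hours"]
    if not (start <= access.when.hour < end):
        findings.append("access outside business hours")
    if access.user != "root" and access.user not in policy["admins"]:
        findings.append("user not on the approved operating system access list")
    return findings


def review_log(text, policy=POLICY):
    """Parse every logon in the log and record who, where, when and what was violated."""
    report = []
    for line in text.splitlines():
        access = parse_access(line)
        if access is None:
            continue
        report.append((access.when.isoformat(), access.user, access.terminal,
                       evaluate(access, policy)))
    return report


if __name__ == "__main__":
    for when, user, terminal, findings in review_log(SAMPLE_LOG):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{when} {user:<12} {terminal:<14} {status}")
```

Run against the constructed log, the two daytime logons from the approved network and console pass, while the 02:31 password logon, the remote root logon from an outside address, and the console logon from tty3 by an unlisted user are each reported with the specific controls they violate. Keeping the policy in one dictionary makes the approved terminals, networks and users an auditable artifact rather than knowledge held by individual administrators.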
IT SECURITY QUESTION:
D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)
1. Determine whether new workstations are prepared according to
documented procedures for secure configuration or replication and
that vulnerability testing takes place prior to deployment.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 4 of 6)
Requirements for Notices (continued)
Notice Content. A privacy notice must contain specific
disclosures. However, a financial institution may provide to
consumers who are not customers a "short form" initial
notice together with an opt out notice stating that the
institution's privacy notice is available upon request and
explaining a reasonable means for the consumer to obtain it. The
following is a list of disclosures regarding nonpublic personal
information that institutions must provide in their privacy notices,
as applicable:
1) categories of information collected;
2) categories of information disclosed;
3) categories of affiliates and nonaffiliated third parties to
whom the institution may disclose information;
4) policies with respect to the treatment of former customers'
information;
5) information disclosed to service providers and joint
marketers (Section 13);
6) an explanation of the opt out right and methods for opting
out;
7) any opt out notices the institution must provide under the
Fair Credit Reporting Act with respect to affiliate information
sharing;
8) policies for protecting the security and confidentiality of
information; and
9) a statement that the institution makes disclosures to other
nonaffiliated third parties as permitted by law (Sections 14 and
15).