R. Kinney Williams & Associates
Internet Banking News
December 17, 2006
Does your financial institution need an affordable Internet security
penetration-vulnerability test?
Our clients in 41 states rely on VISTA to check their IT security
settings and to meet the independent diagnostic test requirements of
the FDIC, OCC, OTS, FRB, and NCUA, which supports compliance with
Gramm-Leach-Bliley Act section 501(b).
The VISTA penetration study and Internet security test is an
affordable, sophisticated process that goes far beyond simple port
scanning and takes a hacker's perspective, which will help you
identify real-world weaknesses. For more information, give Kinney
Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI -
GAO - Credit Unions: Greater Transparency Needed on Who Credit
Unions Serve and on Senior Executive Compensation.
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-07-29
Highlights -
http://www.gao.gov/highlights/d0729high.pdf
FYI -
Pick up the tab by texting - Forgot your credit card? Don't have
cash on you? No worries--just use your cell phone to pay the bill.
That's what some folks in Boulder, Colo., can do if they sign up for
an account with a Boulder-based start-up called Feed Tribes.
http://news.com.com/2102-1039_3-6139451.html?tag=st.util.print
FYI -
New E-Discovery Rules Benefit Some Firms - Companies that help
businesses track and search their e-mails and other electronic data
are experiencing a surge of interest in the wake of federal rule
changes that clarify requirements to produce such evidence in
lawsuits.
http://news.yahoo.com/s/ap/20061201/ap_on_hi_te/storing_e_mails
MISSING COMPUTERS/DATA
FYI -
Kaiser members warned of possible data theft - In yet another
instance of laptop theft potentially endangering personal data,
Kaiser Permanente Colorado is notifying some 38,000 members of a
possible breach of their private health information.
http://news.com.com/2061-10789_3-6139167.html
FYI -
Linkin Park fan hacks phone data - A woman is accused of using a
computer at a national laboratory to hack into a cell phone
company's Web site to get a number for Chester Bennington, lead
singer of the Grammy-winning rock group Linkin Park.
http://news.yahoo.com/s/ap/20061124/ap_en_mu/people_linkin_park
FYI -
Personal data at risk after Pa. DOT robbery - Thieves stole
computers containing information on nearly 11,400 customers -
Thieves stole equipment from a driver's license center and got away
with computers containing personal information on more than 11,000
people, state officials said.
http://www.msnbc.msn.com/id/15974532/
FYI -
Credit Bureau Security Breached - TransUnion Credit Bureau is
investigating who was able to get into their database and illegally
download hundreds of people's personal information. The victims are
now being told they'll have to monitor their credit report every
month to make sure no one is abusing their identity.
http://www.kxan.com/Global/story.asp?S=5752352&nav=menu73_2
WEB SITE COMPLIANCE -
Record Retention
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
System Patches
Software support should incorporate a process to update and
patch operating system and application software for new
vulnerabilities. Frequently, security vulnerabilities are discovered
in operating systems and other software after deployment. Vendors
often issue software patches to correct those vulnerabilities.
Financial institutions should have an effective monitoring process
to identify new vulnerabilities in their hardware and software.
Monitoring involves such actions as the receipt and analysis of
vendor and governmental alerts and security mailing lists. Once
identified, secure installation of those patches requires a process
for obtaining, testing, and installing the patch.
Patches make direct changes to the software and configuration of
each system to which they are applied. They may degrade system
performance. Also, patches may introduce new vulnerabilities, or
reintroduce old vulnerabilities. The following considerations can
help ensure patches do not compromise the security of systems:
- Obtain the patch from a known, trusted source;
- Verify the integrity of the patch through such means as
comparisons of cryptographic hashes to ensure the patch obtained is
the correct, unaltered patch;
- Apply the patch to an isolated test system and verify that the
patch (1) is compatible with other software used on systems to which
the patch will be applied, (2) does not alter the system's security
posture in unexpected ways, such as altering log settings, and (3)
corrects the pertinent vulnerability;
- Back up production systems prior to applying the patch;
- Apply the patch to production systems using secure methods, and
update the cryptographic checksums of key files as well as that
system's software archive;
- Test the resulting system for known vulnerabilities;
- Update the master configurations used to build new systems;
- Create and document an audit trail of all changes; and
- Seek additional expertise as necessary to maintain a secure
computing environment.
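The steps above can be expressed as a small patch-acceptance workflow. The following Python script is an added example written for this newsletter; it is not code from the FFIEC booklet or from any vendor. It assumes a constructed directory standing in for the isolated test system, a constructed "patch" (a JSON map of relative path to new file contents, a stand-in for a real installer package), a vendor-published SHA-256 value that is simulated by hashing the genuine file, and a hypothetical allow-list of paths the vendor says the patch touches. The script verifies the download against the published hash, takes a checksum baseline of key files before and after installation, flags any file the patch changed outside the allow-list (the "altering log settings" case in the booklet), and appends each decision to an audit trail.

```python
"""Added example: patch verification, checksum baselining and audit trail.

Not part of the FFIEC booklet; file layout, patch format and allow-list
are constructed for illustration.
"""
import hashlib
import hmac
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_patch(patch: Path, expected_sha256: str) -> bool:
    """Compare the downloaded patch against the hash published by the trusted source."""
    return hmac.compare_digest(sha256_file(patch), expected_sha256.lower())


def baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(before: dict, after: dict) -> dict:
    """Report which key files a patch changed, added or removed."""
    return {
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
    }


def audit(log: Path, event: str, **details) -> None:
    """Append one JSON line per decision so the change history is reviewable."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **details}
    with open(log, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")


def apply_patch(system: Path, patch: Path) -> None:
    """Constructed stand-in for an installer: the patch is {relative path: new contents}."""
    for rel, content in json.loads(patch.read_text()).items():
        target = system / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def run_patch_workflow(system: Path, patch: Path, expected_sha256: str,
                       allowed_paths: set, log: Path) -> dict:
    """Verify, baseline, install, re-baseline, flag unexpected changes, record."""
    if not verify_patch(patch, expected_sha256):
        audit(log, "patch_rejected", reason="hash mismatch", patch=patch.name)
        return {"applied": False, "reason": "hash mismatch"}
    before = baseline(system)
    apply_patch(system, patch)
    after = baseline(system)
    delta = diff_baseline(before, after)
    touched = delta["changed"] + delta["added"] + delta["removed"]
    unexpected = sorted(p for p in touched if p not in allowed_paths)
    audit(log, "patch_applied", patch=patch.name, delta=delta, unexpected=unexpected)
    # 'after' becomes the new checksum baseline for the patched system.
    return {"applied": True, "delta": delta, "unexpected": unexpected, "new_baseline": after}


def demo() -> dict:
    """Build a constructed test system and run a tampered and a genuine patch through it."""
    tmp = Path(tempfile.mkdtemp())
    system = tmp / "system"
    (system / "bin").mkdir(parents=True)
    (system / "etc").mkdir()
    (system / "bin" / "app").write_text("app v1.0\n")
    (system / "etc" / "app.conf").write_text("log_level=info\n")
    (system / "etc" / "audit.conf").write_text("audit=on\n")

    # Constructed vendor patch: documented as touching only bin/app, but it
    # also switches auditing off, which the baseline comparison must catch.
    patch = tmp / "app-1.0.1.patch.json"
    patch.write_text(json.dumps({"bin/app": "app v1.0.1\n", "etc/audit.conf": "audit=off\n"}))
    vendor_hash = sha256_file(patch)  # simulates the hash published by the vendor

    # Constructed tampered copy of the same patch, as if altered in transit.
    tampered = tmp / "app-1.0.1.patch.json.tampered"
    tampered.write_text(json.dumps({"bin/app": "evil\n"}))

    log = tmp / "patch-audit.log"
    allowed = {"bin/app"}  # hypothetical allow-list from the vendor's release notes
    rejected = run_patch_workflow(system, tampered, vendor_hash, allowed, log)
    accepted = run_patch_workflow(system, patch, vendor_hash, allowed, log)
    return {"rejected": rejected, "accepted": accepted,
            "log_lines": log.read_text().count("\n")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The tampered copy is refused before any file is touched, and the genuine patch is installed but reported for changing etc/audit.conf, a path the vendor did not declare. In practice the expected hash comes from the vendor's signed advisory rather than from hashing the download itself, the before-and-after baselines are kept with the system's software archive, and the same workflow is repeated on production only after the test system has passed a vulnerability scan.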
IT SECURITY QUESTION: APPLICATION SECURITY
5. Determine whether re-establishment of any session after
interruption requires normal user identification, authentication,
and authorization.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
32. When a customer relationship
ends, does the institution continue to apply the customer's opt
out direction to the nonpublic personal information collected
during, or related to, that specific customer relationship (but not
to new relationships, if any, subsequently established by that
customer)? [§7(g)(2)]
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
please visit
http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially
those from news organizations. We may have a copy of the article, so
please e-mail us at examiner@yennik.com if we can be of assistance.