ANNOUNCEMENT - R. Kinney
Williams & Associates is pleased to announce that we perform
intranet-internal penetration testing in addition to our popular
external-Internet testing. To keep your cost affordable, we
install our pre-programmed scanner box on your network. To
maintain the independent testing required by the examiners, we
control the scanner box programming and testing procedures.
For more information, please visit
http://www.internetbankingaudits.com/ or email Kinney Williams
at examiner@yennik.com.
FYI -
Fair Credit Reporting Medical Information Regulations - On
December 4, 2003, the President signed into law the FACT Act, which
amends the FCRA. Pub. L. 108-159, 117 Stat. 1952. In general, the
FACT Act contains provisions designed to enhance the ability of
consumers to combat identity theft, increase the accuracy of
consumer reports, and allow consumers to exercise greater control
regarding the type and amount of marketing solicitations they
receive. Section 411 of the FACT Act limits the ability of creditors
to obtain or use, of consumer reporting agencies to disclose, and of
affiliates to share medical information.
NCUA
www.ncua.gov/news/proposed_regs/Proposed717.pdf
FRB
http://www.federalreserve.gov/boarddocs/press/foiadocs/2004/20040413/default.pdf
FYI -
NCUA - Controlling the Assault of Non-Solicited
Pornography and Marketing Act - The purpose of this letter is to
inform Credit Unions that the sending of information by electronic
mail, including marketing information initiated by the credit union
or a third party, may trigger compliance requirements recently
established by the Controlling the Assault of Non-Solicited
Pornography and Marketing Act.
www.ncua.gov/ref/reg_alerts/2004/04-RA-07.pdf
FYI -
Hackers hit supercomputing giants - Hackers have broken into
some of the world's most powerful computer clusters in recent weeks
in an apparently coordinated cyberattack targeting research and
academic institutions.
http://www.cnn.com/2004/TECH/internet/04/15/hackers.supercomputers.ap/index.html
FYI -
Teller pleads guilty to
fraud - He drove a Lincoln Navigator, a Lexus and a
Volkswagen Jetta. He had put down a deposit on a Mercedes Benz at a
dealership in Colorado.
http://www.wyomingnews.com/news/more.asp?StoryID=101987
INTERNET COMPLIANCE - Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit investment
products on-line should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 1 of 2)
Hardware and software located in a user department are often less
secure than those located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
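The booklet's recommendation of screensaver passwords and automatic timeouts is the one control in this passage that is enforced by configuration rather than by furniture or locks. The following PowerShell script is an added example, not text from the FFIEC booklet or from the newsletter: it audits a Windows workstation for a password-protected screen saver with an idle timeout and, when the check fails, writes the per-user policy values. The registry path and value names are the ones the Windows screen saver Group Policy settings use; the 10-minute maximum idle time and the use of the built-in blank screen saver are assumptions chosen for the example, not values the page states.

```powershell
# Added example (not from the FFIEC booklet or the newsletter): audit and, if
# needed, enforce a password-protected screen saver with an idle timeout.
# These are the policy values that the Group Policy settings "Enable screen
# saver", "Password protect the screen saver", "Screen saver timeout" and
# "Force specific screen saver" write under the current user's policy hive.

$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$RequiredTimeoutSeconds = 600            # assumed maximum idle time (10 minutes)
$ScreenSaverBinary = 'scrnsave.scr'     # built-in blank screen saver in System32

function Get-ScreenLockState {
    # Reads the current policy values; properties are empty when nothing is set.
    $props = if (Test-Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }
    [pscustomobject]@{
        Active         = [string]$props.ScreenSaveActive
        PasswordSecure = [string]$props.ScreenSaverIsSecure
        TimeoutSeconds = if ($props.ScreenSaveTimeOut) { [int]$props.ScreenSaveTimeOut } else { $null }
        Binary         = [string]$props.'SCRNSAVE.EXE'
    }
}

function Test-ScreenLockCompliant {
    # Compares the current state with the assumed policy and lists each gap.
    param([int]$MaxTimeoutSeconds = $RequiredTimeoutSeconds)
    $state = Get-ScreenLockState
    $findings = @()
    if ($state.Active -ne '1')         { $findings += 'screen saver not enabled' }
    if ($state.PasswordSecure -ne '1') { $findings += 'screen saver does not require a password' }
    if (-not $state.Binary)            { $findings += 'no screen saver executable forced' }
    if (-not $state.TimeoutSeconds -or $state.TimeoutSeconds -gt $MaxTimeoutSeconds) {
        $findings += "idle timeout missing or longer than $MaxTimeoutSeconds seconds"
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

function Set-ScreenLockPolicy {
    # Writes the policy values. They are stored as strings (REG_SZ), which is
    # what Group Policy itself writes for these settings.
    param([int]$TimeoutSeconds = $RequiredTimeoutSeconds)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name ScreenSaveActive    -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name ScreenSaverIsSecure -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name ScreenSaveTimeOut   -Value ([string]$TimeoutSeconds) -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'SCRNSAVE.EXE'      -Value $ScreenSaverBinary -Type String
}

# Usage: audit first, and only write the policy when the audit fails.
$result = Test-ScreenLockCompliant
if ($result.Compliant) {
    Write-Output 'Screen lock policy compliant.'
} else {
    Write-Output ('Non-compliant: ' + ($result.Findings -join '; '))
    Set-ScreenLockPolicy
    Write-Output 'Policy values written; they apply after the next logon or policy refresh.'
}
```

On a domain-joined fleet the same four values would normally be pushed from a Group Policy Object rather than written per machine; the script is useful as the examiner-style check that the policy actually reached a given workstation, which is the point the booklet makes about enforcement of controls.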
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
IT SECURITY QUESTION: D. USER EQUIPMENT SECURITY (E.G. WORKSTATION,
LAPTOP, HANDHELD)
7. Determine whether systems are protected against malicious software
such as Trojan horses, viruses, and worms.
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
41. Does the institution refrain from disclosing any nonpublic
personal information about a consumer to a nonaffiliated third
party, other than as permitted under §§13-15, unless:
a. it has provided the consumer with an initial notice;
[§10(a)(1)(i)]
b. it has provided the consumer with an opt out notice;
[§10(a)(1)(ii)]
c. it has given the consumer a reasonable opportunity to opt
out before the disclosure; [§10(a)(1)(iii)] and
d. the consumer has not opted out? [§10(a)(1)(iv)]
(Note: this disclosure limitation applies to consumers as
well as to customers [§10(b)(1)], and to all nonpublic personal
information regardless of whether collected before or after
receiving an opt out direction. [§10(b)(2)])