FYI - Perimeter security is changing fast - Most security
solutions today are built around attempting to protect the
vulnerability of the PC and, or the server, by attempting to keep
"bad" things outside of the network security perimeter. But, with
the changing and disappearing perimeter - security now needs to be
intrinsic in every system and for every user.
http://www.scmagazine.com/features/index.cfm?fuseaction=featureDetails&newsUID=19fbd87f-59bd-4e7f-a2e4-c981290fba5d
FYI - The Government Accountability Office (GAO) -
Electronic Government: Federal Agencies Continue to Invest in Smart
Card Technology.
Report:
http://www.gao.gov/cgi-bin/getrpt?GAO-04-948
Highlights:
http://www.gao.gov/highlights/d04948high.pdf
FYI - FEA security,
privacy profile issued - The Office of Management and Budget today
gave agencies a how-to guide to make sure security and privacy are
incorporated across all lines of business.
http://www.gcn.com/vol1_no1/daily-updates/27147-1.html
FYI - Hackers hijack
federal computers - Hundreds of powerful computers at the Defense
Department and U.S. Senate were hijacked by hackers who used them to
send spam e-mail, federal authorities say.
http://www.usatoday.com/tech/news/computersecurity/2004-08-30-cyber-crime_x.htm
FYI - XML Web services
security best practices - The rise of internetworking was fueled by
the use of network-level security technologies such as SSL, IPSec
and firewall filtering to create a secure perimeter around an
enterprise network.
http://zdnet.com.com/2102-1105_2-5345253.html?tag=printthis
INTERNET COMPLIANCE - Advertisements
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the
Internet or on-line text. Thus, institutions should carefully review
their on-line advertisements in an effort to minimize compliance
risk.
In addition, Internet or other systems in which a credit application
can be made on-line may be considered "places of business"
under HUD's rules prescribing lobby notices. Thus, institutions may
want to consider including the "lobby notice,"
particularly in the case of interactive systems that accept
applications.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SERVICE PROVIDER OVERSIGHT
Many financial institutions outsource some aspect of their
operations. Although outsourcing arrangements often provide a
cost-effective means to support the institution's technology needs, the
ultimate responsibility and risk rests with the institution.
Financial institutions are required under Section 501(b) of the GLBA
to ensure service providers have implemented adequate security
controls to safeguard customer information. Supporting interagency
guidelines require institutions to:
- Exercise appropriate due diligence in selecting service providers,
- Require service providers by contract to implement appropriate
security controls to comply with the guidelines, and
- Monitor service providers to confirm that they are maintaining
those controls when indicated by the institution's risk assessment.
Financial institutions should implement these same precautions in
all TSP relationships based on the level of access to systems or
data for safety and soundness reasons, in addition to the privacy
requirements.
Financial institutions should evaluate the following security
considerations when selecting or monitoring a service provider:
- Service provider references and experience,
- Security expertise of TSP personnel,
- Background checks on TSP personnel,
- Contract assurances regarding security responsibilities and
controls,
- Nondisclosure agreements covering the institution's systems and
data,
- Ability to conduct audit coverage of security controls, or
provisions for reports of security testing from independent third
parties, and
- Clear understanding of the provider's security incident response
policy and assurance that the provider will promptly notify the
institution of security incidents in which its systems or data may
have been compromised.
IT SECURITY QUESTION: BUSINESS CONTINUITY - SECURITY
2. Determine if substitute processing facilities and systems undergo
similar testing as production facilities and systems.
3. Determine if appropriate access controls and physical controls
have been considered and planned for the former production system
and networks when processing is transferred to a substitute
facility.
4. Determine if the intrusion detection and response plan considers
the resource availability and facility and systems changes that may
exist when substitute facilities are placed in use.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 6 of 6)
Redisclosure and Reuse Limitations on Nonpublic Personal
Information Received:
If a financial institution receives nonpublic personal
information from a nonaffiliated financial institution, its
disclosure and use of the information is limited.
A) For nonpublic personal information received under a section
14 or 15 exception, the financial institution is limited to:
1) Disclosing the information to the
affiliates of the financial institution from which it received the
information;
2) Disclosing the information to its
own affiliates, who may, in turn, disclose and use the information
only to the extent that the financial institution can do so; and
3) Disclosing and using the
information pursuant to a section 14 or 15 exception (for example,
an institution receiving information for account processing could
disclose the information to its auditors).
B) For nonpublic personal information received other than
under a section 14 or 15 exception, the recipient's use of the
information is unlimited, but its disclosure of the information is
limited to:
1) Disclosing the information to the
affiliates of the financial institution from which it received the
information;
2) Disclosing the information to its
own affiliates, who may, in turn, disclose the information only to
the extent that the financial institution can do so; and
3) Disclosing the information to any
other person, if the disclosure would be lawful if made directly to
that person by the financial institution from which it received the
information. For example, an institution that received a customer
list from another financial institution could disclose the list (1)
in accordance with the privacy policy of the financial institution
that provided the list, (2) subject to any opt out election or
revocation by the consumers on the list, and (3) in accordance with
appropriate exceptions under sections 14 and 15.
IN CLOSING - Under the FFIEC interagency Information Security
Booklet, the regulators are requiring financial institutions to have
at least an annual independent penetration test.
Did you know that there are over 3,700 known
vulnerabilities, with approximately 25 new vulnerabilities added
every week, and that 99% of unauthorized intrusions
resulted from known vulnerabilities? We can provide
independent penetration testing to help protect {custom4} from
unauthorized external access.
For
more information, please visit our web site at http://www.internetbankingaudits.com/
or email Kinney Williams at examiner@yennik.com.