FYI - Technology changes leave IT security playing catch up - The arrival of new waves of technology over the next five years will render existing information security measures obsolete and increase security risks in both new and legacy environments, industry experts have warned.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=8bbfeadb-a88f-4045-84c3-ecf86e8dd771&newsType=Latest%20News
FYI - Will 'bounty' scheme stop spammers? - The US Federal Trade Commission is considering offering bounties of as much as $250,000 on spammers in an attempt to bring more of them to justice.
http://www.silicon.com/research/specialreports/thespamreport/0,39025001,39124098,00.htm
FYI - Ex-Teledata employee pleads guilty in massive ID theft case - He was involved in a bid to steal the identities of up to 30,000 people - A former help desk employee at Teledata Communications Inc. pleaded guilty yesterday in a massive scheme to steal the identities of up to 30,000 people, according to U.S. Attorney David Kelley.
http://www.computerworld.com/printthis/2004/0,4814,95941,00.html
FYI - 4 tips for a strong defense - Agency efforts to tighten system security have evolved in recent months from documenting weaknesses to deploying security safeguards, said experts familiar with federal programs.
http://www.fcw.com/fcw/articles/2004/0920/pol-4tips-09-20-04.asp
FYI - Viruses keep on growing - The volume of worms and viruses is increasing, but the rate of successful attacks has dropped, according to a new report from Symantec.
The antivirus company's biannual Internet Security Threat Report found that 4,496 new Windows viruses and worms were released between January and June, more than 4.5 times the number seen in the same period last year. But the daily volume of actual attacks decreased in the first six months of 2004, Symantec said.
http://news.com.com/2102-7349_3-5374399.html?tag=st.util.print
FYI - OCC Chief Counsel Spotlights Challenges and Opportunities Presented By New Home Mortgage Disclosure Act Reporting Requirements - Chief Counsel and First Senior Deputy Comptroller Julie L. Williams told bankers today that new Home Mortgage Disclosure Act reporting requirements present challenges, but also offer banks an opportunity to grow and enhance their business.
Press Release:
www.occ.treas.gov/scripts/newsrelease.aspx?Doc=57CJ340Z.xml
Attachment:
http://www.occ.treas.gov/ftp/release/2004-90a.pdf
FYI - Internet Porn Gets A New Banker - South Jordan, Utah, just south of Salt Lake City, is an otherwise forgettable suburb. Other than the fact that it's the home of the Jordan River Utah Temple, which boasts the largest capacity of any Mormon church in the world, there isn't much else going on. South Jordan has another claim to fame, one the Chamber of Commerce is probably less eager to boast about: it's the hometown of what has likely become the largest U.S. processor of credit cards used to purchase Internet porn.
http://www.forbes.com/technology/2004/09/27/cz_sl_0927ibill.html?partner=rss
INTERNET COMPLIANCE - TRUTH IN SAVINGS ACT (REG DD)
Financial institutions that advertise deposit products and services on-line must verify that proper advertising disclosures are made in accordance with all provisions of the regulation. Institutions should note that the disclosure exemption for electronic media does not specifically address commercial messages made through an institution's web site or other on-line banking system. Accordingly, all of the advertising disclosure requirements apply to such messages.
Advertisements should be monitored for recency, accuracy, and compliance. Financial institutions should also refer to the Official Staff Commentary (OSC) to Regulation DD if the institution's deposit rates appear on third party web sites or as part of a rate sheet summary. These types of messages are not considered advertisements unless the depository institution, or a deposit broker offering accounts at the institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form that the consumer can keep. Until the regulation has been reviewed and changed, if necessary, to allow electronic delivery of disclosures, an institution that wishes to deliver disclosures electronically to consumers should supplement the electronic disclosures with paper disclosures.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
A maxim of security is "prevention is ideal, but detection is a must." Security systems must both restrict access and protect against the failure of those access restrictions. When those systems fail, however, an intrusion occurs and the only remaining protection is a detection-and-response capability. The earlier an intrusion is detected, the greater the institution's ability to mitigate the risk posed by the intrusion. Financial institutions should have a capability to detect and react to an intrusion into their information systems.
INTRUSION DETECTION
Preparation for intrusion detection generally involves identifying
data flows to monitor for clues to an intrusion, deciding on the
scope and nature of monitoring, implementing that monitoring, and
establishing a process to analyze and maintain custody over the
resulting information. Additionally, legal requirements may include
notifications of users regarding the monitoring and the extent to
which monitoring must be performed as an ordinary part of ongoing
operations.
Adequate preparation is a key prerequisite to detection. The best intrusion detection systems will not identify an intrusion if they are not positioned to collect the relevant data, do not analyze the correct data, or are not configured properly. Even if they do detect an intrusion, the information gathered may not be usable by law enforcement if proper notification of monitoring and preservation of data integrity have not taken place.
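The preparation steps described above (choosing a data flow to monitor, analyzing it, and keeping custody of what the analysis yields) are shown below as an added Python example; it is not from the FFIEC booklet or this newsletter. The monitored flow is sshd authentication outcomes; the syslog-style lines, host name, addresses and custodian address are constructed for illustration. Detection flags repeated password failures from one source against one account inside a short window, and a success that follows such failures. Each alert is then sealed into a SHA-256 hash chain so that later editing or deletion of an entry is detectable, which is the "preservation of data integrity" the passage refers to.

```python
import hashlib
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd/syslog-style sample records (not taken from any real system).
SAMPLE_LOG = """\
Sep 27 08:01:12 web1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51012 ssh2
Sep 27 08:01:15 web1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51013 ssh2
Sep 27 08:01:18 web1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51014 ssh2
Sep 27 08:01:21 web1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51015 ssh2
Sep 27 08:01:24 web1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51016 ssh2
Sep 27 08:01:30 web1 sshd[2202]: Accepted password for admin from 203.0.113.7 port 51017 ssh2
Sep 27 08:15:02 web1 sshd[2310]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Sep 27 09:00:41 web1 sshd[2450]: Failed password for root from 198.51.100.4 port 33001 ssh2
"""

# Step 1: decide which data flow to monitor. Here it is sshd authentication
# outcomes; any line that is not one of those is deliberately ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
GENESIS = "0" * 64  # anchor digest for the first entry of the evidence chain


def parse(text, year=2004):
    """Turn raw log lines into events; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "method": m["method"], "user": m["user"],
                       "src": m["src"], "raw": line})
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Step 2: analyze. Alert once when a (source, user) pair reaches `threshold`
    failures inside `window`, and again if a success follows those failures."""
    alerts = []
    recent = defaultdict(list)  # (src, user) -> failure events still inside the window
    for ev in events:
        key = (ev["src"], ev["user"])
        fails = [f for f in recent[key] if ev["ts"] - f["ts"] <= window]
        if ev["outcome"] == "Failed":
            fails.append(ev)
            if len(fails) == threshold:
                alerts.append(_alert("password_guessing", ev, fails))
        elif len(fails) >= threshold:
            # A success right after repeated failures: the guessing likely worked.
            alerts.append(_alert("success_after_guessing", ev, fails + [ev]))
            fails = []
        recent[key] = fails
    return alerts


def _alert(kind, ev, evidence):
    return {"type": kind, "host": ev["host"], "src": ev["src"], "user": ev["user"],
            "first": evidence[0]["ts"].isoformat(), "last": ev["ts"].isoformat(),
            "evidence": [e["raw"] for e in evidence]}


def _digest(entry):
    # Canonical JSON of everything except the digest field itself.
    body = {k: v for k, v in entry.items() if k != "digest"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def seal(alerts, custodian, prev_hash=GENESIS):
    """Step 3: custody. Each entry commits to the previous entry's digest, so an
    edit, insertion or deletion anywhere in the chain is detectable afterwards."""
    chain = []
    for seq, alert in enumerate(alerts):
        entry = {"seq": seq, "prev": prev_hash, "custodian": custodian, "alert": alert}
        entry["digest"] = _digest(entry)
        chain.append(entry)
        prev_hash = entry["digest"]
    return chain


def verify(chain):
    """Return (True, length) if the chain is intact, else (False, first bad index)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev or _digest(entry) != entry["digest"]:
            return False, i
        prev = entry["digest"]
    return True, len(chain)


if __name__ == "__main__":
    found = detect_password_guessing(parse(SAMPLE_LOG))
    sealed = seal(found, custodian="examiner@example.invalid")  # assumed custodian
    for a in found:
        print(a["type"], a["src"], a["user"], a["first"], "->", a["last"])
    print("chain intact:", verify(sealed))
```

On the constructed input the single failure against root and the key-based deploy login produce nothing; the five admin failures from 203.0.113.7 raise one alert and the following success raises a second. The hash chain only proves that stored entries were not altered after sealing; the custodian name, time of sealing, and who had access to the store still have to be recorded separately for the evidence to hold up.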
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
1. Identify controls used to detect and respond to unauthorized
activities.
- Review the schematic of the information technology systems for common intrusion detection systems.
- Review security procedures for daily and periodic report monitoring to identify unauthorized or unusual activities.
- Identify IT architectural design and intrusion detection systems that increase management's confidence that security is maintained (e.g., through the use of routers, host-based security, data segregation and information flows).
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Objectives
1. To assess the quality of a financial institution's compliance
management policies and procedures for implementing the privacy
regulation, specifically ensuring consistency between what the
financial institution tells consumers in its notices about its
policies and practices and what it actually does.
2. To determine the reliance that can be placed on a financial
institution's internal controls and procedures for monitoring the
institution's compliance with the privacy regulation.
3. To determine a financial institution's compliance with the
privacy regulation, specifically in meeting the following
requirements:
a) Providing to customers notices of its privacy policies and
practices that are timely, accurate, clear and conspicuous, and
delivered so that each customer can reasonably be expected to
receive actual notice;
b) Disclosing nonpublic personal information to nonaffiliated
third parties, other than under an exception, after first meeting
the applicable requirements for giving consumers notice and the
right to opt out;
c) Appropriately honoring consumer opt out directions;
d) Lawfully using or disclosing nonpublic personal information
received from a nonaffiliated financial institution; and
e) Disclosing account numbers only according to the limits in
the regulations.
4. To initiate effective corrective actions when violations of law
are identified, or when policies or internal controls are deficient.
IN CLOSING - The FFIEC interagency Internet guidelines require financial institution web sites to comply with consumer compliance, advertising, notification, weblinking, and other federal regulations. We have identified 17 federal regulations and over 130 issues that relate to an institution's web site. We also verify weblinks for functionality and appropriateness. As a former bank examiner with over 40 years' experience, we audit web sites following the FFIEC Internet guidelines for financial institutions across the country. Visit
http://www.bankwebsiteaudits.com
and learn how we can assist your financial institution.