FYI - Computer Software Due Diligence: Guidance on Developing an Effective Computer Software Evaluation Program to Assure Quality and Regulatory Compliance - The FDIC is issuing guidance to financial institutions on performing proper due diligence when selecting computer software or a service provider. This due diligence includes making sure that the software or service provider is compliant with applicable laws, including the Bank Secrecy Act, which includes the USA PATRIOT Act.
www.fdic.gov/news/news/financial/2004/fil12104.html
FYI - Data-recovery Plans Can Avert Disaster - In today's technology-dependent businesses, even small disruptions can render highly sophisticated machinery and information technology systems ineffective. Without a disaster-recovery plan, disruption-tolerant solutions, and data backups, there isn't much that an organization can do when disaster strikes.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5562
FYI - A German antivirus-software company has broken off its partnership with firewall firm SecurePoint because of SecurePoint's decision to hire Sven Jaschan, the alleged creator of the Sasser virus.
http://news.zdnet.com/2102-1009_22-5453166.html?tag=printthis
FYI - Banks prepare for ATM cyber crime - An international group of law enforcement and financial industry associations hopes to prevent a new type of bank robbery before it gets off the ground: cyber attacks against automated teller machines.
http://www.securityfocus.com/printable/news/9903
FYI - The Fed learns from experience - Every cyberattack is a classroom. That's the view of the Federal Reserve. To protect the Reserve's IT infrastructure, the systems team searches for lessons to be gleaned from each attack, said Mary Ann Emerson, the Federal Reserve Board's IT director.
http://www.gcn.com/vol1_no1/daily-updates/27859-1.html
FYI - The Worst Case Scenario - A recent case in the Queen's Bench in London illustrates the need for just such a handbook for the IT security environment, particularly as it applies to insurance policies that are supposed to protect you from loss of electronic information.
http://www.securityfocus.com/printable/columnists/276
FYI - Net banking gains popularity, study says - The number of Americans turning to the Internet for personal banking at least some of the time has risen to 40 percent from 23 percent two years ago, according to a new study.
http://news.com.com/Net+banking+gains+popularity%2C+study+says/2100-1038_3-5456228.html?tag=cd.top
FYI - Electronic Fund Transfers: Proposed Amendments to Regulation E Concerning Payroll Cards - This bulletin transmits proposed amendments to Regulation E concerning payroll cards. Under these amendments, the term "account" would include a payroll card account; additional guidance on electronic check conversions would be provided; banks would be allowed to issue multiple replacement access cards; the rules concerning preauthorized EFTs would be amended; the "four walls rule" would be clarified; and, if an ATM operator does not always charge for a particular transaction on its ATMs, it would be allowed to provide notice on these ATMs that a fee "may be" charged.
Press Release: www.occ.treas.gov/ftp/bulletin/2004-52.txt
Attachment: www.occ.treas.gov/fr/fedregister/69fr55996.pdf
FYI - Reports on the disclosure of fees that a depository institution may impose when a customer chooses to secure a point-of-sale debit transaction by providing a personal identification number. Discusses the prevalence of PIN fees; the degree of compliance by depository institutions with current disclosure requirements; the adequacy of existing disclosures and the likely benefits and costs of new requirements for disclosure statements; and the feasibility of real-time disclosure.
www.federalreserve.gov/boarddocs/rptcongress/posdebit2004.pdf
INTERNET COMPLIANCE - Fair Housing Act
A financial institution that advertises on-line credit products that
are subject to the Fair Housing Act must display the Equal Housing
Lender logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's
regulator.
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in
person" applications. Accordingly, information about these
applicants' race or national origin and sex must be collected. An
institution that accepts applications through electronic media
without a video component, for example, the Internet or facsimile,
may treat the applications as received by mail.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
INTRUSION RESPONSE (Part 2 of 2)
Successful implementation of any response policy and
procedure requires the assignment of responsibilities and training.
Some organizations formalize the response organization with the
creation of a computer security incident response team (CSIRT). The
CSIRT is typically tasked with performing, coordinating, and
supporting responses to security incidents. Due to the wide range of
non-technical issues that are posed by an intrusion, typical CSIRT
membership includes individuals with a wide range of backgrounds and
expertise, from many different areas within the institution. Those
areas include management, legal, public relations, as well as
information technology. Other organizations may outsource some of
the CSIRT functions, such as forensic examinations. When CSIRT
functions are outsourced, institutions should ensure that their
institution's policies are followed by the service provider and
confidentiality of data and systems are maintained.
Institutions can best assess the adequacy of their preparations through testing.
While containment strategies vary between institutions, they typically include the following broad elements:
- Isolation of compromised systems, or enhanced monitoring of intruder activities;
- Search for additional compromised systems;
- Collection and preservation of evidence; and
- Communication with affected parties, the primary regulator, and law enforcement.
Restoration strategies should address the following:
- Elimination of an intruder's means of access;
- Restoration of systems, programs and data to a known good state;
- Filing of a Suspicious Activity Report (guidelines for filing are included in individual agency guidance); and
- Communication with affected parties.
IT SECURITY QUESTION: INTRUSION DETECTION AND RESPONSE
18. Determine if the information disclosure policy addresses the
appropriate regulatory reporting requirements.
19. Determine if the security policy provides for a provable chain
of custody for the preservation of potential evidence through such
mechanisms as a detailed action and decision log indicating who made
each entry.
20. Determine if the policy requires all compromised systems to be
restored before reactivation, through either rebuilding with
verified good media or verification of software cryptographic
checksums.
21. Determine whether all participants in intrusion detection and
responses are trained adequately in the intrusion detection and
response policies, their roles, and the procedures they should take
to implement the policies.
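Two of the controls the examiner is asked to look for, the provable chain of custody through an action and decision log (question 19) and restoration verified against software cryptographic checksums (question 20), lend themselves to mechanical checks. What follows is an added example written for this section of the newsletter, not code from the FFIEC booklet or any agency guidance. The file paths, digests, timestamps and log entries are constructed sample data, and the manifest layout and the hash-chained log format are this example's own design rather than any prescribed format.

```python
import hashlib
import json

# Constructed sample data (not from any agency guidance): a known-good
# manifest recorded for a rebuilt host before it went into service, and
# the file contents as observed when the host is checked before reactivation.
KNOWN_GOOD_MANIFEST = {
    "/usr/local/bin/app": hashlib.sha256(b"release build 1.4.2").hexdigest(),
    "/etc/app/config.ini": hashlib.sha256(b"[server]\nport=8443\n").hexdigest(),
    "/etc/app/policy.json": hashlib.sha256(b'{"mfa": true}').hexdigest(),
}

OBSERVED_FILES = {
    "/usr/local/bin/app": b"release build 1.4.2",               # unchanged
    "/etc/app/config.ini": b"[server]\nport=8443\ndebug=1\n",   # altered
    # "/etc/app/policy.json" is absent from the rebuilt host
    "/tmp/.cache.so": b"not in the baseline",                   # unexpected extra
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_against_manifest(manifest: dict, observed: dict) -> dict:
    """Compare observed file contents with a known-good manifest.

    Returns three lists: files whose digest differs from the baseline,
    baseline files that are missing, and files present on the host that
    the baseline never listed. All three empty means the host matches.
    """
    modified = sorted(
        path for path, expected in manifest.items()
        if path in observed and sha256_hex(observed[path]) != expected
    )
    missing = sorted(path for path in manifest if path not in observed)
    unexpected = sorted(path for path in observed if path not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def is_known_good(report: dict) -> bool:
    """True only when every category in the verification report is empty."""
    return not any(report.values())


# Chain-of-custody log: each entry carries the hash of the previous entry,
# so editing or deleting any earlier entry breaks verification of the chain.
GENESIS_HASH = "0" * 64


def append_entry(log: list, ts: str, actor: str, action: str, decision: str) -> dict:
    """Append a tamper-evident action/decision record naming who made it."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS_HASH
    entry = {
        "seq": len(log),
        "ts": ts,
        "actor": actor,
        "action": action,
        "decision": decision,
        "prev_hash": prev_hash,
    }
    # Canonical JSON (sorted keys) so the digest is reproducible on re-check.
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_log_chain(log: list) -> bool:
    """Recompute every entry hash and every prev_hash link; False on any break."""
    expected_prev = GENESIS_HASH
    for seq, entry in enumerate(log):
        if entry["seq"] != seq or entry["prev_hash"] != expected_prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        expected_prev = entry["entry_hash"]
    return True


def demo() -> tuple:
    """Run both checks on the constructed sample data."""
    report = verify_against_manifest(KNOWN_GOOD_MANIFEST, OBSERVED_FILES)
    log = []
    append_entry(log, "2004-11-01T09:12:00Z", "analyst1",
                 "imaged disk of host-17", "preserve image, hold original")
    append_entry(log, "2004-11-01T10:05:00Z", "analyst2",
                 "hashed image", "record digest in case file")
    intact_before = verify_log_chain(log)
    log[0]["decision"] = "original wiped"   # simulate an after-the-fact edit
    intact_after = verify_log_chain(log)
    return report, intact_before, intact_after


if __name__ == "__main__":
    print(demo())
```

A host whose report is not clean should not be reactivated; the "unexpected" list is as important as "modified", since a rebuilt system should carry nothing the verified media did not put there. The log chain only proves integrity relative to its most recent hash, so that hash should be copied somewhere the log's custodians cannot alter (a case file, a printout signed at handover) for the proof to be independent of the log itself.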
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third parties under Sections 13, 14 and/or 15 but not outside of these exceptions (Part 2 of 2)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial and annual
privacy notices. Determine whether or not they:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§§6, 13).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§4(a));
b. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9); and
c. For customers only, review the timeliness of delivery (§§4(d), 4(e), and 5(a)), means of delivery of the annual notice (§9(c)), and accessibility of or ability to retain the notice (§9(e)).
IN CLOSING - The FFIEC interagency Internet guidelines require financial institution web sites to comply with consumer compliance, advertising, notification, weblinking, and other federal regulations. We have identified 17 federal regulations and over 130 issues that relate to an institution's web site. We also verify weblinks for functionality and appropriateness. As a former bank examiner with over 40 years of experience, we audit web sites following the FFIEC Internet guidelines for financial institutions across the country. Visit http://www.bankwebsiteaudits.com and learn how we can assist your financial institution.