FYI - Petco settles with FTC over cyber security gaffe - Pet
supply retailer Petco Animal Supplies Inc. will be on a short
cybersecurity leash for the next 20 years to settle a Federal Trade
Commission action over a security hole on its e-commerce site that
may have left as many as 500,000 customer credit card numbers
exposed to hackers.
http://www.securityfocus.com/printable/news/9957
FYI - FTC Alleges Mortgage Companies Failed to Protect
Customers' Personal Information - As part of a nationwide compliance
sweep, the Federal Trade Commission has charged two mortgage
companies with violating the agency's Gramm-Leach-Bliley (GLB)
Safeguards Rule by not having reasonable protections for customers'
sensitive personal and financial information.
http://rismedia.com/index.php/article/articleprint/8396/-1/1/
FYI - Eight best practices for disaster recovery - Given the
number of blackouts, hurricanes and other disasters that have come
our way over the past few years, many CIOs are wisely reexamining
their disaster recovery strategies. Executive Council members share
some of their tried-and-true methods.
http://www.computerworld.com/printthis/2004/0,4814,97620,00.html
FYI - Verisign: Better Hackers Behind Attack Boom - Security
events in the third quarter jumped 150 percent over the same period
last year, fueled by more sophisticated hackers writing better code
who are more interested in dollars than creating computer disasters,
said Internet security firm VeriSign Tuesday.
http://www.techweb.com/article/printableArticle.jhtml?articleID=53200186&site_section=700028
FYI - Colombian bank launches biometric ATM - Bank customers in
Colombia now have the option of using their fingerprints to withdraw
cash from ATMs.
http://news.com.com/Colombian+bank+launches+biometric+ATM/2100-7348_3-5469902.html?tag=cd.top
INTERNET COMPLIANCE - Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit investment
products on-line should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with
this Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
BUSINESS CONTINUITY CONSIDERATIONS
Events that trigger the implementation of a business continuity plan
may have significant security considerations. Depending on the
event, some or all of the elements of the security environment may
change. Different people may be involved in operations, at a
different physical location, using similar but different machines
and software which may communicate over different communications
lines. Depending on the event, different tradeoffs may exist between
availability, integrity, confidentiality, and accountability, with a
different appetite for risk on the part of management.
Business continuity plans should be reviewed as an integral part of
the security process. Risk assessments should consider the changing
risks that appear in business continuity scenarios and the different
security posture that may be established. Strategies should consider
the different risk environment and the degree of risk mitigation
necessary to protect the institution in the event the continuity
plans must be implemented. The implementation should consider the
training of appropriate personnel in their security roles, and the
implementation and updating of technologies and plans for back-up
sites and communications networks. Testing these security
considerations should be integrated with the testing of business
continuity plan implementations.
IT SECURITY QUESTION: SERVICE PROVIDER OVERSIGHT-SECURITY
1. Determine if contracts contain security requirements that at
least meet the objectives of the Section 501(b) GLBA security
guidelines and contain nondisclosure language regarding specific
requirements.
2. Determine whether the institution has assessed the service
provider's ability to meet contractual security requirements.
3. Determine whether appropriate controls exist over the
substitution of personnel on the institution's projects and
services.
4. Determine whether appropriate security testing is required and
performed on any code, system, or service delivered under the
contract.
5. Determine whether appropriate reporting of security incidents is
required under the contract.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties only under Sections 14 and/or 15.
Note: This module applies only to customers.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with
nonaffiliated third parties and obtain a sample of data shared
between the institution and the third party.
a. Compare the data shared and with whom the data were shared
to ensure that the institution accurately states its information
sharing practices and is not sharing nonpublic personal information
outside the exceptions.
B. Presentation, Content, and Delivery of Privacy Notices
1) Obtain and review the financial institution's initial and
annual notices, as well as any simplified notice that the
institution may use. Note that the institution may only use the
simplified notice when it does not also share nonpublic personal
information with affiliates outside of Section 14 and 15 exceptions.
Determine whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information (§6).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written customer records where available, determine if the
institution has adequate procedures in place to provide notices to
customers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the customer agrees; or as a necessary step
of a transaction) (§9) and accessibility of or ability to retain
the notice (§9(e)).
IN CLOSING - The FFIEC interagency
Internet guidelines require financial institution web sites to comply
with consumer compliance, advertising, notifications, weblinking, and other federal
regulations. We have identified 17 federal regulations and over 130 issues
that relate to an institution's web site. We also verify weblinks for
functionality and appropriateness. As a former bank examiner with
over 40 years' experience, we audit web sites following the FFIEC Internet
guidelines for financial institutions across the country. Visit
http://www.bankwebsiteaudits.com
and learn how we can assist your financial institution.