R. Kinney Williams & Associates®

Internet Banking News

December 19, 2004
With more than 40 years auditing only financial institutions, my experience in testing your Internet connection for vulnerabilities and understanding your IT operation is unmatched.  Visit http://www.internetbankingaudits.com/ for more detailed information.

CONTENT: Internet Compliance | Information Systems Security | IT Security Question | Internet Privacy | Website for Penetration Testing


GRAY GHOST - Because of scheduling problems, I was not able to go on the annual horseback ride to northern New Mexico this year.  I was able to go on a cattle roundup this summer, and Gray Ghost was moved into new living quarters.  I posted some pictures that I hope you enjoy during the Christmas season at http://www.yennik.com/pictures/index.htm.


FYI - "The Top 10 Reasons Why Users Should Not Have Local Admin Rights." This was a fun discussion on the NTSYSADMIN list that I thought was useful for all of us: (Found on http://www.w2knews.com)

10. Allows Malware to really *REALLY* hose the PC if it gets hit
9. Allows users to mess up their settings royally
8. Administrative nightmare to manage
7. Must spend more time ghosting machines because of 10, 9, and 8
6. Users get rather pissy about the loss of data stemming from 7
5. Any corporate software and mail policy can be easily broken
4. They can undermine anything administratively done to their machines
3. With only minor creativity in phrasing, local admin rights can easily violate Sarbanes-Oxley and other pseudo-security legislation
2. Users can load any software, even illegal stuff...
1. Makes corporate security people laugh so hard, they can't effectively do their jobs

FYI - Court Says Interior Dept. Can Stay Online - The U.S. Interior Department can keep its computers connected to the Internet despite the fact that payments owed to American Indians are vulnerable to hackers, an appeals court ruled. http://www.reuters.com/newsArticle.jhtml?storyID=6992188

FYI - Australia Government launches anti-cyberterrorism campaign - The government is seeking help from the IT community to help identify and plug vulnerabilities in Australia's critical infrastructure to protect citizens from cyber terrorism. Attorney-General Philip Ruddock announced the government was going to spend more than AU$8 million on the Computer Network Vulnerability Assessment (CNVA) program, which will identify and plug any security vulnerabilities in the "computer networks and systems that support the provision of essential services to Australians." http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39168444-2000061744t-10000005c

FYI - S'pore pushes business continuity, disaster recovery standard - A new certification program has been developed in Singapore to help raise the quality of business continuity and disaster recovery services, and establish the island-state as a key destination for high-end business process outsourcing services. http://asia.cnet.com/news/security/printfriendly.htm?AT=39203480-39037064t-39000005c

FYI - Tech firms, FBI to fight phishing - A group of Internet companies and law-enforcement agencies said Wednesday that they will work together to track down online scam artists who pose as banks and other legitimate businesses, a practice known as phishing.
http://news.com.com/Tech+firms%2C+FBI+to+fight+phishing/2100-7348_3-5485212.html?tag=cd.top

FYI - Lowe's Hardware Hacker Gets Nine Years - One of three Michigan men who hacked into the national computer system of Lowe's hardware stores and tried to steal customers' credit card information was sentenced Wednesday to nine years in federal prison.
http://news.yahoo.com/news?tmpl=story&cid=562&u=/ap/20041215/ap_on_hi_te/hacking_charges_1&printer=1 



INTERNET COMPLIANCE - Disclosures/Notices (Part 2 of 2)

In those instances where an electronic form of communication is permissible by regulation, to reduce compliance risk institutions should ensure that the consumer has agreed to receive disclosures and notices through electronic means. Additionally, institutions may want to provide information to consumers about the ability to discontinue receiving disclosures through electronic means, and to implement procedures to carry out consumer requests to change the method of delivery. Furthermore, financial institutions advertising or selling non-deposit investment products through on-line systems, like the Internet, should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.


INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.

INSURANCE  (Part 1 of 2)

Insurance coverage is rapidly evolving to meet the growing number of security-related threats. Coverage varies by insurance company, but currently available insurance products may include coverage for the following risks:

- Vandalism of financial institution Web sites,
- Denial-of-service attacks,
- Loss of income,
- Computer extortion associated with threats of attack or disclosure of data,
- Theft of confidential information,
- Privacy violations,
- Litigation (breach of contract),
- Destruction or manipulation of data (including viruses),
- Fraudulent electronic signatures on loan agreements,
- Fraudulent instructions through e-mail,
- Third-party risk from companies responsible for security of financial institution systems or information,
- Insiders who exceed system authorization, and
- Incident response costs related to the use of negotiators, public relations consultants, security and computer forensic consultants, programmers, replacement systems, etc.

Financial institutions can attempt to insure against these risks through existing blanket bond insurance coverage added on to address specific threats. It is important that financial institutions understand the extent of coverage and the requirements governing the reimbursement of claims. For example, financial institutions should understand the extent of coverage available in the event of security breaches at a third-party service provider. In such a case, the institution may want to consider contractual requirements that require service providers to maintain adequate insurance to cover security incidents.

When considering supplemental insurance coverage for security incidents, the institution should assess the specific threats in light of the impact these incidents will have on its financial, operational, and reputation risk profiles. Obviously, when a financial institution contracts for additional coverage, it should ensure that it is aware of and prepared to comply with any required security controls both at inception of the coverage and over the term of the policy.



IT SECURITY QUESTION: 
ENCRYPTION

1. Review the information security risk assessment and identify those items and areas classified as requiring encryption.

2. Evaluate the appropriateness of the criteria used to select the type of encryption/cryptographic algorithms.

- Consider if cryptographic algorithms are both publicly known and widely accepted (e.g. RSA, SHA, Triple DES, Blowfish, Twofish, etc.) or banking industry standard algorithms.
- Note the basis for choosing key sizes (e.g., 40-bit, 128-bit) and key space.
- Identify management's understanding of cryptography and expectations of how it will be used to protect data.
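The three review points above (is the algorithm publicly known and accepted, is the key size justified, is the key space adequate) can be applied mechanically to an encryption inventory drawn from the risk assessment. The following script is an added illustration, not part of the newsletter or the FFIEC booklet: the accepted-algorithm list, the minimum key sizes and the sample inventory are all constructed for this example and stand in for an institution's own policy, not for any regulatory threshold.

```python
from dataclasses import dataclass

# Hypothetical institution policy (constructed for this example): algorithms the
# reviewer treats as publicly known and widely accepted, mapped to the minimum
# key size in bits the policy accepts. These thresholds are assumptions, not
# figures from the newsletter or from any standard.
ACCEPTED_ALGORITHMS = {
    "RSA": 2048,
    "AES": 128,
    "Triple DES": 168,
    "Blowfish": 128,
    "Twofish": 128,
}


@dataclass
class EncryptionUse:
    """One item from the risk assessment that was classified as requiring encryption."""
    asset: str            # what is being protected
    algorithm: str        # algorithm as documented by the owner or vendor
    key_bits: int         # configured key length in bits
    key_size_basis: str   # documented reason for that key length; "" if none recorded


def review_use(use: EncryptionUse) -> list[str]:
    """Return audit findings for a single encryption use (empty list means no exception)."""
    findings = []
    minimum = ACCEPTED_ALGORITHMS.get(use.algorithm)
    if minimum is None:
        # Not on the accepted list: either proprietary/unvetted or simply undocumented.
        findings.append(
            f"{use.asset}: '{use.algorithm}' is not on the accepted-algorithm list; "
            "obtain the basis for selecting it"
        )
    elif use.key_bits < minimum:
        # Key space is 2^bits; report it so the reviewer can see the scale of the shortfall.
        findings.append(
            f"{use.asset}: {use.algorithm} key of {use.key_bits} bits is below the "
            f"policy minimum of {minimum} bits (key space 2^{use.key_bits} vs 2^{minimum})"
        )
    if not use.key_size_basis.strip():
        findings.append(
            f"{use.asset}: no documented basis for the {use.key_bits}-bit key size"
        )
    return findings


def review_inventory(uses: list[EncryptionUse]) -> dict[str, list[str]]:
    """Review every inventory item and return findings keyed by asset name."""
    return {use.asset: review_use(use) for use in uses}


# Constructed sample inventory; the asset names and settings are invented.
SAMPLE_INVENTORY = [
    EncryptionUse("Internet banking session", "RSA", 2048,
                  "Vendor guidance and policy minimum for server certificates"),
    EncryptionUse("Archived statement files", "Blowfish", 40,
                  "Default setting of archiving product"),
    EncryptionUse("Wire transfer instructions", "VendorCipher", 128, ""),
]


if __name__ == "__main__":
    for asset, findings in review_inventory(SAMPLE_INVENTORY).items():
        status = "no exceptions" if not findings else f"{len(findings)} finding(s)"
        print(f"{asset}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as a script it prints one line per asset plus any findings; the two items the policy rejects are a 40-bit key (the key-space point) and a vendor-specific algorithm with no recorded selection basis (the publicly-known point).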


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Redisclosure of nonpublic personal information received from a nonaffiliated financial institution outside of Sections 14 and 15.

A. Through discussions with management and review of the institution's procedures, determine whether the institution has adequate practices to prevent the unlawful redisclosure of the information where the institution is the recipient of nonpublic personal information (§11(b)). 

B. Select a sample of data received from nonaffiliated financial institutions and shared with others to evaluate the financial institution's compliance with redisclosure limitations.

1.  Verify that the institution's redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution's own affiliates, except as otherwise allowed in step 2 below (§11(b)(1)(i) and (ii)).

2.  If the institution shares information with entities other than those under step 1 above, verify that the institution's information sharing practices conform to those in the nonaffiliated financial institution's privacy notice (§11(b)(1)(iii)).

3.  Also, review the procedures used by the institution to ensure that the information sharing reflects the opt out status of the consumers of the nonaffiliated financial institution (§§10, 11(b)(1)(iii)).  

IN CLOSING
- The FFIEC interagency Internet guidelines require financial institution web sites to comply with consumer compliance, advertising, notifications, weblinking, and other federal regulations.  We have identified 17 federal regulations and over 130 issues that relate to an institution's web site.  We also verify weblinks for functionality and appropriateness.  As a former bank examiner with over 40 years' experience, we audit web sites following the FFIEC Internet guidelines for financial institutions across the country.  Visit http://www.bankwebsiteaudits.com and learn how we can assist your financial institution.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; our logo is registered with the United States Patent and Trademark Office.  © Copyright Yennik, Incorporated