Event Summary
On October 22, the White House and Congress agreed to change outdated US banking laws. Until this agreement was reached, the White House had promised to veto the banking reform bill. Details of the compromise have reportedly not yet been disclosed. The new legislation is intended to replace banking laws written during the Depression era with up-to-date, Year 2000 era banking laws.
Currently, FDIC policy only "encourages" banks to perform information security audits. If a bank does decide to have an information security audit done, the independent security auditor is hired by the bank itself, which can create a conflict of interest. In addition, today's banks are not qualified to judge which Information Technology consultants perform quality audits. Just because a consulting house is a big, well-known name does not guarantee that it will perform an exhaustive, high-quality information security audit. Every consultancy that performs information security audits does them differently.
The FDIC reviews these optional audits and assigns what is called a URSIT rating to the financial institution. URSIT stands for Uniform Rating System for Information Technology and is an indicator of how well a bank manages its internal information technology systems, including their security. Currently, the FDIC does not have any procedures for how URSIT ratings are assigned, and URSIT ratings are made available only to the bank's board of directors.
Market Impact
The October 22nd announcement is a clear admission that today's banking laws do little to take internet banking, and internet banking security, into consideration.
When Stephen White, an information review examiner for the FDIC, was asked, "Due to all the security compromises on government systems, how can you expect the general public to have faith in the government's ability to monitor information security at banks?" he responded that today's URSIT ratings are meaningless without facts to support them.
Clearly, some banking reform and regulation is in dire need. An independent auditor, not paid by a bank's board of directors, should be auditing all FDIC-insured banks. The FDIC's information security audit should be standardized and presented to various private sector security forums for review.
User Recommendations
Take precautions when doing internet banking or any financial transactions over the internet.
- Ask your bank to see a copy of its Information Security Policy. If they won't let you see it, there is a high probability that they don't have an Information Security Policy. If they don't have an Information Security Policy, you can bet that information security, and the security of internet banking, is not one of their priorities.
- Ask your bank who the independent auditor is that performed their last information security audit. Ask the independent auditor to see their Information Security Audit Vulnerability Service Level Description (SLD). If they don't have an Information Security Audit SLD, you can be sure that they are making up the process as they go along.
- Make sure that your browser is SSL enabled. SSL encrypts the transmission of data between a user's browser and the transaction server at the application layer.