The short of this article is that allowing flash applications in facebook/myspace is similar to the security issues we see with running “ajax” in browsers.

The long of the article is that an application is allowed to execute code within the flash environment. Normally, this behavior is limited to the local flash environment so the threat is limited. However, it has recently been discovered that there are ways to reach outside of the environment and access other domains. Aside from the obvious risk, there is the side effect that any attacks executed this way would appear to be perpetrated by the victim’s account rather than the attacker. Myspace and Facebook appear to be acting quickly to resolve the issue.

This brings into question once again the security versus productivity debate. You can prevent access to these sites and thereby sidestep the security risks. However, locking the sites down may result in losing talented individuals to other companies that do allow access to these sites. The only right answer is the answer your organization comes to after appropriate risk assessment.

OFM — Online Financial Management — applications are the next step beyond PFM (personal financial management) programs. For community and mid-market banks and credit unions trying to compete with top-5 national institutions, offering an OFM application on their online banking site can be a huge differentiator. According to Digital Insight’s 2nd Annual Online Financial Management survey, 80% of consumers want to manage their own finances online with their financial institution, an increase from 68% in 2008.

At Digital Insight, we define OFM as applications that expand the PFM concept to also include programs for small business owners such as invoicing, payroll, and preparation of legal forms. This is particularly attractive to the nearly 23 million US small businesses that have less than 5 employees and to the 41% of Americans who run a small business in addition to their main job.[1]

For consumers and small business owners, the key attractions of OFM include aggregation — the ability to manage all their finances and many of their business functions on one Web site with one log in — as well as greater control of their finances with planning and budget management features, and the security of using a site hosted by their financial institution.

In our research with our own OFM products, FinanceWorks^TM and Small Business FinanceWorks^TM, we’ve seen nearly 80% of FW users say the product has made them more likely to stay with their bank or credit union and recommend it to others. FinanceWorks users are 4x more profitable than the average customer, and they hold 30% more outstanding loans. So we view OFM offerings as delivering a significant competitive advantage, especially for mid-market financial institutions trying to compete with huge national firms.

We’re interested in the community’s thoughts on this subject and what your experiences with OFM, if any, have been. For those that offer OFM products to their customers, what are the trends you’re seeing? What motivated you to offer these products? If you’re not offering OFM, are you considering it? If so, how is the evaluation process going? At the BAI Retail Delivery conference? Stop by booth #801 to learn more or visit ofm.financeworks.com.

[1] Digital Insight February 10, 2009 Press Release

But , any organization that recognizes the reduce costs that come from a Central Risk Management Program should also recognize that Continuous Compliance is achieved by installing collaboration into the culture.
http://bit.ly/c21iy

Posted via email

“Stop, think, delete & play hard to get” – This makes it sound so very easy yet many are sucked in by phishing scams – daily.  No matter how tech savvy we are none of us are immune! The “hard to get” email address advice in the article is quite interesting.  The thing is, I have had my email address since college (a longgggg time ago) and changing it now doesn’t sit well with me. Hmmmph…. food for thought. Would love to hear any other great tips!

Ran across this article today on BankInfoSecurity.com and reminded me that we have seen this simple scam recently too. At banks where we have seen this it looks like the phishers are just finding phone numbers in the phone book or local directories, picking a financial institution and calling all the people in the phone book, even if they aren’t the bank’s customers. The call is automated and sounds something like this…

“Hello, we are calling on behalf of (Insert FI Name Here) and want to confirm some recent purchases posted to your account. Will you please type in your PIN and Debit Card number with the 10 Digit keypad…..”

This doesn’t work for many accounts, but all they need to do is have two successful hits and it pays for itself. The calls come from a hosted data center, and can be shut down fairly easily by the FBI, but are rarely tracked back to the fraudsters. The calls are usually shut down within a few hours at no cost to the financial institution, unless some customers fell for it.

1) Private Messages

In our messages section you always had a way to post a message to anyone that had access to the project but now we have a ‘private’ message feature that will allow you to post just to the people that are apart of your company only. We want it to be easy for you to share both public and private documents with your company and clients. Now you can do both!

2)Detailed Email Notifications

We first built email notification to be very cautious of privacy and security with very limited information. But the community has spoken and you told us that you wanted a wee bit more information in those emails so we now give you both abilities. All you have to do is go to the Settings tab of the project your in and check this box. After that all your messages, resolutions, notifications will come with more detailed emails.

We aim to please so please continue to submit your feedback and features!

1)  How much more does this cost? SAME PRICE. Our Continuous Compliance process is just a methodology change.  We are able to keep the process the same cost by proactively addressing risk in Technology Committee Meetings, reviewing low risk areas less than annually and regularly following up with findings (this process usually takes up quite a bit of time during a one week engagement.

2)  Why do you want to be in on Technology Committee meetings?  We would like to participate in these meetings to know what is happening within the environment and proactively address potential risk areas.  For example, if you are going to rollout remote deposit for commercial customers, we can be sure a risk assessment has been conducted, policies approved, etc. before they become ‘findings’.

3)  What do the examiners think about Continuous Compliance?  I’ve spoken with several examiners and a couple of them actually, prefer this process to what we currently do.  They always say the disclaimer, as long as everything that needs to be reviewed annually is done, then they are fine with it.  That is why we will always do the Information Security section and ensuring your policy/procedures are approved annually.

4)  What about reports?  Two things here, we’ll be using RiskKey to manage this process so all of our reports will come out of here.  So we will provide regular reports out of RiskKey to discuss in Technology or Audit Committees.  Next, since we are regularly interacting with clients, all you need to do is just let us know you would like some formal reports for examiners and we can put together the most up-to-date reports,  so if you have addressed risk areas recently, they won’t show up as risk areas in the most up to date reports.

5)  How did you develop the Technology Audit Schedule?  We risk rated the sections based on our last full week type of audit.  This is where we currently see your risk structure as.  We also base it off of industry trends and overall risk structure of the section for all financial institutions.  If you think it is different then let us know.  The timelines to complete audits are negotiable, but risk ratings are not.  For example, we have one client that wants their Website audited annually, even though we said it was a low risk which means it only needs to be reviewed every 18 months. No problem!  We’ll also review sections that have major updates or conversions, so if you change wire systems, we’ll do a wire audit after conversion.

Those are the questions I answer most frequently, but let us know if you have anymore.  We’re here to help!

Posted via email