03/03/2003
We are in the process of initiating a customer ID program using "passwords" when a customer calls in requesting a bank balance. We have always been careful when giving out information requiring some type of info from their account. However, with identity theft a serious problem and with our bank expanding into other markets, we want to implement a better program. How have other banks handled the initial set up of an ID program? Should a customer submit a signed form with a password listed by mail if they live out of town? How do banks handle customers who have forgotten their passwords?
02/17/2003
An issue has come up a couple times in the recent past: Our customers are sending emails directly to our employees, especially our commercial customers. The emails are not encrypted or password protected and they often contain non-public information - loan requests, updates on rent rolls, financial information on their company. Our customers want us to communicate in email form. We offer email that is encrypted via our Internet banking product. However, the lenders are telling me that their customers will not go through the inconvenience of logging in to Internet banking to communicate. Our Privacy Policy does extend beyond the minimum requirements of GLB; we opted to include commercial customers under the privacy blanket. Our E:Banking Policy does not address communication of non-public information via email (incoming or outgoing). Does anyone have a practical solution to this growing concern?
01/06/2003
Are there any requirements or criteria for Penetration testing? Can we perform the penetration testing ourselves? If we hire a third party vendor, should we require documentation saying they are authorized by the Regulators to perform the tests or that the testing will meet certain standards? Does the penetration testing requirement only apply to wired network or do we have to have penetration testing on the wireless as well?
01/06/2003
Our entire WAN is wireless. Are there any guidelines that state we have to have RADIUS, 3DES, WEP, or any other security measure in place? We have measures in place, just want to see what's required.
01/06/2003
What are the specific requirements regarding the use of an Intrusion Detection System? Can we just check the log files of my PIX and verify that no unusual traffic has been logged? Or do we have to have an actual IDS in place that alerts us via email and/or pager in case of attack? We have 4 branch offices, of which 3 are connected to the main office via a wireless connection. We also have 4 home users that are connected via wireless connections. Do we have to have an IDS system for both the internet connection and the wireless connections?
08/06/2001
What kind of pre-employment screening should we do on prospective new employees? What are we required to do? What do you think of psychological testing? Are there particular questions you would recommend we ask all prospective bank employees?
08/06/2001
We recently had a situation where a bank employee's live-in boyfriend was threatening to kill her. To make a long story short, we had to close the branch one afternoon because it looked like that was where he was going to turn up. If we keep this employee, it's likely the situation will surface again. Did we handle it the correct way? Can we terminate the employee to get rid of the problem?
08/06/2001
We've seen an increase in counterfeit checks, especially corporate accounts. What sources are there for tracking this activity?
08/06/2001
In this month’s Wired magazine, they mention “360-Degree Feedback” and say that it is a new trend in job performance reviews in which employees get critiques from peers, subordinates and clients, as well as their superiors. Do you think this is a more fair way to evaluate employees? Are there any downsides to it? What if we use this feedback to determine whether a raise or promotion should be granted? How do we guard against unreliable feedback from someone who might have an ax to grind?
06/04/2001
Does anyone have guidance for what should be the penalty for violation of your in-house virus protection policy? For example, our policy says employees can’t bring software from home and install it, but occasionally someone will do it anyway.