FYI - PC viruses spawn $55 billion loss in 2003 - Trend Micro, the world's third-largest antivirus software maker, said that computer virus attacks cost global businesses an estimated $55 billion in damages in 2003, a sum that is expected to increase this year.
http://news.com.com/2102-7349_3-5142144.html?tag=st_util_print
FYI - The National Institute of Standards and Technology (NIST) announced the completion of NIST Special Publication (SP) 800-61, Computer Security Incident Handling Guide. This publication seeks to help both established and newly formed incident response teams respond effectively and efficiently to a variety of incidents. You will find the publication at
http://www.csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf.
FYI - Farming out security - Many companies outsource some or all IT security responsibilities to a service provider. But IT managers who have been down this road say it's important to know what to outsource, what the conditions should be and how to set up the contract for a successful outcome.
http://www.computerworld.com/printthis/2004/0,4814,89100,00.html
10 Questions to Ask a Managed Security Service Provider:
http://www.computerworld.com/securitytopics/security/story/0,10801,89101,00.html
FYI - Security Begins at Home - Like it or not, your corporate network will soon be everywhere -- maybe even in some employees' kitchens or guest bedrooms. It might also reach into airports, hotels and McDonald's. Accompanying all this extended access, though, are heightened security risks.
http://www.computerworld.com/printthis/2004/0,4814,89121,00.html
Test Your Knowledge: How Prepared Are You to Secure Remote Workers?
http://www.computerworld.com/printthis/2004/0,4814,89085,00.html
FYI - FDIC And FBI Investigating Fraudulent Emails - At approximately 12:00 p.m. (EST) on January 23, 2004, FDIC Consumer Call Centers in Kansas City, Missouri, and Washington, D.C., began receiving a large number of complaints by consumers who received an email that has the appearance of being sent from the FDIC. The email informs the recipient that Department of Homeland Security Director Tom Ridge has advised the FDIC to suspend all deposit insurance on the recipient's bank account due to suspected violations of the USA PATRIOT Act.
www.fdic.gov/news/news/press/2004/pr0604.html
FYI - Fictitious e-mails are being sent to financial institution customers, fraudulently claiming to be from the OCC and FDIC in an attempt to obtain sensitive personal and bank account information.
http://www.occ.treas.gov/ftp/alert/2004-2.txt
FYI - Computer Theft Forces Visa Card Reissues - The Hapo Credit Union in Washington State has been forced to reissue Visa credit cards to several hundred people after a computer was stolen from a Visa USA contractor.
http://www.infosecnews.com/sgold/news/2004/01/19_03.htm
FYI - FTC: ID theft on the rise - Identity theft and fraud cost Americans at least $437 million last year, as scam artists made themselves at home on the Internet, according to federal statistics released on Thursday.
http://news.com.com/2100-1029-5145486.html?tag=cd_top
INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
Agreements
If a financial institution receives compensation from a third party as the result of a weblink to the third party's website, the financial institution should enter into a written agreement with that third party in order to mitigate certain risks. Financial institutions should consider that certain forms of business arrangements, such as joint ventures, can increase their risk. The financial institution should consider including contract provisions to indemnify itself against claims by:
1) dissatisfied purchasers of third-party products or
services;
2) patent or trademark holders for infringement by the third
party; and
3) persons alleging the unauthorized release or compromise of their confidential information as a result of the third party's conduct.
The agreement should not include any provision obligating the
financial institution to engage in activities inconsistent with the
scope of its legally permissible activities. In addition, financial
institutions should be mindful that various contract provisions,
including compensation arrangements, may subject the financial
institution to laws and regulations applicable to insurance,
securities, or real estate activities, such as RESPA, that establish
broad consumer protections.
In addition, the agreement should include conditions for terminating
the link. Third parties, whether they provide services directly to
customers or are merely intermediaries, may enter into bankruptcy,
liquidation, or reorganization during the period of the agreement.
The quality of their products or services may decline, as may the
effectiveness of their security or privacy policies. Also
potentially just as harmful, the public may fear or assume such a
decline will occur. The financial institution will limit its risks
if it can terminate the agreement in the event the service provider
fails to deliver service in a satisfactory manner.
Some weblinking agreements between a financial institution and a
third party may involve ancillary or collateral information-sharing
arrangements that require compliance with the Privacy Regulations.
For example, this may occur when a financial institution links to
the website of an insurance company with which the financial
institution shares customer information pursuant to a joint
marketing agreement.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Application-Level Firewalls
Application-level firewalls perform application-level screening, typically including the filtering capabilities of packet filter firewalls with additional validation of the packet content based on the application. Application-level firewalls capture packets and compare them to state information in their connection tables. Unlike a packet filter firewall, an application-level firewall continues to examine each packet after the initial connection is established for specific applications or services such as telnet, FTP, HTTP, SMTP, etc. The application-level firewall can provide additional screening of the packet payload for commands, protocols, packet length, authorization, content, or invalid headers. Application-level firewalls provide the strongest level of security, but are slower and require greater expertise to administer properly.
The primary disadvantages of application-level firewalls are:
! The time required to read and interpret each packet slows network traffic. Traffic of certain types may have to be split off before the application-level firewall and passed through different access controls.
! Any particular firewall may provide only limited support for new network applications and protocols, or may simply allow traffic from those applications and protocols to pass through the firewall without application-level screening.
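To make the distinction concrete, the following is an added example (not code from the FFIEC booklet or this newsletter) in Python that runs a stateless packet filter and a toy application-level firewall side by side over a few constructed SMTP packets. The addresses, the permitted-service set, the allowed-command list and the 512-byte line limit are assumptions chosen for illustration. It mirrors the booklet's points: the packet filter decides on header fields only, while the application-level device keeps a connection table and continues to screen the payload (command, length, line format) after the connection is established, which is also why it does more work per packet.

```python
"""Added example: packet filter vs. application-level firewall over constructed SMTP traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet: header fields plus the application payload."""
    src: str
    dst: str
    dport: int
    syn: bool            # True on the connection-opening packet
    payload: bytes = b""


# Rule base shared by both devices (constructed for this example).
ALLOWED_SERVICES = {25}                                               # SMTP only
ALLOWED_COMMANDS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"QUIT"}
MAX_LINE = 512                                                        # SMTP command line limit incl. CRLF


def packet_filter(pkt: Packet) -> bool:
    """Stateless packet filter: permits or denies on header fields alone.

    It never looks at the payload, so any command on an allowed port passes.
    """
    return pkt.dport in ALLOWED_SERVICES


class AppLevelFirewall:
    """Keeps a connection table and screens payload for the whole connection."""

    def __init__(self) -> None:
        self.connections: set[tuple[str, str, int]] = set()

    def inspect(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.dport not in ALLOWED_SERVICES:
            return "DROP: service not permitted"
        if pkt.syn:
            # Record the new connection in the state table.
            self.connections.add(key)
            return "ALLOW: connection opened"
        if key not in self.connections:
            # Payload arriving with no recorded setup is rejected.
            return "DROP: no established connection"
        # Unlike the packet filter, keep screening payload after setup.
        return self._screen_smtp(pkt.payload)

    @staticmethod
    def _screen_smtp(payload: bytes) -> str:
        """Check length, line format and command against the rule base."""
        if len(payload) > MAX_LINE:
            return "DROP: command line too long"
        if not payload.endswith(b"\r\n"):
            return "DROP: malformed line terminator"
        verb = payload.split(b" ", 1)[0].rstrip(b"\r\n").upper()
        if verb not in ALLOWED_COMMANDS:
            return f"DROP: command {verb.decode(errors='replace')} not authorized"
        return "ALLOW"


def run(packets: list[Packet]) -> list[tuple[bool, str]]:
    """Return (packet_filter verdict, application-level verdict) for each packet."""
    fw = AppLevelFirewall()
    return [(packet_filter(p), fw.inspect(p)) for p in packets]


# Constructed sample traffic: one SMTP session plus two stray packets.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", 25, syn=True),
    Packet("10.0.0.5", "192.0.2.10", 25, syn=False, payload=b"EHLO client.example\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 25, syn=False, payload=b"VRFY postmaster\r\n"),      # not on the permitted list
    Packet("10.0.0.5", "192.0.2.10", 25, syn=False, payload=b"MAIL FROM:<" + b"a" * 600 + b">\r\n"),  # over MAX_LINE
    Packet("10.0.0.9", "192.0.2.10", 25, syn=False, payload=b"QUIT\r\n"),                 # no connection setup seen
    Packet("10.0.0.5", "192.0.2.10", 23, syn=True),                                       # telnet, not permitted
]

if __name__ == "__main__":
    for pkt, (pf, alf) in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt.src}->{pkt.dst}:{pkt.dport}  packet filter={'ALLOW' if pf else 'DROP'}  app-level={alf}")
```

Running the block shows the packet filter allowing every port-25 packet, including the unauthorized command and the over-long line, while the application-level firewall drops those two and the payload that arrived with no recorded connection. The extra per-packet checks are the source of the latency the booklet warns about.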
IT SECURITY QUESTION:
C. HOST SECURITY
9. Determine whether logs are sufficient to affix accountability for host activities and to support intrusion forensics and IDS, and are appropriately secured for a sufficient time period.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
27. If each joint consumer may opt out separately, does the institution permit:
a. one joint consumer to opt out on behalf of all of the joint consumers; [§7(d)(3)]
b. the joint consumers to notify the institution in a single response; [§7(d)(5)] and
c. each joint consumer to opt out either for himself or herself, and/or for another joint consumer? [§7(d)(5)]