FYI - FBI adds to wiretap wish list - A far-reaching proposal
from the FBI would require all broadband Internet providers,
including cable modem and DSL companies, to rewire their networks to
support easy wiretapping by police.
http://news.com.com/2102-1028_3-5172948.html?tag=st.util.print
FYI - Hosting company reveals hacks, citing disclosure law -
Citing California's security breach disclosure law, Texas-based
Allegiance Telecom notified 4,000 Web hosting customers of a recent
computer intrusion that exposed their usernames and passwords, in a
case that experts say illustrates the security sunshine law's
national influence.
http://www.securityfocus.com/printable/news/8240
FYI - USB Tokens Smaller, Cheaper, More Secure - USB authentication
tokens are back, and they're better than ever.
http://www.internetweek.com/story/showArticle.jhtml?articleID=18312205
FYI - School officials: 13-year-old hacker wiped out school records
from computer system - A middle school student hacked into a server
that stored records for a computerized student reading program and
deleted the files.
Article:
http://www.morningjournal.com/site/news.cfm?newsid=11111924&BRD=1699&PAG=461&dept_id=46371&rfi=6
Follow-up:
http://www.morningjournal.com/site/news.cfm?BRD=1699&dept_id=46368&newsid=11117845&PAG=461&rfi=9
FYI - SANS Institute's Alan Paller talks about fighting back hackers -
He laid out the seven most common and dangerous kinds of security
attacks.
http://www.computerworld.com/printthis/2004/0,4814,90955,00.html
FYI - For the third time since December 2001, a federal district
court ordered the Department of the Interior to disconnect its
computer systems from the Internet due to pervasive security
weaknesses.
http://www.indiantrust.com/index.cfm?FuseAction=PressReleases.ViewDetail&PressRelease_id=102&Month=3&Year=2004
FYI - GAO - Information Security: Technologies to Secure Federal
Systems.
http://www.gao.gov/cgi-bin/getrpt?GAO-04-467
Highlights - http://www.gao.gov/highlights/d04467high.pdf
INTERNET COMPLIANCE - Reserve Requirements of Depository
Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on
savings deposits, electronic transfers, electronic withdrawals (paid
electronically) or payments to third parties initiated by a
depositor from a personal computer are included as a type of
transfer subject to the six transaction limit imposed on passbook
savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
obligations.
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the
definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
advertising requirements.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - APPLICATION ACCESS
(Part 2 of 2)
Institution management should consider a number of issues regarding
application-access control. Many of these issues could also apply to
oversight of operating system access:
! Implementing a robust authentication method consistent with the
criticality and sensitivity of the application. Historically, the
majority of applications have relied solely on user IDs and
passwords, but increasingly applications are using other forms of
authentication. Multi-factor authentication, such as token and PKI-based
systems coupled with a robust enrollment process, can reduce the
potential for unauthorized access.
! Maintaining consistent processes for assigning new user access,
changing existing user access, and promptly removing access to
departing employees.
! Communicating and enforcing the responsibilities of programmers
(including TSPs and vendors), security administrators, and business
line owners for maintaining effective application-access control.
Business line managers are responsible for the security and privacy
of the information within their units. They are in the best position
to judge the legitimate access needs of their area and should be
held accountable for doing so. However, they require support in the
form of adequate security capabilities provided by the programmers
or vendor and adequate direction and support from security
administrators.
! Monitoring existing access rights to applications to help ensure
that users have the minimum access required for the current business
need. Typically, business application owners must assume
responsibility for determining the access rights assigned to their
staff within the bounds of the AUP. Regardless of the process for
assigning access, business application owners should periodically
review and approve the application access assigned to their staff.
! Setting time-of-day or terminal limitations for some applications
or for the more sensitive functions within an application. The
nature of some applications requires limiting the location and
number of workstations with access. These restrictions can support
the implementation of tighter physical access controls.
! Logging access and events.
! Easing the administrative burden of managing access rights by
utilizing software that supports group profiles. Some financial
institutions manage access rights individually, which often leads to
inappropriate access levels. By grouping employees with similar
access requirements under a common access profile (e.g., tellers,
loan operations, etc.), business application owners and security
administrators can better assign and oversee access rights. For
example, a teller performing a two-week rotation as a proof operator
does not need year-round access to perform both jobs. With group
profiles, security administrators can quickly reassign the employee
from a teller profile to a proof operator profile. Note that group
profiles are used only to manage access rights; accountability for
system use is maintained through individuals being assigned their
own unique identifiers and authenticators.
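As an added illustration of the group-profile approach described above (this is example code, not part of the FFIEC booklet or this newsletter), the following Python model grants rights through named profiles, logs every assignment and access decision against the individual's unique user ID, applies a time-of-day limit to one sensitive function, and produces the list a business application owner would review periodically. Profile names, right names and the user ID are constructed for the example.

```python
from datetime import datetime, time

# Constructed group profiles (names assumed for this example); rights belong to the profile.
PROFILES = {
    "teller": {"cash_drawer", "post_deposit"},
    "proof_operator": {"proof_batch", "item_capture"},
}
# Time-of-day limitation on a sensitive function: allowed 07:00-19:00 only.
BUSINESS_HOURS = {"proof_batch": (time(7, 0), time(19, 0))}

class AccessAdministration:
    def __init__(self):
        self.profile_of = {}  # unique user ID -> current profile (one per person)
        self.event_log = []   # every assignment and access decision, by user ID

    def assign(self, user_id, profile):
        # Assign or reassign one profile; rights of the old profile go away with it.
        self.profile_of[user_id] = profile
        self.event_log.append(("assign", user_id, profile))

    def remove(self, user_id):
        # Prompt removal of all access for a departing employee.
        self.profile_of.pop(user_id, None)
        self.event_log.append(("remove", user_id, None))

    def check(self, user_id, right, when):
        # Decide one request and log it against the individual identifier.
        profile = self.profile_of.get(user_id)
        allowed = profile is not None and right in PROFILES[profile]
        if allowed and right in BUSINESS_HOURS:
            start, end = BUSINESS_HOURS[right]
            allowed = start <= when.time() <= end
        self.event_log.append(("access", user_id, right, when.isoformat(), allowed))
        return allowed

    def review(self):
        # Periodic review: each user's effective rights, for the owner to approve.
        return {uid: sorted(PROFILES[p]) for uid, p in self.profile_of.items()}

def rotation_example():
    admin = AccessAdministration()
    admin.assign("u0412", "teller")
    before = admin.check("u0412", "proof_batch", datetime(2004, 3, 22, 10, 0))
    admin.assign("u0412", "proof_operator")  # two-week rotation: one reassignment
    during = admin.check("u0412", "proof_batch", datetime(2004, 3, 22, 10, 0))
    late = admin.check("u0412", "proof_batch", datetime(2004, 3, 22, 22, 0))
    drawer = admin.check("u0412", "cash_drawer", datetime(2004, 3, 22, 10, 0))
    admin.remove("u0412")
    gone = admin.check("u0412", "proof_batch", datetime(2004, 4, 5, 10, 0))
    return before, during, late, drawer, gone, admin
```

The rotation shows why the booklet's note matters: the teller's cash-drawer right disappears the moment the profile changes, while every decision in the log still names the individual.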
IT SECURITY QUESTION:
D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)
3. Determine whether adequate inspection for, and removal of,
unauthorized hardware and software takes place.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
37. For annual notices only, if the institution does not
employ one of the methods described in question 36, does the
institution employ one of the following reasonable means of
delivering the notice such as:
a. for the customer who uses the institution's web site to access
products and services electronically and who agrees to receive
notices at the web site, continuously posting the current privacy
notice on the web site in a clear and conspicuous manner; [§9(c)(1)]
or
b. for the customer who has requested the institution refrain from
sending any information about the customer relationship, making
copies of the current privacy notice available upon customer
request? [§9(c)(2)]