FYI - Cyber crime booms in
2004 - 2004 saw the appearance of real phone viruses - The last 12
months have seen a dramatic growth in almost every security threat
that plague Windows PCs.
FYI - Blood bank fears
ID heist - More than 100,000 people who donated to a California
blood bank may have parted with more than plasma.
FYI - Feds limited on
digital signatures - Federal officials received a reminder this week
not to deviate from a list of acceptable vendors when buying digital
FYI - Google's search
for security - When the Santy.A worm started spreading on Tuesday,
Mikko Hypponen knew he had a way to stop the worm in its tracks. The
only problem: He had trouble finding the right people to talk to at
Google. The Santy worm used the search engine to select potential
FYI - Security workers
praise Sarbanes-Oxley - Many security workers feel that government
regulations aimed at protecting IT networks from threats are
working, according to new survey.
FYI - Who else had your bank
account number? Financial firms often recycle them, Bay Area man
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and
Internet-Related Fraudulent Schemes (Part 2 of 3)
Risks Associated With E-Mail and Internet-Related Fraudulent
Internet-related fraudulent schemes present a substantial risk to
the reputation of any financial institution that is impersonated or
spoofed. Financial institution customers and potential customers may
mistakenly perceive that weak information security resulted in
security breaches that allowed someone to obtain confidential
information from the financial institution. Potential negative
publicity regarding an institution's business practices may cause a
decline in the institution's customer base, a loss in confidence or
In addition, customers who fall prey to e-mail and Internet-related
fraudulent schemes face real and immediate risk. Criminals will
normally act quickly to gain unauthorized access to financial
accounts, commit identity theft, or engage in other illegal acts
before the victim realizes the fraud has occurred and takes action
to stop it.
Educating Financial Institution Customers About E-Mail and
Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating
customers about prevalent e-mail and Internet-related fraudulent
schemes, such as phishing, and how to avoid them. This may be
accomplished by providing customers with clear and bold statement
stuffers and posting notices on Web sites that convey the following
! A financial institution's Web page should never be accessed
from a link provided by a third party. It should only be accessed by
typing the Web site name, or URL address, into the Web browser or by
using a "book mark" that directs the Web browser to the financial
institution's Web site.
! A financial institution should not be sending e-mail
messages that request confidential information, such as account
numbers, passwords, or PINs. Financial institution customers should
be reminded to report any such requests to the institution.
! Financial institutions should maintain current Web site
certificates and describe how the customer can authenticate the
institution's Web pages by checking the properties on a secure Web
To explain the red flags and risks of phishing and identity theft,
financial institutions can refer customers to or use resources
distributed by the Federal Trade Commission (FTC), including the
following FTC brochures:
! "How Not to Get Hooked by the ‘Phishing' Scam," published in
July 2003, which is available at:
! "ID Theft: When Bad Things Happen to Your Good Name,"
published in September 2002, which is available at:
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We continue our series
on the FFIEC interagency Information Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Measurement and Interpretation of Test Results.
Institutions should design tests to produce results that are logical
and objective. Results that are reduced to metrics are potentially
more precise and less subject to confusion, as well as being more
readily tracked over time. The interpretation and significance of
test results are most useful when tied to threat scenarios.
Traceability. Test results that indicate an unacceptable risk in an
institution's security should be traceable to actions subsequently
taken to reduce the risk to an acceptable level.
Thoroughness. Institutions should perform tests sufficient to
provide a high degree of assurance that their security plan,
strategy and implementation is effective in meeting the security
objectives. Institutions should design their test program to draw
conclusions about the operation of all critical controls. The scope
of testing should encompass all systems in the institution's
production environment and contingency plans and those systems
within the institution that provide access to the production
Frequency. Test frequency should be based on the risk that
critical controls are no longer functioning. Factors to consider
include the nature, extent, and results of prior tests, the value
and sensitivity of data and systems, and changes to systems,
policies and procedures, personnel, and contractors. For example,
network vulnerability scanning on highrisk systems can occur at
least as frequently as significant changes are made to the network.
the top of the newsletter
IT SECURITY QUESTION:
Determine if cryptographic keys expire and are replaced at
appropriate time intervals.
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
2) Does the institution provide a clear and conspicuous notice
that accurately reflects its privacy policies and practices to all
consumers, who are not customers, before any nonpublic
personal information about the consumer is disclosed to a
nonaffiliated third party, other than under an exception in §§14
or 15? [§4(a)(2)]?