FYI - Police data details found at dump - Firearms qualifications were included on the disk - A senior police officer has apologized after confidential details of staff were found on a dump in Devon. The details, on a floppy disk, included names, addresses, telephone numbers and ranks of employees of Devon and Cornwall Police.
http://news.bbc.co.uk/2/hi/uk_news/england/devon/7160490.stm
FYI - Serious Flash vulns menace at least 10,000 websites - Researchers from Google and a well-known security firm have documented serious vulnerabilities in Adobe Flash content which leave tens of thousands of websites susceptible to attacks that steal the personal details of visitors.
http://www.theregister.co.uk/2007/12/21/flash_vulnerability_menace/print.html
FYI - Fed agencies should mount penetration attacks - In the final draft of its upcoming security guidelines for protecting federal information systems, the National Institute of Standards and Technology (NIST) is recommending that federal agencies conduct regular penetration tests to determine whether their networks can be breached.
http://www.scmagazineus.com/NIST-Fed-agencies-should-mount-penetration-attacks/article/100210/
FYI - Industry leaders seek Health Info Security Framework - An initiative including health industry leaders and several IT security companies will try to set the bar for security practices applied to electronic protected health information (EPHI) in an effort to level the playing field between companies sharing sensitive data.
http://www.scmagazineus.com/Industry-leaders-seek-Health-Info-Security-Framework/article/100185/
FYI - Federal agency data security bill introduced in U.S. House - Federal cybercrime bill introduced in House - A lawmaker has introduced new legislation that would codify two federal Office of Management and Budget (OMB) memos that order government to institute an array of information security safeguards.
http://www.scmagazineus.com/Federal-agency-data-security-bill-introduced-in-US-House/article/100150/
FYI - US Near Bottom of Global Privacy Index - Individual privacy is under threat around the world as governments continue introducing surveillance and information-gathering measures, according to an international rights group.
http://ap.google.com/article/ALeqM5jUCU4816Ayh5yaoFRw5YIYNEBqOgD8TTQTSG2
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Missing NY state employee data tapes found - Five computer tapes containing the Social Security numbers, birth dates and other personal information for about 900 employees and retirees are back in the hands of the state Dormitory Authority after going missing for more than a week.
http://www.newsday.com/news/local/wire/newyork/ny-bc-ny--personalinformati1227dec27,0,2523910.story
http://timesunion.com/AspStories/story.asp?storyID=650553&category=&BCCode=&newsdate=12/27/2007
FYI - ID thieves lifted personal info from court Web site - Police say hundreds of people in five states are victims of identity theft after someone lifted their Social Security numbers from a municipal court Web site.
http://www.coshoctontribune.com/apps/pbcs.dll/article?AID=/20071222/NEWS01/712220309/1002
WEB SITE COMPLIANCE - Record Retention
Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet. This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most important, your outsourced network security consultants. Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm. There is no charge for the e-newsletter.
ROLES AND RESPONSIBILITIES (1 of 2)
Information security is the responsibility of everyone at the institution, as well as the institution's service providers and contractors. The board, management, and employees all have different roles in developing and implementing an effective security process.
The board of directors is responsible for overseeing the development, implementation, and maintenance of the institution's information security program. Oversight requires the board to provide management with guidance and receive reports on the effectiveness of management's response. The board should approve written information security policies and the information security program at least annually. The board should provide management with its expectations and requirements for:
1) Central oversight and coordination,
2) Areas of responsibility,
3) Risk measurement,
4) Monitoring and testing,
5) Reporting, and
6) Acceptable residual risk.
Senior management's attitude towards security affects the entire organization's commitment to security. For example, the failure of a financial institution president to comply with security policies could undermine the entire organization's commitment to security.
Senior management should designate one or more individuals as information security officers. Security officers should be responsible and accountable for security administration. At a minimum, they should directly manage or oversee risk assessment, development of policies, standards, and procedures, testing, and security reporting processes. Security officers should have the authority to respond to a security event by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value. They should have sufficient knowledge, background, and training, as well as an organizational position, to enable them to perform their assigned tasks.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Access Rights Administration
3. Determine whether employees' levels of online access (blocked, read-only, update, override, etc.) match current job responsibilities.
4. Determine that administrator or root privilege access is appropriately monitored, where appropriate.
* Management may choose to further categorize types of administrator/root access based upon a risk assessment. Categorizing this type of access can be used to identify and monitor higher-risk administrator and root access requests that should be promptly reported.
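One way to carry out the two review steps above in code, as an added example in Python that is not from the newsletter or the FFIEC booklet: it reconciles each employee's granted access level against the level their current job role entitles them to, and separately flags every holder of administrator/root privilege for monitoring. The role-to-entitlement table, the access records and the user names are constructed sample data.

```python
# Added example (not from the FFIEC booklet or the newsletter): reconcile granted
# online access levels against job-role entitlements and flag admin/root holders.
from dataclasses import dataclass

# Access levels named in the examination question, ordered least to most privileged.
LEVELS = ["blocked", "read-only", "update", "override"]

# Hypothetical role-to-entitlement table an institution would maintain (constructed).
ROLE_ENTITLEMENT = {
    "teller": "update",
    "auditor": "read-only",
    "branch_manager": "override",
    "former_employee": "blocked",
}

@dataclass
class AccessRecord:
    user: str
    role: str          # current job role as recorded by HR
    granted: str       # access level actually configured on the system
    admin_root: bool   # holds administrator/root privilege

def review_access(records):
    """Return (user, finding, detail) tuples: excess access, access below the
    entitlement, and every administrator/root holder for prompt reporting."""
    findings = []
    for r in records:
        # A role not in the table is entitled to nothing: fail closed.
        entitled = ROLE_ENTITLEMENT.get(r.role, "blocked")
        if LEVELS.index(r.granted) > LEVELS.index(entitled):
            findings.append((r.user, "excess", f"{r.granted} > {entitled}"))
        elif LEVELS.index(r.granted) < LEVELS.index(entitled):
            findings.append((r.user, "below", f"{r.granted} < {entitled}"))
        if r.admin_root:
            # Admin/root is the higher-risk category and is reported whether or
            # not the ordinary access level matches the role.
            findings.append((r.user, "admin_root", r.role))
    return findings

SAMPLE = [  # constructed sample records
    AccessRecord("alice", "teller", "update", False),
    AccessRecord("bob", "auditor", "override", False),
    AccessRecord("carol", "former_employee", "read-only", True),
    AccessRecord("dave", "branch_manager", "override", True),
]

if __name__ == "__main__":
    for finding in review_access(SAMPLE):
        print(finding)
```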
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
10) Does the institution list the following categories of nonpublic personal information that it discloses, as applicable, and a few examples of each, or alternatively state that it reserves the right to disclose all the nonpublic personal information that it collects:
a) information from the consumer;
b) information about the consumer's transactions with the institution or its affiliates;
c) information about the consumer's transactions with nonaffiliated third parties; and
d) information from a consumer reporting agency? [§6(c)(2)]