FYI - Critical Elements of Information Security Program Success - The challenges of implementing an effective information security program are broad and diverse. To address these challenges the Information Systems Audit and Control Association (ISACA) sponsored an international focus group and survey, which resulted in this report, to identify the elements that impact information security program success.

FYI - 2005 worst year for breaches of computer security - Data breaches disclosed at Marriott International, Ford Motor, ABN Amro Mortgage Group and Sam's Club this month capped what computer experts call the worst year ever for known computer-security breaches.

FYI - Government Web sites are keeping an eye on you - Dozens of federal agencies are tracking visits to U.S. government Web sites in violation of long-standing rules designed to protect online privacy, a CNET News.com investigation shows.

FYI - FBI Recruiting Information Technology Personnel - The FBI recently launched a recruitment campaign aimed at hiring a large number of Information Technology (IT) Professionals. These candidates will work with some of the most cutting-edge technology available in the world, to operate and maintain a robust, secure FBI global information technology (IT) infrastructure environment.

FYI - Marriott Says Customer Data Missing - The company's time-sharing division has notified customers that backup tapes are missing with personal data--including Social Security, bank account, and credit-card

FYI - H&R Block blunder exposes consumer data - Some consumers may be dismayed to find their Social Security numbers printed on unsolicited packages from H&R Block, the result of a recent labeling blunder at the company.

FYI - Bank tape lost with data on 90,000 customers - People's Bank in Connecticut said the tape was lost in transit - A computer tape from a Connecticut bank containing personal data on 90,000 customers was lost in transit recently, the
WEB SITE COMPLIANCE - Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:

When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services. Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk.

The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed. This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.

The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan. This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements.

For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer. The compliance officer can also be an ongoing resource to test the system for regulatory compliance.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Token Systems (1 of 2)
Token systems typically authenticate the token and assume that the user who was issued the token is the one requesting access. One example is a token that generates dynamic passwords every X seconds. When prompted for a password, the user enters the password generated by the token. The token's password-generating system is identical and synchronized to that in the system, allowing the system to recognize the password as valid. The strength of this system of authentication rests in the frequent changing of the password and the inability of an attacker to guess the seed and password at any point in time.

Another example of a token system uses a challenge/response mechanism. In this case, the user identifies him/herself to the system, and the system returns a code to enter into the password-generating token. The token and the system use identical logic and initial starting points to separately calculate a new password. The user enters that password into the system. If the system's calculated password matches that entered by the user, the user is authenticated. The strengths of this system are the frequency of password change and the difficulty in guessing the challenge, seed,

Other token methods involve multi-factor authentication, or the use of more than one authentication method. For instance, an ATM card is a token. The magnetic strip on the back of the card contains a code that is recognized in the authentication process. However, the user is not authenticated until he or she also provides a PIN, or shared secret. This method is two-factor, using both something the user has and something the user knows. Two-factor authentication is generally stronger than single-factor authentication. This method can allow the institution to authenticate the user as well as the token.
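Both token designs described above (time-synchronized and challenge/response) can be modelled as a keyed hash over a shared seed. The block below is an added example written for this page, not code from the FFIEC handbook or from any token vendor; it assumes a constructed seed, a 30-second interval standing in for "every X seconds", HMAC-SHA256 with HOTP-style truncation to six digits, and a server-side check that tolerates one interval of clock drift and compares in constant time.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # the "every X seconds" interval at which the token's password changes (assumed value)
DIGITS = 6         # length of the numeric one-time password (assumed value)


def _truncate(digest: bytes, digits: int = DIGITS) -> str:
    """Reduce a keyed-hash digest to a short numeric password (HOTP-style dynamic truncation)."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_password(seed: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Time-synchronized token: the password depends only on the shared seed and the current
    time window, so token and system compute it independently with no message between them."""
    window = now // step
    digest = hmac.new(seed, struct.pack(">Q", window), hashlib.sha256).digest()
    return _truncate(digest)


def verify_time_password(seed: bytes, candidate: str, now: int,
                         step: int = STEP_SECONDS, drift: int = 1) -> bool:
    """System side: accept the password for the current window or +/- `drift` windows (clock
    skew), using a constant-time comparison so timing does not reveal how many digits matched."""
    return any(hmac.compare_digest(time_password(seed, now + w * step, step), candidate)
               for w in range(-drift, drift + 1))


def issue_challenge() -> bytes:
    """Challenge/response token: the system returns an unpredictable code for the user to key in."""
    return secrets.token_bytes(8)


def challenge_response(seed: bytes, challenge: bytes) -> str:
    """Identical logic run by both the token and the system from the same seed and challenge."""
    return _truncate(hmac.new(seed, challenge, hashlib.sha256).digest())


def verify_challenge_response(seed: bytes, challenge: bytes, candidate: str) -> bool:
    """System side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(challenge_response(seed, challenge), candidate)


if __name__ == "__main__":
    seed = secrets.token_bytes(20)   # shared seed provisioned to token and system (constructed)
    now = 1_700_000_000              # fixed "current time" so the run is reproducible
    otp = time_password(seed, now)
    print("time-based:", otp, verify_time_password(seed, otp, now + 35), verify_time_password(seed, otp, now + 300))
    ch = issue_challenge()
    print("challenge/response:", verify_challenge_response(seed, ch, challenge_response(seed, ch)))
```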
7. Determine whether network users are authenticated, and that the type and nature of the authentication (user and machine) is supported by the risk assessment.
Access should only be provided where specific authorization
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties (Part 1 of 6)

The regulations establish specific duties and limitations for a financial institution based on its activities. Financial institutions that intend to disclose nonpublic personal information outside the exceptions will have to provide opt out rights to their customers and to consumers who are not customers. All financial institutions have an obligation to provide an initial and annual notice of their privacy policies to their customers. All financial institutions must abide by the regulatory limits on the disclosure of account numbers to nonaffiliated third parties and on the redisclosure and reuse of nonpublic personal information received from nonaffiliated financial institutions.

A brief summary of financial institution duties and limitations appears below. A more complete explanation of each appears in the

Notice and Opt Out Duties to Consumers:

If a financial institution intends to disclose nonpublic personal information about any of its consumers (whether or not they are customers) to a nonaffiliated third party, and an exception does not apply, then the financial institution must provide to the

1) an initial notice of its privacy policies;
2) an opt out notice (including, among other things, a reasonable means to opt out); and
3) a reasonable opportunity, before the financial institution discloses the information to the nonaffiliated third party, to opt

The financial institution may not disclose any nonpublic personal information to nonaffiliated third parties except under the enumerated exceptions unless these notices have been provided and the consumer has not opted out. Additionally, the institution must provide a revised notice before the financial institution begins to share a new category of nonpublic personal information or shares information with a new category of nonaffiliated third party in a manner that was not described in the previous notice.

Note that a financial institution need not comply with the initial and opt-out notice requirements for consumers who are not customers if the institution limits disclosure of nonpublic personal information to the exceptions.