FYI - Contractors to
face same HSPD-12 scrutiny as feds - The Federal Acquisition
Regulation Council today issued an interim rule directing agencies
to require contractors to submit to the same background
investigations federal employees go through under Homeland Security
FYI - Bank Of America
Pushes Anti-Phishing Security Into Northeast - Bank of America said
that it had rolled out its two-way, two-factor SiteKey
authentication scheme to customers in all states but two, nearly
wrapping up an anti-phishing campaign that started in late May,
FYI - Your phone records
are for sale - The Chicago Police Department is warning officers
their cell phone records are available to anyone -- for a price.
Dozens of online services are selling lists of cell phone calls,
raising security concerns among law enforcement and privacy experts.
FYI - IM and P2P threats
reach 'critical levels' - The number of security threats propagating
via instant messenger and peer-to-peer networks increased last year
by more than 2,200 percent over 2004, newly published research has
FYI - Customer IDs
Stolen From Bahamas Hotel - Bank account, credit card, and social
security numbers for as many as 55,000 customers were stolen from a
database. Travelers who stayed at the upmarket Atlantis Resort in
the Bahamas should keep a close eye on their bank statements in the
months ahead. The hotel has admitted to an apparent database
break-in in which personal information for 55,000 guests may have
been stolen, including credit card and bank account numbers.
WEB SITE COMPLIANCE -
FDIC Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement.
Conversely, subsidiary web pages that relate to loans do not
require the official advertising statement.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Token Systems (2 of 2)
Weaknesses in token systems relate to theft of the token, ease in
guessing any password generating algorithm within the token, ease of
successfully forging any authentication credential that unlocks the
token, and reverse engineering, or cloning, of the token. Each of
these weaknesses can be addressed through additional control
mechanisms. Token theft generally is protected against by policies
that require prompt reporting and cancellation of the token's
ability to allow access to the system. Additionally, the impact of
token theft is reduced when the token is used in multi-factor
authentication; for instance, the password from the token is paired
with a password known only by the user and the system. This pairing
reduces the risk posed by token loss, while increasing the strength
of the authentication mechanism. Forged credentials are protected
against by the same methods that protect credentials in non-token
systems. Protection against reverse engineering requires physical
and logical security in token design. For instance, token designers
can increase the difficulty of opening a token without causing
irreparable damage, or obtaining information from the token either
by passive scanning or active input/output.
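The controls above (pairing the token's generated password with a password known only to the user and the system, and cancelling a reported-stolen token's ability to allow access) can be seen together in a small server-side verifier. The following is an added example written for this newsletter and is not code from the FFIEC booklet or from any token vendor; it assumes the token's password-generating algorithm is HOTP (RFC 4226), uses the RFC's own published test secret as a constructed enrollment secret, and the username, password and class name are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def _password_hash(password: str, salt: bytes) -> bytes:
    # The password "known only by the user and the system" is stored salted and stretched.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TokenAuthenticator:
    """Hypothetical server-side verifier for token-plus-password login (example only)."""

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead  # how far a token may run ahead of the server counter
        self.users = {}

    def enroll(self, username: str, password: str, token_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": _password_hash(password, salt),
            "token_secret": token_secret,
            "counter": 0,        # next HOTP counter the server expects
            "revoked": False,
        }

    def report_token_stolen(self, username: str) -> None:
        """Prompt reporting and cancellation: a stolen token can no longer unlock anything."""
        self.users[username]["revoked"] = True

    def authenticate(self, username: str, password: str, token_code: str) -> bool:
        user = self.users.get(username)
        if user is None or user["revoked"]:
            return False
        # Factor 1: something the user knows; constant-time compare of the stretched hash.
        pw_ok = hmac.compare_digest(_password_hash(password, user["salt"]), user["pw_hash"])
        # Factor 2: something the user has; a small look-ahead window lets a token that
        # was pressed a few times without logging in resynchronise with the server.
        matched = None
        for c in range(user["counter"], user["counter"] + self.look_ahead):
            expected = hotp(user["token_secret"], c).encode("ascii")
            if hmac.compare_digest(expected, token_code.encode("utf-8")):
                matched = c
                break
        if matched is None or not pw_ok:
            return False  # either factor alone is not enough
        user["counter"] = matched + 1  # consume the code so it can never be replayed
        return True


if __name__ == "__main__":
    # Constructed demo: RFC 4226 test secret, hypothetical user.
    auth = TokenAuthenticator()
    auth.enroll("alice", "correct horse battery staple", b"12345678901234567890")
    print(auth.authenticate("alice", "correct horse battery staple", "755224"))  # True
    print(auth.authenticate("alice", "correct horse battery staple", "755224"))  # False (replay)
    auth.report_token_stolen("alice")
    print(auth.authenticate("alice", "correct horse battery staple", "287082"))  # False (revoked)
```

Note that a valid token code with the wrong password, or the right password with a stolen (revoked) token, both fail: that is the risk reduction the pairing buys. The successful counter is advanced so a captured code is single-use, which is the property that makes a one-time-password token worth more than a static credential.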
Token systems can also incorporate public key infrastructure, and
8. Determine that, where appropriate,
authenticated devices are limited in their ability to access system
resources and to initiate transactions.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 2 of 6)
Notice Duties to Customers:
In addition to the duties described above, there are several
duties unique to customers. In particular, regardless of whether the
institution discloses or intends to disclose nonpublic personal
information, a financial institution must provide notice to its
customers of its privacy policies and practices at various times.
1) A financial institution must provide an initial notice of
its privacy policies and practices to each customer, not later than
the time a customer relationship is established. Section 4(e) of the
regulations describes the exceptional cases in which delivery of the
notice is allowed subsequent to the establishment of the customer
2) A financial institution must provide an annual notice at
least once in any period of 12 consecutive months during the
continuation of the customer relationship.
3) Generally, new privacy notices are not required for each
new product or service. However, a financial institution must
provide a new notice to an existing customer when the customer
obtains a new financial product or service from the institution, if
the initial or annual notice most recently provided to the customer
was not accurate with respect to the new financial product or
4) When a financial institution does not disclose nonpublic
personal information (other than as permitted under section 14 and
section 15 exceptions) and does not reserve the right to do so, the
institution has the option of providing a simplified notice.