January 14, 2009 - Risk Management of Remote Deposit Capture - The
Federal Financial Institutions Examination Council has issued the
attached guidance, "Risk Management of Remote Deposit Capture," to
assist financial institutions in identifying risks in their remote
deposit capture systems and evaluating the adequacy of controls and
applicable risk management practices. The guidance addresses the
necessary elements of an RDC risk management process - risk
identification, assessment, and mitigation - and the measurement and
monitoring of residual risk exposure.
Clock ticking for gas stations to pump up data security - Visa
requiring encryption of debit card PINs on new pumps now, existing
ones by July 2010 - Lower gas prices aren't the only thing that's
new at the pumps these days. Data encryption tools are also becoming
part of the picture.
Data Breaches Booming - The Identity Theft Resource Center says
reported data breaches increased by 47% from 2007 to 2008. In a down
year, data breaches went up, again. In 2008, according to the
Identity Theft Resource Center, there were 656 reported data
breaches, an increase of 47% from the 2007 total of 446.
TJX hacker gets 30-year prison sentence - A Ukrainian man was
recently sentenced to 30 years in prison by a Turkish court on
charges of cybercrime, according to reports.
CWE/SANS TOP 25 Most Dangerous Programming Errors - Experts Announce
Agreement on the 25 Most Dangerous Programming Errors - In
Washington, DC, experts from more than 30 US and international cyber
security organizations jointly released the consensus list of the 25
most dangerous programming errors that lead to security bugs and
that enable cyber espionage and cyber crime.
Financial firms' data security found wanting - New PwC research
urges increased vigilance - Over half of global financial firms have
no accurate record of where customer and employee data is collected,
transmitted or stored, according to new research from consultancy
GAO - Continued Efforts Needed to Address Significant Weaknesses at
Paris Hilton's website infects users with data-stealing trojan -
Paris Hilton apparently has not fallen out of favor with
cybercriminals. Months after the celebrity and hotel heiress'
Sidekick phone and Facebook profile were hacked, attackers now have
turned to her official website to spread malware and steal data.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
CheckFree warns 5 million customers after hack - It's not sure how
many customers may have been exposed to malware - CheckFree Corp.
and some of the banks that use its electronic bill payment service
are notifying more than 5 million customers that criminals took
control of several of the company's Internet domains and redirected
customer traffic to a malicious Web site hosted in the Ukraine.
Hack forces Twitter into 'full security review' - Analysts say
breach could force IT to rethink its use of the microblogging
tool - Twitter Inc. has launched a comprehensive review of the
defenses in its popular social network and microblogging service
after hackers hijacked the accounts of several high-profile users.
Mysterious credit card charge may have hit millions of users -
Several Internet complaint boards are filled with comments from
credit card customers from coast to coast who have noticed a
mysterious charge for about 25 cents on their statements.
FBI investigating U of R identity theft - The FBI is now
investigating a security breach at the University of Rochester. The
university is still trying to figure out how all the information was
copied. Personal information for 450 current and former U of R
students was stolen from a university database.
Local credit card numbers stolen - Two men are in custody and under
investigation by the FBI in an identity theft scheme that victimized
2,500 Cache County residents, Smithfield police officials said.
WEB SITE COMPLIANCE -
Truth in Lending Act (Regulation Z)
The commentary to regulation Z was amended recently to clarify that
periodic statements for open-end credit accounts may be provided
electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day rule,"
requiring mailing or delivery of the statement not later than 14
days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options. Financial
institutions should ensure that on-line advertising complies with
the regulations. For on-line advertisements that may be deemed to
contain more than a single page, financial institutions should
comply with the regulations, which describe the requirements for
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information
SECURITY CONTROLS -
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 2 of
Physical security for distributed IS, particularly LANs that are
usually PC-based, is slightly different than for mainframe
platforms. With a network there is often no centralized computer
room. In addition, a network often extends beyond the local
premises. There are certain components that need physical security.
These include the hardware devices and the software and data that
may be stored on the file servers, PCs, or removable media (tapes
and disks). As with more secure IS environments, physical network
security should prevent unauthorized personnel from accessing LAN
devices or the transmission of data. In the case of wire-transfer
clients, more extensive physical security is required.
Physical protection for networks as well as PCs includes power
protection, physical locks, and secure work areas enforced by
security guards and authentication technologies such as magnetic
badge readers. Physical access to the network components (i.e.,
files, applications, communications, etc.) should be limited to
those who require access to perform their jobs. Network workstations
or PCs should be password protected and monitored for workstation
Network wiring requires some form of protection since it does not
have to be physically penetrated for the data it carries to be
revealed or contaminated. Examples of controls include using a
conduit to encase the wiring, avoiding routing through publicly
accessible areas, and avoiding routing networking cables in close
proximity to power cables. The type of wiring can also provide a
degree of protection; signals over fiber, for instance, are less
susceptible to interception than signals over copper cable.
Capturing radio frequency emissions also can compromise network
security. Frequency emissions are of two types, intentional and
unintentional. Intentional emissions are those broadcast, for
instance, by a wireless network. Unintentional emissions are the
normally occurring radiation from monitors, keyboards, disk drives,
and other devices. Shielding is a primary control over emissions.
The goal of shielding is to confine a signal to a defined area. An
example of shielding is the use of foil-backed wallboard and window
treatments. Once a signal is confined to a defined area, additional
controls can be implemented in that area to further minimize the
risk that the signal will be intercepted or changed.
IT SECURITY QUESTION:
1. Determine whether physical security for
information technology equipment and operations is coordinated with
that of other institution organizations.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 3 of 3)
E. Ascertain areas of risk associated with the financial
institution's sharing practices (especially those within Section 13
and those that fall outside of the exceptions) and any weaknesses
found within the compliance management program. Keep in mind any
outstanding deficiencies identified in the audit for follow-up when
completing the modules.
F. Based on the results of the foregoing initial procedures and
discussions with management, determine which procedures if any
should be completed in the applicable module, focusing on areas of
particular risk. The selection of procedures to be employed depends
upon the adequacy of the institution's compliance management system
and level of risk identified. Each module contains a series of
general instructions to verify compliance, cross-referenced to cites
within the regulation.
Additionally, there are cross-references to a more comprehensive
checklist, which the examiner may use if needed to evaluate
compliance in more detail.
G. Evaluate any additional information or documentation discovered
during the course of the examination according to these procedures.
Note that this may reveal new or different sharing practices
necessitating reapplication of the Decision Trees and completion of
additional or different modules.
H. Formulate conclusions.
1) Summarize all findings.
2) For violation(s) noted, determine the cause by identifying
weaknesses in internal controls, compliance review, training,
management oversight, or other areas.
3) Identify action needed to correct violations and weaknesses
in the institution's compliance system, as appropriate.
4) Discuss findings with management and obtain a commitment
for corrective action.