FYI - Qwest threatens
users with $5-per-spam charge - Qwest has added a new clause in its
ISP contract that threatens to charge customers $5 for every spam
message sent by their computer - even if they are not aware of it.
FYI - Symantec owns up
to 'rootkit' - Symantec went public with its own use of rootkit-like
technology this week, offering users a fix and saying the bug posed
only a "low" risk. Norton SystemWorks and SystemWorks Premier both
contain a feature called the Norton "protected recycle bin" inside
the Windows "recycler" directory. Within the bin, there is a
directory called NProtect, hidden from the Windows application
program interface, which may not be examined during virus scans.
FYI - U.K. banks off the
hook for Indian data breach - British banks will not face any action
over an alleged data breach in an Indian call center last year, the
U.K.'s data protection watchdog has said.
FYI - More brands
targeted as phishing attacks soar - Phishing attacks reached a new
high at the end of 2005 after growing steadily all year, according
to a study published Wednesday. The number of unique e-mail-based
fraud attacks detected in November 2005 was 16,882, almost double
the 8,975 attacks launched in November 2004, said the report,
published by the Anti-Phishing Working Group, an industry consortium
that provides information on phishing trends.
FYI - Spanish police
arrest Navy hacker - The Spanish Civil Guard has arrested an
18-year-old man suspected of hacking into the computer systems of
the U.S. Naval base.
FYI - From SANS - Privacy Rights
Clearinghouse List of Data Security Breaches - The Privacy Rights
Clearinghouse has compiled a list of known data security breaches
that have occurred since ChoicePoint's data breach acknowledgment on
February 15, 2005. The list includes the dates the breaches were
reported, the names of the institutions, the types of breach and the
number of individuals affected in each breach.
FYI - Editing tips from the NSA
- Hiding confidential information with black marks works on printed
copy, but not with electronic documents, the National Security
Agency has warned government officials.
WEB SITE COMPLIANCE -
A financial institution that advertises on-line credit products that
are subject to the Fair Housing Act must display the Equal Housing
Lender logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in
person" applications. Accordingly, information about these
applicants' race or national origin and sex must be collected. An
institution that accepts applications through electronic media
without a video component, for example, the Internet or facsimile,
may treat the applications as received by mail.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Public Key Infrastructure (Part 1 of 3)
Public key infrastructure (PKI), if properly implemented and
maintained, may provide a strong means of authentication. By
combining a variety of hardware components, system software,
policies, practices, and standards, PKI can provide for
authentication, data integrity, defenses against customer
repudiation, and confidentiality. The system is based on public key
cryptography in which each user has a key pair - a unique electronic
value called a public key and a mathematically related private key.
The public key is made available to those who need to verify the
The private key is stored on the user's computer or a separate
device such as a smart card. When the key pair is created with
strong encryption algorithms and input variables, the probability of
deriving the private key from the public key is extremely remote.
The private key must be stored in encrypted text and protected with
a password or PIN to avoid compromise or disclosure. The private key
is used to create an electronic identifier called a digital
signature that uniquely identifies the holder of the private key and
can only be authenticated with the corresponding public key.
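
The key-pair handling described above, as an added example that is not part of the original newsletter or the FFIEC text. It uses the built-in Node.js crypto module; the curve (P-256), the cipher protecting the stored private key (AES-256-CBC), the passphrase and the message are assumptions chosen for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample values (assumptions for this example only).
const PASSPHRASE = 'constructed-demo-passphrase';
const MESSAGE = Buffer.from('Transfer 100.00 to account 0001 (constructed sample)');

// Create a key pair. The private key is serialized as PKCS#8 PEM encrypted
// under the passphrase, so it is never stored in clear text.
function createUserKeyPair(passphrase) {
  return crypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1',
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
}

// Sign: the holder must unlock the stored private key with the passphrase.
function signMessage(encryptedPrivatePem, passphrase, message) {
  const key = crypto.createPrivateKey({ key: encryptedPrivatePem, format: 'pem', passphrase });
  return crypto.sign('sha256', message, key);
}

// Verify: anyone holding the public key can check the signature.
function verifyMessage(publicPem, message, signature) {
  return crypto.verify('sha256', message, crypto.createPublicKey(publicPem), signature);
}

// True only if the passphrase decrypts the stored private key.
function canUnlock(encryptedPrivatePem, passphrase) {
  try {
    crypto.createPrivateKey({ key: encryptedPrivatePem, format: 'pem', passphrase });
    return true;
  } catch (err) {
    return false; // wrong passphrase: decryption of the key blob fails
  }
}

// Run the whole exchange and report each property the text claims.
function demo() {
  const holder = createUserKeyPair(PASSPHRASE);
  const other = createUserKeyPair(PASSPHRASE); // an unrelated key pair
  const sig = signMessage(holder.privateKey, PASSPHRASE, MESSAGE);
  return {
    storedEncrypted: holder.privateKey.includes('ENCRYPTED PRIVATE KEY'),
    wrongPassphraseUnlocks: canUnlock(holder.privateKey, 'wrong-passphrase'),
    validSignature: verifyMessage(holder.publicKey, MESSAGE, sig),
    tamperedMessage: verifyMessage(holder.publicKey, Buffer.concat([MESSAGE, Buffer.from('0')]), sig),
    unrelatedPublicKey: verifyMessage(other.publicKey, MESSAGE, sig),
  };
}
console.log(demo());
```

Only `validSignature` and `storedEncrypted` come back true: a changed message or a different public key fails verification, and the wrong passphrase cannot unlock the stored key.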
9. Evaluate the
appropriateness of technical controls mediating access between
security domains. Consider:
• Firewall topology and architecture
• Type(s) of firewall(s) being utilized
• Physical placement of firewall components
• Monitoring of firewall traffic
• Firewall updating
• Responsibility for monitoring and updating firewall policy
• Contingency planning
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 3 of 6)
Requirements for Notices
Clear and Conspicuous. Privacy notices must be clear and
conspicuous, meaning they must be reasonably understandable and
designed to call attention to the nature and significance of the
information contained in the notice. The regulations do not
prescribe specific methods for making a notice clear and
conspicuous, but do provide examples of ways in which to achieve the
standard, such as the use of short explanatory sentences or bullet
lists, and the use of plain-language headings and easily readable
typeface and type size. Privacy notices also must accurately reflect
the institution's privacy practices.
Delivery Rules. Privacy notices must be provided so that each
recipient can reasonably be expected to receive actual notice in
writing, or if the consumer agrees, electronically. To meet this
standard, a financial institution could, for example, (1)
hand-deliver a printed copy of the notice to its consumers, (2) mail
a printed copy of the notice to a consumer's last known address, or
(3) for the consumer who conducts transactions electronically, post
the notice on the institution's web site and require the consumer to
acknowledge receipt of the notice as a necessary step to completing
For customers only, a financial institution must provide the initial
notice (as well as the annual notice and any revised notice) so that
a customer may be able to retain or subsequently access the notice.
A written notice satisfies this requirement. For customers who
obtain financial products or services electronically, and agree to
receive their notices on the institution's web site, the institution
may provide the current version of its privacy notice on its web