FYI -
ICBA Free Data Breach Toolkit Available - In light of the recent
data breach at payments processor Heartland Systems, ICBA and Visa
developed a communications toolkit to help community banks answer
customers’ questions following a breach of credit and debit card
account information. An important online resource, the free
comprehensive guide offers ICBA members customizable materials,
including cardholder letters, statement inserts, FAQs and media
statements. Requires ICBA membership -
http://www.icba.org/publications/visa.cfm?ItemNumber=37529
FYI -
Electronic Health Records - GAO - DOD's and VA's Sharing of
Information Could Benefit from Improved Management.
Release -
http://www.gao.gov/cgi-bin/getrpt?GAO-09-268
Highlights -
http://www.gao.gov/highlights/d09268high.pdf
FYI -
Rogue contractor admits Oz gov hack attacks - An Australian has
admitted causing AUS$1m in damage after hacking into the computer
systems of the Northern Territory Government and deleting records of
thousands of civil servants.
http://www.theregister.co.uk/2009/01/26/rogue_contractor_nt_gov_hacking/
FYI -
Law Enforcement Closing In On Heartland Breach Perpetrator - DoJ
reportedly pinpoints location of cybercriminal outside North America
- The Secret Service has identified the prime suspect in the
Heartland Payment Systems security breach, and the case has been
turned over to the U.S. Department of Justice, according to a news
report.
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212902316&cid
FYI -
President Obama's cybersecurity plan released - While campaigning,
President Obama addressed the importance of cybersecurity. On
Wednesday, he made good on at least some of his promises when his
administration posted to the White House website an outline for
protecting the nation's homeland security. The strategy includes a
six-step plan to safeguard information networks.
http://www.scmagazineus.com/President-Obamas-cybersecurity-plan-released/article/126252/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
MoD admits 440 computer data devices have been lost or stolen in the
past year - The Ministry of Defence admitted yesterday that 217 of
its laptops, 47 desk-top computers, 80 hard drives and 96 memory
sticks were lost or stolen during 2008, despite a high-profile
security crackdown launched last summer. The latest figures mean
more than 1640 of the department's computers and other information
devices have gone missing in the past five years.
http://www.theherald.co.uk/news/other/display.var.2484537.0.MoD_admits_440_computer_data_devices_have_been_lost_or_stolen_in_the_past_year.php
FYI -
Conficker seizes city's hospital network - Network-wide update ban
invites worm infection - Staff at hospitals across Sheffield are
battling a major computer worm outbreak after managers turned off
Windows security updates for all 8,000 PCs on the vital network, The
Register has learned. It's been confirmed that more than 800
computers have been infected with self-replicating Conficker code.
Insiders at Sheffield Teaching Hospitals Trust said they suspect
many more machines are affected but have not been reported to IT.
http://www.theregister.co.uk/2009/01/20/sheffield_conficker/
FYI -
Payment processor Heartland reports breach - Heartland Payment
Systems, which processes payroll and credit card payments for more
than 250,000 businesses, reported Tuesday that consumer credit card
data was exposed in what may be the largest security breach ever.
http://news.cnet.com/8301-1009_3-10146275-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
FYI -
Debit-card processor claims data breach part of bigger fraud -
Company found evidence of malicious software that compromised card
data on its network - Heartland Payment Systems, the Princeton,
N.J.-based provider of credit and debit processing, payment and
check management services, today disclosed that it has been the
victim of a data breach.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126345&source=rss_topic17
FYI -
Clerical error foiled Sumitomo bank hack - The largest near heist in
banking history failed because the men accused of trying to carry it
out didn't properly fill in a single field in an electronic transfer
form. This is one of the extraordinary details that have emerged in
the trial of three men accused of having tried in September and
October 2004 to rob Japan's Sumitomo Mitsui bank of an eye-watering
£229 million ($318 million at today's exchange) from inside its
office, in the City of London.
http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
http://www.timesonline.co.uk/tol/news/uk/crime/article5563001.ece
FYI -
NZ man finds US army files on MP3 player - January 26, 2009 - A New
Zealand man has found confidential United States military files on
an MP3 player he bought at an op shop in the US.
http://news.theage.com.au/breaking-news-world/nz-man-finds-us-army-files-on-mp3-player-20090126-7pxt.html
FYI -
Spammers hack into Government jobs website - The NSW Government
website used to advertise public service jobs has been hacked into
and the perpetrators have spammed the Government's database of job
seekers with phony vacancies in an effort to steal personal data and
possibly to spread viruses.
http://www.smh.com.au/news/technology/security/id-theft-alert-as-job-site-hacked/2009/01/26/1232818299147.html
FYI -
Monster.com Reports Theft of User Data - Monster.com is advising its
users to change their passwords after data including e-mail
addresses, names and phone numbers were stolen from its database.
http://www.pcworld.com/businesscenter/article/158270/monstercom_reports_theft_of_user_data.html
FYI -
Encrypted staff data disc lost - A computer data disk containing
personal details of around 2,000 members of British Council staff
has been lost. The loss, involving names, national insurance
numbers, salary and bank account details of the Council's UK staff,
is the latest in a string of cases of official information going
astray in recent months.
http://www.channel4.com/news/articles/science_technology/encrypted+staff+data+disc+lost/2910732
WEB SITE COMPLIANCE -
Record Retention
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Introduction
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
FYI CLIENTS - The complete statement on Weblinking:
Identifying Risks and Risk Management Techniques can be found at http://www.fdic.gov/news/news/financial/2003/fil0330a.html.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
ENCRYPTION - HOW ENCRYPTION WORKS
In general, encryption functions by taking data and a variable,
called a "key," and processing those items through a fixed algorithm
to create the encrypted text. The strength of the encrypted text is
determined by the entropy, or degree of uncertainty, in the key and
the algorithm. Key length and key selection criteria are important
determinants of entropy. Greater key lengths generally indicate more
possible keys. More important than key length, however, is the
potential limitation of possible keys posed by the key selection
criteria. For instance, a 128-bit key has much less than 128 bits of
entropy if it is selected from only certain letters or numbers. The
full 128 bits of entropy will only be realized if the key is
randomly selected across the entire 128-bit range.
The encryption algorithm is also important. Creating a mathematical
algorithm that does not limit the entropy of the key and testing the
algorithm to ensure its integrity are difficult. Since the strength
of an algorithm is related to its ability to maximize entropy
instead of its secrecy, algorithms are generally made public and
subject to peer review. The more that the algorithm is tested by
knowledgeable worldwide experts, the more the algorithm can be
trusted to perform as expected. Examples of public algorithms are
AES, DES and Triple DES, SHA-1, and RSA.
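As an added illustration (not part of the FFIEC booklet or this newsletter), the Python script below quantifies the point above: a 16-character (128-bit) key drawn from digits only, letters only or alphanumerics carries far fewer than 128 bits of entropy, and only a key drawn uniformly from all 256 byte values reaches the full 128 bits. The guess rate used for the time-to-exhaust estimate is an assumed figure chosen for illustration.

```python
import math
import secrets
import string

KEY_BYTES = 16  # a 128-bit key, e.g. for AES-128


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a key of `length` symbols drawn uniformly and
    independently from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def restricted_key(alphabet: str, length: int = KEY_BYTES) -> bytes:
    """A key of `length` characters chosen from a limited character set.
    It is 128 bits long but carries only entropy_bits(len(alphabet), 16)."""
    return "".join(secrets.choice(alphabet) for _ in range(length)).encode("ascii")


def random_key(length: int = KEY_BYTES) -> bytes:
    """A key drawn uniformly from the entire 128-bit range (full entropy)."""
    return secrets.token_bytes(length)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Years needed to try every key at an assumed (constructed) guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare_selection_policies() -> dict:
    """Effective entropy of several 16-symbol key selection policies."""
    policies = {
        "digits only": string.digits,                          # 10 symbols
        "lowercase letters": string.ascii_lowercase,           # 26 symbols
        "alphanumeric": string.ascii_letters + string.digits,  # 62 symbols
    }
    result = {name: entropy_bits(len(alpha), KEY_BYTES) for name, alpha in policies.items()}
    result["random bytes"] = entropy_bits(256, KEY_BYTES)     # all 256 byte values
    return result


if __name__ == "__main__":
    # Same key length in every case; only the selection criteria differ.
    for name, bits in compare_selection_policies().items():
        print(f"{name:18s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years at 1e12 guesses/s")
    print("digits-only key :", restricted_key(string.digits))
    print("random 128-bit  :", random_key().hex())
```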
IT SECURITY QUESTION:
E. PHYSICAL SECURITY
3. Determine whether:
• Authorization for physical access to critical or sensitive
information - processing facilities is granted according to an
appropriate process;
• Authorizations are enforceable by appropriate preventive,
detective, and corrective controls; and
• Authorizations can be revoked in a practical and timely manner.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 2 of 3)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial, annual and
revised notices, as well as any short-form notices that the
institution may use for consumers who are not customers. Determine
whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1),
8(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes
practices disclosed in the notices that exceed regulatory
requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§6). Note that if
the institution shares under Section 13 the notice provisions for
that section shall also apply.
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 7(c), 8(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of
delivery (§§4(d), 4(e), 5(a)), means of delivery of annual notice
(§9(c)), and accessibility of or ability to retain the notice (§9(e)).