Energy Efficiency of the FDIC's Virginia Square Facility and
Information Technology Data Center - As outlined in our engagement letter,our objective was to evaluate the Corporation's efforts to
conserve energy in its operations of the Virginia Square facility,
including the Student Residence Center and Information Technology
(IT) data center and identify opportunities to further conserve
energy and/or reduce utility costs.
Independent Evaluation of the FDIC's Information Security
Program-2008 - Audit Results - In general, with respect to the
information technology systems and common controls reviewed, KPMG
found that the related program and operational controls demonstrated
effectiveness while management and technical controls warranted
Banks, credit unions scramble in wake of Heartland breach - Several
have begun reporting fraud associated with exposed cards - In the
first real indication of the scope of the recently disclosed data
breach at Heartland Payment Systems Inc., banks and credit unions
from Washington to Maine have begun to reissue thousands of credit
and debit cards over the past few days.
Cybercrime cost firms $1 trillion globally - Data theft and breaches
from cybercrime may have cost businesses as much as $1 trillion
globally in lost intellectual property and expenditures for
repairing the damage last year, according to a new study from
Educators see secure coding training challenges, improvements -
College-level courses designed to train aspiring application
developers in the latest secure coding practices are generally hard
to find, but professors that run two of the most prestigious
security training programs in the United States say course offerings
are improving and students are lining up to take them.
GAO - Further Actions Needed to Address Risks to Bank Secrecy Act
GAO - Federal Information System Controls Audit Manual (FISCAM).
Stimulus bill includes protection for digital health care records -
A portion of the $818 billion stimulus bill that was passed this
week by the U.S. House calls for computerizing all health records in
five years, but the legislation also contains stringent privacy and
security controls to protect this online data.
U.S. Veteran Affairs Department settles data breach case - The U.S.
Department of Veterans Affairs (VA) has settled a class-action
lawsuit resulting from a massive data breach that left 26.5 million
active duty troops and veterans open to the risk of identity theft.
Three hospital worm infection dubbed 'substantive failure' - A worm
attack that forced three London hospitals to shut down their
computer networks late last year was entirely avoidable and
represented a major failing by the organizations' IT staff,
according to an independent review of the incident.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Austin road sign warns motorists of zombies - An Austin road sign
meant to warn motorists about road conditions instead read: "The end
is near! Caution! Zombies ahead!"
Hackers get into government jobs site - The database that stores
users' information for the federal government's jobs Web site, USAJobs, has been hacked. Some account data, including user IDs,
passwords, e-mail addresses, names and phone numbers was taken,
according to an alert posted on the site.
Techwatch weathers DDoS extortion attack - Techwatch is back online
following a sustained denial of service attack that left the digital
TV news site unavailable for two days earlier this week. The botnet-powered
assault was accompanied by blackmail demands posted on the site's
forum through compromised zombie machines. These threatening
messages claimed the site was being carpetbombed with spurious
traffic generated through a 9,000 strong botnet of compromised
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
TRUTH IN SAVINGS ACT (REG DD)
Financial institutions that advertise deposit products and services
on-line must verify that proper advertising disclosures are made in
accordance with all provisions of the regulations. Institutions
should note that the disclosure exemption for electronic media does
not specifically address commercial messages made through an
institution's web site or other on-line banking system. Accordingly,
adherence to all of the advertising disclosure requirements is
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to OSC
regulations if the institution's deposit rates appear on third party
web sites or as part of a rate sheet summary. These types of
messages are not considered advertisements unless the depository
institution, or a deposit broker offering accounts at the
institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers, would supplement electronic disclosures
with paper disclosures.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
ENCRYPTION KEY MANAGEMENT
Since security is primarily based on the encryption keys, effective
key management is crucial. Effective key management systems are
based on an agreed set of standards, procedures, and secure methods
! Generating keys for different cryptographic systems and different
! Generating and obtaining public keys;
! Distributing keys to intended users, including how keys should be
activated when received;
! Storing keys, including how authorized users obtain access to
! Changing or updating keys including rules on when keys should be
changed and how this will be done;
! Dealing with compromised keys;
! Revoking keys and specifying how keys should be withdrawn or
! Recovering keys that are lost or corrupted as part of business
! Archiving keys;
! Destroying keys;
! Logging the auditing of key management - related activities; and
! Instituting defined activation and deactivation dates, limiting
the usage period of keys.
Secure key management systems are characterized by the following
! Key management is fully automated (e.g. personnel do not have the
opportunity to expose a key or influence the key creation).
! No key ever appears unencrypted.
! Keys are randomly chosen from the entire key space, preferably by
! Key - encrypting keys are separate from data keys. No data ever
appears in clear text that was encrypted using a key - encrypting
key. (A key - encrypting key is used to encrypt other keys, securing
them from disclosure.)
! All patterns in clear text are disguised before encrypting.
! Keys with a long life are sparsely used. The more a key is used,
the greater the opportunity for an attacker to discover the key.
! Keys are changed frequently. The cost of changing keys rises
linearly while the cost of attacking the keys rises exponentially.
Therefore, all other factors being equal, changing keys increases
the effective key length of an algorithm.
! Keys that are transmitted are sent securely to well -
! Key generating equipment is physically and logically secure from
construction through receipt, installation, operation, and removal
Return to the top of the
4. Determine whether information processing and
communications devices and transmissions are appropriately protected
against physical attacks perpetrated by individuals or groups, as
well as against environmental damage and improper maintenance.
Consider the use of halon gas, computer encasing, smoke alarms,
raised flooring, heat sensors, notification sensors, and other
protective and detective devices.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 3 of 3)
C. Opt Out Right
1) Review the financial institution's opt out notices. An opt
out notice may be combined with the institution's privacy notices.
Regardless, determine whether the opt out notices:
a. Are clear and conspicuous (§§3(b) and 7(a)(1));
b. Accurately explain the right to opt out (§7(a)(1));
c. Include and adequately describe the three required items of
information (the institution's policy regarding disclosure of
nonpublic personal information, the consumer's opt out right, and
the means to opt out) (§7(a)(1)); and
d. Describe how the institution treats joint consumers
(customers and those who are not customers), as applicable (§7(d)).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written records where available, determine if the institution has
adequate procedures in place to provide the opt out notice and
comply with opt out directions of consumers (customers and those who
are not customers), as appropriate. Assess the following:
a. Timeliness of delivery (§10(a)(1));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. Reasonableness of the opportunity to opt out (the time
allowed to and the means by which the consumer may opt out) (§§10(a)(1)(iii),
d. Adequacy of procedures to implement and track the status of
a consumer's (customers and those who are not customers) opt out
direction, including those of former customers (§7(e), (f), (g)).