FYI - Consumers can scan
bank deposits at home - Online banking service provider CheckFree
Corp. is rolling out technology that could mean consumers will no
longer have to go to a bank branch to deposit checks.
Interagency Statement on Pandemic Planning Guidance for Minimizing a
Pandemic's Potential Adverse Effects - The Federal Financial
Institutions Examination Council has issued the attached
"Interagency Statement on Pandemic Planning" (Statement) identifying
actions that financial institutions should take to minimize the
potential adverse effects of a pandemic.
Internet outages overseas prompt business continuity awareness -
Major internet disruptions occurring today across the Middle East
and parts of Asia and Africa after two undersea cables were sliced
should prompt global businesses of all sizes to review their
business continuity and disaster recovery strategies, experts said.
Symantec says network availability biggest concern for IT managers -
How organizations define IT risk is expanding, according to
Symantec's second IT Risk Management Report, which also indicates
that concerns about network availability have become foremost in the
minds of those responsible for managing enterprise networks.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Swedish plods cuff remote-access robbery ring - Swedish crooks
almost managed to rob a bank using remote access gear attached to a
computer, according to reports. The movie-style ploy was foiled only
at the last minute by an alert employee unplugging the kit,
according to local prosecutors and cops.
Data breaches probed at New Jersey Blue Cross, Georgetown - Stolen
laptop had personal data on 300,000 health plan members; swiped disk
had data on 38,000 - Companies are paying a lot of attention to
securing their networks against malicious attackers and other
threats, but some still lag in implementing similar measures for
protecting data on desktops, laptops and portable storage devices.
Wake EMS Laptop is Missing - Wake County Emergency Medical Services
officials waited eight days to file a formal report on the suspected
theft of a laptop containing names, addresses and Social Security
numbers of as many as 850 patients transported by county ambulances.
38,000 Social Security Numbers Potentially Exposed After Theft - A
hard drive containing the Social Security numbers of nearly 40,000
Georgetown students, alumni, faculty and staff was reported stolen
from the office of Student Affairs on Jan. 3, potentially exposing
thousands of students to identity theft.
LimeWire led to data breach: N.L. justice minister - A popular
file-sharing program exposed the private details of more than 150
people over the internet earlier this month, the Newfoundland and
Labrador government said.
Hackers breach Davidson Companies client database - The Davidson
Companies, a Montana-based financial-services firm, said this week
that one of its databases, containing the names and Social Security
numbers of 226,000 current and past clients, was illegally accessed
"by a third party through a sophisticated network intrusion."
Doctor Loses Flash Drive With Patient Information - Parents with
fertility problems know that it's a very private struggle. Couples
often don't even tell close friends or relatives they're having
trouble having a baby. That's why the loss of patient information at
the University of Minnesota's Reproductive Medicine Center has
leaders there especially worried.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulations clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the
Official Staff Commentary (OSC,) an example of a consumer's
authorization that is not in the form of a signed writing but is,
instead, "similarly authenticated," is a consumer's
authorization via a home banking system.
To satisfy the regulatory requirements, the institution must
have some means to identify the consumer (such as a security code)
and make a paper copy of the authorization available (automatically
or upon request). The
text of the electronic authorization must be displayed on a computer
screen or other visual display that enables the consumer to read the
communication from the institution. Only the consumer may authorize
the transfer and not, for example, a third-party merchant on behalf
of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A
financial institution may receive correspondence through an
electronic medium concerning an unauthorized transaction, loss, or
theft of an access device. Therefore,
the institution should ensure that controls are in place to review
these notifications and also to ensure that an investigation is
initiated as required.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (1 of 2)
The information gathered is used to characterize the system, to
identify and measure threats to the system and the data it contains
and transmits, and to estimate the likelihood that a threat will
take action against the system or data.
System characterization articulates the understanding of the system,
including the boundaries of the system being assessed, the system's
hardware and software, and the information that is stored,
processed, and transmitted. Since operational systems may have
changed since they were last documented, a current review of the
system should be performed. Developmental systems, on the other
hand, should be analyzed to determine their key security rules and
attributes. Those rules and attributes should be documented as part
of the systems development lifecycle process. System
characterization also requires the cross-referencing of
vulnerabilities to current controls to identify those that mitigate
specific threats, and to assist in highlighting the control areas
that should be improved.
A key part of system characterization is the ranking of data and
system components according to their sensitivity and importance to
the institution's operations. Additionally, consistent with the
GLBA, the ranking should consider the potential harm to customers of
unauthorized access and disclosure of customer non - public personal
information. Ranking allows for a reasoned and measured analysis of
the relative outcome of various attacks, and the limiting of the
analysis to sensitive information or information and systems that
may materially affect the institution's condition and operations.
Threats are identified and measured through the creation and
analysis of threat scenarios. Threat scenarios should be
comprehensive in their scope (e.g., they should consider reasonably
foreseeable threats and possible attacks against information and
systems that may affect the institution's condition and operations
or may cause data disclosures that could result in substantial harm or inconvenience to customers).
They should consider the potential effect and likelihood for failure
within the control environment due to non-malicious or malicious
events. They should also be coordinated with business continuity
planning to include attacks performed when those plans are
implemented. Non-malicious scenarios typically involve accidents
related to inadequate access controls and natural disasters.
Malicious scenarios, either general or specific, typically involve a
motivated attacker (i.e., threat) exploiting a vulnerability to gain
access to an asset to create an outcome that has an impact.
An example of a general malicious threat scenario is an unskilled
attacker using a program script to exploit a vulnerable
Internet-accessible Web server to extract customer information from
the institution's database. Assuming the attacker's motivation is to
seek recognition from others, the attacker publishes the
information, causing the financial institution to suffer damage to
its reputation. Ultimately, customers are likely to be victims of
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
3. Evaluate the effectiveness of password and shared secret
administration for employees and customers considering the
complexity of the processing environment and type of information
• Confidentiality of passwords and shared secrets (whether only
known to the employee/customer);
• Maintenance of confidentiality through reset procedures;
• The frequency of required changes (for applications, the user
should make any changes from the initial password issued on
enrollment without any other user's intervention);
• Password composition in terms of length and type of characters
(new or changed passwords should result in a password whose strength
and reuse agrees with the security policy);
• The strength of shared secret authentication mechanisms;
• Restrictions on duplicate shared secrets among users (No
restrictions should exist); and
• The extent of authorized access (e.g., privileged access, single
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
15. If the institution provides a short-form initial privacy notice
with the opt out notice, does the institution do so only to
consumers with whom the institution does not have a customer