NIST issues final draft of IT security controls - The National
Institute of Standards and Technology has released the final public
draft of recommended security controls for federal systems, a
fine-tuned version of a document that will become a mandatory
Federal Information Processing Standard by the end of the year.
Ex-AOL employee pleads guilty in spam case - A former AOL software
engineer accused of stealing 92 million screen names has pleaded
guilty to conspiracy and interstate transport of stolen property.
California defense contractor warns employees following computer
theft - Thieves stole several computers containing personal
information on 45,000 current and former shareholders of defense
contractor Science Applications International Corp., which began
alerting those people on Thursday.
Student Installs Device On Teacher's Computer To Sell Tests - A high
school student is facing criminal charges for allegedly hooking a
device up to a teacher's computer to steal test information to sell
to other students, Local 2 reported Tuesday.
Rowling to Potter fans: Watch out for phishing scams - Author J.K.
Rowling is warning Harry Potter fans to watch out for Internet
fraudsters claiming to be selling electronic copies of her latest
wizard saga - they are trying to steal bank and credit card details.
In the latest phishing scam, fans were asked to hand over financial
information to pay for a supposed copy of Harry Potter and the
NIST, NSA create security language - One of the best ways to
strengthen IT security is to make sure all of the systems in an
infrastructure conform to a set of security specifications. But that
is often difficult and time-consuming.
Linux Kernel Security is Lacking - During the disclosure of some
recent vulnerabilities in the Linux kernel, I learned some things
about Linux kernel security that were truly shocking. The way
security in the Linux kernel is handled is broken, and it needs to
be fixed right now.
FYI - Online banking usage soars - The popularity of online banking continues to
soar, according to a new survey by the Pew Internet & American Life
Project. More than 50 million U.S. adults now bank online, a jump of
47 percent during the past two years.
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
INFORMATION TECHNOLOGY SECURITY - We conclude our series
on the FFIEC interagency Information Security Booklet.
MONITORING AND UPDATING
Financial institutions should evaluate the information gathered to
determine the extent of any required adjustments to the various
components of their security program. The institution will need to
consider the scope, impact, and urgency of any new threat. Depending
on the new threat or vulnerability, the institution will need to
reassess the risk and make changes to its security process (e.g.,
the security strategy, the controls implementation, or the security
Institution management confronts routine security issues and events
on a regular basis. In many cases, the issues are relatively
isolated and may be addressed through an informal or targeted risk
assessment embedded within an existing security control process. For
example, the institution might assess the risk of a new operating
system vulnerability before testing and installing the patch. More
systemic events like mergers, acquisitions, new systems, or system
conversions, however, would warrant a more extensive security risk
assessment. Regardless of the scope, the potential impact and the
urgency of the risk exposure will dictate when and how controls are
IT SECURITY QUESTION:
Determine whether, where appropriate, the system securely links the
receipt of information with the originator of the information and
other identifying information, such as date, time, address, and
other relevant factors.
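The examination question above asks whether received information is securely linked to its originator and to identifying details such as date, time and address. One way to implement that link is to write, for every message received, a receipt record that carries the originator, the source address, the receipt time and a digest of the payload, and to protect the whole record with an HMAC under a key held only by the receiving system, so that none of those fields can be altered after the fact without detection. The following Python is an added illustration written for this newsletter, not code from the FFIEC booklet or from any institution's system; the field names, the key value, the sample wire-transfer payload and the timestamps are constructed for the example.

```python
"""Added example: an integrity-protected receipt record that binds a received
payload to its originator, source address and receipt time.

Illustrative code written for this page. The field names, the key and the
sample data are assumptions, not taken from any real system.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed: in a real deployment this key lives in the receiving system's key
# store and never leaves it. A constructed value is used so the example runs offline.
RECEIPT_KEY = bytes.fromhex("0f" * 32)


def _canonical(record: dict) -> bytes:
    """Serialize every field except the tag in a fixed order so the HMAC input is unambiguous."""
    fields = {k: v for k, v in record.items() if k != "tag"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_receipt(payload: bytes, originator: str, source_addr: str,
                 received_at: datetime, key: bytes = RECEIPT_KEY) -> dict:
    """Bind the payload digest to originator, address and time under one HMAC tag."""
    record = {
        "originator": originator,
        "source_addr": source_addr,
        "received_at": received_at.astimezone(timezone.utc).isoformat(),
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }
    record["tag"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_receipt(record: dict, payload: bytes, key: bytes = RECEIPT_KEY) -> bool:
    """True only if the tag is intact and the presented payload matches the recorded digest."""
    expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("tag", "")):
        return False  # some identifying field (or the tag itself) was altered
    return hmac.compare_digest(record["payload_sha256"],
                               hashlib.sha256(payload).hexdigest())


# Constructed sample input: a wire instruction received from a customer session.
SAMPLE_PAYLOAD = b'{"type":"wire","amount":"2500.00","to_acct":"987654"}'
SAMPLE_RECEIPT = make_receipt(
    SAMPLE_PAYLOAD,
    originator="cust-4711",
    source_addr="192.0.2.45",
    received_at=datetime(2005, 7, 21, 14, 3, 9, tzinfo=timezone.utc),
)


def tampered_receipt_detected() -> bool:
    """Rewriting the recorded originator or address after the fact invalidates the tag."""
    forged = dict(SAMPLE_RECEIPT, originator="cust-9999")
    relocated = dict(SAMPLE_RECEIPT, source_addr="198.51.100.7")
    return (not verify_receipt(forged, SAMPLE_PAYLOAD)
            and not verify_receipt(relocated, SAMPLE_PAYLOAD))


def payload_substitution_detected() -> bool:
    """A different payload presented against an otherwise valid receipt fails the digest check."""
    altered = SAMPLE_PAYLOAD.replace(b"2500.00", b"25000.00")
    return not verify_receipt(SAMPLE_RECEIPT, altered)


if __name__ == "__main__":
    print(json.dumps(SAMPLE_RECEIPT, indent=2))
    print("receipt valid:", verify_receipt(SAMPLE_RECEIPT, SAMPLE_PAYLOAD))
    print("field tampering detected:", tampered_receipt_detected())
    print("payload substitution detected:", payload_substitution_detected())
```

The canonical serialization matters: if the fields were concatenated loosely, an attacker could shift characters between originator and address without changing the HMAC input. Storing the payload digest rather than the payload keeps the receipt log small and lets the institution check later that the message it acted on is the one it received. The HMAC key should be distinct from any key the sending party holds; otherwise the record proves only that one of the two parties wrote it.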
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
8) Do the initial, annual, and revised privacy notices include
each of the following, as applicable: (Part 1 of 2)
a) the categories of nonpublic personal information that the
institution collects; [§6(a)(1)]
b) the categories of nonpublic personal information that the
institution discloses; [§6(a)(2)]
c) the categories of affiliates and nonaffiliated third
parties to whom the institution discloses nonpublic personal
information, other than parties to whom information is disclosed
under an exception in §14 or §15; [§6(a)(3)]
d) the categories of nonpublic personal information disclosed
about former customers, and the categories of affiliates and
nonaffiliated third parties to whom the institution discloses that
information, other than those parties to whom the institution
discloses information under an exception in §14 or §15; [§6(a)(4)]
IN CLOSING -
The Gramm-Leach-Bliley Act, best practices, and examiners recommend
a security test of your Internet connection.
The Vulnerability Internet Security Test Audit (VISTA)
is an independent external penetration study of your
network connection to the Internet that meets the regulatory
We are trained information systems auditors who work only with
financial institutions. As auditors, we provide an independent
review of the vulnerability test results and an audit letter to your
Board of Directors certifying the test results. For more
or email Kinney Williams at