FYI - Disabled Middle East Cables Under Repair - Two out of the three communications lines could be up and running this weekend as the network operator looks at alternate cable routes through the Mediterranean. Repairs are underway to the undersea communications cables that have been cut in recent days, according to company and media reports.
FYI - Lilly's $1 Billion E-Mailstrom - A secret memo meant for a colleague lands in a Times reporter's in-box. One of its outside lawyers at Philadelphia-based Pepper Hamilton had mistakenly emailed confidential information on the talks to Times reporter Alex Berenson instead of Bradford Berenson, her co-counsel at Sidley Austin.
FYI - Conn. police sergeant charged with computer crime - A Hartford, Conn., police sergeant has been charged with a computer crime after he allegedly disclosed information from a national law enforcement database to a
FYI - PCI council streamlines merchant self-assessment - A swifter assessment process may soon await merchants and service providers trying to demonstrate compliance with Payment Card Industry (PCI) standards.
FYI - ID theft instances down, cost per incident up - Despite a nationwide decline, identity theft is still a major concern of consumers because criminals have become more creative in how they steal personal information, according to a report released by Javelin Strategy and Research.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Soccer league's online shoppers get kicked by security breach - A series of SQL injection attacks on servers hosted by a third-party service provider has compromised the personal data of an unspecified number of individuals who had shopped on Major League Soccer's MLSgear.com
FYI - Memorial Hospital loses laptop containing sensitive employee data - Memorial Hospital has notified employees that it has lost a laptop containing the personal information of 4,300 full- and part-time employees and
FYI - Deputy fired for looking up personal information - Two employees from the Collier County Sheriff's Office are out of a job after looking up personal information about other deputies, their families and even an FBI
WEB SITE COMPLIANCE - Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on
savings deposits, electronic transfers, electronic withdrawals (paid
electronically) or payments to third parties initiated by a
depositor from a personal computer are included as a type of
transfer subject to the six transaction limit imposed on passbook
savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the
definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (2 of 2)
Since specific scenarios can become too numerous for financial
institutions to address individually, various techniques are used to
generalize and extend the scenarios. For instance, one technique
starts with a specific scenario and looks at additional damage that
could occur if the attacker had different knowledge or motivation.
This technique allows the reviewers to see the full extent of risk
that exists from a given vulnerability. Another technique aggregates
scenarios by high-value system components.
Scenarios should consider attacks against the logical security,
physical security, and combinations of logical and physical attacks.
In addition, scenarios could consider social engineering, which
involves manipulation of human trust by an attacker to obtain access
to computer systems. It is often easier for an attacker to obtain
access through manipulation of one or more employees than to perform
a logical or physical intrusion.
The risk from any given scenario is a function of the probability of
the event occurring and the impact on the institution. The
probability and impact are directly influenced by the financial
institution's business profile, the effectiveness of the financial
institution's controls, and the relative strength of controls when
compared to other industry targets.
The probability of an event occurring is reflected in one of two
ways. If reliable and timely probability data is available,
institutions can use it. Since probability data is often limited,
institutions can assign a qualitative probability, such as frequent,
occasional, remote, and improbable.
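The two scenario techniques above (extending a scenario by attacker knowledge or motivation, and aggregating by high-value component) and the qualitative probability bands, worked as a small scoring model. This is an added example, not the FFIEC guidance's own method; the ordinal scores, the 1..4 impact scale, the two attacker variants and the sample scenarios are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
# Qualitative probability bands named in the text, lowest to highest.
# Ordinal scores 1..4 and the 1..4 impact scale are assumptions.
BANDS = ["improbable", "remote", "occasional", "frequent"]

def probability_score(band: str) -> int:
    return BANDS.index(band) + 1

def raise_band(band: str) -> str:
    # one band up, capped at "frequent"
    return BANDS[min(len(BANDS) - 1, BANDS.index(band) + 1)]

@dataclass(frozen=True)
class Scenario:
    name: str
    component: str    # high-value system component the scenario targets
    probability: str  # one of BANDS
    impact: int       # 1 (negligible) .. 4 (severe), assumed scale

    def risk(self) -> int:
        """Risk as a function of probability and impact (product of scores)."""
        return probability_score(self.probability) * self.impact

def extend_with_attacker_variants(base: Scenario) -> list:
    """Technique 1 from the text: from a specific scenario, ask what extra damage
    follows if the attacker had more knowledge or motivation. Both variants
    are constructed assumptions, not a standard model."""
    informed = replace(base, name=base.name + " (insider knowledge)",
                       probability=raise_band(base.probability),
                       impact=min(4, base.impact + 1))
    determined = replace(base, name=base.name + " (determined attacker)",
                         impact=4)
    return [base, informed, determined]

def aggregate_by_component(scenarios: list) -> dict:
    """Technique 2 from the text: roll scenarios up by high-value component,
    keeping the worst-case risk score for each."""
    worst = defaultdict(int)
    for s in scenarios:
        worst[s.component] = max(worst[s.component], s.risk())
    return dict(worst)

# Constructed sample scenarios (not from the page).
BASE = [
    Scenario("Phishing of teller credentials", "core banking", "remote", 3),
    Scenario("SQL injection on web storefront", "e-commerce", "occasional", 3),
    Scenario("Lost laptop with employee data", "HR records", "frequent", 2),
]
```

Running `aggregate_by_component` over the extended variants of `BASE` gives one worst-case score per component, which is the view the aggregation technique is meant to produce.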
Frequently, technology service providers (TSPs) perform some or all of the institution's
information processing and storage. Reliance on a third party for
hosting systems or processing does not remove the institution's
responsibility for securing the information. It does change how the
financial institution will fulfill its role. Accordingly, risk
assessments should evaluate the sensitivity of information
accessible to or processed by TSPs, the importance of the processing
conducted by TSPs, communications between the TSP's systems and the
institution, contractually required controls, and the testing of
those controls. Additional vendor management guidance is contained
in the FFIEC's statement on "Risk Management of Outsourced
Technology Services," dated November 28, 2000.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
4. Determine if all authenticators (e.g., passwords, shared secrets)
are protected while in storage and during transmission to prevent
• Identify processes and areas where authentication information
may be available in clear text and evaluate the effectiveness of
compensating risk management controls.
• Identify the encryption used and whether one-way hashes are
employed to secure the clear text from anyone, authorized or
unauthorized, who accesses the authenticator storage area.
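What the second bullet asks an examiner to look for, shown in code: authenticators kept only as salted one-way hashes, plus a check that flags records still held in clear text. This is an added example, not from the FFIEC handbook; the algorithm (PBKDF2-HMAC-SHA256, chosen because it is in every CPython build), the iteration count and the sample store are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor; the examination text prescribes no algorithm or cost.
ITERATIONS = 200_000

def hash_authenticator(secret: str, salt: bytes = b"") -> str:
    """Store only a salted one-way hash, so the clear text cannot be read
    back by anyone who reaches the authenticator storage area."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=32)
    return "pbkdf2$%s$%s" % (base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())

def verify_authenticator(secret: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, salt_b64, digest_b64 = stored.split("$")
    except ValueError:          # not in the hashed format at all
        return False
    if algo != "pbkdf2":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=32)
    return hmac.compare_digest(actual, expected)

def find_cleartext_authenticators(store: dict) -> list:
    """Examination step from the first bullet: identify where authentication
    information is still available in clear text (any record not hashed)."""
    return sorted(user for user, value in store.items()
                  if not value.startswith("pbkdf2$"))

# Constructed sample store (not from the page): one hashed, one clear-text record.
SAMPLE_STORE = {
    "alice": hash_authenticator("correct horse battery", b"0123456789abcdef"),
    "bob": "hunter2",
}
```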
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
16. If the institution provides a short-form initial privacy notice
according to §6(d)(1), does the short-form initial notice:
a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]
b. state that the institution's full privacy notice is available
upon request; [§6(d)(2)(ii)] and
c. explain a reasonable means by which the consumer may obtain the
(Note: the institution is not required to deliver the full
privacy notice with the short-form initial notice. [§6(d)(3)])