A New Cyber-Security Breach - Bank of America says at least 1.2
million federal employee credit card accounts may be exposed to
theft or hacking - In the financial world's latest cyber-identity
crisis, Bank of America today is warning the holders of at least 1.2
million of its federal employee credit card accounts that a major
security breach may have left their account information exposed to
theft or hacking, according to a senior U.S. official and Bank
Getting Patches Under Control - Software both enables and limits the
performance of an organization's computer systems. When software
fails or performs poorly, it impacts business operations and leaves
the organization open to attack or damage. With most products
containing millions of lines of programming code, plenty of things
can go wrong, and they are not always accidental.
FYI - VeriSign's Unified
Authentication software will be used to protect online
business-banking services. - Bank of America has tapped VeriSign
Inc.'s Unified Authentication encryption software to safeguard
applications used by business customers to access online banking
services. The system employs two-factor authentication, a method
that requires two forms of ID, such as a password, token, or smart
card, in order to gain access to online services.
FYI - Digital
Information Rights Need Tech-Savvy Courts - Opinion: The courts need
to recognize that in the information age, virtual privacy and
physical privacy don't have the same boundaries.
FYI - Davis questions
security of Treasury Web site - Rep. Tom Davis (R-Va.), chairman of
the House Government Reform Committee, wrote today to Van Zeck, the
Treasury Department's commissioner of the Public Debt, to express
concern over the safety and security of personal information
collected on the
www.treasurydirect.gov Web site, which enables
people to purchase government savings bonds electronically. Treasury
received a D+ on the 2004 federal computer security scorecard Davis'
committee released yesterday.
FYI - Researchers find
security flaw in SHA-1 algorithm - Security experts are warning that
a security flaw has been found in a powerful data encryption
algorithm, dubbed SHA-1, by a team of scientists from Shandong
University in China. The three scientists are circulating a paper
within the cryptographic research community that describes
successful tests of a technique that could speed up how fast SHA-1
could be compromised.
FYI - Citibank Tries
On-Screen Keyboard To Foil Phishers - The U.K. division of global
giant Citibank has introduced an on-screen "keyboard" for its online
banking customers in an attempt to foil some types of identity theft.
FYI - Payroll site
closes on security worries - Online payroll service provider PayMaxx
shuttered its automated W-2 site on Wednesday after a researcher
claimed that two security holes had exposed data on more than 25,000
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 7 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
If a financial institution receives compensation from a third
party as the result of a weblink to the third-party's website, the
financial institution should enter into a written agreement with
that third party in order to mitigate certain risks. Financial
institutions should consider that certain forms of business
arrangements, such as joint ventures, can increase their risk. The
financial institution should consider including contract provisions
to indemnify itself against claims by:
1) dissatisfied purchasers of third-party products or
2) patent or trademark holders for infringement by the third
3) persons alleging the unauthorized release or compromise of
their confidential information, as a result of the third-party's
The agreement should not include any provision obligating the
financial institution to engage in activities inconsistent with the
scope of its legally permissible activities. In addition, financial
institutions should be mindful that various contract provisions,
including compensation arrangements, may subject the financial
institution to laws and regulations applicable to insurance,
securities, or real estate activities, such as RESPA, that establish
broad consumer protections.
In addition, the agreement should include conditions for terminating
the link. Third parties, whether they provide services directly to
customers or are merely intermediaries, may enter into bankruptcy,
liquidation, or reorganization during the period of the agreement.
The quality of their products or services may decline, as may the
effectiveness of their security or privacy policies. Also
potentially just as harmful, the public may fear or assume such a
decline will occur. The financial institution will limit its risks
if it can terminate the agreement in the event the service provider
fails to deliver service in a satisfactory manner.
Some weblinking agreements between a financial institution and a
third party may involve ancillary or collateral information-sharing
arrangements that require compliance with the Privacy Regulations.
For example, this may occur when a financial institution links to
the website of an insurance company with which the financial
institution shares customer information pursuant to a joint
INFORMATION TECHNOLOGY SECURITY - We
continue our coverage of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Security should not be compromised when offering wireless
financial services to customers or deploying wireless internal
networks. Financial institutions should carefully consider the risks
of wireless technology and take appropriate steps to mitigate those
risks before deploying either wireless networks or applications. As
wireless technologies evolve, the security and control features
available to financial institutions will make the process of risk
mitigation easier. Steps that can be taken immediately in wireless
1) Establishing a minimum set of security requirements for
wireless networks and applications;
2) Adopting proven security policies and procedures to address
the security weaknesses of the wireless environment;
3) Adopting strong encryption methods that encompass
end-to-end encryption of information as it passes throughout the
4) Adopting authentication protocols for customers using
wireless applications that are separate and distinct from those
provided by the wireless network operator;
5) Ensuring that the wireless software includes appropriate
audit capabilities (for such things as recording dropped
6) Providing appropriate training to IT personnel on network,
application and security controls so that they understand and can
respond to potential risks; and
7) Performing independent security testing of wireless network
and application implementations.
IT SECURITY QUESTION:
a. Is the core application in-house or outsourced to a data center?
b. What type of network configuration is used?
c. What are the servers' operating systems?
d. What are the workstations' operating systems?
e. Is there a telephone-banking server?
f. Is there a server hosting Internet banking?
g. Are there system logs maintained and reviewed regularly?
h. Are there modem connections to the network?
i. Is a modem log maintained?
j. Are there IT job descriptions?
k. Is there an anti-virus program on all workstations and is the
l. Are there software license agreements for all software?
m. Does the IT department program applications?
n. Are programming requirements outsourced? Vendor?
o. Are unauthorized programs such as screen savers prohibited?
p. Does the Board of Directors annually approve the IT policies?
q. If individual computers are not backed up, is important data
saved to the network server?
r. Are stand-alone computers with critical data backed up?
s. Are there written IT procedures?
t. Are there network activity reports?
u. Does the personnel manual inform personnel of the Bank's policies
and acceptable computer use?
v. Is a network problem log maintained?
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
9) Does the institution list the following categories of
nonpublic personal information that it collects, as applicable:
a) information from the consumer; [§6(c)(1)(i)]
b) information about the consumer's transactions with the
institution or its affiliates; [§6(c)(1)(ii)]
c) information about the consumer's transactions with
nonaffiliated third parties; [§6(c)(1)(iii)] and
d) information from a consumer reporting agency? [§6(c)(1)(iv)]
IN CLOSING -
The Gramm-Leach-Bliley Act, best practices, and examiners recommend
a security test of your Internet connection.
The Vulnerability Internet Security Test Audit (VISTA)
is an independent external penetration study of
network connection to the Internet that meets the regulatory
We are trained information systems auditors who work only with
financial institutions. As auditors, we provide an independent
review of the vulnerability test results and an audit letter to your
Board of Directors certifying the test results. For more
or email Kinney Williams at