FYI -
Brit pair convicted for high-tech bank heist gone bad - Two men have
been convicted for trying to steal £229m from the London branch of a
Japanese bank in an elaborate, high-tech scheme that would have been
Britain's biggest bank heist.
http://www.theregister.co.uk/2009/03/04/botched_international_bank_heist/
FYI -
Obama names Kundra federal CIO - The administration's newly
appointed federal chief information officer, Vivek Kundra, said
today he plans to make the massive volumes of government data that
isn't sensitive available to the public through a new Web site. With
more data available to the public, he said more participants would be
helping to solve the nation's difficult challenges.
http://fcw.com/articles/2009/03/05/kundra-federal-cio.aspx
FYI -
Are you addicted to pen testing? - The industry is ablaze with web
application security mania. Organizations should also be alert to
latent agendas and be wary of consultants who might use pen tests
purely as a means of driving the sale of technologies.
http://www.scmagazineus.com/Are-you-addicted-to-pen-testing/article/128343/?DCMP=EMC-SCUS_Newswire
FYI -
Data breaches hit 7.5 percent of all U.S. adults - Financial fraud
last year caused 7.5 percent of all adults in the United States to
lose money, largely because of data breaches.
http://www.scmagazineus.com/Gartner-Data-breaches-hit-75-percent-of-all-US-adults/article/128281/?DCMP=EMC-SCUS_Newswire
FYI -
Federal cybersecurity director quits, complains of NSA role - Rod
Beckstrom quit the post after less than a year - In a move that
highlights differences over who should be in charge of national
cybersecurity efforts, the director of a federal office set up to
protect civilian, military and intelligence networks has submitted
his resignation after less than a year in the job.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129218&source=rss_topic17
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Spotify user details compromised in major hack - Online music
service warns its million-plus users to change their passwords -
Online music service Spotify has become the latest web firm to
suffer a major hack, after revealing yesterday that criminals may
have accessed user registration details.
http://www.vnunet.com/vnunet/news/2237872/spotify-hacked
FYI -
Unencrypted police memory stick lost - A memory stick containing
information on hundreds of police investigations has been lost in
Edinburgh.
http://www.scmagazineuk.com/Unencrypted-police-memory-stick-lost/article/128429/
FYI -
Two banks confirm card fraud from Bottle Domains hack - One bank
has confirmed fraud on some of the credit cards whose details were
stolen in the theft of up to 60,000 customers' records from Bottle
Domains. And another has confirmed it is watching a list of card
accounts at risk, a list sent to it by the Australian Federal
Police.
http://www.thesheet.com/nl05_news_selected.php?act=2&stream=1&selkey=7963&hlc=2&hlw=
WEB SITE COMPLIANCE -
Reserve Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on
savings deposits, electronic transfers, electronic withdrawals (paid
electronically), and payments to third parties initiated by a
depositor from a personal computer are counted as a type of
transfer subject to the six-transaction limit imposed on passbook
savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
obligations.
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the
definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
advertising requirements.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE
Financial institution system development, acquisition, and
maintenance functions should incorporate agreed upon security
controls into software prior to development and implementation.
Management should integrate consideration of security controls into
each phase of the system development process. For the purposes of
this section, system development could include the internal
development of customized systems, the creation of database systems,
or the acquisition of third-party developed software. System
development could include long-term projects related to large
mainframe-based software projects with legacy source code or rapid
Web-based software projects using fourth-generation programming. In
all cases, institutions need to prioritize security controls
appropriately.
SOFTWARE DEVELOPMENT AND ACQUISITION
Security Requirements
Financial institutions should develop security control requirements
for new systems, system revisions, or new system acquisitions.
Management will define the security control requirements based on
their risk assessment process evaluating the value of the
information at risk and the potential impact of unauthorized access
or damage. Based on the risks posed by the system, management may
use a defined methodology for determining security requirements,
such as ISO 15408, the Common Criteria. Management may also refer
to published, widely recognized industry standards as a baseline for
establishing their security requirements. A member of senior
management should document acceptance of the security requirements
for each new system or system acquisition, acceptance of tests
against the requirements, and approval for implementing in a
production environment.
Development projects should consider automated controls for
incorporation into the application and the need to determine
supporting manual controls. Financial institutions can implement
appropriate security controls with greater cost effectiveness by
designing them into the original software rather than making
subsequent changes after implementation. When evaluating purchased
software, financial institutions should consider the availability of
products that have either been independently evaluated or received
security accreditation through financial institution or information
technology-related industry groups.
IT SECURITY QUESTION:
F. PERSONNEL SECURITY
5. Determine if employees have an available and reliable
mechanism to promptly report security incidents, weaknesses, and
software malfunctions.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Redisclosure of nonpublic personal information received from a
nonaffiliated financial institution outside of Sections 14 and 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure of the
information where the institution is the recipient of nonpublic
personal information (§11(b)).
B. Select a sample of data received from nonaffiliated financial
institutions and shared with others to evaluate the financial
institution's compliance with redisclosure limitations.
1. Verify that the institution's redisclosure of the
information was only to affiliates of the financial institution from
which the information was obtained or to the institution's own
affiliates, except as otherwise allowed in the step b below (§11(b)(1)(i)
and (ii)).
2. If the institution shares information with entities other
than those under step a above, verify that the institution's
information sharing practices conform to those in the nonaffiliated
financial institution's privacy notice (§11(b)(1)(iii)).
3. Also, review the procedures used by the institution to
ensure that the information sharing reflects the opt out status of
the consumers of the nonaffiliated financial institution (§§10,
11(b)(1)(iii)).