The Federal Financial Institutions Examination Council
released an updated Business Continuity Planning Booklet, which
replaces the version issued in March 2003. The Business Continuity
Planning Booklet is one of 12 that, in total, comprise the FFIEC IT
FYI - Password-stealing
hackers infect thousands of Web pages - McAfee is warning of a
widespread Web attack aimed at gamers that has infected more than
10,000 Web pages - Hackers looking to steal passwords used in
popular online games have infected more than 10,000 Web pages in
FYI - Pacemakers
Vulnerable To Hacking - Three medical schools demonstrate the
wireless dangers that can disturb an implantable cardioverter
defibrillator like the Medtronic Maximo DR. Implantable medical
devices like pacemakers seem secure, buried within one's body. But a
team of researchers has demonstrated that's not the case.
FYI - Four UK men
accused of AU$475m bank heist - Four British men -- including a man
believed to be a lord -- have been accused of trying to steal around
AU$475.47 million by hacking into a Japanese bank's computer system,
the Serious Organised Crime Agency (SOCA) said over the weekend.
FYI - Breach of Britney
Spears patient data highlights health care security shortfalls -
Reports this week that the UCLA Medical Center has moved to fire 13
employees and has suspended six others for unauthorized access to
confidential medical records of pop star Britney Spears are a sign
that training and regulations may not be working in some hospitals,
experts told SCMagazineUS.com.
FYI - Experts try to
make sense of Hannaford data breach - As the dust settles from one
of the largest data breaches since TJX, few fresh details emerged
one day after Hannaford Bros. supermarket chain revealed that
intruders stole some 4.2 million credit and debit card numbers from
its computer systems.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Harvard grad
students hit in computer intrusion - Approximately 10,000 may have
been affected - Harvard University's Graduate School of Arts and
Sciences (GSAS) is notifying about 10,000 people that their personal
information may have been compromised as a result of a computer
intrusion that was discovered in February.
FYI - Police suffer
memory loss - A police memory stick containing confidential
information about offenders known to the police has been found by a
member of the public.
FYI - HealthNow data
goes missing as laptop vanishes - HealthNow members may be at risk -
HealthNow New York has alerted 40,000 members in Western and
Northeastern New York that they may be at risk for identity theft,
after a former employee's laptop computer went missing with
confidential information several months ago.
FYI - Breach Exposes
4.2M Credit, Debit Cards - East Coast Data Breach Exposes 4.2
Million Accounts, Causes 1,800 Known Cases of Fraud - A security
breach at an East Coast supermarket chain exposed more than 4
million card numbers and led to 1,800 cases of fraud, the Hannaford
Bros. grocery chain announced.
WEB SITE COMPLIANCE - (Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can "keep"
the disclosure. A consumer using certain electronic devices, such as
Web TV, may not be able to print or download the disclosure. If
feasible, a financial institution may wish to include in its on-line
program the ability for consumers to give the financial institution
a non-electronic address to which the disclosures can be mailed.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
INFORMATION SECURITY STRATEGY (2
particular approach should consider: (1) policies, standards, and
procedures; (2) technology and architecture; (3) resource
dedication; (4) training; and (5) testing.
For example, an institution's management may be assessing the proper
strategic approach to intrusion detection for an Internet
environment. Two potential approaches were identified for
evaluation. The first approach uses a combination of network and
host intrusion detection sensors with a staffed monitoring center.
The second approach consists of daily access log review. The former
alternative is judged much more capable of detecting an attack in
time to minimize any damage to the institution and its data, albeit
at a much greater cost. The added cost is entirely appropriate when
customer data and institution processing capabilities are exposed to
an attack, such as in an Internet banking environment. The latter
approach may be appropriate when the primary risk is reputational
damage, such as when the only information being protected is an
information-only Web site, and the Web site is not connected to
other financial institution systems.
Strategies should consider the layering of controls. Excessive
reliance on a single control could create a false sense of
confidence. For example, a financial institution that depends solely
on a firewall can still be subject to numerous attack methodologies
that exploit authorized network traffic. Financial institutions
should design multiple layers of security controls and testing to
establish several lines of defense between the attacker and the
asset being attacked. To successfully attack the data, each layer
must be penetrated. With each penetration, the probability of
detecting the attacker increases.
Policies are the primary embodiment of strategy, guiding decisions
made by users, administrators, and managers, and informing those
individuals of their security responsibilities. Policies also
specify the mechanisms through which responsibilities can be met,
and provide guidance in acquiring, configuring, and auditing
information systems. Key actions that contribute to the success of a
security policy are:
1) Implementing through ordinary means, such as system
administration procedures and acceptable-use policies;
2) Enforcing policy through security tools and sanctions;
3) Delineating the areas of responsibility for users,
administrators, and managers;
4) Communicating in a clear, understandable manner to all concerned;
5) Obtaining employee certification that they have read and
understood the policy;
6) flexibility to address changes in the environment; and
7) Conducting annually a review and approval by the board of
directors.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
10. Determine whether PKI (Public Key Infrastructure)-based
• Securely issue and update keys,
• Securely unlock the secret key,
• Provide for expiration of keys at an appropriate time period,
• Ensure the certificate is valid before acceptance,
• Update the list of revoked certificates at an appropriate
• Employ appropriate measures to protect private and root keys, and
• Appropriately log use of the root key.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
21. Does the institution provide the
consumer with the following information about the
right to opt out:
a. all the categories of nonpublic personal information that the
institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]
b. all the categories of nonaffiliated third parties to whom the
information is disclosed; [§7(a)(2)(i)(A)]
c. that the consumer has the right to opt out of the disclosure of
that information; [§7(a)(2)(i)(A)] and
d. the financial products or services that the consumer obtains to
which the opt out direction would apply? [§7(a)(2)(i)(B)]