This week I am attending the ISACA North America Computer Audit,
Control and Security (CACS) Conference being held in Las Vegas,
Nevada. If you are attending the conference, I look forward to
seeing you. If you are not able to attend this conference, you
may want to attend the ISACA Network Security Conference being held
September 8-10, 2008 in Las Vegas, Nevada.
FYI - Black Hat SEO,
part two: SEOwN3d!!1 - As search engine optimizers played fast and
loose, a reaction from the search engine companies became
inevitable. Now SEOs are forced to choose hats: black or white.
(Part two in a series.)
FYI - The New E-spionage
Threat - A BusinessWeek probe of rising attacks on America's most
sensitive computer networks uncovers startling security gaps.
FYI - Call centre crook
helped steal £33,000 - A call centre worker has been jailed for
helping to siphon £33,500 from customers' accounts through his job
at a Royal Bank of Scotland contact centre.
FYI - 50 000 patients'
IDs sold - A man who worked in the admissions department at a
prestigious Manhattan hospital has been charged with stealing and
selling information on nearly 50 000 patients.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - WellPoint patient
information exposed - Personal information, possibly including
Social Security numbers and medical and pharmaceutical records, was
exposed through a data breach at WellPoint, a large health benefits
FYI - Insurance records
of 71,000 Ga. families made public - Private records of up to 71,000
Georgia families who are members of health insurance programs for
the poor or working poor were accidentally made available on the
Internet for several days, and some of the data may have been viewed
by unauthorized people, Tampa-based WellCare Health Plans Inc. said.
FYI - More school
computers hacked - Williamsville warns staff about data theft -
Several current and former Williamsville North High School students
are believed to have broken into the school district's computer
system last month and copied secure files that included the personal
information and Social Security numbers of school employees,
WEB SITE COMPLIANCE - We continue the series regarding
FDIC Supervisory Insights on Incident Response
Programs. (2 of 12)
of an Incident Response Program
A bank's ability to respond to security incidents in a planned and
coordinated fashion is important to the success of its information
security program. While IRPs are important for many reasons, three
are highlighted in this article.
First, though incident prevention is important, focusing solely on
prevention may not be enough to insulate a bank from the effects of
a security breach. Despite the industry's efforts at identifying and
correcting security vulnerabilities, every bank is susceptible to
weaknesses such as improperly configured systems, software
vulnerabilities, and zero-day exploits. Compounding the
problem is the difficulty an organization experiences in sustaining
a "fully secured" posture. Over the long term, a large amount of
resources (time, money, personnel, and expertise) is needed to
maintain security commensurate with all potential vulnerabilities.
Inevitably, an organization faces a point of diminishing returns
whereby the extra resources applied to incident prevention bring a
lesser amount of security value. Even the best information security
program may not identify every vulnerability and prevent every
incident, so banks are best served by incorporating formal incident
response planning to complement strong prevention measures. In the
event management's efforts do not prevent all security incidents
(for whatever reason), IRPs are necessary to reduce the sustained
damage to the bank.
Second, regulatory agencies have recognized the value of IRPs and
have mandated that certain incident response requirements be
included in a bank's information security program. In March 2001,
the FDIC, the Office of the Comptroller of the Currency (OCC), the
Office of Thrift Supervision (OTS), and the Board of Governors of
the Federal Reserve System (FRB) (collectively, the Federal bank
regulatory agencies) jointly issued guidelines establishing
standards for safeguarding customer information, as required by the
Gramm-Leach-Bliley Act of 1999. These standards require banks
to adopt response programs as a security measure. In April 2005, the
Federal bank regulatory agencies issued interpretive guidance
regarding response programs. This additional guidance
describes IRPs and prescribes standard procedures that should be
included in IRPs. In addition to Federal regulation in this area, at
least 32 states have passed laws requiring that individuals be
notified of a breach in the security of computerized personal
information. Therefore, the increased regulatory attention
devoted to incident response has made the development of IRPs a
Finally, IRPs are in the best interests of the bank. A
well-developed IRP that is integrated into an overall information
security program strengthens the institution in a variety of ways.
Perhaps most important, IRPs help the bank contain the damage
resulting from a security breach and lessen its downstream effect.
Timely and decisive action can also limit the harm to the bank's
reputation, reduce negative publicity, and help the bank identify
and remedy the underlying causes of the security incident so that
mistakes are not destined to be repeated.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (4 of 5)
The access rights process programs the
system to allow the users only the access rights they were granted.
Since access rights do not automatically expire or update, periodic
updating and review of access rights on the system is necessary.
Updating should occur when an individual's business needs for
system use change. Many job changes can result in an expansion or
reduction of access rights. Job events that would trigger a removal
of access rights include transfers, resignations, and terminations.
Institutions should take particular care to remove promptly the
access rights for users who have remote access privileges, and those
who administer the institution's systems.
Because updating may not always be accurate, periodic review of user
accounts is a good control to test whether the access right removal
processes are functioning, and whether users exist who should have
their rights rescinded or reduced. Financial institutions should
review access rights on a schedule commensurate with risk.
Access rights to new software and hardware present a unique problem.
Typically, hardware and software are installed with default users,
with at least one default user having full access rights. Easily
obtainable lists of popular software exist that identify the default
users and passwords, enabling anyone with access to the system to
obtain the default user's access. Default user accounts should
either be disabled, or the authentication to the account should be
changed. Additionally, access to these default accounts should
be monitored more closely than other accounts.
Sometimes software installs with a default account that allows
anonymous access. Anonymous access is appropriate, for instance,
where the general public accesses an informational web server.
Systems that allow access to or store sensitive information,
including customer information, should be protected against
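The review the booklet describes can be run as a routine report. The following is an added example (not part of the FFIEC text) that cross-checks a constructed system account export against a constructed HR roster, flags owners who have transferred or left, orphaned accounts, dormant accounts and vendor default accounts, and lists administrators and remote-access users first. The field names, data and the 90-day dormancy threshold are assumptions.

```python
"""Periodic access-rights review (constructed data, added example)."""
from datetime import date

# Constructed HR roster: "active", "transferred" or "terminated".
HR = {"asmith": "active", "bjones": "transferred", "cdoe": "terminated",
      "ewong": "active"}

# Constructed account export. "default" marks vendor-supplied accounts and
# "cred_changed" whether the factory credential was replaced.
ACCOUNTS = [
    {"user": "asmith", "admin": False, "remote": False, "last_login": date(2008, 4, 20)},
    {"user": "bjones", "admin": False, "remote": True,  "last_login": date(2008, 4, 25)},
    {"user": "cdoe",   "admin": True,  "remote": False, "last_login": date(2008, 1, 15)},
    {"user": "ewong",  "admin": False, "remote": False, "last_login": date(2007, 11, 3)},
    {"user": "svc_old", "admin": False, "remote": True, "last_login": date(2008, 4, 30)},
    {"user": "admin",  "admin": True,  "remote": True,  "last_login": None,
     "default": True, "cred_changed": False},
    {"user": "guest",  "admin": False, "remote": False, "last_login": None,
     "default": True, "cred_changed": True},
]
TODAY = date(2008, 5, 1)  # review date, fixed so the results are reproducible

def review(accounts, hr, today, dormant_days=90):
    """Return (user, reason) pairs, administrators and remote users first."""
    findings = []
    for a in accounts:
        user, reasons = a["user"], []
        if a.get("default"):
            # Default accounts: disable or change the credential, and watch them.
            if not a.get("cred_changed"):
                reasons.append("default account with unchanged credential")
            reasons.append("default account: monitor access closely")
        else:
            # Transfers, resignations and terminations trigger removal; an
            # account with no HR owner is orphaned and must be re-certified.
            status = hr.get(user, "unknown")
            if status != "active":
                reasons.append(f"owner status {status}: remove or re-certify rights")
        if a["last_login"] and (today - a["last_login"]).days > dormant_days:
            reasons.append(f"dormant: no login for {(today - a['last_login']).days} days")
        findings.extend((user, r) for r in reasons)
    # Remote-access users and administrators are removed most promptly.
    prio = {a["user"]: a["admin"] or a["remote"] for a in accounts}
    findings.sort(key=lambda f: (not prio[f[0]], f[0]))
    return findings

def run_review():
    return review(ACCOUNTS, HR, TODAY)
```

Accounts whose owner is still active and who have logged in recently (asmith here) produce no finding, so the report contains only items an administrator must act on or re-certify.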
IT SECURITY QUESTION:
B. NETWORK SECURITY
the adequacy and accuracy of the network architecture.
a) Obtain a schematic overview of the financial institution's
b) Review procedures for maintaining current information,
including inventory reporting of how new hardware is added and old
hardware is removed.
c) Review audit and security reports that assess the accuracy
of network architecture schematics and identify unreported systems.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
27. If each joint consumer may
opt out separately, does the institution permit:
a. one joint consumer to opt out on behalf of all of the joint
b. the joint consumers to notify the institution in a single
response; [§7(d)(5)] and
c. each joint consumer to opt out either for himself or herself,
and/or for another joint consumer? [§7(d)(5)]