FYI - One of our readers sent us this useful link regarding the
recent pandemic outbreaks.
Texas PI Licensing Amendment - Yesterday on the GCFAmailing list,
Rob Lee forwarded a message about a Texas House Bill that would
amend the language in the Private Investigator Licensing statute
that will affect computer forensic examiners. Some discussion ensued
on the list as the language of the statute is not completely clear
to mere mortals more comfortable converting hex values in master
boot records than they are reading the law.
Obama appoints federal CTO, industry applauds choice - Aneesh
Chopra, Virginia's secretary of technology, will serve as the CTO,
Obama announced Saturday morning at his weekly address, according to
a White House news release.
HHS releases guidance on securing electronic health data - To expand
the use of electronic health records (EHRs), the Health and Human
Services Department (HHS) has issued guidance on technologies and
methods to protect personal electronic health care data.
NSA oversteps relaxed wiretapping laws - A recent investigation into
the National Security Agency's electronic eavesdropping activities
has found that the federal agency exceeded its authority to wiretap
Americans, the New York Times reported this week.
2009 National Collegiate Cyber Defense Competition Champion Crowned
- Top three finalists Baker College, Northeastern University, and
Texas A&M University - Baker College of Flint, Michigan successfully
defended their title as National Collegiate Cyber Defense Champions
by winning the 4th National Collegiate Cyber Defense Competition (NCCDC)
held April 17-19 at the Hilton San Antonio Airport Hotel in San
How the recession is affecting IT spending - Despite the financial
crisis, companies are still putting forth money for IT security
efforts while overall IT spending is less of a priority, according
to a new survey conducted by strategy and business advisory firm
MetroSITE Group, and Pacific Crest Securities, a technology
Intel finds stolen laptops can be costly - A laptop's value is more
than meets the eye. Intel says stolen laptops cost corporate owners
more than $100,000 in some cases, in a study announced Wednesday.
Device identification in online banking is privacy threat, expert
says - A widely used technology to authenticate users when they log
in for online banking may help reduce fraud, but it does so at the
expense of consumer privacy, a civil liberties attorney said during
a panel at the RSA security conference.
Forget Computers, Phone Crime Is Worrying Banks - Computer fraud may
be a big problem for banks today, but the telephone is becoming a
critical tool for fraudsters, bank executives say.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Organized crime focuses on the big score - Information-services
provider Verizon Business released its annual data breach report on
Wednesday, documenting at least 90 confirmed data breaches
compromising 285 million records.
Chinese National Arrested For Source Code Theft - The information
was taken from a New Jersey company that develops, implements, and
supports software for environmental applications. A Chinese citizen
on a work visa in the United States was arrested by the FBI last
week for allegedly revealing proprietary software code owned by his
unidentified U.S. employer to a Chinese government agency.
ICO rules against British Council - Disc loss doh! - The Information
Commissioner's Office (ICO) has found the British Council in breach
of the Data Protection Act after the loss of an unencrypted computer
MySpace insider data breach - While the usual cause of a data breach
at a social-networking site is down to an outsider hacking into the
database, last week's breach at MySpace was attributed to an
employee who gathered the names, social security numbers and other
personal information on a number of his co-workers.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Disclosures/Notices (Part 2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST
AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
Software support should incorporate a process to update and
patch operating system and application software for new
vulnerabilities. Frequently, security vulnerabilities are discovered
in operating systems and other software after deployment. Vendors
often issue software patches to correct those vulnerabilities.
Financial institutions should have an effective monitoring process
to identify new vulnerabilities in their hardware and software.
Monitoring involves such actions as the receipt and analysis of
vendor and governmental alerts and security mailing lists. Once
identified, secure installation of those patches requires a process
for obtaining, testing, and installing the patch.
Patches make direct changes to the software and configuration of
each system to which they are applied. They may degrade system
performance. Also, patches may introduce new vulnerabilities, or
reintroduce old vulnerabilities. The following considerations can
help ensure patches do not compromise the security of systems:
! Obtain the patch from a known, trusted source;
! Verify the integrity of the patch through such means as
comparisons of cryptographic hashes to ensure the patch obtained is
the correct, unaltered patch;
! Apply the patch to an isolated test system and verify that the
patch (1) is compatible with other software used on systems to which
the patch will be applied, (2) does not alter the system's security
posture in unexpected ways, such as altering log settings, and (3)
corrects the pertinent vulnerability;
! Back up production systems prior to applying the patch;
! Apply the patch to production systems using secure methods, and
update the cryptographic checksums of key files as well as that
system's software archive;
! Test the resulting system for known vulnerabilities;
! Update the master configurations used to build new systems;
! Create and document an audit trail of all changes; and
! Seek additional expertise as necessary to maintain a secure
Return to the top of the
Determine whether re-establishment of any session after interruption
requires normal user identification, authentication, and
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
5) When the subsequent delivery of a privacy notice is
permitted, does the institution provide notice after establishing a
customer relationship within a reasonable time? [§4(e)]