FYI - I am back in the
office. This past week I attended the ISACA North America Computer
Audit, Control and Security Conference. It was good seeing old
friends and meeting new ones.
FYI - Mobile banking gaining
traction among younger customers - Most Americans are still hesitant
about banking with their cell phones and PDAs, but young people are
increasingly coming around to the idea of mobile banking, according
to a new survey.
FYI - Stung by hackers, grocer
encrypts customer data - The supermarket chain Hannaford Bros. Co.
has spent millions of dollars on additional security measures since
last month's revelation that hackers may have accessed up to 4.2
million credit and debit card numbers, it said.
FYI - GAO - Federal Agencies
Face Challenges in Managing E-Mail.
FYI - NIST seeks comments on
revision of risk management framework - The National Institute of
Standards and Technology has released a second draft of Special
Publication 800-39, titled "Managing Risk from Information Systems:
An Organizational Perspective," for public comment.
FYI - A new study conducted by
the Ponemon Institute shows that consumers are dissatisfied with the
notification process used by companies following a data breach
affecting their personal information. Sponsored by ID Experts, the
Consumer's Report Card on Data Breach Notification revealed 63
percent of survey respondents said notification letters they
received offered no direction on the steps the consumer should take
to protect their personal information.
FYI - Pirates of the web -
Employers must face the fact that much of this shopping takes place
from the office. Two years ago, BusinessWeek reported that 58
percent of people do most of their online shopping at work, and I'm
sure not much has changed since then. At the same time online
retailers celebrate, so do online criminals.
FYI - Security Manager's
Journal: Enough of being the bad guy - Security issues have a higher
profile than they did a few short years ago, but too often, security
managers still end up looking like the bad guy when they delay a
project's go-live date.
FYI - The legal implications of
the PCI data security standard - While starting off as "just" an
information security standard, the Payment Card Industry Data
Security Standard, v. 1.1 ("PCI" or "PCI Standard") now presents
serious legal challenges and risk for retailers. The PCI framework
currently operates like a law without courts or regulators.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - University of Miami admits
to stolen medical records - The University of Miami disclosed on
Friday that one of its storage vendors lost a number of back-up
tapes containing the personal information of more than two million
FYI - Health data missing - HealthAlliance
computer lost - The healthcare system Central New England
HealthAlliance has sent letters to 384 patients notifying them that
their personal information, including Social Security numbers and
health insurance information, may be vulnerable because a hand-held
computer used by a home health nurse is missing.
FYI - The 10.000 web sites
infection mystery solved - Back in January there were multiple
reports about a large number of web sites being compromised and
FYI - Coding error exposes sex
offender personal data - A software security researcher has
exploited a flaw in the sex offender registry webpage operated by
the Oklahoma Department of Corrections.
FYI - Grandmother robbed by card conmen -
Margaret Anderson had £1,000 taken from her account - A grandmother
has told how she cried when she found her bank account had been
stripped bare when she tried to take out money at an Edinburgh ATM.
FYI - Data theft involving 10,000 bank
records - Sensitive information regarding 10,000 Bank of Ireland
customers has been stolen. The Data Protection Commissioner, Billy
Hawkes, has told RTÉ News he is investigating the disappearance of
WEB SITE COMPLIANCE - We
continue the series on the FDIC Supervisory Insights article on
Response Programs. (3 of 12)
Elements of an Incident Response Program
Although the specific content of an IRP will differ among financial
institutions, each IRP should revolve around the minimum procedural
requirements prescribed by the Federal bank regulatory agencies.
Beyond this fundamental content, however, strong financial
institution management teams also incorporate industry best
practices to further refine and enhance their IRP. In general, the
overall comprehensiveness of an IRP should be commensurate with an
institution's administrative, technical, and organizational
The minimum required procedures addressed in the April 2005
interpretive guidance can be categorized into two broad areas:
"reaction" and "notification." In general, reaction procedures are
the initial actions taken once a compromise has been identified.
Notification procedures are relatively straightforward and involve
communicating the details or events of the incident to interested
parties; however, they may also involve some reporting
requirements. The following lists the minimum required procedures of an
IRP as discussed in the April 2005 interpretive guidance.
Develop reaction procedures for:
1) assessing security incidents that have occurred;
2) identifying the customer information and information systems that
have been accessed or misused; and
3) containing and controlling the security incident.
Establish notification procedures for:
1) the institution's primary Federal regulator;
2) appropriate law enforcement agencies (and filing Suspicious
Activity Reports [SARs], if necessary); and
3) affected customers.
INFORMATION TECHNOLOGY SECURITY - We continue our series
on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (5 of 5)
The access rights process also constrains user activities through an
acceptable-use policy (AUP). Users who can access internal systems
typically are required to agree to an AUP before using a system. An
AUP details the permitted system uses and user activities and the
consequences of noncompliance. AUPs can be created for all
categories of system users, from internal programmers to customers.
An AUP is a key control for user awareness and administrative
policing of system activities. Examples of AUP elements for internal
network and stand-alone users include:
- The specific access devices that can be used to access the
- Hardware and software changes the user can make to their access
- The purpose and scope of network activity;
- Network services that can be used, and those that cannot be used;
- Information that is allowable and not allowable for transmission
using each allowable service;
- Bans on attempting to break into accounts, crack passwords, or
- Responsibilities for secure operation; and
- Consequences of noncompliance.
Depending on the risk associated with the access, authorized
internal users should generally receive a copy of the policy and
appropriate training, and signify their understanding and agreement
with the policy before management grants access to the system.
Customers may be provided with a Web site disclosure as their AUP.
Based on the nature of the Web site, the financial institution may
require customers to demonstrate knowledge of and agreement to abide
by the terms of the AUP. That evidence can be paper based or
Authorized users may seek to extend their activities beyond what is
allowed in the AUP, and unauthorized users may seek to gain access
to the system and move within the system. Network security controls
provide the protection necessary to guard against those threats.
IT SECURITY QUESTION:
2. Evaluate controls that are in place to install new or change
existing network infrastructure and to prevent unauthorized
connections to the financial institution's network.
Review network architecture policies and procedures to establish
new, or change existing, network connections and equipment.
Identify controls used to prevent unauthorized deployment of
network connections and equipment.
Review the effectiveness and timeliness of controls used to
prevent and report unauthorized network connections and equipment.
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions. When
you answer the question each week, you will help ensure compliance
with the privacy regulations.
28. Does the institution refrain from
requiring all joint consumers to opt out before implementing any opt
out direction with respect to the joint account? [§7(d)(4)]
29. Does the institution comply with a consumer's direction to opt
out as soon as is reasonably practicable after receiving it? [§7(e)]