FYI - Hathaway advocates for direct White House role on cybersecurity - Says federal government isn't 'organized appropriately' to address cyberthreats - Endorsing a viewpoint that's been gaining currency in the security industry, President Obama's acting senior director for cyberspace Wednesday called for a more direct White House role in coordinating national cybersecurity efforts.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9132000&source=rss_topic17
FYI - NSA has no wish to control cybersecurity - Answering his agency's critics and a myriad of news reports, the director of the National Security Agency stated on Tuesday that the agency does not want to control the nation's cybersecurity efforts.
http://www.securityfocus.com/brief/951
FYI - Researchers turn Conficker's own P2P protocol against itself - Ron Bowes joins forces to detect infected PCs by chatting with the worm over P2P - Security researchers have updated a free tool that sniffs out the notorious Conficker worm on infected PCs by using the same peer-to-peer (P2P) protocol the malware relies on to communicate with its hacker masters.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9131983&source=NLT_PM
FYI - Law enforcement cybercrime successes - The FBI has made cybercrime one of its top three priorities, and currently has full-time cyber officers deployed in 60 countries, Shawn Henry, assistant director for the agency's Cyber Division, said at the RSA conference.
http://www.scmagazineus.com/RSA-Law-enforcement-cybercrime-successes/article/131299/?DCMP=EMC-SCUS_Newswire
FYI - Ramifications of converging physical and IT security - Companies should consider merging physical and information security into a converged program -- it might be challenging but it will be worth it, Ronald Woerner, security compliance manager at online brokerage TD Ameritrade, said.
http://www.scmagazineus.com/RSA-Ramifications-of-converging-physical-and-IT-security/article/131276/?DCMP=EMC-SCUS_Newswire
FYI - Bank Nixes Use of Social Networking Sites in Hiring Process - You won't find Amegy Bank of Texas CEO Paul B. Murphy Jr. uploading new profile pictures onto Facebook or linking Twitter feeds to a MySpace page. Murphy, who heads the 87-branch, Houston-based bank, isn't personally involved in the brave new world of social networking Web sites, but he certainly knows what they are. And thanks to his lawyer, his bank is successfully navigating the legal land mines they can contain.
http://www.law.com/jsp/ihc/PubArticleFriendlyIHC.jsp?id=1202429840060
FYI - PCI DSS compliance for firewalls: It doesn't have to be complex - The Payment Card Industry Data Security Standard (PCI DSS) has placed considerable pressure on retail industry IT security teams. Although there are various categories of "pressures," from a high level they could be broken down into two: security and compliance. Not only do security teams have to create a secure environment, they must also prove it.
http://www.scmagazineus.com/PCI-DSS-compliance-for-firewalls-It-doesnt-have-to-be-complex/article/131543/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Botnet infects thousands of government computers - Researchers at Finjan Software Inc. reported today the discovery of a new botnet of nearly 2 million infected computers - many of them in U.S. government networks.
http://fcw.com/Articles/2009/04/22/RSA-botnet.aspx
FYI - Unencrypted laptop with 1 million SSNs stolen from state - The Oklahoma Department of Human Services (DHS) is notifying more than one million state residents that their personal data was stored on an unencrypted laptop that was stolen from an agency employee.
http://www.scmagazineus.com/Unencrypted-laptop-with-1-million-SSNs-stolen-from-state/article/131333/?DCMP=EMC-SCUS_Newswire
FYI - Ex-federal IT worker charged in alleged identity theft scam - Former IT analyst at Federal Reserve arrested with brother for using stolen data to get loans - A former IT analyst at the Federal Reserve Bank of New York and his brother were arrested Friday on charges that they took out loans using stolen information, including sensitive personal data about employees at the bank.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9132110&source=rss_null17
http://www.scmagazineus.com/Former-Federal-Reserve-Bank-IT-worker-charged-with-ID-theft/article/131455/?DCMP=EMC-SCUS_Newswire
FYI - MI6 scrapped major drug operation after data loss - Serious Organised Crime Agency publicises loss 3 years later - MI6 had to abandon a multimillion pound covert anti-drugs operation after it lost a memory stick containing the project's top secret information.
http://www.vnunet.com/vnunet/news/2241156/mi6-scraps-operation-loss
FYI - Burglars hit landmark Ventura Boulevard office building - Several business owners in the landmark Chateau Office Building in Woodland Hills said they were taken aback by the brazenness of the theft. Scores of computers were stolen from at least 60 businesses in the complex. The machines contained sensitive legal documents, credit card numbers and the tax data of thousands of people, police said.
http://www.latimes.com/news/local/la-me-heist26-2009apr26,0,7638865.story
FYI - Stolen NHS laptop has records of 1,400 Scots - The personal details and medical records of nearly 1,400 people from across Scotland were stolen during a break-in at the north-east's biggest hospital.
http://www.pressandjournal.co.uk/Article.aspx/1186347/?UserKey=
WEB SITE COMPLIANCE - Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on fund availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies requirements for providing certain written notices or disclosures to customers via electronic means. Specifically, the commentary to the regulations states that a financial institution satisfies both the written exception hold notice requirement and the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
PERSONNEL SECURITY
Security personnel allow legitimate users to have the system access necessary to perform their duties. Because of their internal access levels and intimate knowledge of financial institution processes, authorized users pose a potential threat to systems and data. Employees, contractors, or third-party employees can exploit their legitimate computer access for malicious, fraudulent, or economic reasons. Additionally, the degree of internal access granted to some users increases the risk of accidental damage or loss of information and systems. Risk exposures from internal users include:
- Altering data,
- Deleting production and backup data,
- Crashing systems,
- Destroying systems,
- Misusing systems for personal gain or to damage the institution,
- Holding data hostage, and
- Stealing strategic or customer data for corporate espionage or fraud schemes.
BACKGROUND CHECKS AND SCREENING
Financial institutions should verify job application information on all new employees. The sensitivity of a particular job or access level may warrant additional criminal background and credit checks. Institutions should verify that contractors are subject to similar screening procedures. Typically, the minimum verification considerations include:
- Character references;
- Confirmation of prior experience, academic record, and professional qualifications; and
- Confirmation of identity from government-issued identification.
After employment, managers should remain alert to changes in employees' personal circumstances that could increase incentives for system misuse or fraud.
IT SECURITY QUESTION: APPLICATION SECURITY
6. Determine whether appropriate warning banners are displayed when applications are accessed.
7. Determine whether appropriate logs are maintained and available to support incident detection and response efforts.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Initial Privacy Notice
6) Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices at least annually (that is, at least once in any period of 12 consecutive months) to all customers, throughout the customer relationship? [§5(a)(1) and (2)]
(Note: annual notices are not required for former customers. [§5(b)(1) and (2)])