R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 7, 2009

Website for Penetration Testing
 
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

 

June is the 10th anniversary of the Internet Banking News. The 520 weekend editions are a labor of love, which we enjoy bringing you. We look forward to your continued readership and hope you will send us your suggestions to make the newsletter better during our second decade. Thanks - R. Kinney Williams, President of Yennik, Inc.

P.S. If you know someone who would like to receive the newsletter, please let us know. There is no charge.

FYI - IT managers under pressure to weaken Web security policy - IT professionals are under pressure from upper level executives to open the floodgates to the latest Web-based platforms, relaxing Web security policy, according to a new survey of 1,300 IT managers. http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1356896,00.html#

FYI - GAO report finds security lagging at federal agencies - Twenty-three of the 24 major U.S. government agencies contain weaknesses in their information security programs, potentially placing sensitive data at risk of exposure, according to a government report issued this week. http://www.scmagazineus.com/GAO-report-finds-security-lagging-at-federal-agencies/article/137221/

FYI - U.S. National Archives offers reward for missing hard drive - The U.S. National Archives on Wednesday said it is offering a $50,000 reward for information leading to the recovery of a missing hard drive that contains personal information of former Clinton administration staff and visitors. http://news.cnet.com/8301-1009_3-10246004-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

FYI - Spam accounted for 90 percent of all email in May - Spam is back on the rise, according to Symantec's MessageLabs monthly report. The report concluded that in May, the percentage of junk mail jumped 5.1 percent to 90.4 percent. http://www.scmagazineus.com/Spam-accounted-for-90-percent-of-all-email-in-May/article/137486/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Army's stolen laptop sparks 'embarrassing' security scare - An army laptop said to contain the personal details of serving soldiers and their families sparked a security scare after it was stolen from a car parked near an Edinburgh barracks. http://news.scotsman.com/scotland/Army39s-stolen--laptop-sparks.5283785.jp

FYI - Lotto winners' info stolen - A former Texas lottery worker was arrested while training for a new job Tuesday - his fourth with the state - and charged with illegally "possessing" personal information on 140 lottery winners and employees, including their names and Social Security numbers. http://www.chron.com/disp/story.mpl/front/6434281.html

FYI - Bank worker's theft plan foiled - A Sheffield bank worker whose plans to steal £1.2m from banks were foiled when police used a scouting handbook to crack his secret code has been jailed for more than three years. http://www.thestar.co.uk/news/Bank-worker39s-theft-plan-foiled.5298549.jp

FYI - NHS 'loses' thousands of medical records - Information watchdog orders overhaul after 140 security breaches in just four months - The personal medical records of tens of thousands of people have been lost by the NHS in a series of grave data security leaks. Between January and April this year, 140 security breaches were reported within the NHS - more than the total number from inside central Government and all local authorities combined. http://www.independent.co.uk/news/uk/politics/nhs-loses-thousands-of-medical-records-1690398.html


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.

Legal and Reputational Risk Management

To protect banks against business, legal and reputation risk, e-banking services must be delivered on a consistent and timely basis in accordance with high customer expectations for constant and rapid availability and potentially high transaction demand. The bank must have the ability to deliver e-banking services to all end-users and be able to maintain such availability in all circumstances. Effective incident response mechanisms are also critical to minimize operational, legal and reputational risks arising from unexpected events, including internal and external attacks, that may affect the provision of e-banking systems and services. To meet customers' expectations, banks should therefore have effective capacity, business continuity and contingency planning. Banks should also develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services.


 
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

LOGGING AND DATA COLLECTION (Part 1 of 2)

Financial institutions should take reasonable steps to ensure that sufficient data is collected from secure log files to identify and respond to security incidents and to monitor and enforce policy compliance. Appropriate logging controls ensure that security personnel can review and analyze log data to identify unauthorized access attempts and security violations, provide support for personnel actions, and aid in reconstructing compromised systems.

An institution's ongoing security risk assessment process should evaluate the adequacy of the system logging and the type of information collected. Security policies should address the proper handling and analysis of log files. Institutions have to make risk-based decisions on where and when to log activity. The following data are typically logged to some extent, including:

- Inbound and outbound Internet traffic,
- Internal network traffic,
- Firewall events,
- Intrusion detection system events,
- Network and host performance,
- Operating system access (especially high-level administrative or root access),
- Application access (especially users and objects with write and execute privileges), and
- Remote access.
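The booklet's point that logs exist to be reviewed for unauthorized access attempts and privileged (root) access is easiest to see with a small review routine. The following is an added example, not part of the newsletter or of the FFIEC booklet; it assumes Linux auth.log (syslog) format for sshd and sudo, and the sample lines are constructed.

```python
import re

# Constructed sample lines in Linux auth.log (syslog) format; not taken from any real system.
SAMPLE_LOG = """\
Jun  7 08:01:12 core01 sshd[2101]: Accepted publickey for alice from 10.1.4.22 port 50122 ssh2
Jun  7 08:03:40 core01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart httpd
Jun  7 08:05:02 core01 sshd[2188]: Failed password for root from 203.0.113.9 port 41000 ssh2
Jun  7 08:05:04 core01 sshd[2188]: Failed password for root from 203.0.113.9 port 41001 ssh2
Jun  7 08:05:07 core01 sshd[2188]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Jun  7 08:05:09 core01 sshd[2190]: Accepted password for root from 203.0.113.9 port 41005 ssh2
Jun  7 09:12:33 core01 sshd[2301]: Accepted publickey for bob from 10.1.4.31 port 50200 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.+)$")


def review_auth_log(text, fail_threshold=3):
    """Walk the log in order and collect the events a reviewer should look at:
    repeated failed logins per source, any interactive root login, a successful
    login from a source that had already failed repeatedly, and sudo commands."""
    failures = {}  # source address -> count of failed logins seen so far
    report = {"root_logins": [], "success_after_failures": [], "sudo_commands": []}
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] = failures.get(m.group(2), 0) + 1
            continue
        m = SUDO_RE.search(line)
        if m:
            report["sudo_commands"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.group(1), m.group(2)
            if user == "root":
                report["root_logins"].append((user, src))
            # a success right after a burst of failures from the same source is worth a second look
            if failures.get(src, 0) >= fail_threshold:
                report["success_after_failures"].append((user, src))
    report["repeated_failures"] = {s: n for s, n in failures.items() if n >= fail_threshold}
    return report


if __name__ == "__main__":
    for key, value in review_auth_log(SAMPLE_LOG).items():
        print(key, value)
```

The same structure carries over to firewall or application logs: parse each line once, keep per-source state, and report the events the policy says reviewers must see.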



IT SECURITY QUESTION:
SOFTWARE DEVELOPMENT AND ACQUISITION

8. Inquire about the method used to test the newly developed or acquired software for vulnerabilities.

- For source code reviews, inquire about standards used, the capabilities of the reviewers, and the results of the reviews.
- If source code reviews are not performed, inquire about alternate actions taken to test the software for covert channels, backdoors, and other security issues.



INTERNET PRIVACY -
We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

9)  Does the institution list the following categories of nonpublic personal information that it collects, as applicable:

a)  information from the consumer; [§6(c)(1)(i)]

b)  information about the consumer's transactions with the institution or its affiliates; [§6(c)(1)(ii)]

c)  information about the consumer's transactions with nonaffiliated third parties; [§6(c)(1)(iii)] and

d)  information from a consumer reporting agency? [§6(c)(1)(iv)]

 

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
