GAO - FDIC Sustains Progress but Needs to Improve Configuration
Management of Key Financial Systems.
Lawmakers See Cyber Threats to Electrical Grid - The U.S. electrical
grid remains vulnerable to cyber attacks that could cripple the
economy, and the organization responsible for regulating electrical
suppliers doesn't appear to be serious about fixing the problems,
some U.S. lawmakers said.
LendingTree sued over data breach - At least two lawsuits have been
filed against LendingTree in response to a data breach that occurred
between October 2006 and early 2008. The breach reportedly was
caused by former employees who shared passwords with mortgage
lenders, providing access to loan and personal information of
Most Retailer Breaches Are Not Disclosed - While nearly half of U.S.
retailers have been hit with some kind of information security
attack, only a small percentage of them have actually reported
breaches to their customers, research company Gartner reports.
Bank customers file lawsuit over security breach - Several customers
of Peoples United Bank of Bridgeport have filed a lawsuit over the
loss of data tapes containing their personal information by the Bank
of New York Mellon Corp.
State officials try to determine scope of bank breach - Connecticut
Gov. M. Jodi Rell announced on Friday that she is directing the
state consumer protection commissioner to issue another two
subpoenas in connection to the lost Bank of New York Mellon backup
tape, which contained the unencrypted personal information of an
estimated 4.5 million customers.
TJX staffer sacked after talking about security problems - A TJX
employee has been fired for discussing the company's information
security issues - A low-level TJX employee has lost his job for
speaking in public about information security problems he uncovered
while working for the company.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Bank of N.Y. works with Conn. on security breach - Connecticut
Attorney General Richard Blumenthal asked the Bank of New York
Mellon Wednesday to explain how it lost computer tapes containing
the information of more than 4 million customers.
OKC buyer finds sensitive information on server - The Oklahoma
Corporation Commission is removing hard drives from all surplus
computer equipment after a server containing the names and Social
Security numbers of thousands of residents was sold at an auction
BoI laptops had other banks' details - Four laptops stolen from Bank
of Ireland contained details of accounts held by 1,500 customers at
other banks, including AIB, Ulster Bank and National Irish Bank.
UF warns patients of security breach - University of Florida
officials will be notifying about 1,900 patients of a UF plastic
surgeon that their private health information might have been
breached after the information was managed and disposed of
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Response Programs. (8 of 12)
During the containment phase, the institution should
generally implement its predefined procedures for responding
to the specific incident (note that containment procedures
are a required minimum component). Additional
containment-related procedures some banks have successfully
incorporated into their IRPs are discussed below.
Establish notification escalation procedures.
If senior management is not already part of the
incident response team, banks may want to consider
developing procedures for notifying these individuals when
the situation warrants. Providing the appropriate executive
staff and senior department managers with information about
how containment actions will affect business operations or
systems and including these individuals in the
decision-making process can help minimize undesirable
business disruptions. Institutions that have experienced
incidents have generally found that the management
escalation process (and resultant communication flow) was
not only beneficial during the containment phase, but also
proved valuable during the later phases of the incident
Document details, conversations, and actions.
Retaining documentation is an important component
of the incident response process. Documentation can come in
a variety of forms, including technical reports generated,
actions taken, costs incurred, notifications provided, and
conversations held. This information may be useful to
external consultants and law enforcement for investigative
and legal purposes, as well as to senior management for
filing potential insurance claims and for preparing an
executive summary of the events for the board of directors
or shareholders. In addition, documentation can assist
management in responding to questions from its primary
Federal regulator. It may be helpful during the incident
response process to centralize this documentation for
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Token Systems (2 of 2)
Weaknesses in token systems relate to theft of the token, ease in
guessing any password generating algorithm within the token, ease of
successfully forging any authentication credential that unlocks the
token, and reverse engineering, or cloning, of the token. Each of
these weaknesses can be addressed through additional control
mechanisms. Token theft generally is protected against by policies
that require prompt reporting and cancellation of the token's
ability to allow access to the system. Additionally, the impact of
token theft is reduced when the token is used in multi - factor
authentication; for instance, the password from the token is paired
with a password known only by the user and the system. This pairing
reduces the risk posed by token loss, while increasing the strength
of the authentication mechanism. Forged credentials are protected
against by the same methods that protect credentials in non - token
systems. Protection against reverse engineering requires physical
and logical security in token design. For instance, token designers
can increase the difficulty of opening a token without causing
irreparable damage, or obtaining information from the token either
by passive scanning or active input/output.
Token systems can also incorporate public key infrastructure, and
Return to the top of the
8. Determine that, where appropriate,
authenticated devices are limited in their ability to access system
resources and to initiate transactions.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
35. Does the institution deliver
the privacy and opt out notices, including the short-form notice, so
that the consumer can reasonably be expected to receive actual
notice in writing or, if the consumer agrees, electronically? [§9(a)]