Are you ready for your IT examination? The Weekly IT Security Review provides a checklist of the IT security issues covered in the FFIEC IT Examination Handbook, which will prepare you for the IT examination. For more information and to subscribe visit
NHS top culprit as UK data breaches exceed 1,000 - More than 1,000
security breaches involving the loss of personal data have now been
reported to the Information Commissioner's Office, with the list
topped by the NHS, the privacy watchdog said.
Top threat to U.S. power grid - Cyber attacks, pandemics and
electromagnetic disturbances are the three top "high impact" risks
to the U.S. and Canadian power-generation grids, according to a
report from the North American Electric Reliability Corp. (NERC).
Nato warns of strike against cyber attackers - NATO is considering
the use of military force against enemies who launch cyber attacks
on its member states.
Appeals court absolves firm that exposed man's SSN - No harm, no
foul - A man whose social security number and other personal data
were exposed by a company that processed his job application has no
legal claims because no actual damage resulted from the privacy
breach, a federal appeals court has ruled.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Using Windows for a Day Cost Mac User $100,000 - He normally only
accessed his company's online bank account from his trusty Mac
laptop. Then one day this April while he was home sick, he found
himself needing to authorize a transfer of money out of his firm's
account. Trouble was, he'd left his Mac at work. So he decided to
log in to the company's bank account using his wife's Windows PC.
Welsh medical practice hit by ICO after losing unencrypted memory
stick - The Information Commissioner's Office (ICO) has found
Lampeter Medical Practice in Ceredigion, Wales, to be in breach of
the Data Protection Act after it lost an unencrypted memory stick
containing the personal details of 8,000 patients.
Digital River sues over data breach - The company suspects that
hackers in India stole valuable marketing data during an upgrade of
its computers in Eden Prairie.
Insurer says it's not liable for University of Utah's $3.3M data
breach - In lawsuit, Colorado Casualty says its policies do not
obligate coverage - The University of Utah's attempts to be
reimbursed for the more than $3.3 million it spent on a 2008 data
breach caused by a third-party service provider could be delayed
because of a recent lawsuit.
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 4 of 10)
A. RISK DISCUSSION
If the third party has a name similar to that of the financial
institution, there is an increased likelihood of confusion for the
customer and increased exposure to reputation risk for the financial
institution. For example, if customers access a similarly named
broker from the financial institution's website, they may believe
that the financial institution is providing the brokerage service or
that the broker's products are federally insured.
The use of frame technology and other similar technologies may
confuse customers about which products and services the financial
institution provides and which products and services third parties,
including affiliates, provide. If frames are used, when customers
link to a third-party website through the institution-provided link,
the third-party webpages open within the institution's master
webpage frame. For example, if a financial institution provides
links to a discount broker and the discount broker's webpage opens
within the institution's frame, the appearance of the financial
institution's logo on the frame may give the impression that the
financial institution is providing the brokerage service or that the
two entities are affiliated. Customers may believe that their funds
are federally insured, creating potential reputation risk to the
financial institution in the event the brokerage service should fail
or the product loses value.
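Whether a linked third-party page can actually open inside the institution's frame is decided by that page's own response headers, so a practitioner reviewing weblinks can check each target before deciding how to present the link. The following is an added example, not part of the FFIEC statement or of this newsletter: it evaluates the standard Content-Security-Policy frame-ancestors directive and the X-Frame-Options header the way a browser would, and reports which of a constructed list of linked pages would render under the institution's logo. All site names, URLs and headers in it are made-up samples.

```python
"""Which linked third-party pages would actually render inside our site's frame?

Added example for the weblinking discussion above; it is not part of the FFIEC
statement or this newsletter.  A browser will only display a page inside a
frame if the page's own response headers permit it: the Content-Security-Policy
frame-ancestors directive (which takes precedence) or the older X-Frame-Options
header.  All site names and headers below are constructed samples, not real
institutions or captured responses.
"""
from urllib.parse import urlsplit


def _origin(url: str):
    """(scheme, host, port) for a URL or origin string, with the default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or (443 if scheme == "https" else 80)


def _csp_frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _host_source_matches(source: str, origin) -> bool:
    """Match one CSP source expression (https://*.bank.example, https:, *) against an origin."""
    scheme, host, port = origin
    if source == "*":
        return True
    if source.endswith(":") and "//" not in source:      # scheme-source such as "https:"
        return source[:-1] == scheme
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
        if src_scheme != scheme:                          # strict: no http->https upgrade
            return False
    else:
        rest = source
    src_host, _, src_port = rest.split("/", 1)[0].partition(":")
    if src_port and src_port != "*" and int(src_port) != port:
        return False
    if src_host.startswith("*."):                         # wildcard matches subdomains only
        return host.endswith(src_host[1:])
    return host == src_host


def framing_allowed(headers: dict, page_url: str, framing_origin: str) -> bool:
    """True if a browser would render page_url inside a frame served from framing_origin."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framing_origin)

    ancestors = _csp_frame_ancestors(hdrs.get("content-security-policy", ""))
    if ancestors is not None:                             # CSP overrides X-Frame-Options
        if not ancestors or "'none'" in ancestors:
            return False
        return any(
            framer == page if src == "'self'" else _host_source_matches(src, framer)
            for src in ancestors
        )

    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    # No restriction (ALLOW-FROM is obsolete and ignored by current browsers):
    # any site, including ours, can embed the page.
    return True


# Constructed sample of links on a bank's site, with the headers each target returns.
SAMPLE_LINKS = [
    ("https://broker.example/quotes", {}),
    ("https://insurer.example/apply", {"Content-Security-Policy": "frame-ancestors 'none'"}),
    ("https://settlement.example/fees", {"X-Frame-Options": "SAMEORIGIN"}),
    ("https://affiliate.example/cards",
     {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.bank.example"}),
]


def links_that_render_in_frame(links, framing_origin: str):
    """Targets that would appear under our logo if linked with a frame."""
    return [url for url, hdrs in links if framing_allowed(hdrs, url, framing_origin)]


if __name__ == "__main__":
    for url in links_that_render_in_frame(SAMPLE_LINKS, "https://www.bank.example"):
        print("would render inside our frame:", url)
```

Run against the sample list with the institution's origin as the framing origin, the check flags the broker page (no protection at all) and the affiliate page (which explicitly permits the institution's subdomains); the insurer and settlement pages would be refused by the browser regardless of how the link is built. Pages that come back flagged are the ones the institution must either open in a full window or clearly label as leaving its site.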
The compliance risk to an institution linking to a third-party's
website depends on several factors. These factors include the nature
of the products and services provided on the third-party's website,
and the nature of the institution's business relationship with the
third party. This is particularly true with respect to compensation
arrangements for links. For example, a financial institution that
receives payment for offering advertisement-related weblinks to a
settlement service provider's website should carefully consider the
prohibition against kickbacks, unearned fees, and compensated
referrals under the Real Estate Settlement Procedures Act (RESPA).
The financial institution has compliance risk as well as reputation
risk if linked third parties offer less security and privacy
protection than the financial institution. Third-party sites may
have less secure encryption policies, or less stringent policies
regarding the use and security of their customers' information. The
customer may be comfortable with the financial institution's
policies for privacy and security, but not with those of the linked
third party. If the third-party's policies and procedures create
security weaknesses or apply privacy standards that permit the third
party to release confidential customer information, customers may
blame the financial institution.
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review
Intrusion Response Policies and Procedures.
Management should establish, document, and review the policies and
procedures that guide the bank's response to information system
intrusions. The review should take place at least annually, with
more frequent reviews if the risk exposure warrants them.
Policies and procedures should address the following:
1. The priority and sequence of actions to respond to an intrusion.
Actions should address the containment and elimination of an
intrusion and system restoration. Among other issues, containment
actions include a determination of which business processes must
remain operational, which systems may be disconnected as a
precaution, and how to address authentication compromises (e.g.,
revealed passwords) across multiple systems.
2. Gathering and retaining intrusion information, as discussed
3. The employee's authority to act, whether by request or by
pre-approval, and the process for escalating the intrusion response
to progressively higher degrees of intensity and senior management
4. Availability of necessary resources to respond to intrusions.
Management should ensure that contact information is available for
those that are responsible for responding to intrusions.
5. System restoration tools and techniques, including the
elimination of the intruder's means of entry and back doors, and the
restoration of data and systems to the pre-intrusion state.
6. Notification and reporting to operators of other affected
systems, users, regulators, incident response organizations, and law
enforcement. Guidelines for filing a Suspicious Activity Report for
suspected computer related crimes are discussed below, and in OCC
Advisory Letter 97-9, "Reporting Computer Related Crimes" (November
7. Periodic testing, as discussed below.
8. Staff training resources and requirements.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 2 of 3)
B. Use the information gathered from step A to work through the
"Privacy Notice and Opt Out Decision Tree." Identify which module(s)
of procedures is (are) applicable.
C. Use the information gathered from step A to work through the
Reuse and Redisclosure and Account Number Sharing Decision Trees, as
necessary (Attachments B & C). Identify which module is applicable.
D. Determine the adequacy of the financial institution's internal
controls and procedures to ensure compliance with the privacy
regulation as applicable. Consider the following:
1) Sufficiency of internal policies and procedures, and controls,
including review of new products and services and controls over
servicing arrangements and marketing arrangements;
2) Effectiveness of management information systems, including the
use of technology for monitoring, exception reports, and
standardization of forms and procedures;
3) Frequency and effectiveness of monitoring procedures;
4) Adequacy and regularity of the institution's training program;
5) Suitability of the compliance audit program for ensuring that:
a) the procedures address all regulatory provisions as
b) the work is accurate and comprehensive with respect to the
institution's information sharing practices;
c) the frequency is appropriate;
d) conclusions are appropriately reached and presented to
e) steps are taken to correct deficiencies and to follow-up on
previously identified deficiencies; and
6) Knowledge level of management and personnel.