FYI - Ahold USA pension
data lost when laptop disappears - The laptop went missing after
being checked in for a flight - A laptop computer containing the
names and personal information of an undisclosed number of retirees
of grocery store chain Ahold USA disappeared last month after it was
placed in checked baggage on a commercial U.S. flight and the bag
was lost by the airline.
FYI - Lost IRS laptop
stored employee fingerprints - Hundreds notified they are at risk of
ID theft, including some applicants - A laptop computer containing
fingerprints of Internal Revenue Service employees is missing,
MSNBC.com has learned.
FYI - Computers Stolen
in Ohio with 72,000 Medicaid Subscribers' Personal Info - Laptop
computers with personal information on 72,000 Ohio Medicaid
recipients were stolen from a private managed care agency in Ohio,
according to an Associated Press account. Officials with Buckeye
Community Health Plan notified authorities that four computers were
stolen from their Columbus office.
FYI - YMCA laptop with
65,000 members' information stolen - YMCA officials announced that a
laptop computer was stolen last week containing personal information
for more than 65,000 members in Rhode Island, including members of
the YMCA of Greater Providence and branches in Woonsocket,
Smithfield and Pawtucket.
FYI - UK employees at
risk for identity theft - The potential of identity theft has become
a nagging fear for 1,300 current and former University of Kentucky
employees after the university notified them that their personal
information, including Social Security numbers, was inadvertently
accessible to the public for 19 days last month.
FYI - Couple's
Supposedly Destroyed Hard Drive Purchased In Chicago - A year ago,
Henry and Roma Gerbus took their computer to Best Buy in Springfield
Township to have its hard drive replaced. Henry Gerbus said Best Buy
assured him the computer's old hard drive -- loaded with personal
information -- would be destroyed.
FYI - Credit unions,
small banks see more phishing attacks - Attacks against small banks
and credit unions remained on the rise last month, according to a
recent fraud report from RSA Security.
FYI - Two-thirds fail to
guard against mobile threat - Two-thirds of IT professionals fail to
include mobile devices in their security policies, according to a
FYI - IM attacks on the
rise in May - The number of instant messaging (IM) attacks increased
by 500 percent in May, Postini reported this week.
FYI - Another federal
breach exposes employee records - The Energy Department disclosed to
Congress on Friday that it suffered a security breach from a hacker
in September that compromised 1,500 personnel records.
FYI - CPA group says
hard drive with data on 330,000 members missing - 'We are looking at
it as a missing shipment; that doesn't mean it's lost,' says a FedEx
spokesman - Adding to the lengthening list of organizations
reporting data compromises, the American Institute of Certified
Public Accountants (AICPA) today confirmed that a computer hard
drive containing the unencrypted names, addresses and Social
Security numbers of nearly all of its 330,000 members has been
missing since February.
FYI - Stolen computer
server sparks ID theft fears - Nearly 1 million prospective AIG
customers could be at risk - A thief recently stole a computer
server belonging to a major U.S. insurance company, and company
officials now fear that the personal data of nearly 1 million people
could be at risk, insurance industry sources tell NBC News.
FYI - Visa says ATM breach may
have exposed data - Visa USA on Tuesday confirmed an ATM security
breakdown has exposed more consumers to potential mischief, the
latest in a long line of lapses that have illuminated the often
flimsy controls over the personal information entrusted to
businesses, schools and government agencies.
FYI - Feds Pump Up Intellectual
Property Protection Efforts - Department of Justice opens up 12 new
offices to fight cybercrimes. The U.S. Department of Justice has
fulfilled or exceeded all recommendations made by an intellectual
property task force in October 2004, including new computer crime
investigations units in 12 cities, Attorney General Alberto Gonzales
WEB SITE COMPLIANCE -
We continue our series on the FFIEC Authentication in an Internet
Banking Environment. (Part 5 of
Monitoring and Reporting
Monitoring systems can determine if unauthorized access to computer
systems and customer accounts has occurred. A sound authentication
system should include audit features that can assist in the
detection of fraud, money laundering, compromised passwords, or
other unauthorized activities. The activation and maintenance of
audit logs can help institutions to identify unauthorized
activities, detect intrusions, reconstruct events, and promote
employee and user accountability. In addition, financial
institutions should report suspicious activities to appropriate
regulatory and law enforcement agencies as required by the Bank
Financial institutions should rely on multiple layers of control to
prevent fraud and safeguard customer information. Much of this
control is not based directly upon authentication. For example, a
financial institution can analyze the activities of its customers to
identify suspicious patterns. Financial institutions also can rely
on other control methods, such as establishing transaction dollar
limits that require manual intervention to exceed a preset limit.
Adequate reporting mechanisms are needed to promptly inform security
administrators when users are no longer authorized to access a
particular system and to permit the timely removal or suspension of
user account access. Furthermore, if critical systems or processes
are outsourced to third parties, management should ensure that the
appropriate logging and monitoring procedures are in place and that
suspected unauthorized activities are communicated to the
institution in a timely manner. An independent party (e.g., internal
or external auditor) should review activity reports documenting the
security administrators' actions to provide the necessary checks and
balances for managing system security.
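The monitoring controls described above (audit-log review for compromised passwords, transaction dollar limits that force manual intervention, and prompt suspension of users who are no longer authorized) can be exercised in code. The following is an added example written for this newsletter, not part of the FFIEC guidance; the log format, the constructed log lines, the transaction records and the user lists are all assumptions, and the five-failure / ten-minute threshold is a placeholder an institution would tune to its own risk assessment.

```python
"""Monitoring and reporting checks: authentication-log review,
transaction dollar limits and account deprovisioning.
Added example; every data set below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log in a hypothetical "key=value" format.
AUTH_LOG = """\
2006-06-05T09:00:01 user=jdoe src=203.0.113.5 result=FAIL
2006-06-05T09:00:04 user=jdoe src=203.0.113.5 result=FAIL
2006-06-05T09:00:07 user=jdoe src=203.0.113.5 result=FAIL
2006-06-05T09:00:10 user=jdoe src=203.0.113.5 result=FAIL
2006-06-05T09:00:13 user=jdoe src=203.0.113.5 result=FAIL
2006-06-05T09:00:20 user=jdoe src=203.0.113.5 result=OK
2006-06-05T09:05:00 user=asmith src=198.51.100.7 result=FAIL
2006-06-05T09:06:00 user=asmith src=198.51.100.7 result=OK
2006-06-05T10:00:00 user=rlee src=192.0.2.9 result=OK
"""

# Constructed transaction records and account lists.
TRANSACTIONS = [
    {"id": "T1", "user": "jdoe", "amount": 950.00},
    {"id": "T2", "user": "asmith", "amount": 12000.00},
    {"id": "T3", "user": "rlee", "amount": 5000.00},
]
ACTIVE_ACCOUNTS = {"jdoe", "asmith", "rlee", "bgone"}
TERMINATED_USERS = {"bgone", "nobody"}


def parse_auth_events(text):
    """Turn each log line into a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def find_suspicious_logins(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (user, src) pairs where a successful login followed at least
    fail_threshold failures from the same source inside the window: a
    password-guessing indicator that audit-log review should surface."""
    recent_fails = defaultdict(list)   # (user, src) -> failure timestamps
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            recent_fails[key].append(ev["ts"])
            continue
        fails = [t for t in recent_fails[key] if ev["ts"] - t <= window]
        if len(fails) >= fail_threshold:
            flagged.append(key)
        recent_fails[key] = []          # success resets the counter
    return flagged


def transactions_needing_review(txns, limit=5000.00):
    """Transactions above the preset dollar limit are held for manual
    intervention rather than processed automatically."""
    return [t["id"] for t in txns if t["amount"] > limit]


def accounts_to_suspend(active, terminated):
    """Users no longer authorized who still hold an active account; this
    is the list the security administrator must act on promptly."""
    return sorted(active & terminated)


def monitoring_report(log_text=AUTH_LOG, txns=TRANSACTIONS,
                      active=ACTIVE_ACCOUNTS, terminated=TERMINATED_USERS):
    """Assemble the three findings into one report for the reviewer."""
    events = parse_auth_events(log_text)
    return {
        "suspicious_logins": find_suspicious_logins(events),
        "manual_review": transactions_needing_review(txns),
        "suspend": accounts_to_suspend(active, terminated),
    }


if __name__ == "__main__":
    for section, items in monitoring_report().items():
        print(f"{section}: {items}")
```

The report function is deliberately separate from the three checks so that an independent party (the internal or external auditor mentioned above) can rerun the same checks against the raw logs and compare the output with what the security administrators acted on.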
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Firewall Policy (Part 1 of 3)
A firewall policy states management's expectations for how the
firewall should function and is a component of the overall security
policy. It should establish rules for traffic coming into and going
out of the security domain and how the firewall will be managed and
updated. Therefore, it is a type of security policy for the
firewall, and forms the basis for the firewall rules. The firewall
selection and the firewall policy should stem from the ongoing
security risk assessment process. Accordingly, management needs to
update the firewall policy as the institution's security needs and
the risks change. At a minimum, the policy should address:
! Firewall topology and architecture,
! Type of firewall(s) being utilized,
! Physical placement of the firewall components,
! Monitoring firewall traffic,
! Permissible traffic (generally based on the premise that all
traffic not expressly allowed is denied, detailing which
applications can traverse the firewall and under what exact
circumstances such activities can take place),
! Firewall updating,
! Coordination with intrusion detection and response mechanisms,
! Responsibility for monitoring and enforcing the firewall policy,
! Protocols and applications permitted,
! Regular auditing of a firewall's configuration and testing of the
firewall's effectiveness, and
! Contingency planning.
Financial institutions should also appropriately train and manage
their staffs to ensure the firewall policy is implemented properly.
Alternatively, institutions can outsource the firewall management,
while ensuring that the outsourcer complies with the institution's
specific firewall policy.
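Several of the policy elements listed above (permissible traffic on a deny-by-default basis, the protocols and applications permitted, and regular auditing of the firewall's configuration) can be checked mechanically against an exported rule set. The following is an added example written for this newsletter, not part of the FFIEC guidance or any firewall vendor's tooling; the one-rule-per-line text format, the constructed rule listing and the permissible-traffic table are assumptions standing in for whatever an institution's own firewall exports.

```python
"""Audit a firewall rule set against a written firewall policy.
Added example; the rule format and rules below are constructed."""
import ipaddress
import shlex

# Constructed rule listing in a hypothetical text format: one rule per
# line, first match wins, fields: action proto src dst dport "justification".
RULESET = """\
allow tcp any 10.0.1.10 443 "Internet banking front end"
allow tcp 10.0.2.0/24 any 25 "Outbound mail relay"
allow any 10.0.3.0/24 any any "temporary vendor access"
allow tcp any 10.0.1.11 22
deny any any any any "Default deny"
"""

# Permissible traffic from the written policy: (protocol, destination port).
PERMISSIBLE = {("tcp", 443), ("tcp", 25)}


def parse_rules(text):
    """Parse the listing into dicts, keeping the line number for reporting."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = shlex.split(line)
        action, proto, src, dst, dport = parts[:5]
        comment = parts[5] if len(parts) > 5 else ""
        rules.append({"line": n, "action": action, "proto": proto, "src": src,
                      "dst": dst, "dport": dport, "comment": comment})
    return rules


def _addr_matches(spec, addr):
    """'any' matches everything; otherwise treat spec as a host or CIDR."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, proto, src, dst, dport):
    """First-match evaluation. Traffic matching no rule is denied, which is
    the 'all traffic not expressly allowed is denied' premise."""
    for r in rules:
        if (r["proto"] in ("any", proto) and _addr_matches(r["src"], src)
                and _addr_matches(r["dst"], dst) and r["dport"] in ("any", str(dport))):
            return r["action"]
    return "deny"


def audit(rules, permissible):
    """Compare the rule set with the policy; returns (line, finding) pairs."""
    findings = []
    allowed = {(p, str(d)) for p, d in permissible}
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["proto"] == "any"
            and last["src"] == "any" and last["dst"] == "any" and last["dport"] == "any"):
        findings.append((0, "no explicit default-deny rule at end of rule set"))
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["proto"] == "any" or r["dport"] == "any":
            findings.append((r["line"], "overly permissive allow (protocol or port 'any')"))
        elif (r["proto"], r["dport"]) not in allowed:
            findings.append((r["line"], f"{r['proto']}/{r['dport']} not in permissible traffic list"))
        if not r["comment"]:
            findings.append((r["line"], "allow rule lacks documented justification"))
    return findings


if __name__ == "__main__":
    rules = parse_rules(RULESET)
    for line, finding in audit(rules, PERMISSIBLE):
        print(f"line {line}: {finding}")
    print(evaluate(rules, "tcp", "198.51.100.1", "10.0.1.10", 443))   # allow
    print(evaluate(rules, "tcp", "198.51.100.1", "10.0.1.10", 80))    # deny
```

Run against the constructed listing, the audit flags the "any/any" vendor rule as overly permissive, and the SSH rule both for a service missing from the permissible-traffic table and for having no recorded justification; the explicit default-deny rule at the end satisfies the check, but `evaluate` still denies unmatched traffic even if that rule were removed, so the audit finding and the runtime behaviour can be compared.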
C. HOST SECURITY
11. Determine whether appropriate notification is
made of authorized use, through banners or other means.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
4) Does the institution provide initial notice after
establishing a customer relationship only if:
a. the customer relationship is not established at the
customer's election; [§4(e)(1)(i)] or
b. to do otherwise would substantially delay the customer's
transaction (e.g. in the case of a telephone application), and the
customer agrees to the subsequent delivery? [§4 (e)(1)(ii)]
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,