Are you ready for your IT examination?  The Weekly IT Security Review provides a checklist of the IT security issues covered in the FFIEC IT Examination Handbook, which will prepare you for the IT examination.   For more information and to subscribe visit http://www.yennik.com/it-review/.

FYI - The Federal Reserve Board announced posting rules for a new same-day automated clearing house service. - The Federal Reserve Banks will be offering an opt-in, same-day settlement service for certain ACH debit payments through the FedACH service effective August 2, 2010. FedACH customers may opt-in to this service by completing a participation agreement. The service will be limited to transactions arising from consumer checks converted to ACH and consumer debit transfers initiated over the Internet and phone. www.federalreserve.gov/newsevents/press/other/20100621a.htm

FYI - Security budgets stable or increasing at financial firms - Despite the Great Recession, information security budgets at financial institutions generally are staying stable, many even have increased, according to a study. http://www.scmagazineus.com/security-budgets-stable-or-increasing-at-financial-firms/article/172793/

FYI - Supreme Court ruling lets employers view worker text messages with reason - Overturns earlier rulings that search violated fourth amendment rights of California police officer - The U.S. Supreme Court today ruled that employers have the right to search through text messages, including personal ones, sent by workers if they have reason to believe that workplace rules are being violated. http://www.computerworld.com/s/article/9178199/Supreme_Court_ruling_lets_employers_view_worker_text_messages_with_reason

FYI - New fraud service serves as repository for stolen data - Microsoft has joined forces with the National Cyber Forensics Training Alliance (NCFTA) to launch a portal designed to immediately alert companies if credentials or credit card numbers belonging to their customers have been discovered online. http://www.scmagazineus.com/new-fraud-service-serves-as-repository-for-stolen-data/article/172716/

FYI - Wanted: Young cyberexperts to defend Internet - Nationwide campaigns to steer youthful techies into careers defending the Internet are gaining steam. http://www.usatoday.com/money/industries/technology/2010-06-21-cybersecurity21_ST_N.htm

FYI - Senior leaders becoming disconnected from security - The boards and senior executives at many organizations are not adequately involved in enterprise privacy and security decisions, according to a report released by researchers at Carnegie Mellon University's CyLab. http://www.scmagazineus.com/senior-leaders-becoming-disconnected-from-security/article/172950/

FYI - World Cup Security Uses Physics To Thwart Hackers - South African physicists working to protect data networks at the World Cup hope to provide something that no goalkeeper can promise: perfect defense. http://www.foxnews.com/scitech/2010/06/21/world-cup-security-uses-physics-thwart-hackers/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Eastern European banks under attack by next-gen crime app - BlackEnergy 2's one-two punch - Banks in Russia and Ukraine are under continued siege by criminal gangs wielding a sophisticated, next-generation exploitation kit that hacks the financial institutions' authentication system and then hits it with a denial-of-service attack. http://www.theregister.co.uk/2010/06/16/blackenergy2_ddos_attacks/

FYI - Google's Wi-Fi snoop nabbed passwords and emails - The Wi-Fi traffic collected by Google's world-roving Street View cars included passwords and email, according to a report citing a preliminary study from the French data protection authority. http://www.theregister.co.uk/2010/06/18/google_street_view_cars_wifi_data_includes_emails_and_passwords/

FYI - Beach schools report computer security breach - A student gained access to a computer file last month containing names, addresses and Social Security numbers of about 16,000 students attending 22 Beach schools, administrators said. http://hamptonroads.com/2010/06/beach-schools-report-computer-security-breach?cid=ltst

FYI - SMBs, individuals being targeted by telephone DoS - If your phone starts ringing of the hook, there is a chance cybercriminals are draining your bank or online trading account at the exact same moment, the FBI warned. http://www.scmagazineus.com/smbs-individuals-being-targeted-by-telephone-dos/article/172962/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 6 of 10)

B. RISK MANAGEMENT TECHNIQUES

Planning Weblinking Relationships

Due Diligence

A financial institution should conduct sufficient due diligence to determine whether it wishes to be associated with the quality of products, services, and overall content provided by third-party sites. A financial institution should consider more product-focused due diligence if the third parties are providing financial products, services, or other financial website content. In this case, customers may be more likely to assume the institution reviewed and approved such products and services. In addition to reviewing the linked third-party's financial statements and its customer service performance levels, a financial institution should consider a review of the privacy and security policies and procedures of the third party.  Also, the financial institution should consider the character of the linked party by considering its past compliance with laws and regulations and whether the linked advertisements might by viewed as deceptive advertising in violation of Section 5 of the Federal Trade Commission Act.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Suspicious Activity Reporting.

National banks are required to report intrusions and other computer crimes to the OCC and law enforcement by filing a Suspicious Activity Report (SAR) form and submitting it to the Financial Crimes Enforcement Network (FinCEN), in accordance with 12 USC 21.11. This reporting obligation exists regardless of whether the institution has reported the intrusion to the information-sharing organizations discussed below. For purposes of the regulation and the SAR form instructions, an "intrusion" is defined as gaining access to the computer system of a financial institution to remove, steal, procure or otherwise affect information or funds of the institution or customers. It also includes actions that damage, disable, or otherwise affect critical systems of the institution. For example, distributed denial of service attaches (DDoS) attacks should be reported on a SAR because they may temporarily disable critical systems of financial institutions. 

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of exceptions (with or without also sharing under Section 13).  (Part 1 of 3)

Note: Financial institutions whose practices fall within this category engage in the most expansive degree of information sharing permissible. Consequently, these institutions are held to the most comprehensive compliance standards imposed by the Privacy regulation.

A. Disclosure of Nonpublic Personal Information 

1)  Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party both inside and outside of the exceptions. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution's compliance with disclosure limitations.

a.  Compare the categories of data shared and with whom the data were shared to those stated in the privacy notice and verify that what the institution tells consumers (customers and those who are not customers) in its notices about its policies and practices in this regard and what the institution actually does are consistent (§§10, 6).

b.  Compare the data shared to a sample of opt out directions and verify that only nonpublic personal information covered under the exceptions or from consumers (customers and those who are not customers) who chose not to opt out is shared (§10).

2)  If the financial institution also shares information under Section 13, obtain and review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in section 14 or 15. Determine whether the contracts prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the "grandfather" provisions of Section 18 apply to certain of these contracts (§13(a)).