The brochure for the Information Security and
Risk Management Conference being held 28-30 September 2009 in
Las Vegas, Nevada came out this week. This is a great conference that I highly recommend.
For more information and to register, please go to
Criminal network to trade botnets and malware uncovered -
Researchers at a web security firm have discovered what they term
the latest milestone in the evolving cybercriminal underground: a
one-stop-shop for hackers.
Security expert wants feds to recruit volunteer pen testers - One
white-hat security researcher wants to legalize the hacking of
federal government and military websites. But before you call for
Jeremiah Grossman, CTO and founder of application security firm
WhiteHat Security, to stand trial for treason, there's one caveat:
These hackers have to report any vulnerabilities they find and
promise not to break or steal anything.
Nevada Mandates PCI Standard - Nevada has recently passed a law
mandating PCI compliance for companies accepting payment cards that
do business in the state. It is scheduled to go into effect on
January 1st, 2010.
Appeal to constitutional court over 'hacker clauses' inadmissible -
The German Federal Constitutional Court has ruled that legislation
criminalising the use of hacking software, which has now been in
force for two years, is compatible with the German constitution.
Heartland CEO commended for data breach response - Heartland Payment
Systems Inc. CEO Robert Carr is getting high marks from some
analysts for his response so far to a massive data breach discovered
at the credit- and debit-card payment processor early this year.
TJX settles over breach with 41 states for $9.75 million - In a move
to close the door on the largest reported retail data breach in
history, TJX announced Tuesday that it has settled with 41 states
who were probing the discount merchant's data security practices.
CISOs worried about insiders, data breaches - Eighty percent of
CISOs believe their company's own employees and contractors are the
greatest threat to company data, according to a new study conducted
by security vendor NetWitness and audit-and-information-security
training company MIS Training Institute.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
75,000 customers' bank details on stolen Bord Gais laptop - Just
days after 15 laptops went missing from Health Service Executive (HSE)
offices in Co Roscommon, it has now emerged that details of 75,000
Bord Gáis customers were contained on one of four laptops stolen a
fortnight ago from the offices of Bord Gáis.
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Risk management principles (Part 2 of 2)
The Committee recognizes that banks will need to develop risk
management processes appropriate for their individual risk profile,
operational structure and corporate governance culture, as well as
in conformance with the specific risk management requirements and
policies set forth by the bank supervisors in their particular
jurisdiction(s). Further, the numerous e-banking risk management
practices identified in this Report, while representative of current
industry sound practice, should not be considered to be
all-inclusive or definitive, since many security controls and other
risk management techniques continue to evolve rapidly to keep pace
with new technologies and business applications.
This Report does not attempt to dictate specific technical solutions
to address particular risks or set technical standards relating to
e-banking. Technical issues will need to be addressed on an on-going
basis by both banking institutions and various standards-setting
bodies as technology evolves. Further, as the industry continues to
address e-banking technical issues, including security challenges, a
variety of innovative and cost-efficient risk management solutions
are likely to emerge. These solutions are also likely to address
issues related to the fact that banks differ in size, complexity and
risk management culture and that jurisdictions differ in their legal
and regulatory frameworks.
For these reasons, the Committee does not believe that a "one
size fits all" approach to e-banking risk management is
appropriate, and it encourages the exchange of good practices and
standards to address the additional risk dimensions posed by the
e-banking delivery channel. In keeping with this supervisory
philosophy, the risk management principles and sound practices
identified in this Report are expected to be used as tools by
national supervisors and implemented with adaptations to reflect
specific national requirements where necessary, to help promote safe
and secure e-banking activities and operations.
The Committee recognizes that each bank's risk profile is different
and requires a risk mitigation approach appropriate for the scale of
the e-banking operations, the materiality of the risks present, and
the willingness and ability of the institution to manage these
risks. These differences imply that the risk management principles
presented in this Report are intended to be flexible enough to be
implemented by all relevant institutions across jurisdictions.
National supervisors will assess the materiality of the risks
related to e-banking activities present at a given bank and whether,
and to what extent, the risk management principles for e-banking
have been adequately met by the bank's risk management framework.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
INTRUSION DETECTION AND RESPONSE
A maxim of security is "prevention is ideal, but detection is a
must." Security systems must both restrict access and protect
against the failure of those access restrictions. When those systems
fail, however, an intrusion occurs and the only remaining protection
is a detection-and-response capability. The earlier an intrusion
is detected, the greater the institution's ability to mitigate the
risk posed by the intrusion. Financial institutions should have a
capability to detect and react to an intrusion into their
Preparation for intrusion detection generally involves identifying
data flows to monitor for clues to an intrusion, deciding on the
scope and nature of monitoring, implementing that monitoring, and
establishing a process to analyze and maintain custody over the
resulting information. Additionally, legal requirements may include
notifications of users regarding the monitoring and the extent to
which monitoring must be performed as an ordinary part of ongoing
Adequate preparation is a key prerequisite to detection. The best
intrusion detection systems will not identify an intrusion if they
are not located to collect the relevant data, do not analyze correct
data, or are not configured properly. Even if they detect an
intrusion, the information gathered may not be usable by law
enforcement if proper notification of monitoring and preservation of
data integrity have not taken place.
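The preparation steps above (choose a data flow to monitor, analyze it for indicators, and preserve the integrity of what was collected so it stays usable as evidence) are easier to see in code. The following is an added illustration, not part of the FFIEC booklet or the newsletter: it parses a handful of constructed, syslog-style SSH authentication lines, raises an alert when one source accumulates repeated failures inside a short window (the threshold and window are assumed values, not guidance from the text), and builds a hash chain over the raw lines so any later alteration of the collected record is detectable.

```python
# Added example (not from the FFIEC text): a minimal detection-and-custody
# pipeline over constructed authentication log lines. It shows the three
# preparation steps the guidance lists: monitor a chosen data flow, analyze it
# for indicators of intrusion, and preserve the integrity of what was collected.
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the syslog-like layout is assumed for illustration.
SAMPLE_LOG = """\
2009-09-01T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.9 port 4001
2009-09-01T10:00:03 sshd[102]: Failed password for root from 203.0.113.9 port 4002
2009-09-01T10:00:04 sshd[103]: Failed password for root from 203.0.113.9 port 4003
2009-09-01T10:00:05 sshd[104]: Failed password for root from 203.0.113.9 port 4004
2009-09-01T10:00:07 sshd[105]: Failed password for root from 203.0.113.9 port 4005
2009-09-01T10:00:09 sshd[106]: Accepted password for root from 203.0.113.9 port 4006
2009-09-01T10:15:00 sshd[107]: Failed password for alice from 198.51.100.7 port 5001
2009-09-01T11:30:00 sshd[108]: Failed password for alice from 198.51.100.7 port 5002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_events(text):
    """Turn the monitored data flow into structured events; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m.group("ts")),
                "result": m.group("result"),
                "user": m.group("user"),
                "src": m.group("src"),
            })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag any source with `threshold` failed logins inside a sliding `window`.

    A success from an already-flagged source is recorded as well, since that is
    the case that most needs an immediate response rather than a later review.
    Threshold and window are assumed values chosen for the sample data.
    """
    recent_failures = defaultdict(list)  # src -> timestamps still inside the window
    alerts = {}
    for ev in events:
        if ev["result"] == "Failed":
            q = recent_failures[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # expire old timestamps
                q.pop(0)
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    ev["src"], {"first_seen": q[0], "failures": 0, "success_after": False}
                )
                alert["failures"] = len(q)
        elif ev["src"] in alerts:
            alerts[ev["src"]]["success_after"] = True
    return alerts


def custody_chain(text, seed="collection-start"):
    """Build a tamper-evident chain over the raw lines.

    Each digest covers the previous digest plus the current line, so editing,
    inserting or removing any line changes every digest after it. Returns the
    final digest and the per-line digests that would go into the custody record.
    """
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chain = []
    for line in text.splitlines():
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        chain.append(prev)
    return prev, chain


def verify_custody(text, expected_final):
    """Recompute the chain over `text` and compare with the digest recorded at collection."""
    return custody_chain(text)[0] == expected_final


if __name__ == "__main__":
    alerts = detect_bruteforce(parse_events(SAMPLE_LOG))
    for src, info in alerts.items():
        print(f"ALERT {src}: {info['failures']} failures since {info['first_seen']}, "
              f"success afterwards: {info['success_after']}")
    final_digest, _ = custody_chain(SAMPLE_LOG)
    print("custody digest:", final_digest)
    print("record intact:", verify_custody(SAMPLE_LOG, final_digest))
```

The detector and the custody chain are deliberately separate: the alert decides whether to respond, while the chain (with its seed and final digest stored apart from the logs) is what lets someone later show the collected record was not altered. Running the block flags 203.0.113.9 (five failures in six seconds followed by a success) and reports the sample record as intact; changing any single line makes `verify_custody` return False.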
INTRUSION DETECTION AND RESPONSE
1. Identify controls used to detect and respond to unauthorized
! Review the schematic of the information technology systems
for common intrusion detection systems.
! Review security procedures for daily and periodic report
monitoring to identify unauthorized or unusual activities.
! Identify IT architectural design and intrusion detection
systems that increase management's confidence that security is
maintained (e.g., through the use of routers, host-based security,
data segregation and information flows).
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
13. If the institution does not disclose nonpublic personal
information, and does not reserve the right to do so, other than
under exceptions in §14 and §15, does the institution provide a
simplified privacy notice that contains at a minimum:
a. a statement to this effect;
b. the categories of nonpublic personal information it collects;
c. the policies and practices the institution uses to protect the
confidentiality and security of nonpublic personal information; and
d. a general statement that the institution makes disclosures to
other nonaffiliated third parties as permitted by law? [§6(c)(5)]
(Note: use of this type of simplified notice is optional; an
institution may always use a full notice.)