Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT security as
required by the FFIEC's "Interagency Guidelines Establishing
Information Security Standards."
information and to subscribe visit
REMINDER - The ISACA Information Security and
Risk Management Conference is being held September 13-15, 2010
in Las Vegas, Nevada. This is a great conference that I highly
recommend. For more information and to register, please go to
I will be there and look forward to meeting you.
Social Media: Business Benefits and Security, Governance and
Assurance Perspectives - Initiated as a consumer-oriented
technology, social media is increasingly being leveraged as a
powerful, low-cost tool for enterprises to drive business objectives
such as enhanced customer interaction, greater brand recognition and
more effective employee recruitment.
Banking trojans as a weapon of mass destruction - According to
FinCEN, between January 1 and June 30, 2009, depository
institution (banking) suspicious activity reports characterized as
computer intrusion increased 75 percent, compared to the
corresponding six-month reporting period in 2008.
A hidden world, growing beyond control - The top-secret world the
government created in response to the terrorist attacks of Sept. 11,
2001, has become so large, so unwieldy and so secretive that no one
knows how much money it costs, how many people it employs, how many
programs exist within it or exactly how many agencies do the same
German webcam hack suspect cuffed - An alleged suspect has been
arrested in Germany over allegations that he used malware to hack
into webcams and spy on people.
Colorado warns of major corporate ID theft scam - Colorado's
Secretary of State and other officials are warning the state's
800,000 or so registered businesses to watch out for scammers who
have been forging business identities to make fraudulent purchases
from several big-box retailers in recent months.
GAO - Challenges In Federal Agencies' Use of Web 2.0 Technologies.
Social engineering, No school like old school - Using a pretext call
to obtain a subject's cell phone records or bank account debit card
credit card transactions provided compelling background data for
divorces, established "whodunit" in corporate counter-intelligence
and helped me sort out SODDI stories when it mattered in high-end
fraud and burglary cases.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Mozilla yanks password-stealing Firefox add-on - Mozilla warned
users that a password-stealing add-on slipped into Firefox's
extension gallery more than a month ago had been downloaded nearly
2,000 times before it was detected.
Thieves swipe thousands of laptops from Special Ops contractor in
Hillsborough - On March 6, as many as seven people broke into iGov
Technologies at 9211 Palm River Road and stole 3,000 laptops and
other electronics, according to a search warrant.
Bluetooth at heart of gas station credit-card scam in Southeast -
Thieves are stealing credit-card numbers through skimmers they
secretly installed inside pumps at gas stations throughout the
Southeast, using Bluetooth wireless to transmit stolen card numbers,
according to law enforcement officials.
Employee at Maryland state agency posts client information online -
The personal information of clients of the Maryland Department of
Human Resources (DHR) recently was posted on a third-party website,
where it remained for nearly three months.
Sensitive database compromised at Buena Vista University - A
sensitive database belonging to Buena Vista University in Iowa was
compromised, exposing the information of students and staff.
Hospital files with personal, medical data on 800,000 gone - A data
management firm has lost hospital records, containing a wide array
of personal information, that belonged to hundreds of thousands of
WEB SITE COMPLIANCE -
We finish our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 10 of 10)
B. RISK MANAGEMENT TECHNIQUES
Managing Service Providers
Financial institutions, especially smaller institutions, may
choose to subcontract with a service provider to create, arrange,
and manage their websites, including weblinks. The primary risks for
these financial institutions are the same as for those institutions
that arrange the links directly. However, if a financial institution
uses a set of pre-established links to a large number of entities
whose business policies or procedures may be unfamiliar, it may
increase its risk exposure. This is particularly true in situations
it maintains certain minimum information security standards at all
When a financial institution subcontracts weblinking arrangements to
a service provider, the institution should conduct sufficient due
diligence to ensure that the service provider is appropriately
managing the risk exposure from other parties. Management should
keep in mind that a vendor might establish links to third parties
that are unacceptable to the financial institution. Finally, the
written agreement should contain a regulatory requirements clause in
which the service provider acknowledges that its linking activities
must comply with all applicable consumer protection laws and
Financial institution management should consider weblinking
agreements with its service provider to mitigate significant risks.
These agreements should be clear and enforceable with descriptions
of all obligations, liabilities, and recourse arrangements. These
may include the institution's right to exclude from its site links
the financial institution considers unacceptable. Such contracts
should include a termination clause, particularly if the contract
does not include the ability to exclude websites. Finally, a
financial institution should apply its link monitoring policies
discussed above to links arranged by service providers or other
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the FDIC paper "Risk
Assessment Tools and Practices for Information System Security."
To ensure the security of information systems and data, financial
institutions should have a sound information security program that
identifies, measures, monitors, and manages potential risk exposure.
Fundamental to an effective information security program is ongoing
risk assessment of threats and vulnerabilities surrounding networked
and/or Internet systems. Institutions should consider the various
measures available to support and enhance information security
programs. The appendix to this paper describes certain vulnerability
assessment tools and intrusion detection methods that can be useful
in preventing and identifying attempted external break-ins or
internal misuse of information systems. Institutions should also
consider plans for responding to an information security incident.
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 13, 14, and/or 15 but not outside of these
exceptions (Part 2 of 2)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial and annual
privacy notices. Determine whether or not they:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§§6, 13).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§4(a));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9); and
c. For customers only, review the timeliness of delivery
(§§4(d), 4(e), and 5(a)), means of delivery of annual notice (§9(c)),
and accessibility of or ability to retain the notice (§9(e)).