Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

August 26, 2007

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Scam Foiled, Internet Vulnerabilities Revealed - Since our warning about a phone and e-mail scam last Friday we have learned that dozens of people fell for it and lost thousands of dollars. Tennessee Valley Federal Credit Union has been able to follow the electronic trails to the crooks since we first brought you the story last week. http://www.newschannel9.com/articles/internet_14598___article.html/computers_people.html

FYI - DOD expands encryption mandate - New policy requires military to protect all sensitive data on mobile devices - The Defense Department has tightened its rules for protecting sensitive but unclassified information. In what likely is the first time in government, DOD's chief information officer, John Grimes, is requiring DOD to encrypt all sensitive but unclassified data stored on mobile devices. http://www.fcw.com/article103467-08-13-07-Print

FYI - OMB security mandates pile up - Agencies say the most onerous policy requires them to log database extracts - Agency officials say they are struggling to keep up with new security policies that the Office of Management and Budget has issued in a steady stream since June 2006, after a Veterans Affairs Department employee lost personal data on 26.5 million veterans and their families. http://www.fcw.com/article103460-08-13-07-Print

FYI - 'Hackers' deface UN site - "Hackers" defaced the United Nations Web site early Sunday with messages accusing the U.S. and Israel of killing children. As of late afternoon, some sections, including the area devoted to Secretary General Ban Ki-Moon, remained offline. http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9030318

FYI - Post-TJX breach, corporations must protect data wherever it goes - While companies tend to focus on protecting the network perimeter, more are finding that internal threats are just as problematic. Responsible security is no longer just about protecting the network perimeter. Database security should be considered a best practice for corporations and a security requirement that no CIO should ignore. http://www.scmagazine.com/us/news/article/731515/post-tjx-breach-corporations-protect-data-wherever-goes/

MISSING COMPUTERS/DATA

FYI - Computers containing 10,000 SSNs are stolen - Students, staff and alumni are at risk of identity theft - Social Security numbers for over 10,000 current and former students, faculty and staff were compromised last month following the theft of two University computers, officials said. http://www.yaledailynews.com/articles/view/21093

FYI - Patton IDs at risk after loss of data - The names and Social Security numbers of nearly 300 registry nurses at Patton State Hospital are at risk after the loss of a thumb-sized computer flash drive. An employee violated policy by storing the information on the flash drive to help registry nurses process their monthly time sheets. http://www.sbsun.com/news/ci_6569478

FYI - Merrill Lynch ID Theft May Affect 33,000 Employees - A "major identity-theft incident" has occurred at brokerage giant Merrill Lynch that may affect more than 30,000 employees, CNBC's Charlie Gasparino reported.
http://www.cnbc.com/id/20162588
http://www.reuters.com/article/fundsFundsNews/idUSN0723295420070807

FYI - First Response issues ID theft alert after burglary - First Response Finance has warned thousands of UK customers to be wary of suspicious transactions on their accounts following the theft of storage discs from the finance firm's offices near Manchester. http://www.theregister.co.uk/2007/08/07/first_response/print.html

FYI - Terrorist database stolen in raid was encrypted, police confirm - Thieves have stolen a computer database from a company that specialises in gathering evidence from mobile phone networks to help police track suspected terrorists. http://www.scmagazine.com/uk/news/article/731274/terrorist-database-stolen-raid-encrypted-police-confirm/



WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 3 of 10)

A. RISK DISCUSSION

Reputation Risk


Customers may be confused about whether the financial institution or a third party is supplying the product, service, or other website content available through the link. The risk of customer confusion can be affected by a number of factors:

  • nature of the third-party product or service;
  • trade name of the third party; and
  • website appearance.

Nature of Product or Service

When a financial institution provides links to third parties that sell financial products or services, or provide information relevant to these financial products and services, the risk is generally greater than if third parties sell non-financial products and services due to the greater potential for customer confusion. For example, a link from a financial institution's website to a mortgage bank may expose the financial institution to greater reputation risk than a link from the financial institution to an online clothing store.

The risk of customer confusion with respect to links to firms selling financial products is greater for two reasons. First, customers are more likely to assume that the linking financial institution is providing or endorsing financial products rather than non-financial products. Second, products and services from certain financial institutions often have special regulatory features and protections, such as federal deposit insurance for qualifying deposits. Customers may assume that these features and protections also apply to products that are acquired through links to third-party providers, particularly when the products are financial in nature.

When a financial institution links to a third party that is providing financial products or services, management should consider taking extra precautions to prevent customer confusion. For example, a financial institution linked to a third party that offers nondeposit investment products should take steps to prevent customer confusion specifically with respect to whether the institution or the third party is offering the products and services and whether the products and services are federally insured or guaranteed by the financial institution.

Financial institutions should recognize, even in the case of non-financial products and services, that customers may have expectations about an institution's due diligence and its selection of third parties to which the financial institution links its website. Should customers experience dissatisfaction as a result of poor quality products or services, or loss as a result of their transactions with those companies, they may consider the financial institution responsible for the perceived deficiencies of the seller.



INFORMATION TECHNOLOGY SECURITY
This concludes our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

Part III. Risks Associated with Both Internal Wireless Networks and Wireless Internet Devices

Evolution and Obsolescence

As the wireless technologies available today evolve, financial institutions and their customers face the risk of current investments becoming obsolete in a relatively short time. As demonstrated by the weaknesses in WEP and earlier versions of WAP and the changes in standards for wireless technologies, wireless networking as a technology may change significantly before it is considered mature. Financial institutions that invest heavily in components that may become obsolete quickly may feel the cost of adopting an immature technology.

Controlling the Impact of Obsolescence

Wireless internal networks are subject to the same kinds of evolution as the computing environment in general. Key questions to ask a vendor before purchasing a wireless internal network solution include:

1)  What is the upgrade path to the next class of network?
2)  Do the devices support firmware (Flash) upgrades for security patches and upgrades?
3)  How does the vendor distribute security information and patches?

The financial institution should also consider the evolving standards of the wireless community. Before entering into an expensive implementation, the institution should research when the next major advances in wireless are likely to be released. Bank management can then make an informed decision on whether the implementation should be based on currently available technology or a future implementation based on newer technology.

The potential obsolescence of wireless customer access can be controlled in other ways. As the financial institution designs applications that are to be delivered through wireless devices, it should design them so that the business logic is not tied to a particular wireless technology. This can be accomplished by placing the majority of the business logic, including the authorization and transaction-limit checks, on back-end or mid-tier servers that are independent of the wireless application server. The wireless application server then becomes only a connection point between the customer and the transactions performed. When the institution decides to upgrade or replace the application server, the business logic and its controls remain relatively undisturbed.
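The separation described above, as an added example that is not code from the FDIC guidance or from this newsletter: a back-end transfer service holds the business rules (ownership check, daily limit, balance check), and two thin channel handlers, a hypothetical WAP-style form handler and a JSON handler for a later device generation, only translate their wire format into the same service call. The account data, customer names and request formats are constructed for the example; the customer identity is assumed to come from an already-authenticated session rather than from the request body.

```python
"""Channel-independent business logic for a wireless banking transaction.

Added example, not from the FDIC guidance or the newsletter. All accounts,
owners and messages below are constructed for illustration.
"""
import json
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs


@dataclass
class Account:
    owner: str
    balance: Decimal


@dataclass
class TransferService:
    """Back-end tier: every delivery channel must go through transfer()."""
    accounts: dict
    daily_limit: Decimal = Decimal("1000.00")
    # Running per-customer total; enforced regardless of which channel calls in.
    spent_today: dict = field(default_factory=dict)

    def transfer(self, customer: str, src: str, dst: str, amount: Decimal) -> dict:
        if amount <= 0:
            return {"ok": False, "reason": "amount must be positive"}
        if src not in self.accounts or dst not in self.accounts:
            return {"ok": False, "reason": "unknown account"}
        # Authorization is decided here, never in the channel adapter.
        if self.accounts[src].owner != customer:
            return {"ok": False, "reason": "not authorized for source account"}
        spent = self.spent_today.get(customer, Decimal(0))
        if spent + amount > self.daily_limit:
            return {"ok": False, "reason": "daily limit exceeded"}
        if self.accounts[src].balance < amount:
            return {"ok": False, "reason": "insufficient funds"}
        self.accounts[src].balance -= amount
        self.accounts[dst].balance += amount
        self.spent_today[customer] = spent + amount
        return {"ok": True, "new_balance": str(self.accounts[src].balance)}


def _to_amount(raw: str):
    """Parse money as Decimal; reject garbage, NaN and infinities (returns None)."""
    try:
        value = Decimal(raw)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def wap_handler(session_customer: str, form_body: str, service: TransferService) -> str:
    """Hypothetical WAP front end: WML form POST body in, WML card out."""
    form = parse_qs(form_body)
    amount = _to_amount(form.get("amt", [""])[0])
    if amount is None:
        return "<card><p>Invalid amount</p></card>"
    # session_customer comes from the authenticated session, not the form.
    result = service.transfer(session_customer, form.get("from", [""])[0],
                              form.get("to", [""])[0], amount)
    text = "Transfer accepted" if result["ok"] else "Declined: " + result["reason"]
    return f"<card><p>{text}</p></card>"


def json_handler(session_customer: str, body: str, service: TransferService) -> dict:
    """Later-generation front end: JSON in, JSON out. Same service, same rules."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return {"ok": False, "reason": "malformed request"}
    amount = _to_amount(str(req.get("amount", "")))
    if amount is None:
        return {"ok": False, "reason": "invalid amount"}
    return service.transfer(session_customer, str(req.get("from", "")),
                            str(req.get("to", "")), amount)


def make_demo_service() -> TransferService:
    """Constructed sample accounts for the example."""
    return TransferService(accounts={
        "CHK-1": Account(owner="alice", balance=Decimal("2500.00")),
        "SAV-1": Account(owner="alice", balance=Decimal("100.00")),
        "CHK-2": Account(owner="bob", balance=Decimal("50.00")),
    })


def demo() -> dict:
    """Drive one service through both channels; the controls behave identically."""
    svc = make_demo_service()
    return {
        "wap_first": wap_handler("alice", "from=CHK-1&to=SAV-1&amt=600.00", svc),
        "json_second": json_handler("alice", '{"from": "CHK-1", "to": "SAV-1", "amount": "600.00"}', svc),
        "wap_bob": wap_handler("bob", "from=CHK-1&to=CHK-2&amt=10", svc),
        "json_bob": json_handler("bob", '{"from": "CHK-1", "to": "CHK-2", "amount": "10"}', svc),
        "wap_nan": wap_handler("alice", "from=CHK-1&to=SAV-1&amt=NaN", svc),
        "json_bad": json_handler("alice", "{bad json", svc),
        "chk1_balance": str(svc.accounts["CHK-1"].balance),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The second transfer is refused on the daily limit even though it arrives over a different channel than the first, and a customer cannot move another customer's funds through either front end, because both decisions are made once in the service tier. Replacing the WAP handler with a newer front end changes only the parsing and response formatting.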


IT SECURITY QUESTION:  On-going IT security training:

a. Are new employees trained in computer security?
b. Is continuous computer security training provided users?
c. Has executive management attended a computer security conference?
d. Has the Network Administrator received training regarding security issues involving the servers and the network?
e. Has the IT Security Officer received training regarding IT security issues?



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Procedures (Part 3 of 3)

E. Ascertain areas of risk associated with the financial institution's sharing practices (especially those within Section 13 and those that fall outside of the exceptions) and any weaknesses found within the compliance management program. Keep in mind any outstanding deficiencies identified in the audit for follow-up when completing the modules.

F. Based on the results of the foregoing initial procedures and discussions with management, determine which procedures, if any, should be completed in the applicable module, focusing on areas of particular risk. The selection of procedures to be employed depends upon the adequacy of the institution's compliance management system and the level of risk identified. Each module contains a series of general instructions to verify compliance, cross-referenced to citations within the regulation. Additionally, there are cross-references to a more comprehensive checklist, which the examiner may use if needed to evaluate compliance in more detail.

G. Evaluate any additional information or documentation discovered during the course of the examination according to these procedures. Note that this may reveal new or different sharing practices necessitating reapplication of the Decision Trees and completion of additional or different modules.

H. Formulate conclusions.

1)  Summarize all findings.

2)  For violation(s) noted, determine the cause by identifying weaknesses in internal controls, compliance review, training, management oversight, or other areas.

3)  Identify action needed to correct violations and weaknesses in the institution's compliance system, as appropriate.

4)  Discuss findings with management and obtain a commitment for corrective action.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated