Scam Foiled, Internet Vulnerabilities Revealed - Since our warning
about a phone and e-mail scam last Friday we have learned that
dozens of people fell for it and lost thousands of dollars.
Tennessee Valley Federal Credit Union has been able to follow the
electronic trails to the crooks since we first brought you the story
DOD expands encryption mandate - New policy requires military to
protect all sensitive data on mobile devices - The Defense
Department has tightened its rules for protecting sensitive but
unclassified information. In what likely is the first time in
government, DOD's chief information officer, John Grimes, is
requiring DOD to encrypt all sensitive but unclassified data stored
on mobile devices.
OMB security mandates pile up - Agencies say the most onerous policy
requires them to log database extracts - Agency officials say they
are struggling to keep up with new security policies that the Office
of Management and Budget has issued in a steady stream since June
2006, after a Veterans Affairs Department employee lost personal
data on 26.5 million veterans and their families.
'Hackers' deface UN site - "Hackers" defaced the United Nations Web
site early Sunday with messages accusing the U.S. and Israel of
killing children. As of late afternoon, some sections, including the
area devoted to Secretary General Ban Ki-Moon, remained offline.
FYI - Post-TJX breach,
corporations must protect data wherever it goes - While companies
tend to focus on protecting the network perimeter, more are finding
that internal threats are just as problematic. Responsible security
is no longer just about protecting the network perimeter. Database
security should be considered a best practice for corporations and a
security requirement that no CIO should ignore.
Computers containing 10,000 SSNs are stolen - Students, staff and
alumni are at risk of identity theft - Social Security numbers for
over 10,000 current and former students, faculty and staff were
compromised last month following the theft of two University
computers, officials said.
Patton IDs at risk after loss of data - The names and Social
Security numbers of nearly 300 registry nurses at Patton State
Hospital are at risk after the loss of a thumb-sized computer flash
drive. An employee violated policy by storing the information on the
flash drive to help registry nurses process their monthly time
Merrill Lynch ID Theft May Affect 33,000 Employees - A "major
identity-theft incident" has occurred at brokerage giant Merrill
Lynch that may affect more than 30,000 employees, CNBC's Charlie
First Response issues ID theft alert after burglary - First Response
Finance has warned thousands of UK customers to be wary of
suspicious transactions on their accounts following the theft of
storage discs from the finance firm's offices near Manchester.
Terrorist database stolen in raid was encrypted, police confirm -
Thieves have stolen a computer database from a company that
specialises in gathering evidence from mobile phone networks to help
police track suspected terrorists.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 3 of 10)
Customers may be confused about whether the financial institution or
a third party is supplying the product, service, or other website
content available through the link. The risk of customer confusion
can be affected by a number of factors:
- nature of the
third-party product or service;
- trade name of the third
- website appearance.
Nature of Product or
When a financial institution provides links to third parties that
sell financial products or services, or provide information relevant
to these financial products and services, the risk is generally
greater than if third parties sell non-financial products and
services due to the greater potential for customer confusion. For
example, a link from a financial institution's website to a mortgage
bank may expose the financial institution to greater reputation risk
than a link from the financial institution to an online clothing
The risk of customer confusion with respect to links to firms
selling financial products is greater for two reasons. First,
customers are more likely to assume that the linking financial
institution is providing or endorsing financial products rather than
non-financial products. Second, products and services from certain
financial institutions often have special regulatory features and
protections, such as federal deposit insurance for qualifying
deposits. Customers may assume that these features and protections
also apply to products that are acquired through links to
third-party providers, particularly when the products are financial
When a financial institution links to a third party that is
providing financial products or services, management should consider
taking extra precautions to prevent customer confusion. For example,
a financial institution linked to a third party that offers
nondeposit investment products should take steps to prevent customer
confusion specifically with respect to whether the institution or
the third party is offering the products and services and whether
the products and services are federally insured or guaranteed by the
Financial institutions should recognize, even in the case of
non-financial products and services, that customers may have
expectations about an institution's due diligence and its selection
of third parties to which the financial institution links its
website. Should customers experience dissatisfaction as a result of
poor quality products or services, or loss as a result of their
transactions with those companies, they may consider the financial
institution responsible for the perceived deficiencies of the
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - This
concludes our coverage of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Part III. Risks Associated with Both Internal Wireless Networks and
Wireless Internet Devices
Evolution and Obsolescence
As the wireless technologies available today evolve, financial
institutions and their customers face the risk of current
investments becoming obsolete in a relatively short time. As
demonstrated by the weaknesses in WEP and earlier versions of WAP
and the changes in standards for wireless technologies, wireless
networking as a technology may change significantly before it is
considered mature. Financial institutions that invest heavily in
components that may become obsolete quickly may feel the cost of
adopting an immature technology.
Controlling the Impact of Obsolescence
Wireless internal networks are subject to the same types of
evolution that encompass the computing environment in general. Key
questions to ask a vendor before purchasing a wireless internal
network solution include:
1) What is the upgrade path to the next class of network?
2) Do the devices support firmware (Flash) upgrades for
security patches and upgrades?
3) How does the vendor distribute security information and
The financial institution should also consider the evolving
standards of the wireless community. Before entering into an
expensive implementation, the institution should research when the
next major advances in wireless are likely to be released. Bank
management can then make an informed decision on whether the
implementation should be based on currently available technology or
a future implementation based on newer technology.
The potential obsolescence of wireless customer access can be
controlled in other ways. As the financial institution designs
applications that are to be delivered through wireless devices, they
should design the application so that the business logic is not tied
to a particular wireless technology. This can be accomplished by
placing the majority of the business logic on back-end or mid-tier
servers that are independent of the wireless application server. The
wireless application server then becomes a connection point between
the customer and the transactions performed. As the institution
decides to upgrade or replace the application server, the business
logic can remain relatively undisturbed.
the top of the newsletter
IT SECURITY QUESTION:
a. Are new employees trained in computer security?
b. Is continuous computer security training provided users?
c. Has executive management attended a computer security conference?
d. Has the Network Administrator received training regarding
security issues involving the servers and the network?
e. Has the IT Security Officer received training regarding IT
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 3 of 3)
E. Ascertain areas of risk associated with the financial
institution's sharing practices (especially those within Section 13
and those that fall outside of the exceptions ) and any weaknesses
found within the compliance management program. Keep in mind any
outstanding deficiencies identified in the audit for follow-up when
completing the modules.
F. Based on the results of the foregoing initial procedures and
discussions with management, determine which procedures if any
should be completed in the applicable module, focusing on areas of
particular risk. The selection of procedures to be employed depends
upon the adequacy of the institution's compliance management system
and level of risk identified. Each module contains a series of
general instruction to verify compliance, cross-referenced to cites
within the regulation.
Additionally, there are cross-references to a more comprehensive
checklist, which the examiner may use if needed to evaluate
compliance in more detail.
G. Evaluate any additional information or documentation discovered
during the course of the examination according to these procedures.
Note that this may reveal new or different sharing practices
necessitating reapplication of the Decision Trees and completion of
additional or different modules.
H. Formulate conclusions.
1) Summarize all findings.
2) For violation(s) noted, determine the cause by identifying
weaknesses in internal controls, compliance review, training,
management oversight, or other areas.
3) Identify action needed to correct violations and weaknesses
in the institution's compliance system, as appropriate.
4) Discuss findings with management and obtain a commitment
for corrective action.