FYI - The Federal
Financial Institutions Examination Council member agencies today
released a frequently asked questions document to aid in the
implementation of the interagency guidance on Authentication in an
Internet Banking Environment issued October 12, 2005.
NCUA - Letter to Credit Unions 06-CU-13 -
Authentication for Internet Based Services.
FYI - Matrix Bancorp
Announces Personal Computer Theft; Starts Aggressive Program to
Protect Customers Against Identity Theft - Matrix Bancorp, Inc.
announced that two laptop computers, both the property of Matrix
Capital Bank, were stolen from its headquarters building in downtown
Denver, Colorado. The computers, one of which contains certain
proprietary information regarding Matrix Capital Bank and some of
its customers, are strong-password protected and the information on
them is fully encrypted.
FYI - Probe continues in
City Hall theft - Hattiesburg police continue to search for leads in
a June break-in at City Hall that resulted in the theft of computers
and other devices containing sensitive personal data on thousands of
city workers and contractors.
FYI - Security Breach at
Toyota Plant - A security breach at the Toyota plant was being
investigated Thursday after a laptop computer containing personal
information for more than a thousand people was stolen.
FYI - WSU computers
tampered with - Someone gained unauthorized access to three
computers in Wichita State University's College of Fine Arts box
office and to a server in the psychology department, the university
said. The box-office computers contained credit card information for
about 2,000 patrons. The server held data regarding about 40
applicants to a doctoral program.
FYI - Organizations and
individuals are still leaving critical data on disks later sold on
through online auctions and computer fairs, according to a new
study. The research carried out by BT, the University of Glamorgan
in Wales and Edith Cowan University in Australia found payroll
information, mobile telephone numbers, copies of invoices, employee
names and photos, IP addresses, network information, illicit audio
and video files, financial details including bank and credit card
accounts on hard drives purchased from a number of sources.
FYI - UK bank details
sold in Nigeria - People should wipe the hard drive before they give
away their old PC - Bank account details belonging to thousands of
Britons are being sold in West Africa for less than £20 each, the
BBC's Real Story programme has found.
FYI - Old hard drives
yield dark secrets - A quick wipe won't remove the data - Companies
and individuals aren't bothering to destroy data on hard drives
before disposing of them, according to a BT-funded report by
FYI - Two IT execs at Ohio
University fired after data breaches - Two top IT officials at Ohio
University (OU) who were suspended in June in connection with data
security breaches at the school in recent months were fired. In a
statement, the Athens, Ohio-based school announced that Tom Reid,
the university's director of communication network services, and
Todd Acheson, the manager of Internet and systems for the school,
were dismissed in the wake of the breaches -- including one that
exposed personal information on 137,000 alumni.
FYI - Three workers depart AOL
after privacy uproar - Two AOL employees have been fired, and its
chief technology officer is resigning, after the release of Web
search data from thousands of AOL members prompted widespread
criticism of the company.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
begin this week reviewing the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques." (Part
1 of 10)
A. RISK DISCUSSION
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking
relationships are exposed to several risks associated with the use
of this technology. The most significant risks are reputation
risk and compliance risk.
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in distinguishing whether the financial
institution or the linked third party is offering products and
- customer dissatisfaction with the quality of products or
services obtained from a third party; and
- customer confusion as to whether certain regulatory
protections apply to third-party products or services.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION - DATA CENTER SECURITY
When selecting a site for the most important information systems
components, one major objective is to limit the risk of exposure
from internal and external sources. The selection process should
include a review of the surrounding area to determine if it is
relatively safe from exposure to fire, flood, explosion, or similar
environmental hazards. Outside intruders can be deterred through the
use of guards, fences, barriers, surveillance equipment, or other
similar devices. Since access to key information system hardware and
software should be limited, doors and windows must be secure.
Additionally, the location should not be identified or advertised by
signage or other indicators.
Detection devices, where applicable, should be utilized to prevent
theft and safeguard the equipment. They should provide continuous
coverage. Detection devices have two purposes - to alarm when a response is necessary and to support
subsequent forensics. The alarm capability is only useful when a
response will occur. Some intruder detection devices available
! Switches that activate an alarm when an electrical circuit is
! Light and laser beams, ultraviolet beams and sound or vibration
detectors that are invisible to the intruder, and ultrasonic and
radar devices that detect movement in a room; and
! Closed-circuit television that allows visual observation and
recording of actions.
Risks from environmental threats can be addressed somewhat through
devices such as halon gas, smoke alarms, raised flooring, heat
sensors, and the like.
Physical security devices frequently need preventive maintenance to
function properly. Maintenance logs are one control the institution
can use to determine whether the devices are appropriately
maintained. Periodic testing of the devices provides assurance that
they are operating correctly.
Security guards should be properly instructed about their duties.
The employees who access secured areas should have proper
identification and authorization to enter the area. All visitors
should sign in and wear proper IDs so that they can be identified
easily. Security guards should be trained to restrict the removal of
assets from the premises and to record the identity of anyone
removing assets. Consideration should be given to implementing a
specific and formal authorization process for the removal of
hardware and software from premises.
The following security zones should have access restricted to a need
! Operations center
! Uninterrupted power supply
! Telecommunications equipment
! Media library
CABINET AND VAULT SECURITY
Protective containers are designed to meet either fire-resistant or
burglar-resistant standards. Labels describing expected tolerance
levels are usually attached to safes and vault doors. An institution
should select the tolerance level based on the sensitivity and
importance of the information being protected.
Return to the top of the
D. USER EQUIPMENT SECURITY
(E.G. WORKSTATION, LAPTOP, HANDHELD)
6. Determine whether appropriate workstations are
deactivated after a period of inactivity through screen saver
passwords, server time-outs, powering down, or other means.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
12. Does the institution make the following disclosures regarding
service providers and joint marketers to whom it discloses nonpublic
personal information under §13:
a. as applicable, the
same categories and examples of nonpublic personal information
disclosed as described in paragraphs (a)(2) and (c)(2) of section
six (6) (see questions 8b and 10); and [§6(c)(4)(i)]
b. that the third party is a service provider that performs
marketing on the institution's behalf or on behalf of the
institution and another financial institution; [§6(c)(4)(ii)(A)] or
c. that the third party is a financial institution with which the
institution has a joint marketing agreement? [§6(c)(4)(ii)(B)]
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,