FYI - Online scammers
pose as execs in 'spear-phishing' - That e-mail may not be from the
CEO - Online criminals trying to pry passwords and other sensitive
information out of companies have started using phony e-mails that
look as if they were sent from powerful executives of the targeted
FYI - This appears to be
the new pre-examination Information Technology Examination Officer's
Questionnaire announced recently by FDIC.
FYI - Finnish security
exec arrested over bank hack - The data security chief at the
Helsinki branch of financial services firm GE Money has been
arrested on suspicion of conspiracy to steal €200,000 from the
firm's online bank account. The 26 year-old allegedly copied
passwords and e- banking software onto a laptop used by accomplices
to siphon off money from an unnamed bank.
FYI - Air Force
investigates data breach - Personal details on more than 33,000
officers compromised - The U.S. Air Force is notifying more than
33,000 officers that their personal data has been breached by a
malicious hacker. The hacker used a legitimate user's ID and
password to access personal information on the officers contained in
the Assignment Management System.
FYI - Lloyd's
underwriters to cover legal risks arising from open-source use -
Lloyd's of London syndicates are poised to underwrite the use of
open source software by users who are worried about being sued by
proprietary software makers claiming their software patents have
FYI - Credit card makers
forced to scrutinize security - Visa is responsible for ensuring
that all the big retailers, data processors and banks that directly
hook into its network meet its security requirements. But it is
the job of the member banks to make sure that the merchants and data
processors they hire follow Visa's rules. http://news.com.com/2102-1029_3-5842959.html?tag=st.util.print
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation
and Response Guidance for Web Site Spoofing Incidents (Part 3 of
PROCEDURES TO ADDRESS SPOOFING - Information
After a bank has determined that it is the target of a spoofing
incident, it should collect available information about the attack
to enable an appropriate response. The information that is
collected will help the bank identify and shut down the fraudulent
Web site, determine whether customer information has been obtained,
and assist law enforcement authorities with any investigation.
Below is a list of useful information that a bank can collect. In
some cases, banks will require the assistance of information
technology specialists or their service providers to obtain this
* The means by which the bank became aware that it was the target
of a spoofing incident (e.g., report received through Website, fax,
* Copies of any e-mails or documentation regarding other forms of
communication (e.g., telephone calls, faxes, etc.) that were used to
direct customers to the spoofed Web sites;
* Internet Protocol (IP) addresses for the spoofed Web sites along
with identification of the companies associated with the IP
* Web-site addresses (universal resource locator) and the
registration of the associated domain names for the spoofed site;
* The geographic locations of the IP address (city, state, and
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet. This booklet is required reading for anyone
involved in information systems security, such as the Network Administrator,
Information Security Officer, members of the IS Steering Committee,
and most important your outsourced network security consultants.
Your outsourced network security consultants can receive the
"Internet Banking News" by completing the subscription for
There is no charge for the e-newsletter.
AND RESPONSIBILITIES (2 of 2)
Senior management should enforce its security program by clearly
communicating responsibilities and holding appropriate individuals
accountable for complying with these requirements. A central
authority should be responsible for establishing and monitoring the
security program. Security management responsibilities, however, may
be distributed throughout the institution from the IT department to
various lines of business depending on the institution's size,
complexity, culture, nature of operations, and other factors. The
distribution of duties should ensure an appropriate segregation of
duties between individuals or organizational groups.
Senior management also has the responsibility to ensure integration
of security controls throughout the organization. To support
integration, senior management should
1) Ensure the security
process is governed by organizational policies and practices that
are consistently applied,
2) Require that data
with similar criticality and sensitivity characteristics be
protected consistently regardless of where in the organization it
3) Enforce compliance
with the security program in a balanced and consistent manner across
the organization, and
Coordinate information security with physical security.
Senior management should make decisions regarding the acceptance of
security risks and the performance of risk mitigation activities
using guidance approved by the board of directors.
Employees should know, understand, and be held accountable for
fulfilling their security responsibilities. Institutions should
define these responsibilities in their security policy. Job
descriptions or contracts should specify any additional security
responsibilities beyond the general policies. Financial institutions
can achieve effective employee awareness and understanding through
security training, employee certifications of compliance, self -
assessments, audits, and monitoring.
Management also should consider the roles and responsibilities of
external parties. Technology service providers (TSPs), contractors,
customers, and others who have access to the institution's systems
and data should have their security responsibilities clearly
delineated and documented in contracts.
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Access Rights Administration
5. Evaluate the
effectiveness and timeliness with which changes in access control
privileges are implemented and the effectiveness of supporting
policies and procedures.
• Review procedures and controls in place and determine whether
access control privileges are promptly eliminated when they are no
longer needed. Include former employees, and temporary access for remote
access and contract workers in the review.
• Assess the procedures and controls in place to change, when
appropriate, access control privileges (e.g., changes in job
responsibility and promotion).
• Determine whether access rights expire after a predetermined
period of inactivity.
• Review and assess the effectiveness of a formal review process
to periodically review the access rights to assure all access rights
are proper. Determine
whether necessary changes made as a result of that review.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
39. Does the institution use an appropriate means to ensure
that notices may be retained or obtained later, such as:
a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]
b. mailing a printed copy to the last known address of the customer;
c. making the current privacy notice available on the institution's
web site (or via a link to the notice at another site) for the
customer who agrees to receive the notice at the web site? [§9(e)(2)(iii)]
VISTA - Does
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
testing focuses on
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit