This week, I am attending the Network Security
Conference sponsored by the Information Systems Audit and Control
Association (ISACA) being held at Caesars Palace in Las Vegas. I look forward to
meeting any of you who will also be in attendance.
FYI - From September 24
through October 12, the Financial and Banking Information Infrastructure
Committee (FBIIC) and the Financial Services Sector Coordinating
Council (FSSCC) will be conducting a pandemic flu exercise for the
financial services sector in the United States. The exercise is
sponsored by the US Department of the Treasury and the Securities
Industry and Financial Markets Association.
FYI - How the IT
department can prep for the courtroom - There has been a steady
increase in corporate litigation over the past decade, and those
legal proceedings are having an unforeseen impact on IT managers.
This trend has been accelerated by the recent changes in the Federal
Rules of Civil Procedure (FRCP).
FYI - Mobile Workers
Think Security Is IT's Job, Study Reveals - Workers on the go are
opening suspicious e-mails and hijacking neighbors' wireless
connections, but 73% put the security responsibility on the IT
FYI - Unencrypted
networks threaten data security - Open data traffic offering easy
access to hackers - Almost 40 per cent of UK organisations admit to
protecting less than a quarter of their network traffic.
FYI - Monster shuts down
rogue server after data breach - Rogue server was used to gather
personal details of job seekers, who were then sent e-mails with
links to malicious software - Monster Worldwide, whose job-hunting
sites suffered a massive data breach caused by hackers, has shut
down a rogue server that had been used to gather personal details of
FYI - Wells Fargo
recovering from computer crash - Wells Fargo is recovering from a
systems outage that took down banking services.
FYI - Are data breach
lawsuits just tilting at windmills? Personal data stolen? Go ahead,
sue -- see what it gets you - The United States Court of Appeals for
the Seventh Circuit on Thursday rejected a proposed class-action
lawsuit against Evansville, Ind.-based Old National Bancorp (ONB)
over a 2005 data-breach incident.
FYI - Security Manager's
Journal: Security Crashes Into Productivity - Our manager didn't
tell users that they could have laptops, but she's the one who has
to tell them that they can't. Security can sometimes come crashing
up against productivity, and when it does, security must prevail.
That's because my state agency is a maintainer of records covered by
HIPAA rules. One blunder, and we're front-page news. Not on my
FYI - Federal Security
Officers Say Telecommuting Is Safe, But Want Better Mobile Security
- A study reports that 83% of federal CISOs have strong interest in
mobile endpoint certification for compliance with the Federal
Information Security Management Act.
FYI - First California,
now New York lets pensioner info slip - A laptop containing data on
New York pensioners is missing - First, California's state pension
fund office admitted to accidentally printing out Social Security
numbers (SSNs) in the address pane of brochures it mailed out to
some 485,000 retirees.
FYI - Personal data for
35,000 vets stolen - Personal records including addresses and Social
Security numbers of more than 35,000 veterans and their families
were stolen this month from the offices of a POW support
organization in Texas, officials announced.
FYI - Breach puts
information in peril - Someone hacked into computers at
three Oklahoma law enforcement agencies and may have stolen private
information meant only for police use, the state Department of
Public Safety announced.
FYI - Web worker stole
100,000 users' details - A Cable & Wireless employee was yesterday
identified to Contractor UK as having stolen the personal details of
100,000 broadband customers who used the popular Bulldog service.
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
INFORMATION TECHNOLOGY SECURITY - We
continue the series
from the FDIC "Security Risks Associated with the
Potentially, the open architecture of the Internet can allow those
with specific knowledge and tools to alter or modify data during a
transmission. Data integrity could also be compromised within the
data storage system itself, both intentionally and unintentionally,
if proper access controls are not maintained. Steps must be taken to
ensure that all data is maintained in its original or intended form.
Essential in electronic commerce is the need to verify that a
particular communication, transaction, or access request is
legitimate. To illustrate, computer systems on the Internet are
identified by an Internet protocol (IP) address, much like a
telephone is identified by a phone number. Through a variety of
techniques, generally known as "IP spoofing" (i.e.,
impersonating), one computer can actually claim to be another.
Likewise, user identity can be misrepresented as well. In fact, it
is relatively simple to send email that appears to have come
from someone else, or even to send it anonymously. Therefore,
authentication controls are necessary to establish the identities of
all parties to a communication.
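As an added illustration (not part of the FDIC text or this newsletter), one control that addresses both points above, data altered during transmission and a sender claiming to be someone it is not, is a keyed message authentication code. The FDIC material does not name a specific mechanism; HMAC-SHA256 is my choice here. The shared key and the sample transfer instruction below are constructed for the demonstration.

```python
import hmac
import hashlib

# Constructed demo key: in a real deployment the key is exchanged out of band
# and kept in a secret store, never embedded in source.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def tag_message(key: bytes, message: bytes) -> bytes:
    """Return an HMAC-SHA256 tag binding the message to whoever holds the key.

    Anyone can compute a plain hash of a message; only a key holder can
    compute a valid HMAC, which is what ties integrity to identity.
    """
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time.

    hmac.compare_digest avoids leaking how many leading bytes matched,
    which a plain == comparison can do through timing.
    """
    expected = tag_message(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Exercise the three cases the text describes: genuine, altered, impersonated."""
    # Constructed sample: a transfer instruction as it might cross an open network.
    original = b"from=ACCT-0001;to=ACCT-0002;amount=100.00;currency=USD"
    tag = tag_message(SHARED_KEY, original)

    # Data modified in transit: same tag, different message body.
    tampered = original.replace(b"amount=100.00", b"amount=9100.00")

    # Impersonation: a party without the shared key builds its own tag.
    impostor_key = b"constructed-other-key"
    forged_tag = tag_message(impostor_key, original)

    return {
        "genuine_accepted": verify_message(SHARED_KEY, original, tag),
        "tampered_rejected": not verify_message(SHARED_KEY, tampered, tag),
        "impostor_rejected": not verify_message(SHARED_KEY, original, forged_tag),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The key design point is that the same tag serves both purposes named in the text: a recipient that recomputes the HMAC detects any change to the bytes in transit, and because only key holders can produce a valid tag, a message from an impersonator fails the same check. The shared key must be protected with the access controls the preceding paragraph calls for; the tag is only as trustworthy as the key's confidentiality.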
IT SECURITY QUESTION:
Regulations - ensuring compliance:
a. Does the IT department have the current regulatory IT press
releases and bulletins?
b. Is the IT department following the intent of the regulatory IT
press releases and bulletins?
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 2 of 3)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial, annual and
revised notices, as well as any short-form notices that the
institution may use for consumers who are not customers. Determine
whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1),
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes
practices disclosed in the notices that exceed regulatory
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§6). Note that if
the institution shares under Section 13 the notice provisions for
that section shall also apply.
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 7(c), 8(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of
delivery (§§4(d), 4(e), 5(a)), means of delivery of annual notice
(§9(c)), and accessibility of or ability to retain the notice (§9(e)).