FYI - This week September 19, I am attending the Network Security Conference sponsored by the Information Systems Audit and Control Association (ISACA) being held at Caesars Place in Las Vegas.  I look forward to meeting any of you that will also be in attendance. 

FYI - Federal Bank, Thrift and Credit Union Regulatory Agencies Provide Brochure with Information on Internet "Phishing" - The federal bank, thrift and credit union agencies today announced the publication of a brochure with information to help consumers identify and combat a new type of Internet scam known as "phishing." www.occ.treas.gov/toolkit/newsrelease.aspx?JNR=1&Doc=CYVFS1NN.xml 

FYI - Safeguarding IT against the next Katrina - IT managers nationwide should take a cue from Hurricane Katrina's destructive power and develop disaster-recovery plans to safeguard their computer systems against catastrophe, security experts advise. http://news.com.com/2102-7350_3-5844041.html?tag=st.util.print

FYI - Indian call center worker arrested - New Delhi Police have arrested a call center worker for alleged theft of personal customer information that the firm was handling for its clients. http://news.com.com/2102-7348_3-5852487.html?tag=st.util.print

FYI - Hacking fears bog down online banking growth - The number of people who turn to the Internet for personal banking isn't growing--but those who are already hooked on such services are using them more often, a new survey has shown. http://news.com.com/2102-1038_3-5851061.html?tag=st.util.print

FYI - Agencies, OMB pushing security requirements through contracts - As the new CIO of the Housing and Urban Development Department, Lisa Schlosser is on a mission to improve the agency's cybersecurity, and one of her first steps is to put language in all vendor contracts requiring minimum baseline standards. http://www.gcn.com/vol1_no1/daily-updates/36876-1.html

FYI - A New York data breach law will take effect in mid-December. New York. The 19th state to pass a data breach notification law, would allow no exceptions. The New York law makes no exception for small data breaches or breaches unlikely to result in identity theft. http://www.infoworld.com/article/05/09/02/HNcongressdata_1.html

FYI - Low Employee Awareness Is Putting Organizations At Risk of Internet Attacks - Spyware is the No. 1 concern of IT managers in the U.S. according to a new survey. Mention the words "security breach," "spyware," or "Trojan worm" followed by "system failure" or "e-mail malfunction" and many IT administrators will run toward the nearest exit or roll their eyes while taking a deep, long breath. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5647

FYI - VoIP adoption helping drive security appliance market - Many businesses implementing Voice over Internet Protocol (VoIP) plan to replace their security appliances to address security issues associated with the emerging technology, according to market-research firm In-Stat. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=dedf3357-0073-40ef-aeae-e3620c68e039&newsType=Latest%20News&s=n

Return to the top of the newsletter

WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 5 of 5)

PROCEDURES TO ADDRESS SPOOFING - Contact the OCC and Law Enforcement Authorities

If a bank is the target of a spoofing incident, it should promptly notify its OCC supervisory office and report the incident to the FBI and appropriate state and local law enforcement authorities.  Banks can also file complaints with the Internet Fraud Complaint Center (see http://www.ifccfbi.gov/), a partnership of the FBI and the National White Collar Crime Center.

In order for law enforcement authorities to respond effectively to spoofing attacks, they must be provided with information necessary to identify and shut down the fraudulent Web site and to investigate and apprehend the persons responsible for the attack.  The data discussed under the "Information Gathering" section should meet this need.

In addition to reporting to the bank's supervisory office and law enforcement authorities, there are other less formal mechanisms that a bank can use to report these incidents and help combat fraudulent activities.  For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/), which is a joint initiative of industry and law enforcement designed to support apprehension of perpetrators of phishing-related crimes, including spoofing.  Members of Digital Phishnet include ISPs, online auction services, financial institutions, and financial service providers.  The members work closely with the FBI, Secret Service, U.S. Postal Inspection Service, Federal Trade Commission (FTC), and several electronic crimes task forces around the country to assist in identifying persons involved in phishing-type crimes.

Finally, banks can forward suspicious e-mails to the FTC at spam@uce.gov.  For more information on how the FTC can assist in combating phishing and spoofing, see http://www.consumer.gov/idtheft.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

INFORMATION SECURITY RISK ASSESSMENT

OVERVIEW

The quality of security controls can significantly influence all categories of risk. Traditionally, examiners and bankers recognize the direct impact on operational/transaction risk from incidents related to fraud, theft, or accidental damage. Many security weaknesses, however, can directly increase exposure in other risk areas. For example, the GLBA introduced additional legal/compliance risk due to the potential for regulatory noncompliance in safeguarding customer information. The potential for legal liability related to customer privacy breaches may present additional risk in the future. Effective application access controls can reduce credit and market risk by imposing risk limits on loan officers or traders. If a trader were to exceed the intended trade authority, the institution may unknowingly assume additional market risk exposure.

A strong security program reduces levels of reputation and strategic risk by limiting the institution's vulnerability to intrusion attempts and maintaining customer confidence and trust in the institution. Security concerns can quickly erode customer confidence and potentially decrease the adoption rate and rate of return on investment for strategically important products or services. Examiners and risk managers should incorporate security issues into their risk assessment process for each risk category. Financial institutions should ensure that security risk assessments adequately consider potential risk in all business lines and risk categories.

Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. An adequate assessment identifies the value and sensitivity of information and system components and then balances that knowledge with the exposure from threats and vulnerabilities. A risk assessment is a necessary pre-requisite to the formation of strategies that guide the institution as it develops, implements, tests, and maintains its information systems security posture. An initial risk assessment may involve a significant one-time effort, but the risk assessment process should be an ongoing part of the information security program.

Risk assessments for most industries focus only on the risk to the business entity. Financial institutions should also consider the risk to their customers' information. For example, section 501(b) of the GLBA requires financial institutions to 'protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer."

Return to the top of the newsletter

IT SECURITY QUESTION:  A. AUTHENTICATION AND ACCESS CONTROLS - Access Rights Administration

8. Determine if users are aware of the authorized uses of the system.

• Do internal users receive a copy of the authorized-use policy, appropriate training, and signify understanding and agreement before usage rights are granted?

• Is contractor usage appropriately detailed and controlled through the contract?

• Do customers and Web site visitors either explicitly agree to usage terms or are provided a disclosure, as appropriate?

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

41. Does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under §§13-15, unless:

a.  it has provided the consumer with an initial notice; [§10(a)(1)(i)]

b.  it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]

c.  it has given the consumer a reasonable opportunity to opt out before the disclosure; [§10(a)(1)(iii)] and

d.  the consumer has not opted out? [§10(a)(1)(iv)]

(Note: this disclosure limitation applies to consumers as well as to customers [§10(b)(1)], and to all nonpublic personal information regardless of whether collected before or after receiving an opt out direction. [§10(b)(2)])

VISTA - Does Your Financial Institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable-sophisticated process than goes far beyond the simple scanning of ports and testing focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.