This week September 19, I am attending the Network Security
Conference sponsored by the Information Systems Audit and Control
Association (ISACA) being held at Caesars Place in Las Vegas. I look forward to
meeting any of you that will also be in attendance.
Federal Bank, Thrift and Credit Union Regulatory Agencies Provide
Brochure with Information on Internet "Phishing" - The federal bank,
thrift and credit union agencies today announced the publication of
a brochure with information to help consumers identify and combat a
new type of Internet scam known as "phishing."
FYI - Safeguarding IT
against the next Katrina - IT managers nationwide should take a cue
from Hurricane Katrina's destructive power and develop
disaster-recovery plans to safeguard their computer systems against
catastrophe, security experts advise.
FYI - Indian call center
worker arrested - New Delhi Police have arrested a call center
worker for alleged theft of personal customer information that the
firm was handling for its clients.
FYI - Hacking fears bog
down online banking growth - The number of people who turn to the
Internet for personal banking isn't growing--but those who are
already hooked on such services are using them more often, a new
survey has shown.
FYI - Agencies, OMB
pushing security requirements through contracts - As the new CIO of
the Housing and Urban Development Department, Lisa Schlosser is on a
mission to improve the agency's cybersecurity, and one of her first
steps is to put language in all vendor contracts requiring minimum
FYI - A New York data
breach law will take effect in mid-December. New York. The 19th
state to pass a data breach notification law, would allow no
exceptions. The New York law makes no exception for small data
breaches or breaches unlikely to result in identity theft.
Low Employee Awareness Is Putting Organizations At Risk of Internet
Attacks - Spyware is the No. 1 concern of IT managers in the U.S.
according to a new survey. Mention the words "security breach,"
"spyware," or "Trojan worm" followed by "system failure" or "e-mail
malfunction" and many IT administrators will run toward the nearest
exit or roll their eyes while taking a deep, long breath.
FYI - VoIP adoption helping
drive security appliance market - Many businesses implementing Voice
over Internet Protocol (VoIP) plan to replace their security
appliances to address security issues associated with the emerging
technology, according to market-research firm In-Stat.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation
and Response Guidance for Web Site Spoofing Incidents (Part 5 of
PROCEDURES TO ADDRESS SPOOFING - Contact the
OCC and Law Enforcement Authorities
If a bank is the target of a spoofing incident, it should promptly
notify its OCC supervisory office and report the incident to the FBI
and appropriate state and local law enforcement authorities. Banks
can also file complaints with the Internet Fraud Complaint Center
a partnership of the FBI and the National White Collar Crime Center.
In order for law enforcement authorities to respond effectively to
spoofing attacks, they must be provided with information necessary
to identify and shut down the fraudulent Web site and to investigate
and apprehend the persons responsible for the attack. The data
discussed under the "Information Gathering" section should meet this
In addition to reporting to the bank's supervisory office and law
enforcement authorities, there are other less formal mechanisms that
a bank can use to report these incidents and help combat fraudulent
activities. For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/),
which is a joint initiative of industry and law enforcement designed
to support apprehension of perpetrators of phishing-related crimes,
including spoofing. Members of Digital Phishnet include ISPs,
online auction services, financial institutions, and financial
service providers. The members work closely with the FBI, Secret
Service, U.S. Postal Inspection Service, Federal Trade Commission
(FTC), and several electronic crimes task forces around the country
to assist in identifying persons involved in phishing-type crimes.
Finally, banks can forward suspicious e-mails to the FTC at
firstname.lastname@example.org. For more
information on how the FTC can assist in combating phishing and
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
INFORMATION SECURITY RISK ASSESSMENT
The quality of security controls can significantly influence all
categories of risk. Traditionally, examiners and bankers recognize
the direct impact on operational/transaction risk from incidents
related to fraud, theft, or accidental damage. Many security
weaknesses, however, can directly increase exposure in other risk
areas. For example, the GLBA introduced additional legal/compliance
risk due to the potential for regulatory noncompliance in
safeguarding customer information. The potential for legal liability
related to customer privacy breaches may present additional risk in
the future. Effective application access controls can reduce credit
and market risk by imposing risk limits on loan officers or traders.
If a trader were to exceed the intended trade authority, the
institution may unknowingly assume additional market risk exposure.
A strong security program reduces levels of reputation and strategic
risk by limiting the institution's vulnerability to intrusion
attempts and maintaining customer confidence and trust in the
institution. Security concerns can quickly erode customer confidence
and potentially decrease the adoption rate and rate of return on
investment for strategically important products or services.
Examiners and risk managers should incorporate security issues into
their risk assessment process for each risk category. Financial
institutions should ensure that security risk assessments adequately
consider potential risk in all business lines and risk categories.
Information security risk assessment is the process used to identify
and understand risks to the confidentiality, integrity, and
availability of information and information systems. An adequate
assessment identifies the value and sensitivity of information and
system components and then balances that knowledge with the exposure
from threats and vulnerabilities. A risk assessment is a necessary
pre-requisite to the formation of strategies that guide the
institution as it develops, implements, tests, and maintains its
information systems security posture. An initial risk assessment may
involve a significant one-time effort, but the risk assessment
process should be an ongoing part of the information security
Risk assessments for most industries focus only on the risk to the
business entity. Financial institutions should also consider the
risk to their customers' information. For example, section 501(b) of
the GLBA requires financial institutions to 'protect against
unauthorized access to or use of customer information that could
result in substantial harm or inconvenience to any customer."
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Access Rights Administration
8. Determine if users are aware of the authorized uses of the
• Do internal users receive a copy of the authorized-use policy,
appropriate training, and signify understanding and agreement before
usage rights are granted?
• Is contractor usage appropriately detailed and controlled
through the contract?
• Do customers and Web site visitors either explicitly agree to
usage terms or are provided a disclosure, as appropriate?
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
41. Does the institution refrain from disclosing any nonpublic
personal information about a consumer to a nonaffiliated third
party, other than as permitted under §§13-15, unless:
a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]
b. it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]
c. it has given the consumer a reasonable opportunity to opt
out before the disclosure; [§10(a)(1)(iii)] and
d. the consumer has not opted out? [§10(a)(1)(iv)]
(Note: this disclosure limitation applies to consumers as
well as to customers [§10(b)(1)], and to all nonpublic personal
information regardless of whether collected before or after
receiving an opt out direction. [§10(b)(2)])
VISTA - Does
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
testing focuses on
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit