More laptops mean greater security risk to taxpayers - Last month's
theft of a state laptop computer containing confidential information
on 106,000 Connecticut taxpayers has highlighted concerns about
security for the state government's increasing numbers of laptops.
New computer security guides available - The National Institute of
Standards and Technology has updated its security guidelines for
dealing with active content, providing an overview for active
content and mobile code in use today and laying out a framework for
making security decisions about its use within an organization.
Common Vulnerability Scoring System:
Guidelines on Active Content and Mobile Code - draft:
Stolen Computers Contain Patient Information - Executives at the
health-care services company are unsure how much identifying
information about the patients documented on the missing machines was
stored on them. Health-care services company McKesson is alerting
thousands of its patients that their personal information is at risk
after two of its computers were stolen from an office.
Pfizer Employees at Risk for Identity Theft - In July Pfizer
discovered a data breach that took place last year, but informed
employees only recently. Pfizer Inc. appears to be having an
especially hard time of late keeping its employee data secure.
Stolen Hopkins computer is returned - Lawyer, who learned location
from client, returned property - A stolen computer containing the
personal records of 5,783 patients with cancer was returned to Johns
Hopkins Hospital over the weekend, a hospital spokesman said.
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 7 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
If a financial institution receives compensation from a third
party as the result of a weblink to the third-party's website, the
financial institution should enter into a written agreement with
that third party in order to mitigate certain risks. Financial
institutions should consider that certain forms of business
arrangements, such as joint ventures, can increase their risk. The
financial institution should consider including contract provisions
to indemnify itself against claims by:
1) dissatisfied purchasers of third-party products or
2) patent or trademark holders for infringement by the third
3) persons alleging the unauthorized release or compromise of
their confidential information, as a result of the third-party's
The agreement should not include any provision obligating the
financial institution to engage in activities inconsistent with the
scope of its legally permissible activities. In addition, financial
institutions should be mindful that various contract provisions,
including compensation arrangements, may subject the financial
institution to laws and regulations applicable to insurance,
securities, or real estate activities, such as RESPA, that establish
broad consumer protections.
In addition, the agreement should include conditions for terminating
the link. Third parties, whether they provide services directly to
customers or are merely intermediaries, may enter into bankruptcy,
liquidation, or reorganization during the period of the agreement.
The quality of their products or services may decline, as may the
effectiveness of their security or privacy policies. Also
potentially just as harmful, the public may fear or assume such a
decline will occur. The financial institution will limit its risks
if it can terminate the agreement in the event the service provider
fails to deliver service in a satisfactory manner.
Some weblinking agreements between a financial institution and a
third party may involve ancillary or collateral information-sharing
arrangements that require compliance with the Privacy Regulations.
For example, this may occur when a financial institution links to
the website of an insurance company with which the financial
institution shares customer information pursuant to a joint
INFORMATION TECHNOLOGY SECURITY - We
continue the series
from the FDIC "Security Risks Associated with the
System Architecture and
The Internet can facilitate
unchecked and/or undesired access to internal systems, unless
systems are appropriately designed and controlled. Unwelcome system
access could be achieved through IP spoofing techniques, where an
intruder may impersonate a local or internal system and be granted
access without a password. If access to the system is based only on
an IP address, any user could gain access by masquerading as a
legitimate, authorized user by "spoofing" the user's
address. Not only could any user of that system gain access to the
targeted system, but so could any system that it trusts.
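The paragraph above describes the risk of trusting a source IP address alone. As an added example (not from the FDIC paper or this newsletter), the following script shows the detection side of the usual mitigation, ingress filtering: it reads constructed, iptables-style firewall log lines and flags packets that arrived on the Internet-facing interface while claiming an internal source address. The interface name, internal ranges and log field layout are assumptions for the example.

```python
"""Flag inbound packets whose source address claims to be internal.

Added example; the log format, interface name and address ranges are
assumptions, and the sample log lines are constructed, not captured.
"""
import ipaddress
import re

# Address ranges that belong to the internal network (assumed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
EXTERNAL_IFACE = "eth0"  # interface facing the Internet (assumed)

# Fields of interest in an iptables-style kernel log line.
LOG_RE = re.compile(r"IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+)")

# Constructed sample log lines: one legitimate external request, one
# spoofed internal source on eth0, the same source legitimately on the
# internal interface eth1, and a spoofed 192.168.x.x source aimed at Telnet.
SAMPLE_LOG = """\
Jul 12 10:01:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=80
Jul 12 10:01:03 fw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP DPT=22
Jul 12 10:01:04 fw kernel: IN=eth1 SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP DPT=22
Jul 12 10:01:05 fw kernel: IN=eth0 SRC=192.168.4.20 DST=10.0.0.5 PROTO=TCP DPT=23
"""


def is_internal(addr):
    """True if addr falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_spoofed(log_text, external_iface=EXTERNAL_IFACE):
    """Return (src, dst) pairs for packets that entered on the external
    interface while carrying an internal source address. Such packets
    cannot be legitimate and should have been dropped at the border."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if m["iface"] == external_iface and is_internal(m["src"]):
            hits.append((m["src"], m["dst"]))
    return hits


if __name__ == "__main__":
    for src, dst in find_spoofed(SAMPLE_LOG):
        print(f"possible spoofed packet: {src} -> {dst}")
```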
Improper access can also result from other technically permissible
activities that have not been properly restricted or secured. For
example, application layer protocols are the standard sets of rules
that determine how computers communicate across the Internet.
Numerous application layer protocols, each with different functions
and a wide array of data exchange capabilities, are utilized on the
Internet. The most familiar, Hyper Text Transfer Protocol (HTTP),
facilitates the movement of text and images. But other types of
protocols, such as File Transfer Protocol (FTP), permit the
transfer, copying, and deleting of files between computers. Telnet
protocol actually enables one computer to log in to another.
Protocols such as FTP and Telnet exemplify activities which may be
improper for a given system, even though the activities are within
the scope of the protocol architecture.
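The point above is that a protocol such as FTP or Telnet can be operating entirely as designed and still be improper for a particular system. As an added example (not from the FDIC paper or this newsletter), the following script audits constructed `ss -ltn`-style listening-socket output against an approved port list and reports cleartext FTP/Telnet listeners bound to non-loopback addresses, plus anything else not on the list. The approved ports and the sample output are assumptions for the example.

```python
"""Audit listening services for protocols that are improper for the host.

Added example; the approved-port list is an assumption and the sample
socket listing is constructed, not captured from a real system.
"""
import re

# Ports for the two protocols the text names as potentially improper.
CLEARTEXT_SERVICES = {21: "FTP", 23: "Telnet"}
# Ports this host is approved to expose (assumed policy for the example).
ALLOWED_PORTS = frozenset({22, 80, 443})
LOOPBACK = ("127.0.0.1", "::1", "[::1]")

# Constructed output in the style of `ss -ltn`.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*
LISTEN  0       128     127.0.0.1:21         0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
"""

# Match the state, queue counters and the local address:port column.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def exposed_services(ss_output, allowed_ports=ALLOWED_PORTS):
    """Return (addr, port, reason) for listeners that are reachable from
    the network and either speak a cleartext protocol or are not approved."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port = m["addr"], int(m["port"])
        if addr in LOOPBACK:
            continue  # reachable only from the host itself
        if port in CLEARTEXT_SERVICES:
            findings.append((addr, port, CLEARTEXT_SERVICES[port]))
        elif port not in allowed_ports:
            findings.append((addr, port, "not on approved list"))
    return findings


if __name__ == "__main__":
    for addr, port, reason in exposed_services(SAMPLE_SS):
        print(f"{addr}:{port} exposed: {reason}")
```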
The open architecture of the Internet also makes it easy for system
attacks to be launched against
systems from anywhere in the world. Systems can even be accessed and
then used to launch attacks against other systems. A typical attack
would be a denial of service attack, which is intended to bring down
a server, system, or application. This might be done by overwhelming
a system with so many requests that it shuts down. Or, an attack
could be as simple as accessing and altering a Web site, such as
changing advertised rates on certificates of deposit.
Security Scanning Products
A number of software programs exist which run automated security
scans against Web servers, firewalls, and internal networks. These
programs are generally very effective at identifying weaknesses that
may allow unauthorized system access or other attacks against the
system. Although these products are marketed as security tools to
system administrators and information systems personnel, they are
available to anyone and may be used with malicious intent. In some
cases, the products are freely available on the Internet.
IT SECURITY QUESTION:
Backup operations: (Part 1 of 2)
a. Is the network backed up? Rotation?
b. Is the core application backed up? Rotation?
c. Are backup tapes stored off premises? Distance?
d. Are backup tapes taken off premises after the backup is finished?
e. Are backup tapes kept in the computer room?
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 13, 14, and/or 15 but outside of these
exceptions (Part 1 of 2)
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with
nonaffiliated third parties and obtain a sample of data shared
between the institution and the third party. The sample should
include a cross-section of relationships but should emphasize those
that are higher risk in nature as determined by the initial
procedures. Perform the following comparisons to evaluate the
financial institution's compliance with disclosure limitations.
a. Compare the data shared and with whom the data were shared
to ensure that the institution accurately categorized its
information sharing practices and is not sharing nonpublic personal
information outside the exceptions (§§13, 14, 15).
b. Compare the categories of data shared and with whom the
data were shared to those stated in the privacy notice and verify
that what the institution tells consumers in its notices about its
policies and practices in this regard and what the institution
actually does are consistent (§§10, 6).
2) Review contracts with nonaffiliated third parties that
perform services for the financial institution not covered by the
exceptions in section 14 or 15. Determine whether the contracts
adequately prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather"
provisions of Section 18 apply to certain of these contracts. (§13(a)).