FYI - More laptops mean greater security risk to taxpayers - Last month's theft of a state laptop computer containing confidential information on 106,000 Connecticut taxpayers has highlighted concerns about security for the state government's increasing numbers of laptops. http://www.nhregister.com/site/news.cfm?newsid=18777364&BRD=1281&PAG=461&dept_id=590581&rfi=6

FYI - New computer security guides available - The National Institute of Standards and Technology has updated its security guidelines for dealing with active content, providing an overview for active content and mobile code in use today and laying out a framework for making security decisions about its use within an organization.
Press release: http://www.gcn.com/online/vol1_no1/44972-1.html
Common Vulnerability Scoring System: http://csrc.nist.gov/publications/nistir/ir7435/NISTIR-7435.pdf
Guidelines on Active Content and Mobile Code - draft: http://csrc.nist.gov/publications/drafts/sp800-28-rev2/Draft-SP800-28v2.pdf

MISSING COMPUTERS/DATA

FYI - Stolen Computers Contain Patient Information - Execs at the health-care services company are unsure how much identifying information was contained on the patients documented in the missing machines. Health-care services company, McKesson, is alerting thousands of its patients that their personal information is at risk after two of its computers were stolen from an office. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201804872

FYI - Pfizer Employees at Risk for Identity Theft - In July Pfizer discovered a data breach that took place last year, informed employees only recently. Pfizer Inc. appears to be having an especially hard time of late keeping its employee data secure. http://www.pcworld.com/article/id,136828-c,networksecurity/article.html

FYI - Stolen Hopkins computer is returned - Lawyer, who learned location from client, returned property - A stolen computer containing the personal records of 5,783 patients with cancer was returned to Johns Hopkins Hospital over the weekend, a hospital spokesman said. http://www.baltimoresun.com/news/health/bal-computer0904,0,500185.story

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 7 of 10)

B. RISK MANAGEMENT TECHNIQUES

Planning Weblinking Relationships

Agreements

If a financial institution receives compensation from a third party as the result of a weblink to the third-party's website, the financial institution should enter into a written agreement with that third party in order to mitigate certain risks. Financial institutions should consider that certain forms of business arrangements, such as joint ventures, can increase their risk. The financial institution should consider including contract provisions to indemnify itself against claims by:

1)  dissatisfied purchasers of third-party products or services;

2)  patent or trademark holders for infringement by the third party; and

3)  persons alleging the unauthorized release or compromise of their confidential information, as a result of the third-party's conduct.

The agreement should not include any provision obligating the financial institution to engage in activities inconsistent with the scope of its legally permissible activities. In addition, financial institutions should be mindful that various contract provisions, including compensation arrangements, may subject the financial institution to laws and regulations applicable to insurance, securities, or real estate activities, such as RESPA, that establish broad consumer protections.

In addition, the agreement should include conditions for terminating the link. Third parties, whether they provide services directly to customers or are merely intermediaries, may enter into bankruptcy, liquidation, or reorganization during the period of the agreement. The quality of their products or services may decline, as may the effectiveness of their security or privacy policies. Also potentially just as harmful, the public may fear or assume such a decline will occur. The financial institution will limit its risks if it can terminate the agreement in the event the service provider fails to deliver service in a satisfactory manner.

Some weblinking agreements between a financial institution and a third party may involve ancillary or collateral information-sharing arrangements that require compliance with the Privacy Regulations.  For example, this may occur when a financial institution links to the website of an insurance company with which the financial institution shares customer information pursuant to a joint marketing agreement.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue the series  from the FDIC "Security Risks Associated with the Internet." 

System Architecture and Design

The Internet can facilitate unchecked and/or undesired access to internal systems, unless systems are appropriately designed and controlled. Unwelcome system access could be achieved through IP spoofing techniques, where an intruder may impersonate a local or internal system and be granted access without a password. If access to the system is based only on an IP address, any user could gain access by masquerading as a legitimate, authorized user by "spoofing" the user's address. Not only could any user of that system gain access to the targeted system, but so could any system that it trusts. 

Improper access can also result from other technically permissible activities that have not been properly restricted or secured. For example, application layer protocols are the standard sets of rules that determine how computers communicate across the Internet. Numerous application layer protocols, each with different functions and a wide array of data exchange capabilities, are utilized on the Internet. The most familiar, Hyper Text Transfer Protocol (HTTP), facilitates the movement of text and images. But other types of protocols, such as File Transfer Protocol (FTP), permit the transfer, copying, and deleting of files between computers. Telnet protocol actually enables one computer to log in to another. Protocols such as FTP and Telnet exemplify activities which may be improper for a given system, even though the activities are within the scope of the protocol architecture. 

The open architecture of the Internet also makes it easy for system attacks to be launched  against systems from anywhere in the world. Systems can even be accessed and then used to launch attacks against other systems. A typical attack would be a denial of service attack, which is intended to bring down a server, system, or application. This might be done by overwhelming a system with so many requests that it shuts down. Or, an attack could be as simple as accessing and altering a Web site, such as changing advertised rates on certificates of deposit. 

Security Scanning Products 

A number of software programs exist which run automated security scans against Web servers, firewalls, and internal networks. These programs are generally very effective at identifying weaknesses that may allow unauthorized system access or other attacks against the system. Although these products are marketed as security tools to system administrators and information systems personnel, they are available to anyone and may be used with malicious intent. In some cases, the products are freely available on the Internet.

Return to the top of the newsletter

IT SECURITY QUESTION:  Backup operations: (Part 1 of 2)

a. Is the network backed up? Rotation?
b. Is the core application backed up? Rotation?
c. Are backup tapes stored off premises? Distance?
d. Are backup tapes taken off premises after the backup is finished?
e. Are backup tapes kept in the computer room?

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 13=, 14, and/or 15 but outside of these exceptions (Part 1 of 2)

A. Disclosure of Nonpublic Personal Information

1)  Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution's compliance with disclosure limitations.

a.  Compare the data shared and with whom the data were shared to ensure that the institution accurately categorized its information sharing practices and is not sharing nonpublic personal information outside the exceptions (§§13, 14, 15).

b.  Compare the categories of data shared and with whom the data were shared to those stated in the privacy notice and verify that what the institution tells consumers in its notices about its policies and practices in this regard and what the institution actually does are consistent (§§10, 6).

2)  Review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in section 14 or 15. Determine whether the contracts adequately prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the "grandfather" provisions of Section 18 apply to certain of these contracts. (§13(a)).