FYI - This week, I am attending
the Information Security and Risk Management Conference sponsored by
the Information Systems Audit and Control Association (ISACA) being
held at Caesars Place in Las Vegas. I look forward to meeting
any of you that will also be in attendance.
DuPont sues Chinese scientist for trade-secret theft - Hong Meng
accused of stealing data on thin-screen tech to help rivals - For
the second time in less than three years, a research scientist at
DuPont has been accused of misappropriating trade secrets from the
company and attempting to use them to build competing products in
ISPs asked to cut off malware-infected PCs - Voluntary code of
conduct puts onus on service providers. The Internet Industry
Association (IIA) has drafted a new code of conduct that suggests
Internet Service Providers (ISPs) contact, and in some cases
disconnect, customers that have malware-infected computers.
Bill to bolster California breach law awaits governor - A new Senate
bill in California, which seeks to complement the state's
trailblazing SB-1386 data breach disclosure bill, is ready for Gov.
Arnold Schwarzenegger's signature.
911 center official guilty of official misconduct - The former
director of a 911 emergency dispatch center in Kane County has
pleaded guilty to charges that he used a criminal background search
TJX ringleader pleads guilty - One of the leaders of an
international ring of credit card thieves on Friday pleaded guilty
to multiple federal charges, including conspiracy, computer fraud,
access device fraud and identity theft.
SANS finds pros overlooking dangers of client, web apps - Most
organizations are stuck in the past, applying a disproportionate
amount of focus on patching operating systems than on systems posing
the greatest risk, according to a report released by the SANS
New York Times inadvertently sold ad space to hackers - Attackers
appearing to be advertising for an internet phone company switched
their tactics over the weekend and began offering rogue anti-virus
programs to readers of the The New York Times website, the newspaper
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Intelligence Analyst Charged With Hacking Top Secret, Anti-Terror
Program - An analyst at a Defense Department spy satellite agency
faces federal hacking charges after allegedly poking around in a
top-secret system used in a classified terrorism investigation
involving the FBI and the U.S. Army.
EmailPrintText SizeHackers breach Warrick Co. bank accounts - Cyber
thieves have recently hacked their way into dozens of online bank
accounts in Warrick County.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Principle 5: Banks should ensure that appropriate measures are in
place to protect the data integrity of e-banking transactions,
records and information.
Data integrity refers to the assurance that information that is
in-transit or in storage is not altered without authorization.
Failure to maintain the data integrity of transactions, records and
information can expose banks to financial losses as well as to
substantial legal and reputational risk.
The inherent nature of straight-through processes for e-banking may
make programming errors or fraudulent activities more difficult to
detect at an early stage. Therefore, it is important that banks
implement straight-through processing in a manner that ensures
safety and soundness and data integrity.
As e-banking is transacted over public networks, transactions are
exposed to the added threat of data corruption, fraud and the
tampering of records. Accordingly, banks should ensure that
appropriate measures are in place to ascertain the accuracy,
completeness and reliability of e-banking transactions, records and
information that is either transmitted over Internet, resident on
internal bank databases, or transmitted/stored by third-party
service providers on behalf of the bank. Common practices used to
maintain data integrity within an e-banking environment include the
transactions should be conducted in a manner that makes them highly
resistant to tampering throughout the entire process.
2) E-banking records
should be stored, accessed and modified in a manner that makes them
highly resistant to tampering.
transaction and record-keeping processes should be designed in a
manner as to make it virtually impossible to circumvent detection of
4) Adequate change
control policies, including monitoring and testing procedures,
should be in place to protect against any e-banking system changes
that may erroneously or unintentionally compromise controls or data
5) Any tampering with
e-banking transactions or records should be detected by transaction
processing, monitoring and record keeping functions.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
Information security is an integrated process that reduces
information security risks to acceptable levels. The entire process,
including testing, is driven by an assessment of risks. The greater
the risk, the greater the need for the assurance and validation
provided by effective information security testing.
In general, risk increases with system accessibility and the
sensitivity of data and processes. For example, a high-risk system
is one that is remotely accessible and allows direct access to
funds, fund transfer mechanisms, or sensitive customer data.
Information only Web sites that are not connected to any internal
institution system or transaction capable service are lower-risk
systems. Information systems that exhibit high risks should be
subject to more frequent and rigorous testing than low-risk systems.
Because tests only measure the security posture at a point in time,
frequent testing provides increased assurance that the processes
that are in place to maintain security over time are functioning.
A wide range of tests exists. Some address only discrete controls,
such as password strength. Others address only technical
configuration, or may consist of audits against standards. Some
tests are overt studies to locate vulnerabilities. Other tests can
be designed to mimic the actions of attackers. In many situations,
management may decide to perform a range of tests to give a complete
picture of the effectiveness of the institution's security
processes. Management is responsible for selecting and designing
tests so that the test results, in total, support conclusions about
whether the security control objectives are being met.
Return to the top of the
3. Determine if cryptographic key controls are adequate.
! Identify where cryptographic keys are stored.
! Review security where keys are stored and when they are used
(e.g., in a hardware module).
! Review cryptographic key distribution mechanisms to secure
the keys against unauthorized disclosure, theft, and diversion.
! Verify that two persons are required for a cryptographic key
to be used, where appropriate.
! Review audit and security reports that review the adequacy
of cryptographic key controls.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
27. If each joint consumer may
opt out separately, does the institution permit:
a. one joint consumer to opt out on behalf of all of the joint
b. the joint consumers to notify the institution in a single
response; [§7(d)(5)] and
c. each joint consumer to opt out either for himself or herself,
and/or for another joint consumer? [§7(d)(5)]