FYI - Justice says no to
private PCs for telework - Because of security concerns, the Justice
Department now forbids all employees from using their private PCs or
digital assistants to access agency e-mail or other files, the
department's top information security officer has said.
FYI - Mobile Phones Help
Secure Online Banking - Bank of America's optional SafePass service
works with customers' mobile phones to improve security for online
banking. Bank of America Corp. customers can now use their mobile
phones to make online banking more secure.
FYI - Expert do's and
don'ts for dealing with data breaches - A data breach victim shares
his advice for addressing leakage incidents, while another expert
highlights the missteps taken by TJX in dealing with its information
FYI - Hard times on the
HIPAA front - A trio of ugly situations means painful publicity for
lazy or sloppy organizations - It's been a week of bad news for lazy
or sloppy health care organizations. An employee fired after a
security breach of protected health information filed a wrongful
termination suit against his former employer, and it may have merit
because of poor policies.
FYI - Stolen Bank Data
Fetches Big Bucks Online - Security vendor Symantec says the hacker
underground pays best for stolen bank account details. Stolen bank
account numbers are commanding the highest price in an underground
trade of personal details stolen by hackers, according to a survey
released Monday by security vendor Symantec Corp.
FYI - Fears rise over
online banking problems - Many of Northern Rock's customers accused
the bank of restricting access to its website to slow down the
billions of pounds being withdrawn from the bank. Northern Rock's
system repeatedly crashed over the weekend. Once customers could get
online many found it took repeated attempts to conduct their
FYI - Names, contact
info on 6M TD Ameritrade customers compromised - But financial
information, Social Security numbers are safe - Brokerage firm TD
Ameritrade Holding Corp. today disclosed that the names, addresses,
phone numbers and "miscellaneous trading" information of potentially
all of its more than 6 million retail and institutional customers
have been compromised by an intrusion into one of its databases.
FYI - GAO - Information
Security: Sustained Management Commitment and Oversight Are Vital to
Resolving Long-standing Weaknesses at the Department of Veterans
FYI - Computers stolen
from welfare office - Two computers containing the mental health
histories of more than 300,000 medical-assistance recipients were
stolen from a state Public Welfare Department office last month, a
spokesman for Gov. Ed Rendell confirmed.
FYI - Gander Mountain
Announces Possible Theft of Pennsylvania Store Computer; Customers
of the PA Store Could Be Affected - Gander Mountain Company
announced that computer equipment, containing certain customer
transaction information relating to a single store in Pennsylvania,
is missing and may have been stolen.
FYI - Conn. gov decries
loss of banking data - A computer tape stolen in Ohio in June
contained banking data on Connecticut state agencies, making the
security breach more serious than previously thought, Gov. M. Jodi
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 8 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
The strategy that financial institutions choose when
implementing weblinking relationships should address ways to avoid
customer confusion regarding linked third-party products and
services. This includes disclaimers and disclosures to limit
customer confusion and a customer service plan to address confusion
when it occurs.
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous webpage
disclosures to explain their limited role and responsibility with
respect to products and services offered through linked third-party
websites. The level of detail of the disclosure and its prominence
should be appropriate to the harm that may ensue from customer
confusion inherent in a particular link. The institution might post
a disclosure stating it does not provide, and is not responsible
for, the product, service, or overall website content available at a
third-party site. It might also advise the customer that its privacy
policies do not apply to linked websites and that a viewer should
consult the privacy disclosures on that site for further
information. The conspicuous display of the disclosure, including
its placement on the appropriate webpage, by effective use of size,
color, and graphic treatment, will help ensure that the information
is noticeable to customers. For example, if a financial institution
places an otherwise conspicuous disclosure at the bottom of its
webpage (requiring a customer to scroll down to read it), prominent
visual cues that emphasize the information's importance should point
the viewer to the disclosure.
In addition, the technology used to provide disclosures is
important. While many institutions may simply place a disclaimer
notice on applicable webpages, some institutions use
"pop-ups," or intermediate webpages called
"speedbumps," to notify customers they are leaving the
institution's website. For the reasons described below, financial
institutions should use speedbumps rather than pop-ups if they
choose to use this type of technology to deliver their online
A "pop-up" is a screen generated by mobile code, for
example Java or ActiveX, when the customer clicks on a particular
hyperlink. Mobile code is used to send small programs to the user's
browser. Frequently, those programs cause unsolicited messages to
appear automatically on a user's screen. At times, the programs may
be malicious, enabling harmful viruses or allowing unauthorized
access to a user's personal information. Consequently, customers may
reconfigure their browsers or install software to block disclosures
delivered via mobile codes.
In contrast, an intermediate webpage, or "speedbump,"
alerts the customer to the transition to the third-party website.
Like a pop-up, a speedbump is activated when the customer clicks on
a particular weblink. However, use of a speedbump avoids the
problems of pop-up technology, because the speedbump is not
generated externally using mobile code, but is created within the
institution's operating system, and cannot be disabled by the
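One way to build such a speedbump as an ordinary page rendered by the institution's own server, added here as an illustration and not code from the FFIEC statement or from any institution. The registry of approved partner links, the bank name and the disclosure wording are assumptions; the page is addressed by a link id and only serves destinations from that registry, so the exit page cannot be repurposed to send customers to an arbitrary site.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed registry of approved weblinking partners. Assumption: the
# institution maintains such a list; the ids, hosts and bank name are made up.
APPROVED_LINKS = {
    "insurance-partner": "https://insurance.example-partner.com/quote",
    "mortgage-calc": "https://calc.example-mortgage.net/",
}

DISCLOSURE = (
    "You are leaving Example Bank's website. Example Bank does not provide, "
    "and is not responsible for, the product, service, or overall content of "
    "the third-party site. Example Bank's privacy policies do not apply "
    "there; consult that site's privacy disclosures for further information."
)

def resolve_destination(link_id, registry=APPROVED_LINKS):
    """Return the approved destination for a link id, or None.

    The exit page is addressed by an opaque id, not a raw URL parameter,
    and only hands out https destinations that are in the registry, so it
    cannot be pointed at an arbitrary site.
    """
    url = registry.get(link_id)
    if url is None:
        return None
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return None
    return url

def speedbump_page(link_id, registry=APPROVED_LINKS):
    """Build (status, html) for the 'you are leaving' page: plain HTML
    from the institution's own server, so no mobile code is involved,
    pop-up blockers cannot suppress it, and the customer must click
    Continue to reach the third party."""
    url = resolve_destination(link_id, registry)
    if url is None:
        return 404, "<h1>Unknown link</h1>"
    body = (
        "<h1>You are leaving Example Bank</h1>"
        f"<p class='disclosure'>{escape(DISCLOSURE)}</p>"
        f"<p>Destination: {escape(url)}</p>"
        f"<a rel='noopener noreferrer' href='{escape(url)}'>Continue</a> "
        "<a href='/'>Return to Example Bank</a>"
    )
    return 200, body
```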
INFORMATION TECHNOLOGY SECURITY - We
continue the series
from the FDIC "Security Risks Associated with the
Logical Access Controls
A primary concern in controlling system access is the safeguarding of
user IDs and passwords. The
Internet presents numerous issues to consider in this regard.
Passwords can be obtained through deceptive "spoofing"
techniques such as redirecting users to false Web sites where
passwords or user names are entered, or creating shadow copies of
Web sites where attackers can monitor all activities of a user. Many
"spoofing" techniques are hard to identify and guard against,
especially for an average user, making authentication processes an
important defense mechanism.
The unauthorized or unsuspected acquisition of data such as passwords,
user IDs, e-mail addresses, phone numbers, names, and
addresses, can facilitate an attempt at unauthorized access to a
system or application. If passwords and user IDs are a derivative of
someone's personal information, malicious parties could use the
information in software programs specifically designed to generate
possible passwords. Default files on a computer, sometimes called
"cache" files, can automatically retain images of such data
received or sent over the Internet, making them a potential target
for a system intruder.
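A check of the kind this passage calls for, added here as an illustration and not taken from the FDIC paper: at enrolment or password change it rejects a candidate password that is derived from the customer's own user ID, name, e-mail address or phone number, including the digit-for-letter substitutions a guessing tool would try. The sample profile and the substitution table are assumptions.

```python
import re

# Constructed sample customer profile. Assumption: the institution holds
# these fields at enrolment; the values are made up.
SAMPLE_PROFILE = {
    "user_id": "jsmith42",
    "name": "John Smith",
    "email": "john.smith@example.com",
    "phone": "+1 (555) 010-2233",
}

# Digit/symbol substitutions that guessing tools routinely try; undone here
# so that "Sm1th" is judged the same as "smith".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

def profile_tokens(profile):
    """Collect the fragments of personal data a guessing tool would seed
    with: user ID, name parts, e-mail local part and phone digit groups.
    Address fields, if present, would be split the same way."""
    tokens = {profile["user_id"]}
    tokens.update(profile["name"].split())
    local = profile["email"].partition("@")[0]
    tokens.update(re.split(r"[._\-]", local))
    digits = re.sub(r"\D", "", profile["phone"])
    tokens.update({digits[-4:], digits[-7:]})   # last 4 / last 7 digits
    return {t.lower() for t in tokens if len(t) >= 3}

def normalised_variants(password):
    """Lower-case, strip punctuation, and also undo leet substitutions."""
    lowered = password.lower()
    return {re.sub(r"[^a-z0-9]", "", lowered),
            re.sub(r"[^a-z0-9]", "", lowered.translate(LEET))}

def is_derived_from_profile(password, profile):
    """True if any profile token appears in the password once normalised;
    a password policy would reject such a candidate."""
    tokens = profile_tokens(profile)
    return any(tok in v for v in normalised_variants(password) for tok in tokens)
```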
Security Flaws and Bugs / Active Content Languages
Security flaws and bugs in software and hardware design also represent
an area of concern.
Security problems are often identified after the release of a new
product, and solutions to correct security flaws commonly contain
flaws themselves. Such vulnerabilities are usually widely
publicized, and the identification of new bugs is constant. These
bugs and flaws are often serious enough to compromise system
integrity. Security flaws and exploitation guidelines are also
frequently available on hacker Web sites. Furthermore, software
marketed to the general public may not contain sufficient security
controls for financial institution applications.
Newly developed languages and technologies present similar security
concerns, especially when dealing with network software or active
content languages which allow computer programs to be attached to
Web pages (e.g., Java, ActiveX). Security flaws identified in Web
browsers (i.e., application software used to navigate the Internet)
have included bugs which, theoretically, may allow the installation
of programs on a Web server, which could then be used to back into
the bank's system. Even if new technologies are regarded as secure,
they must be managed properly. For example, if controls over active
content languages are inadequate, potentially hostile and malicious
programs could be automatically downloaded from the Internet and
executed on a system.
Viruses / Malicious Programs
Viruses and other malicious programs pose a threat to systems or
networks that are connected to the Internet, because they may be
downloaded directly. Aside from causing destruction or damage to
data, these programs could open a communication link with an
external network, allowing unauthorized system access, or even
initiating the transmission of data.
IT SECURITY QUESTION:
Backup operations: (Part 2 of 2)
f. Are duplicate backup tapes kept on premises in a secure location
with restricted access?
g. Have the backup tapes been recently tested to ensure that the
backup procedures work?
h. Overall, will the backup procedures provide reasonable assurance
that customer data can be reconstructed in a timely
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 13, and 14 and/or 15 but not outside of these
exceptions (Part 2 of 2)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial and annual
privacy notices. Determine whether or not they:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§§6, 13).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§4(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of delivery (§§4(d),
4(e), and 5(a)), means of delivery of annual notice (§9(c)), and
accessibility of or ability to retain the notice (§9(e)).