R. Kinney Williams
October 8, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
FYI - State CIO, CISO
Speak About National Survey - The National Association of State
Chief Information Officers (NASCIO) has released the findings of
summer survey of State Chief Information Security Officers (CISO).
According to NASCIO, results of the survey -- A Current View of
State CISO: A national Survey Assessment -- "indicate that the state
CISO position has become highly prevalent and is evolving into a
state IT security policy and strategy leader."
FYI - New Jersey Lawyers
File Identity Theft Class Action Against Bank of America - The New
Jersey law firms of Pellettieri, Rabstein & Altman and Lynch Keefe
Bartels filed a complaint against Bank of America today in New
Jersey Superior Court, Law Division, Mercer County, on behalf of
Trenton resident Cindy Jones. The attorneys announced their
intention to seek class action status to represent other identity
theft victims as well against financial services giant Bank of
America for damages resulting from the theft of tens of thousands of
customer information files.
FYI - ATM Maker Readies
Anti-Hack Patch - The maker of a popular line of automated teller
machines is planning a software upgrade that forces operators to
change a default administrative pass code, after a surveillance tape
showed a high-tech thief successfully hacking one of its ATMs in a
Virginia gas station. While 60 percent of companies monitor and
secure email, nine out of ten organizations lack any security
structure for IM, according to researchers from Symantec.
FYI - Keep an eye on
employee IM use - Safe instant messenger (IM) use in the workplace
is dependent on enforcement of company regulations and monitoring
new threats, researched major security firm recommended this week.
FYI - Survey shows 40
percent of organizations experienced a breach last year - A survey
conducted today at Interop New York 2006 found that 40 percent of
those polled worked for organizations that experienced at least one
security breach within the past 12 months.
FYI - Banks rated for ID
theft - Bank of America, JP Morgan Chase and Washington Mutual rate
highest for consumer ID theft protection. Looking for a bank that
protects well against identity theft? Bank of America, JP Morgan
Chase and Washington Mutual are your best bets, according to a new
FYI - Erlanger
employees' names, identification lost - Thousands of Erlanger
hospital employees' names and personal identifying information
stored electronically disappeared from a locked office on Sept. 15,
and employees are hearing about the loss in letters sent to their
homes this weekend, hospital officials said. According to the
letters, sent Friday afternoon to about 4,150 current and former
employees thought to be affected and about 2,050 current employees
who were not, the names and accompanying personal information were
stored on a USB storage device, also known as a "jump drive."
FYI - Many U.S. Workers
Favor E-Mail Monitoring, Research Shows - Despite the implied
submission of personal privacy, most workers at U.S.-based companies
believe that their employers should be allowed to monitor electronic
communications to help protect against misuse of sensitive data.
FYI - Personal
Information Stolen From DePaul Hospital - Your NewsChannel 3 has
learned that someone has stolen two computers from the Radiation
Therapy department at DePaul Medical Center in Norfolk. This affects
a little more that 100 patients of the Radiation Therapy department.
FYI - Commerce reports
loss of more than 1,100 laptops over 5 years - An agencywide review
at the Commerce Department turned up more than a thousand missing or
stolen laptops over the last five years, with hundreds containing
the personal information of American citizens. In response to a
congressional request and public inquiries, Commerce found that of
30,000-plus laptops inventoried across the department's 15
organizations since 2001, 1,137 had been lost or stolen. Of these,
249 contained personally identifiable information, with varying
levels of security ranging from simple passwords to full encryption.
FYI - Thousands of GE
Employees Could be at Risk of ID Theft - There is news that
thousands of current and former GE employees could be at risk for
identity theft. A company employee's laptop computer was recently
stolen from his locked hotel room while he was traveling on
FYI - Computers with
patient data stolen from Nagasaki hospital - Six notebook computers
with data on about 9,000 patients have been stolen from Nagasaki
University Hospital of Medicine and Dentistry in Nagasaki, a
university official said. The data contained names, gender, dates of
birth, and diagnoses of people who visited the hospital's hematology
division since the early 1990s, the official said.
FYI - KRA computers
stolen - Burglars entered the heavily guarded Kenya Revenue
Authority (KRA) offices at Times Tower and stole computers
containing crucial information. The computers were taken from the
14th floor, which houses the income tax section.
FYI - Missing Computers
At CU-Boulder Contained I.D. Information, Investigation Is Underway
- The Leeds School of Business at the University of Colorado at
Boulder has issued letters to a number of students whose names and
other information were stored on two computers that were found to be
missing during the school's move to temporary quarters last May.
FYI - Purdue Notifies
Students of Potential Security Breach - Purdue University is
notifying more than 2,400 people that were students in 2000 that a
computer containing their personal information may have been
accessed remotely by unauthorized people.
FYI - Berry taking
measures to protect students after consultant misplaces data - Berry
College President Dr. Stephen R. Briggs informed the campus
community of a potential security breach this morning.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 7 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
If a financial institution receives compensation from a third
party as the result of a weblink to the third-party's website, the
financial institution should enter into a written agreement with
that third party in order to mitigate certain risks. Financial
institutions should consider that certain forms of business
arrangements, such as joint ventures, can increase their risk. The
financial institution should consider including contract provisions
to indemnify itself against claims by:
1) dissatisfied purchasers of third-party products or
2) patent or trademark holders for infringement by the third
3) persons alleging the unauthorized release or compromise of
their confidential information, as a result of the third-party's
The agreement should not include any provision obligating the
financial institution to engage in activities inconsistent with the
scope of its legally permissible activities. In addition, financial
institutions should be mindful that various contract provisions,
including compensation arrangements, may subject the financial
institution to laws and regulations applicable to insurance,
securities, or real estate activities, such as RESPA, that establish
broad consumer protections.
In addition, the agreement should include conditions for terminating
the link. Third parties, whether they provide services directly to
customers or are merely intermediaries, may enter into bankruptcy,
liquidation, or reorganization during the period of the agreement.
The quality of their products or services may decline, as may the
effectiveness of their security or privacy policies. Also
potentially just as harmful, the public may fear or assume such a
decline will occur. The financial institution will limit its risks
if it can terminate the agreement in the event the service provider
fails to deliver service in a satisfactory manner.
Some weblinking agreements between a financial institution and a
third party may involve ancillary or collateral information-sharing
arrangements that require compliance with the Privacy Regulations.
For example, this may occur when a financial institution links to
the website of an insurance company with which the financial
institution shares customer information pursuant to a joint
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Three types of encryption exist: the cryptographic hash, symmetric
encryption, and asymmetric encryption.
A cryptographic hash reduces a variable - length input to a
fixed-length output. The fixedlength output is a unique
cryptographic representation of the input. Hashes are used to verify
file and message integrity. For instance, if hashes are obtained
from key operating system binaries when the system is first
installed, the hashes can be compared to subsequently obtained
hashes to determine if any binaries were changed. Hashes are also
used to protect passwords from disclosure. A hash, by definition, is
a one - way encryption. An attacker who obtains the password cannot
run the hash through an algorithm to decrypt the password. However,
the attacker can perform a dictionary attack, feeding all possible
password combinations through the algorithm and look for matching
hashes, thereby deducing the password. To protect against that
attack, "salt," or additional bits, are added to the password before
encryption. The addition of the bits means the attacker must
increase the dictionary to include all possible additional bits,
thereby increasing the difficulty of the attack.
Symmetric encryption is the use of the same key and algorithm by the
creator and reader of a file or message. The creator uses the key
and algorithm to encrypt, and the reader uses both to decrypt.
Symmetric encryption relies on the secrecy of the key. If the key is
captured by an attacker either when it is exchanged between the
communicating parties, or while one of the parties uses or stores
the key, the attacker can use the key and the algorithm to decrypt
messages, or to masquerade as a message creator.
Asymmetric encryption lessens the risk of key exposure by using two
mathematically related keys, the private key and the public key.
When one key is used to encrypt, only the other key can decrypt.
Therefore, only one key (the private key) must be kept secret. The
key that is exchanged (the public key) poses no risk if it becomes
known. For instance, if individual A has a private key and publishes
the public key, individual B can obtain the public key, encrypt a
message to individual A, and send it. As long as individual A keeps
his private key secure from discovery, only individual A will be
able to decrypt the message.
Return to the top of the
F. PERSONNEL SECURITY
1. Determine if the institution performs appropriate background
checks on its personnel, during the hiring process and thereafter,
according to the employee's authority over the institution's systems
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
18. If the institution, in its privacy policies, reserves the
right to disclose nonpublic personal information to nonaffiliated
third parties in the future, does the privacy notice include, as
a. categories of nonpublic personal information that the financial
institution reserves the right to disclose in the future, but does
not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom
the financial institution reserves the right in the future to
disclose, but to whom it does not currently disclose, nonpublic
personal information? [§6(e)(2)]
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.