Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI -
New Data Privacy Laws Set For Firms - A Nevada law that took effect
this month requires all businesses there to encrypt
personally-identifiable customer data, including names and
credit-card numbers, that are transmitted electronically.
http://online.wsj.com/article/SB122411532152538495.html
FYI -
ComputraceOne used by Nottingham police to reduce laptop theft -
Nottingham's students and community members are to receive software
to protect their laptops. Nottinghamshire Police, the Crime and
Drugs Partnership and other agencies have provided funding to give
out the licenses for ComputraceOne from Absolute Software free of
charge in a bid to reduce laptop theft.
http://www.scmagazineuk.com/ComputraceOne-used-by-Nottingham-police-to-reduce-laptop-theft/article/119491/
FYI -
Court of Appeal orders men to disclose encryption keys - Two men
have been told that they cannot rely on their right to silence to
refuse to give British police a computer password.
http://www.out-law.com/default.aspx?page=9514
FYI -
DHS lax on portable device security controls - The Homeland Security
Department has not deployed effective controls on portable storage
devices that may be attached to its unclassified computer systems,
according to an audit report from DHS Inspector General Richard
Skinner released today.
http://www.fcw.com/online/news/154093-1.html
FYI -
National Cybersecurity Initiative R&D effort launched - The
government officially has begun to formulate a national research and
development agenda for "game-changing ideas" as part of the
multiyear, multibillion-dollar, governmentwide effort to secure
cyberspace through the Comprehensive National Cybersecurity
Initiative (CNCI).
http://www.fcw.com/online/news/154063-1.html?type=pf
FYI -
GAO - Social Security Numbers Are Widely Available in Bulk and
Online Records, but Changes to Enhance Security Are Occurring.
http://www.gao.gov/cgi-bin/getrpt?GAO-08-1009R
FYI -
Groups want IT security burden to also fall on CFOs - Cybersecurity
isn't only an IT problem. Instead a successful response requires all
departments to work together, with the CFO coordinating an
enterprise-wide effort. So says a new, free guide developed for CFOs
wanting to have more of a hand in cyber-risk decisions.
http://www.scmagazineus.com/Groups-want-IT-security-burden-to-also-fall-on-CFOs/article/119722/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Data breaches at state, local agencies expose data about millions -
Data breaches at state and local government agencies exposed the
personal information of nearly 3.8 million Americans in the first
three quarters of this year, according to the Privacy Rights
Clearinghouse.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=47396
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 9 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
Customer Service Complaints
Financial institutions should have plans to respond to customer
complaints, including those regarding the appropriateness or quality
of content, services, or products provided or the privacy and
security policies of the third-party site. The plan also should
address how the financial institution will address complaints
regarding any failures of linked third parties to provide agreed
upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the
activities of linked third parties as a part of its risk management
strategy. Monitoring policies and procedures should include periodic
content review and testing to ensure that links function properly,
and to verify that the levels of services provided by third parties
are in accordance with contracts and agreements. Website
content is dynamic, and third parties may change the presentation or
content of a website in a way that results in risk to the financial
institution's reputation. Periodic review and testing will reduce
this risk exposure. The frequency of review should be commensurate
with the degree of risk presented by the linked site.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Services and Configuration
Firewalls may provide some additional services:
- Network address translation (NAT) - NAT readdresses outbound packets to mask the internal IP addresses of the network. Untrusted networks see a different host IP address from the actual internal address. NAT allows an institution to hide the topology and address schemes of its trusted network from untrusted networks.
- Dynamic host configuration protocol (DHCP) - DHCP assigns IP addresses to machines that will be subject to the security controls of the firewall.
- Virtual Private Network (VPN) gateways - A VPN gateway provides an encrypted tunnel between a remote external gateway and the internal network. Placing VPN capability on the firewall and the remote gateway protects information from disclosure between the gateways but not from the gateway to the terminating machines. Placement on the firewall, however, allows the firewall to inspect the traffic and perform access control, logging, and malicious code scanning.
One common firewall implementation in financial institutions hosting
Internet applications is a DMZ, which is a neutral Internet
accessible zone typically separated by two firewalls. One firewall
is between the institution's private network and the DMZ and then
another firewall is between the DMZ and the outside public network.
The DMZ constitutes one logical security domain, the outside public
network is another security domain, and the institution's internal
network may be composed of one or more additional logical security
domains. An adequate and effectively managed firewall can ensure that an institution's computer systems are not directly accessible to anyone on the Internet.
Financial institutions have a variety of firewall options from which
to choose depending on the extent of Internet access and the
complexity of their network. Considerations include the ease of
firewall administration, degree of firewall monitoring support
through automated logging and log analysis, and the capability to
provide alerts for abnormal activity.
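The following is an added example, not part of the FFIEC booklet or this newsletter: a small Python model of the two-firewall DMZ described above (Internet, DMZ and internal network as three security domains) that checks the stated property that internal systems are never directly reachable from the Internet. All zone names, ports and rule sets are constructed assumptions chosen to illustrate the layout.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Security domains in the order traffic crosses them; a firewall sits between each pair.
ZONES = ["internet", "dmz", "internal"]

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"

def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First-match evaluation; anything not explicitly allowed is denied."""
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (None, port):
            return r.action
    return "deny"

# Constructed rule sets for the two firewalls in the text (assumed ports).
OUTER: List[Rule] = [Rule("internet", "dmz", 443, "allow")]   # public HTTPS front end
INNER: List[Rule] = [Rule("dmz", "internal", 1433, "allow")]  # web tier to database only
FIREWALLS: Dict[Tuple[str, str], List[Rule]] = {
    ("internet", "dmz"): OUTER,   # outer firewall: Internet <-> DMZ
    ("dmz", "internal"): INNER,   # inner firewall: DMZ <-> private network
}

def firewalls_on_path(src: str, dst: str, firewalls=FIREWALLS) -> List[List[Rule]]:
    """Every firewall between the two zones is traversed, in order."""
    lo, hi = sorted((ZONES.index(src), ZONES.index(dst)))
    return [firewalls[(ZONES[k], ZONES[k + 1])] for k in range(lo, hi)]

def permitted(src: str, dst: str, port: int, firewalls=FIREWALLS) -> bool:
    """A flow is permitted only if each firewall on its path allows it."""
    return all(evaluate(fw, src, dst, port) == "allow"
               for fw in firewalls_on_path(src, dst, firewalls))

def internal_ports_exposed(firewalls=FIREWALLS) -> List[int]:
    """Ports on which an Internet host could reach the internal zone directly."""
    return [p for p in range(1, 65536) if permitted("internet", "internal", p, firewalls)]

# A mistaken outer-firewall rule that tries to open RDP straight into the private network;
# the inner firewall still has no matching allow rule, so the flow stays blocked.
BAD_OUTER = OUTER + [Rule("internet", "internal", 3389, "allow")]
BAD_FIREWALLS = {("internet", "dmz"): BAD_OUTER, ("dmz", "internal"): INNER}

if __name__ == "__main__":
    print("internal ports exposed:", internal_ports_exposed())            # []
    print("RDP with bad outer rule:", permitted("internet", "internal", 3389, BAD_FIREWALLS))  # False
```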
IT SECURITY QUESTION:
C. HOST SECURITY
10. Determine if vulnerability testing takes place after each configuration change.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Consumer and Customer:
The distinction between consumers and customers is
significant because financial institutions have additional
disclosure duties with respect to customers. All customers covered
under the regulation are consumers, but not all consumers are
customers.
A "consumer" is an individual, or that individual's legal
representative, who obtains or has obtained a financial product or
service from a financial institution that is to be used primarily
for personal, family, or household purposes.
A "financial service" includes, among other things, a
financial institution's evaluation or brokerage of information that
the institution collects in connection with a request or an
application from a consumer for a financial product or service. For
example, a financial service includes a lender's evaluation of an
application for a consumer loan or for opening a deposit account
even if the application is ultimately rejected or withdrawn.
Consumers who are not customers are entitled to an initial privacy
and opt out notice only if their financial institution wants to
share their nonpublic personal information with nonaffiliated third
parties outside of the exceptions.
A "customer" is a consumer who has a "customer
relationship" with a financial institution. A "customer
relationship" is a continuing relationship between a consumer
and a financial institution under which the institution provides one
or more financial products or services to the consumer that are to
be used primarily for personal, family, or household purposes.