Keystrokes can be recovered remotely - Wired keyboards, like those
found on desktop PCs, emit electromagnetic waves that can be read
remotely, according two Swiss researchers.
GAO - Check 21 Act: Most Consumers Have Accepted and Banks Are
Progressing Toward Full Adoption of Check Truncation.
FTC extends "Red Flags Rules" enforcement six months - The Federal
Trade Commission is extending the deadline for enforcement of the
identity theft prevention "Red Flags Rules" until May 1. The
deadline was extended because many companies were not prepared to
meet the original Nov. 1 deadline, an FTC news release said.
OMB backtracks on granting CIOs more authority - The Office of
Management and Budget substantially edited a final memo outlining
the role of federal chief information officers, removing from a
draft version the responsibilities that would have given the
technology executives more power within agencies.
Several nations eyeing U.S. cyber targets - About two dozen nations
have developed cyber-attack capabilities and have their eyes on
targets inside the U.S. government or businesses, the top cybercrime
law enforcement official in the U.S. said.
The coolest IT security jobs - SANS Institute to issue guide to most
interesting IT security jobs.
Your personal identity isn't worth quite as much as it used to
be--at least to thieves willing to swipe it. According to experts
who monitor such markets, the value of stolen credit card data may
range from $3 to as little as 40 cents.
Turkish hacker arrested by FBI made video giving tips for installing
ATM skimmers - A Turkish hacker known as "Chao" and arrested as part
of the FBI operation against underground forum DarkMarket produced
his own training videos, researchers revealed this week at the RSA
Europe conference in London.
Health care data security breaches in the U.S. - New laws and
regulations regarding data security breaches and disclosure laws
affect the way in which health care organizations do business.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
$5,000 Reward Offered in Computer Theft - Fresno Police Chief Jerry
Dyer asks city employees not to panic after a computer loaded with
vital records was stolen. The computer was stolen last week from KRM
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We finish our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 10 of 10)
B. RISK MANAGEMENT TECHNIQUES
Managing Service Providers
Financial institutions, especially smaller institutions, may
choose to subcontract with a service provider to create, arrange,
and manage their websites, including weblinks. The primary risks for
these financial institutions are the same as for those institutions
that arrange the links directly. However, if a financial institution
uses a set of pre-established links to a large number of entities
whose business policies or procedures may be unfamiliar, it may
increase its risk exposure. This is particularly true in situations
it maintains certain minimum information security standards at all
When a financial institution subcontracts weblinking arrangements to
a service provider, the institution should conduct sufficient due
diligence to ensure that the service provider is appropriately
managing the risk exposure from other parties. Management should
keep in mind that a vendor might establish links to third parties
that are unacceptable to the financial institution. Finally, the
written agreement should contain a regulatory requirements clause in
which the service provider acknowledges that its linking activities
must comply with all applicable consumer protection laws and
Financial institution management should consider weblinking
agreements with its service provider to mitigate significant risks.
These agreements should be clear and enforceable with descriptions
of all obligations, liabilities, and recourse arrangements. These
may include the institution's right to exclude from its site links
the financial institution considers unacceptable. Such contracts
should include a termination clause, particularly if the contract
does not include the ability to exclude websites. Finally, a
financial institution should apply its link monitoring policies
discussed above to links arranged by service providers or other
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Firewall Policy (Part 1 of 3)
A firewall policy states management's expectations for how the
firewall should function and is a component of the overall security
policy. It should establish rules for traffic coming into and going
out of the security domain and how the firewall will be managed and
updated. Therefore, it is a type of security policy for the
firewall, and forms the basis for the firewall rules. The firewall
selection and the firewall policy should stem from the ongoing
security risk assessment process. Accordingly, management needs to
update the firewall policy as the institution's security needs and
the risks change. At a minimum, the policy should address:
! Firewall topology and architecture,
! Type of firewall(s) being utilized,
! Physical placement of the firewall components,
! Monitoring firewall traffic,
! Permissible traffic (generally based on the premise that all
traffic not expressly allowed is denied, detailing which
applications can traverse the firewall and under what exact
circumstances such activities can take place),
! Firewall updating,
! Coordination with intrusion detection and response mechanisms,
! Responsibility for monitoring and enforcing the firewall policy,
! Protocols and applications permitted,
! Regular auditing of a firewall's configuration and testing of the
firewall's effectiveness, and
! Contingency planning.
Financial institutions should also appropriately train and manage
their staffs to ensure the firewall policy is implemented properly.
Alternatively, institutions can outsource the firewall management,
while ensuring that the outsourcer complies with the institution's
specific firewall policy.
Return to the top of the
C. HOST SECURITY
11. Determine whether appropriate notification is
made of authorized use, through banners or other means.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Consumer and Customer:
A "customer" is a consumer who has a "customer
relationship" with a financial institution. A "customer
relationship" is a continuing relationship between a consumer
and a financial institution under which the institution provides one
or more financial products or services to the consumer that are to
be used primarily for personal, family, or household purposes.
For example, a customer relationship may be established when a
consumer engages in one of the following activities with a financial
1) maintains a deposit or investment account;
2) obtains a loan;
3) enters into a lease of personal property; or
4) obtains financial, investment, or economic advisory
services for a fee.
Customers are entitled to initial and annual privacy notices
regardless of the information disclosure practices of their
There is a special rule for loans. When a financial institution
sells the servicing rights to a loan to another financial
institution, the customer relationship transfers with the servicing
rights. However, any information on the borrower retained by the
institution that sells the servicing rights must be accorded the
protections due any consumer.
Note that isolated transactions alone will not cause a consumer to
be treated as a customer. For example, if an individual purchases a
bank check from a financial institution where the person has no
account, the individual will be a consumer but not a customer of
that institution because he or she has not established a customer
relationship. Likewise, if an individual uses the ATM of a financial
institution where the individual has no account, even repeatedly,
the individual will be a consumer, but not a customer of that