FYI - Federal Regulators Issue Final Model Privacy Notice Form - Eight federal regulatory agencies today released a final model privacy notice form that will make it easier for consumers to understand how financial institutions collect and share information about consumers. Under the Gramm-Leach-Bliley Act, institutions must notify consumers of their information-sharing practices and inform consumers of their right to opt out of certain sharing practices. The model form issued today can be used by financial institutions to comply with these requirements.
Press Release: www.federalreserve.gov/newsevents/press/bcreg/20091117a.htm 
Press Release: www.fdic.gov/news/news/press/2009/pr09209.html 
Press Release: www.fdic.gov/news/news/financial/2009/fil09065.html 
Press Release: www.occ.treas.gov/ftp/release/2009-142.htm 
Press release: www.ots.treas.gov/?p=PressReleases&ContentRecord_id=028c55b4-1e0b-8562-eb6e-38a3ebebc798&ContentType_id=4c12f337-b5b6-4c87-b45c-838958422bf3 
Press Release: www.ncua.gov/news/press_releases/2009/11-17GLBPrivacyRule-ModelForm.pdf 

FYI - Third of Agency Report Daily Cyber Incidents - Survey: 44% of Agencies Had More Security Incidents in Past Year - Nearly one-third of federal agencies report at least one cybersecurity incident each day, with more than half reporting such occurrences weekly, according to a survey released Tuesday of 300 federal information security professionals conducted by CDW-Government, a provider of IT wares. http://www.govinfosecurity.com/articles.php?art_id=1931

FYI - How to DDOS a federal wiretap - Researchers at the University of Pennsylvania say they've discovered a way to circumvent the networking technology used by law enforcement to tap phone lines in the U.S. http://www.computerworld.com/s/article/9140717/How_to_DDOS_a_federal_wiretap?taxonomyId=17

FYI - MoJ consults on £500k data breach fines - Companies that suffer serious data breaches could be fined up to £500,000 under government plans announced this week. http://news.zdnet.co.uk/security/0,1000000189,39875322,00.htm

FYI - Attack tool can hijack data off unlocked iPhones - Hackers can steal data off jailbroken iPhones by leveraging the same vulnerability that currently is being used to spread a mischievous worm. http://www.scmagazineus.com/attack-tool-can-hijack-data-off-unlocked-iphones/article/157587/?DCMP=EMC-SCUS_Newswire

FYI - GAO - Cybersecurity: Continued Efforts Are Needed to Protect Information Systems from Evolving Threats.
Release - http://www.gao.gov/new.items/d10230t.pdf
Highlights - http://www.gao.gov/highlights/d10230thigh.pdf

FYI - Little to Show for $45 MM Infosec Investment - GAO: Security Weaknesses at Los Alamos Lab's Classified Network - Los Alamos National Laboratory has spent $45 million to secure its classified computer network between fiscal years 2001 and 2008, according to a report issued Friday by the Government Accountability Office, yet significant weaknesses remain in safeguarding the confidentiality, integrity and availability of information stored on and transmitted over its classified computer network. http://www.govinfosecurity.com/articles.php?art_id=1937

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Indian police arrest company boss accused of selling medical records of British patients - The head of an Indian outsourcing company has been arrested for selling confidential medical records of patients treated at one of Britain's top private hospitals. http://www.dailymail.co.uk/news/worldnews/article-1226934/Indian-police-arrest-company-boss-accused-selling-medical-records-British-patients.html

FYI - Eight charged in $9.5m payment processor hack - Gone in 12 hours - Eight men connected to an international crime ring have been charged with hacking into Atlanta-based bank card processor RBS WorldPay and stealing more than $9m in 12 hours. http://www.theregister.co.uk/2009/11/10/rbs_breach_indictment/

FYI - Fraud 'hits' follow local data breach - School employees' Social Security, bank information stolen - Social Security numbers of Vancouver Public Schools' 3,000-plus employees are assumed to be stolen, district officials said. http://www.columbian.com/article/20091111/NEWS02/711119935

FYI - Blue Cross Blue Shield Data Breach Investigated - Connecticut's attorney general is looking for tougher protection for healthcare providers after records, which could be useful to identity thieves, were lost. Connecticut Attorney General Richard Blumenthal is investigating Blue Cross Blue Shield's loss of confidential information, including tax identification and Social Security numbers, for 800,000 healthcare providers nationwide. http://www.informationweek.com/news/healthcare/security-privacy/showArticle.jhtml?articleID=221601331

FYI - Gang sentenced for UK bank trojan - Alert Print Post commentAlmost £600,000 siphoned - A British court has sentenced four men to prison after they admitted they used sophisticated trojan software to steal almost £600,000 from bank accounts and send it to Eastern Europe. http://www.theregister.co.uk/2009/11/16/bank_trojan_gang_sentenced/

FYI - Settlement OK'd over hacking into financial firm - A federal judge approved a settlement Thursday in a class action lawsuit against D.A. Davidson & Co. over clients' information that was compromised by a computer hacker almost two years ago. http://billingsgazette.com/news/local/crime-and-courts/article_6341f994-d00d-11de-bfda-001cc4c03286.html

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Practices for Managing Outsourced E-Banking Systems and Services (Part 2 of 3)

3. Banks should adopt appropriate procedures for ensuring the adequacy of contracts governing e-banking. Contracts governing outsourced e-banking activities should address, for example, the following:

a)  The contractual liabilities of the respective parties as well as responsibilities for making decisions, including any sub-contracting of material services are clearly defined.

b)   Responsibilities for providing information to and receiving information from the service provider are clearly defined. Information from the service provider should be timely and comprehensive enough to allow the bank to adequately assess service levels and risks. Materiality thresholds and procedures to be used to notify the bank of service disruptions, security breaches and other events that pose a material risk to the bank should be spelled out.

c)   Provisions that specifically address insurance coverage, the ownership of the data stored on the service provider's servers or databases, and the right of the bank to recover its data upon expiration or termination of the contract should be clearly defined.

d)   Performance expectations, under both normal and contingency circumstances, are defined. 

e)  Adequate means and guarantees, for instance through audit clauses, are defined to insure that the service provider complies with the bank's policies. 

f)   Provisions are in place for timely and orderly intervention and rectification in the event of substandard performance by the service provider.

g)   For cross-border outsourcing arrangements, determining which country laws and regulations, including those relating to privacy and other customer protections, are applicable.

h)  The right of the bank to conduct independent reviews and/or audits of security, internal controls and business continuity and contingency plans is explicitly defined.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - Over the next few weeks, we will cover the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

Financial institutions are actively evaluating and implementing wireless technology as a means to reach customers and reduce the costs of implementing new networks. In light of this fast-developing trend, the Federal Deposit Insurance Corporation (FDIC) is providing financial institutions with the following information about the risks associated with wireless technology and suggestions on managing those risks. Please share this information with your Chief Information Officer.

Wireless Technology and the Risks of Implementation

Wireless networks are rapidly becoming a cost-effective alternative for providing network connectivity to financial institution information systems. Institutions that are installing new networks are finding the installation costs of wireless networks competitive compared with traditional network wiring. Performance enhancements in wireless technology have also made the adoption of wireless networks attractive to institutions. Wireless networks operate at speeds that are sufficient to meet the needs of many institutions and can be seamlessly integrated into existing networks. Wireless networks can also be used to provide connectivity between geographically close locations without having to install dedicated lines.

Wireless Internet access to banking applications is also becoming attractive to financial institutions. It offers customers the ability to perform routine banking tasks while away from the bank branch, automated teller machines or their own personal computers. Wireless Internet access is a standard feature on many new cellular phones and hand-held computers.

Many of the risks that financial institutions face when implementing wireless technology are risks that exist in any networked environment (see FIL-67-2000, "Security Monitoring of Computer Networks," dated October 3, 2000, and the 1996 FFIEC Information Systems Examination Handbook, Volume 1, Chapter 15). However, wireless technology carries additional risks that financial institutions should consider when designing, implementing and operating a wireless network. Common risks include the potential:

1)  Compromise of customer information and transactions over the wireless network;

2)  Disruption of wireless service from radio transmissions of other wireless devices;

3)  Intrusion into the institution's network through wireless network connections; and

4)  Obsolescence of current systems due to rapidly changing standards.

These risks could ultimately compromise the bank's computer system, potentially causing:

1)  Financial loss due to the execution of unauthorized transactions;

2)  Disclosure of confidential customer information, resulting in - among other things - identity theft (see FIL-39-2001, "Guidance on Identity Theft and Pretext Calling," dated May 9, 2001, and FIL-22-2001, "Guidelines Establishing Standards for Safeguarding Customer Information," dated March 14, 2001);

3)  Negative media attention, resulting in harm to the institution's reputation; and

4)  Loss of customer confidence.

Return to the top of the newsletter

IT SECURITY QUESTION:  Auditing:

Does the institution have an internal auditor?
Does internal auditor audit the IT operations?
Does the institution have an external financial auditor?
Does the institution have an external IT auditor?
Does the auditor report IT auditing activities to the Board of Directors or a committee thereof?
Does the internal auditor have any conflicting duties?

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

38. For customers only, does the institution ensure that the initial, annual, and revised notices may be retained or obtained later by the customer in writing, or if the customer agrees, electronically? [§9(e)(1)]