Revised Training Program for Information Technology Examiners - This
letter modifies the training program for information technology
examiners as approved by the Staff Development Subcommittee of the
Strategic Plan Steering Committee. Effective with the publication of
this SR letter, the revised training program applies to all
assistant IT examiners currently employed by the Federal Reserve
Banks, as well as to those hired in the future. Completion of this
program is a requirement for IT specialists to obtain commissioned
examiner status at the Federal Reserve Banks.
FYI - Boeing Says Laptop
with Employee info Stolen - A laptop computer containing names,
social security numbers and other sensitive information of 161,000
current and former employees of Boeing Co. was stolen recently, the
U.S. aerospace manufacturer said Friday.
FYI - How to Design a
Strategic Security Process - Implementing strategic security
policies and procedures enhances the protection of IT assets and
digital information, while reducing external and internal security
FYI - DOD to automate
deployment of security patches - The Defense Department recently
made it mandatory for computer users to deploy automated security
tools across the department to better protect networks from viruses.
FYI - Sony's Plan To Fix
Infected Copy Protection Only Makes Matters Worse - Sony's suggested
method for removing the program actually widens the security hole
the original software created, researchers say.
FYI - NEC Debuts Laptop Without
a Hard Disk - Aimed at corporate users, the PC Parafield reduces
risk of losing loads of sensitive data if notebook is lost.
FYI - Offshoring specialists are
using security certification to assure firms that data is safe -
When organisations allow outsourcers or other third parties -
whether local or offshore - to handle customers' information, they
will increasingly demand evidence that this data is protected while
offsite. One way to ensure good practices for security is to use
service providers certified to the BS7799 British security standard
- or its international equivalent ISO 17799 - designed to help firms
manage and minimise security risks.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
TRUTH IN SAVINGS ACT (REG DD)
Financial institutions that advertise deposit products and services
on-line must verify that proper advertising disclosures are made in
accordance with all provisions of the regulations. Institutions
should note that the disclosure exemption for electronic media does
not specifically address commercial messages made through an
institution's web site or other on-line banking system. Accordingly,
adherence to all of the advertising disclosure requirements is
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to OSC
regulations if the institution's deposit rates appear on third party
web sites or as part of a rate sheet summary. These types of
messages are not considered advertisements unless the depository
institution, or a deposit broker offering accounts at the
institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers, would supplement electronic disclosures
with paper disclosures.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (2 of 5)
The enrollment process establishes the
user's identity and anticipated business needs to information and
systems. New employees, IT outsourcing relationships, and
contractors may also be identified, and the business need for access
determined during the hiring or contracting process.
During enrollment and thereafter, an authorization process
determines user access rights. In certain circumstances the
assignment of access rights may be performed only after the manager
responsible for each accessed resource approves the assignment and
documents the approval. In other circumstances, the assignment of
rights may be established by the employee's role or group
membership, and managed by pre - established authorizations for that
group. Customers, on the other hand, may be granted access based on
their relationship with the institution.
Authorization for privileged access should be tightly controlled.
Privileged access refers to the ability to override system or
application controls. Good practices for controlling privileged
! Identifying each privilege associated with each system component,
! Implementing a process to allocate privileges and allocating those
privileges either on a need - to - use or an event - by - event
basis,! Documenting the granting and administrative limits on
! Finding alternate ways of achieving the business objectives,
! Assigning privileges to a unique user ID apart from the one used
for normal business use,
! Logging and auditing the use of privileged access,
! Reviewing privileged access rights at appropriate intervals and
regularly reviewing privilege access allocations, and
! Prohibiting shared privileged access by multiple users.
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
13. Review authenticator reissuance and reset procedures.
Determine whether controls adequately mitigate risks from:
• Social engineering
• Errors in the identification of the user
• Inability to re-issue on a large scale in the event of a mass
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Definitions and Key Concepts
In discussing the duties and limitations imposed by the
regulations, a number of key concepts are used. These concepts
include "financial institution"; "nonpublic personal
information"; "nonaffiliated third party"; the
"opt out" right and the exceptions to that right; and
"consumer" and "customer." Each concept is
briefly discussed below. A more complete explanation of each appears
in the regulations.
A "financial institution" is any institution the
business of which is engaging in activities that are financial in
nature or incidental to such financial activities, as determined by
section 4(k) of the Bank Holding Company Act of 1956. Financial
institutions can include banks, securities brokers and dealers,
insurance underwriters and agents, finance companies, mortgage
bankers, and travel agents.
Nonaffiliated Third Party:
A "nonaffiliated third party" is any person except
a financial institution's affiliate or a person employed jointly by
a financial institution and a company that is not the institution's
affiliate. An "affiliate" of a financial institution is
any company that controls, is controlled by, or is under common
control with the financial institution.