To USB or not to USB, well not in the DoD - what do you do? - The
DOD issued orders that USB drives and other removable devices are no
longer to be used. Through autorun features and the presence of some
nasty malware the decision was made to prohibit the use of the
devices in an attempt to contain a malware outbreak.
Massachusetts extends compliance deadline on new data-encryption
rules - Economic woes prompt state to give companies more time to
meet data security regulations - Companies that have to comply with
tough new regulations mandating the use of encryption and other
security controls for protecting the personal data of Massachusetts
residents are being given more time to do so.
Computer virus quarantines London Hospital for second day - IT staff
at three major London hospitals have spent a second day struggling
to restore IT systems following a major computer virus outbreak.
Network Security Breaches Plague NASA - Repeated attacks from abroad
on NASA computers and Web sites are causing consternation among
officials and stirring national security concerns.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Police officers among BNP members listed on web - The entire
membership list of the British National party has been posted on the
internet, identifying thousands of people as secret supporters of
the far right and exposing many to the risk of dismissal from work,
disciplinary action or vilification.
Obama's cell phone records breached - A number of Verizon Wireless
employees accessed and viewed President-elect Barack Obama's
personal cell phone account without authorization, Verizon Wireless
President and CEO, Lowell McAdam said in a statement.
Verizon cans workers who snooped Obama's cell phone, CNN reports
Verizon Wireless has fired an undisclosed number of employees who
snooped into the cell phone records of President-elect Barack Obama
earlier this year, according to a report by cable news channel CNN.
London Hospital back online after computer virus shutdown - Computer
systems at three major London hospitals are largely back online on
Friday morning, three days after a major computer virus outbreak
forced staff to disconnect the network.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
week begins our series on the FDIC's Supervisory Policy on Identity
(Part 4 of 6)
As a result of guidelines issued by the FDIC, together with other
federal agencies, financial institutions are required to develop and
implement a written program to safeguard customer information,
including the proper disposal of consumer information (Security
Guidelines).5 The FDIC considers this programmatic requirement to be
one of the foundations of identity theft prevention. In guidance
that became effective on January 1, 2007, the federal banking
agencies made it clear that they expect institutions to use stronger
and more reliable methods to authenticate the identity of customers
using electronic banking systems. Moreover, the FDIC has also issued
guidance stating that financial institutions are expected to notify
customers of unauthorized access to sensitive customer information
under certain circumstances. The FDIC has issued a number of other
supervisory guidance documents articulating its position and
expectations concerning identity theft. Industry compliance with
these expectations will help to prevent and mitigate the effects of
Risk management examiners trained in information technology (IT) and
the requirements of the Bank Secrecy Act (BSA) evaluate a number of
aspects of a bank's operations that raise identity theft issues. IT
examiners are well-qualified to evaluate whether banks are
incorporating emerging IT guidance into their Identity Theft
Programs and GLBA 501(b) Information Security Programs; responsibly
overseeing service provider arrangements; and taking action when a
security breach occurs. In addition, IT examiners will consult with
BSA examiners during the course of an examination to ensure that the
procedures institutions employ to verify the identity of new
customers are consistent with existing laws and regulations to
prevent financial fraud, including identity theft.
The FDIC has also issued revised examination procedures for the Fair
Credit Reporting Act (FCRA), through the auspices of the Federal
Financial Institutions Examination Council's (FFIEC) Consumer
Compliance Task Force. These procedures are used during
consumer compliance examinations and include steps to ensure that
institutions comply with the FCRA's fraud and active duty alert
provisions. These provisions enable consumers to place alerts on
their consumer reports that require users, such as banks, to take
additional steps to identify the consumer before new credit is
extended. The procedures also include reviews of institutions'
compliance with requirements governing the accuracy of data provided
to consumer reporting agencies. These requirements include the
blocking of data that may be the result of an identity theft.
Compliance examiners are trained in the various requirements of the
FCRA and ensure that institutions have effective programs to comply
with the identity theft provisions. Consumers are protected from
identity theft through the vigilant enforcement of all the
examination programs, including Risk Management, Compliance, IT and
The Fair and Accurate Credit Transactions Act directed the FDIC and
other federal agencies to jointly promulgate regulations and
guidelines that focus on identity theft "red flags" and customer
address discrepancies. As proposed, the guidelines would require
financial institutions and creditors to establish a program to
identify patterns, practices, and specific forms of activity that
indicate the possible existence of identity theft. The proposed
joint regulation would require financial institutions and creditors
to establish reasonable policies to implement the guidelines,
including a provision requiring debit and credit card issuers to
assess the validity of a request for a change of address. In
addition, the agencies proposed joint regulations that provide
guidance regarding reasonable policies and procedures that a user of
consumer reports must employ when the user receives a notice of
address discrepancy. When promulgated in final form, these joint
regulations and guidelines will comprise another element of the
FDIC's program to prevent and mitigate identity theft.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS
(Part 2 of 2)
Additional operating system access controls include the following
! Ensure system administrators and security professionals have
adequate expertise to securely configure and manage the operating
! Ensure effective authentication methods are used to restrict
system access to both users and applications.
! Activate and utilize operating system security and logging
capabilities and supplement with additional security software where
supported by the risk assessment process.
! Restrict operating system access to specific terminals in
physically secure and monitored locations.
! Lock or remove external drives from system consoles or terminals
residing outside physically secure locations.
! Restrict and log access to system utilities, especially those with
data altering capabilities.
! Restrict access to operating system parameters.
! Prohibit remote access to sensitive operating system functions,
where feasible, and at a minimum require strong authentication and
encrypted sessions before allowing remote support.
! Limit the number of employees with access to sensitive operating
systems and grant only the minimum level of access required to
perform routine responsibilities.
! Segregate operating system access, where possible, to limit full
or root - level access to the system.
! Monitor operating system access by user, terminal, date, and time
! Update operating systems with security patches and using
appropriate change control mechanisms.
Return to the top of the
D. USER EQUIPMENT SECURITY
(E.G. WORKSTATION, LAPTOP, HANDHELD)
1. Determine whether new workstations are
prepared according to documented procedures for secure configuration
or replication and that vulnerability testing takes place prior to
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties ( Part 4 of 6)
Requirements for Notices (continued)
Notice Content. A privacy notice must contain specific
disclosures. However, a financial institution may provide to
consumers who are not customers a "short form" initial
notice together with an opt out notice stating that the
institution's privacy notice is available upon request and
explaining a reasonable means for the consumer to obtain it. The
following is a list of disclosures regarding nonpublic personal
information that institutions must provide in their privacy notices,
1) categories of information collected;
2) categories of information disclosed;
3) categories of affiliates and nonaffiliated third parties to
whom the institution may disclose information;
4) policies with respect to the treatment of former customers'
5) information disclosed to service providers and joint
marketers (Section 13);
6) an explanation of the opt out right and methods for opting
7) any opt out notices the institution must provide under the
Fair Credit Reporting Act with respect to affiliate information
8) policies for protecting the security and confidentiality of
9) a statement that the institution makes disclosures to other
nonaffiliated third parties as permitted by law (Sections 14 and