FYI - 12 Steps to IT Security Compliance - Implementing
strategic IT security steps will help organizations comply with U.S.
government regulations, while securing their IT processes and
OCC Anti-Fraud Resources - OCC's new feature provides
Consumers and Bankers with information and resources to effectively
identify, report, and combat fraud.
FYI - Is System Lockdown
the Secret Weapon? - In the ongoing battle to fight internal and
external threats on the corporate desktop, IT staffers may be
forgetting one very potent weapon in their arsenal - system
FYI - Mobile email
threat to enterprises - Mobile email is on the verge of becoming
mainstream, according to a new survey. But experts warn that
enterprises must have strict policies in place to stop mobile
devices from spreading malware.
FYI - AIB (Allied Irish
Bank) beefs up online security - AIB has updated the access measures
for its online and telephone banking facility and has begun rolling
out a new security feature for certain money transfer functions.
FYI - European committee
approves extension to data storage law - An EU parliament committee
voted on Thursday to keep details of all EU-wide telephone calls and
Internet use for six months to a year to help combat terrorism and
FYI - Secure advice for
higher education - JSIC is targeting UK universities and colleges,
offering formal guidance on readdressing IT security. IT advisers
for the higher education sector are calling for a new approach to
information security. All colleges and universities in the UK have
been offered new guidance on IT security.
FYI - Backup encryption
failures leave data in peril - Potentially sensitive corporate data
is being placed unnecessarily at risk because less than a quarter of
companies currently encrypt their backup tapes, newly published
research has claimed.
FYI - Expert: audits not
enough - Corporations must do more than just conduct audits to
protect against evolving security threats, a security compliance
expert warned this week.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program
requires a financial institution to notify a prospective borrower
and the servicer that the structure securing the loan is located or
to be located in a special flood hazard area. The regulation also
requires a notice of the servicer's identity be delivered to the
insurance provider. While the regulation addresses electronic
delivery to the servicer and to the insurance provider, it does not
address electronic delivery of the notice to the borrower.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (4 of 5)
The access rights process programs the
system to allow the users only the access rights they were granted.
Since access rights do not automatically expire or update, periodic
updating and review of access rights on the system is necessary.
Updating should occur when an individual's business needs for
system use changes. Many job changes can result in an expansion or
reduction of access rights. Job events that would trigger a removal
of access rights include transfers, resignations, and terminations.
Institutions should take particular care to remove promptly the
access rights for users who have remote access privileges, and those
who administer the institution's systems.
Because updating may not always be accurate, periodic review of user
accounts is a good control to test whether the access right removal
processes are functioning, and whether users exist who should have
their rights rescinded or reduced. Financial institutions should
review access rights on a schedule commensurate with risk.
Access rights to new software and hardware present a unique problem.
Typically, hardware and software are installed with default users,
with at least one default user having full access rights. Easily
obtainable lists of popular software exist that identify the default
users and passwords, enabling anyone with access to the system to
obtain the default user's access. Default user accounts should
either be disabled, or the authentication to the account should be
changed. Additionally, access to these default accounts should
be monitored more closely than other accounts.
Sometimes software installs with a default account that allows
anonymous access. Anonymous access is appropriate, for instance,
where the general public accesses an informational web server.
Systems that allow access to or store sensitive information,
including customer information, should be protected against
the top of the newsletter
IT SECURITY QUESTION:
B. NETWORK SECURITY
the adequacy and accuracy of the network architecture.
a) Obtain a schematic overview of the financial institution's
b) Review procedures for maintaining current information,
including inventory reporting of
how new hardware are added and old hardware is removed.
c) Review audit and security reports that assess the accuracy
of network architectureschematics and identify unreported systems.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Nonpublic Personal Information:
"Nonpublic personal information" generally is any
information that is not publicly available and that:
1) a consumer provides to a financial institution to obtain a
financial product or service from the institution;
2) results from a transaction between the consumer and the
institution involving a financial product or service; or
3) a financial institution otherwise obtains about a consumer
in connection with providing a financial product or service.
Information is publicly available if an institution has a reasonable
basis to believe that the information is lawfully made available to
the general public from government records, widely distributed
media, or legally required disclosures to the general public.
Examples include information in a telephone book or a publicly
recorded document, such as a mortgage or securities filing.
Nonpublic personal information may include individual items of
information as well as lists of information. For example, nonpublic
personal information may include names, addresses, phone numbers,
social security numbers, income, credit score, and information
obtained through Internet collection devices (i.e., cookies).
There are special rules regarding lists. Publicly available
information would be treated as nonpublic if it were included on a
list of consumers derived from nonpublic personal information. For
example, a list of the names and addresses of a financial
institution's depositors would be nonpublic personal information
even though the names and addresses might be published in local
telephone directories because the list is derived from the fact that
a person has a deposit account with an institution, which is not
publicly available information.
However, if the financial institution has a reasonable basis to
believe that certain customer relationships are a matter of public
record, then any list of these relationships would be considered
publicly available information. For instance, a list of mortgage
customers where the mortgages are recorded in public records would
be considered publicly available information. The institution could
provide a list of such customers, and include on that list any other
publicly available information it has about the customers on that
list without having to provide notice or opt out.