Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Risk Management Program Revised IT Officer's Questionnaire - The FDIC has updated its risk-focused Information Technology examination procedures for FDIC-supervised financial institutions.
www.fdic.gov/news/news/financial/2007/fil07105.html
FYI - Visa fines Ohio bank in TJX data breach - Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ's Wholesale Club Inc. several years ago, a court filing shows.
http://www.boston.com/business/globe/articles/2007/11/24/visa_fines_ohio_bank_in_tjx_data_breach/?page=full
FYI - Insider charged with hacking California canal system - A man has been charged with hacking a computer used to control water canals in California. A former employee of a small California canal system has been charged with installing unauthorized software and damaging the computer used to divert water from the Sacramento River.
http://www.computerworld.com.au/index.php/id;511545055;fp;2;fpid;1
FYI - Should IT security workers become professionals? - Lawyers, doctors and engineers are professionals. Now, with public confidence in IT ebbing as data thefts dominate headlines, it's time for security workers to debate becoming a self-managing group.
http://www.itworld.com/Career/071123prof/
FYI - Visa and TJX Agree to Provide U.S. Issuers up to $40.9 Million for Data Breach Claims - U.S. Visa Issuers Eligible to Participate in Speedy, Alternative Recovery Program - Visa Inc. announced today it has negotiated an agreement with The TJX Companies, Inc. (TJX) and its U.S. acquirer to offer an alternative recovery program to U.S. issuers that may have been affected by the retailer's previously announced unauthorized computer intrusion(s).
http://www.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20071130005355&newsLang=en
FYI - Hackers Launch Cyber Attack on Federal Lab - Oak Ridge National Laboratory Says Breach Could Have Compromised Visitor Information - A "sophisticated cyber attack" has been detected at Oak Ridge National Laboratory over the last several weeks that may have compromised the personal information of thousands of visitors to the lab, according to a communiqué sent to employees.
http://abcnews.go.com/TheLaw/story?id=3966047
MISSING COMPUTERS/DATA
FYI - 30,000 Dutch Telsell-customer credit card details stolen from Telsell computers - Telsell claims not their responsibility - Customers of the television-sales organization TelSell can not only tele-shop while relaxing in their lazy chair, they also have a good chance to be robbed, while in that same chair.
http://www.first.org/newsroom/globalsecurity/176842.html
FYI - Tesco online store 'is infiltrated by insider card fraudster' - Customers shopping at Britain's biggest Internet store - Tesco Direct - are feared to have had their card details stolen by a company insider.
http://www.thisislondon.co.uk/news/article-23422816-details/Tesco+online+store+'is+infiltrated+by+insider+card+fraudster'/article.do
FYI - Massachusetts Data Breach Puts Seniors at Risk - Compromise of the state's insurance program could expose 150,000 residents to identity theft. The state of Massachusetts is warning 150,000 members of its Prescription Advantage insurance program that their personal information may have been snatched by an identity thief.
http://www.pcworld.com/article/id,140206/article.html?tk=nl_dnxnws
WEB SITE COMPLIANCE - Equal Credit Opportunity Act (Regulation B)
The regulation clarifies the rules concerning the taking of credit applications by specifying that application information entered directly into and retained by a computerized system qualifies as a written application under this section. If an institution makes credit application forms available through its on-line system, it must ensure that the forms satisfy the requirements.
The regulation also clarifies the regulatory requirements that apply when an institution takes loan applications through electronic media. If an applicant applies through an electronic medium (for example, the Internet or a facsimile) without video capability that allows employees of the institution to see the applicant, the institution may treat the application as if it were received by mail.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Logical Access Controls (Part 2 of 2)
Tokens
Token technology relies on a separate physical device, which is retained by an individual, to verify the user's identity. The token resembles a small hand-held card or calculator and is used to generate passwords. The device is usually synchronized with security software in the host computer, such as an internal clock or an identical time-based mathematical algorithm. Tokens are well suited for one-time password generation and access control. A separate PIN is typically required to activate the token.
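As an added example (not part of the FDIC text), the Python below shows how a clock-synchronized token and its host derive the same one-time password: both hold a shared secret and compute a code from the current 30-second window using the standardized HOTP/TOTP construction (RFC 4226 / RFC 6238), and the host tolerates one window of clock drift. The shared secret is a constructed demo value (the RFC test key), not a real credential.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret shared by the token and the host (the RFC 4226 test key).
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks a slice
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the current `step`-second window,
    which is what keeps the hand-held token and the host in sync."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, candidate: str, at_time: float,
                step: int = 30, digits: int = 6, drift: int = 1) -> bool:
    """Host-side check. Accepts the code for the current window and up to `drift`
    windows either side, so a slightly skewed token clock still validates.
    Rejects malformed input and compares in constant time."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    window = int(at_time // step)
    return any(
        hmac.compare_digest(hotp(secret, window + delta, digits), candidate)
        for delta in range(-drift, drift + 1)
    )


if __name__ == "__main__":
    now = time.time()
    code = totp(SHARED_SECRET, now)            # what the token's display would show
    print("token shows:", code)
    print("host accepts:", verify_totp(SHARED_SECRET, code, now))
```

The PIN the paragraph mentions is checked locally on the token before it will display a code; it never reaches the host, so it is not part of the host-side verification above.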
Smart Cards
Smart cards resemble credit cards or other traditional magnetic stripe cards, but contain an embedded computer chip. The chip includes a processor, operating system, and both read-only memory (ROM) and random access memory (RAM). They can be used to generate one-time passwords when prompted by a host computer, or to carry cryptographic keys. A smart card reader is required for their use.
Biometrics
Biometrics involves identification and verification of an individual based on some physical characteristic, such as fingerprint analysis, hand geometry, or retina scanning. This technology is advancing rapidly, and offers an alternative means to authenticate a user.
IT SECURITY QUESTION:
Core application user access controls: (Part 1 of 2)
a. Is there a written procedure for password administration?
b. If a username is required, does the system automatically enter the username?
c. Is the password length six or greater?
d. Is the use of proper nouns and dictionary words discouraged?
e. Is the password required to include upper and lower case letters, special characters, and numbers?
f. Are passwords required to be changed at least every 30 days?
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Initial Privacy Notice
6. Does the institution provide an annual privacy notice to each customer whose loan the institution owns the right to service? [§§5(c), 4(c)(2)]