FFIEC Guidance on Pandemic Planning - The Federal Financial
Institutions Examination Council issued guidance today for use by
financial institutions in identifying the continuity planning that
should be in place to minimize the potential adverse effects of a
pandemic. This guidance expands upon the contents of the Interagency
Advisory on Influenza Pandemic Preparedness issued in March 2006.
OMB directs agencies to close off most Internet links - The Office
of Management and Budget's Trusted Internet Connections (TIC)
initiative likely is to be the last publicized program in the Bush
administration's stepped-up focus on cybersecurity.
Security policies? Workers ignore them, survey says - It's one thing
to have a companywide information security policy in place. But it's
a whole different ballgame to get employees to actually follow the
policies -- even those that are IT types.
Privacy breach nuked in Canadian passport site - Red-faced Canadian
passport officials say they've closed a privacy breach on their
website that leaked the personal information of applicants,
including their driver's license numbers, birth dates - even whether
they owned a gun.
Wireless keyboards vulnerable to hacking via radio receivers -
Cybercriminals can log the keystrokes of end-users by cracking the
encryption of non-Bluetooth wireless keyboards from over 30 feet
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Lost data discs 'endanger protected witnesses' - Hundreds of people
in police witness protection programmes have been put at risk by the
loss of millions of child benefit records.
Hackers get data of federal lab visitors - The Oak Ridge National
Laboratory revealed on Thursday that a "sophisticated cyber attack"
over the last few weeks may have allowed personal information about
thousands of lab visitors to be stolen.
Forrester Loses Laptop Containing Personnel Data - The incident
appears to be a clear case of, "Do as I say, not as I do." Thieves
stole a laptop from the home of a Forrester Research employee during
the week of Nov. 26, potentially exposing the names, addresses and
Social Security numbers of an undisclosed number of current and
former employees and directors, the company said in a letter mailed
to those affected.
Stolen Laptop Had 268,000 Social Security Numbers - A Twin Cities
blood bank says a laptop computer with 268,000 names and Social
Security numbers has been stolen.
Community Blood Center affected by laptop theft - Community Blood
Center is the latest business to be notified that employees'
information was stored on a laptop stolen in October from a
Kettering auditing firm.
Tricare data breach affects 4,700 families - Letters are in the mail
to about 4,700 households who submitted claims through the Tricare
Europe office since 2004 about a data breach involving their
personal information - a month after the breach was reported.
Bank details on stolen laptop - Personal details of up to 60,000
people have been lost by Citizens Advice, it was revealed. Bank
account numbers, National Insurance numbers, names, addresses and
dates of birth were on a laptop stolen from a staff member's car in
Police launch hunt for bogus bobbies - A gang of robbers dressed as
police told staff at a data centre in London's King's Cross last
night they were investigating reports of people on the roof of the
building, before tying them up and making off with expensive
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - This
concludes the series from the
FDIC "Security Risks Associated with the Internet."
While this Financial Institution Letter was published in
December 1997, the issues still are relevant. Starting next
week, we will begin covering the OCC Bulletin about
Infrastructure Threats and Intrusion Risks dated May 15, 2000.
V. Security Flaws and Bugs
Because hardware and software continue to improve, the task of
maintaining system performance and security is ongoing. Products are
frequently issued which contain security flaws or other bugs, and
then security patches and version upgrades are issued to correct the
deficiencies. The most important action in this regard is to keep
current on the latest software releases and security patches. This
information is generally available from product developers and
vendors. Also important is an understanding of the products and
their security flaws, and how they may affect system performance.
For example, if there is a time delay before a patch will be
available to correct an identified problem, it may be necessary to
invoke mitigating controls until the patch is issued.
Reference sources for the identification of software bugs exist,
such as the Computer Emergency Response Team Coordination Center
(CERT/CC) at the Software Engineering Institute of Carnegie Mellon
University, Pittsburgh, Pennsylvania. The CERT/CC, among other
activities, issues advisories on security flaws in software
products, and provides this information to the general public
through subscription e‑mail, Internet newsgroups (Usenet), and
their Web site at www.cert.org.
Many other resources are freely available on the Internet.
Active Content Languages
Active content languages have been the subject of a number of recent
security discussions within the technology industry. While it is not
their only application, these languages allow computer programs to
be attached to Web pages. As such, more appealing and interactive
Web pages can be created, but this function may also allow
unauthorized programs to be automatically downloaded to a user's
computer. To date, few incidents have been reported of harm caused
by such programs; however, active content programs could be
malicious, designed to access or damage data or insert a
Security problems may result from an implementation standpoint, such
as how the languages and developed programs interact with other
software, such as Web browsers. Typically, users can disable the
acceptance of such programs on their Web browser. Or, users can
configure their browser so they may choose which programs to accept
and which to deny. It is important for users to understand how these
languages function and the risks involved, so that they make
educated decisions regarding their use. Security alerts concerning
active content languages are usually well publicized and should
receive prompt reviews by those utilizing the technology.
Because potentially malicious programs can be downloaded directly
onto a system from the Internet, virus protection measures beyond
the traditional boot scanning techniques may be necessary to
properly protect servers, systems, and workstations. Additional
protection might include anti-virus products that remain resident,
providing for scanning during downloads or the execution of any
program. It is also important to ensure that all system users are
educated in the risks posed to systems by viruses and other
malicious programs, as well as the proper procedures for accessing
information and avoiding such threats.
the top of the newsletter
IT SECURITY QUESTION:
Core application user access controls: (Part 2 of 2)
h. Is the user locked out after three unsuccessful attempts to enter
the correct password?
i. How long is the user locked out after entering an incorrect
j. Automatic timeout if left unattended? If so, how long?
k. Automatic lockout by time of day and day of week?
l. Is user access restricted by workstation?
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
8) Do the initial, annual, and revised privacy notices include
each of the following, as applicable: (Part 1 of 2)
a) the categories of nonpublic personal information that the
institution collects; [§6(a)(1)]
b) the categories of nonpublic personal information that the
institution discloses; [§6(a)(2)]
c) the categories of affiliates and nonaffiliated third
parties to whom the institution discloses nonpublic personal
information, other than parties to whom information is disclosed
under an exception in §14 or §15; [§6(a)(3)]
d) the categories of nonpublic personal information disclosed
about former customers, and the categories of affiliates and
nonaffiliated third parties to whom the institution discloses that
information, other than those parties to whom the institution
discloses information under an exception in §14 or §15; [§6(a)(4)]