The Top 10 Data Breaches of 2007 - Stolen hard drives,
websites infected with malware and Social Security numbers as
passwords--the most brilliant lunacy of a year full of security
Test feds' info security savvy, report suggests - A majority of
federal workers continue to violate information security policies
despite being aware of threats to agency systems and knowing the
importance of following data security policies, a survey by
Rogue servers point users to impostor sites - Researchers have
uncovered a large network of rogue servers that threatens end users
by silently feeding them counterfeit versions of trusted websites.
Data breach prompts Ohio pact with McAfee for SafeBoot - Still
reeling from a massive data breach caused by a stolen backup tape,
the state of Ohio is planning to provide government agencies and
schools with access to encryption software in 2008 to help protect
Commercial banking accounts targeted by Prg trojan variant - UpLevel,
a Russian criminal organization, and its German affiliates are using
a version of the Prg trojan to attack commercial banking clients,
according to anti-virus vendor SecureWorks.
Insurer gets record fine for ID theft disaster - $6.6 million lifted
by social engineers while firm did next to nothing - A U.K.
insurance house has been slapped with a record fine by the Financial
Services Authority (FSA) watchdog for incompetent customer account
Bank a/c hacker nabbed - In a major breakthrough, Karnataka's Cyber
Crime police of the Corps of Detectives (CoD) arrested seven
persons, who allegedly hacked various bank accounts (internet) and
siphoned off close to Rs 12 lakh.
The kingpin of the racket, Joseph, an unemployed techie hailing from
Virudunagar in Madurai district of Tamil Nadu, was nabbed from a
cyber cafe in Mahadevapura near Whitefield by the police on November
29. Six of his associates have also been nabbed.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
UK.gov loses driver ID data - Unencrypted computer discs containing
the names and addresses of 6,000 Northern Ireland motorists has gone
missing in the post.
Stolen laptop holds private information - Sutter Lakeside Hospital (SLH)
reported Monday that a laptop computer containing personal and
medical information of approximately 45,000 former patients,
employees and physicians has been stolen from the residence of a
contractor. It has not been recovered.
Deloitte partner, principal confidential information on stolen
laptop - A laptop containing the personal information of an
undisclosed number of Deloitte & Touche partners, principals and
other employees was stolen while in possession of a contractor
responsible for scanning the accounting firm's pension fund
documents, SCMagazineUS.com learned.
'Sensitive' security data is lost - Electronic details of the new
security system protecting Parliament have been lost, sparking a
Commons security alert.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Truth in Lending Act (Regulation Z)
The commentary to regulation Z was amended recently to clarify that
periodic statements for open-end credit accounts may be provided
electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day rule,"
requiring mailing or delivery of the statement not later than 14
days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options. Financial
institutions should ensure that on-line advertising complies with
the regulations. For on-line advertisements that may be deemed to
contain more than a single page, financial institutions should
comply with the regulations, which describe the requirements for
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
begin our series on the FFIEC interagency Information Security
Booklet. This booklet is required reading for anyone
involved in information systems security, such as the Network Administrator,
Information Security Officer, members of the IS Steering Committee,
and most important your outsourced network security consultants.
Your outsourced network security consultants can receive the
"Internet Banking News" by completing the subscription for
There is no charge for the e-newsletter.
Information security enables a financial institution to meet its
business objectives by implementing business systems with due
consideration of information technology (IT) - related
risks to the organization, business and trading partners, technology
service providers, and customers. Organizations meet this goal by
striving to accomplish the following objectives.
1) Availability - The
ongoing availability of systems addresses the processes, policies,
and controls used to ensure authorized users have prompt access to
information. This objective protects against intentional or
accidental attempts to deny legitimate users access to information
2) Integrity of Data or
Systems - System and data integrity relate to the processes,
policies, and controls used to ensure information has not been
altered in an unauthorized manner and that systems are free from
unauthorized manipulation that will compromise accuracy,
completeness, and reliability.
3) Confidentiality of
Data or Systems - Confidentiality covers the processes, policies,
and controls employed to protect information of customers and the
institution against unauthorized access or use.
4) Accountability -
Clear accountability involves the processes, policies, and controls
necessary to trace actions to their source. Accountability directly
supports non-repudiation, deterrence, intrusion prevention,
intrusion detection, recovery, and legal admissibility of records.
5) Assurance -
Assurance addresses the processes, policies, and controls used to
develop confidence that technical and operational security measures
work as intended. Assurance levels are part of the system design and
include availability, integrity, confidentiality, and
accountability. Assurance highlights the notion that secure systems
provide the intended functionality while preventing undesired
Appropriate security controls are necessary for financial
institutions to challenge potential customer or user claims that
they did not initiate a transaction. Financial institutions can
accomplish this by achieving both integrity and accountability to
produce what is known as non-repudiation. Non-repudiation occurs
when the financial institution demonstrates that the originators who
initiated the transaction are who they say they are, the recipient
is the intended counter party, and no changes occurred in transit or
storage. Non-repudiation can reduce fraud and promote the legal
enforceability of electronic agreements and transactions. While
non-repudiation is a goal and is conceptually clear, the manner in
which non-repudiation can be achieved for electronic systems in a
practical, legal sense may have to wait for further judicial
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
the adequacy of policies and procedures for authentication and
access controls to manage effectively the risks to the financial
• Evaluate the processes that management uses to define access
rights and privileges (e.g., software and/or hardware systems
access) and determine if they are based upon business need
• Review processes that assign rights and privileges and ensure
that they take into account and provide for adequate segregation of
• Determine if access rights are the minimum necessary for
business purposes. If greater access rights are permitted, determine
why the condition exists and identify any mitigating issues or
• Ensure that access to operating systems is based on either a
need-to-use or an event-by-event basis.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
8) Do the initial, annual, and revised privacy notices include
each of the following, as applicable: (Part 2 of 2)
e) if the institution discloses nonpublic personal information
to a nonaffiliated third party under §13, and no exception under §14
or §15 applies, a separate statement of the categories of
information the institution discloses and the categories of third
parties with whom the institution has contracted; [§6(a)(5)]
f) an explanation of the opt out right, including the method(s)
of opt out that the consumer can use at the time of the notice; [§6(a)(6)]
g) any disclosures that the institution makes under §603(d)(2)(A)(iii)
of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]
h) the institution's policies and practices with respect to
protecting the confidentiality and security of nonpublic personal
information; [§6(a)(8)] and
i) a general statement--with no specific reference to the
exceptions or to the third parties--that the institution makes
disclosures to other nonaffiliated third parties as permitted by
law? [§6(a)(9), (b)]