FYI - Homeland Security offers guidelines for handling, reporting cyberpests and threats.
http://www.pcworld.com/resource/printable/article/0,aid,115955,00.asp

FYI - IT auditors coveted, hard to find - Looming deadlines for Sarbanes-Oxley Act compliance have led accounting firms and other companies that are scrambling to comply with the financial-reporting law to ramp up their recruiting of workers who have essential IT auditing experience.
http://www.computerworld.com/printthis/2004/0,4814,92819,00.html

FYI - Mobile flaws expose executives to bugging - EXECUTIVES at some of Britain's biggest companies are using mobile phones that can be secretly tracked and bugged, despite a series of Times investigations demonstrating gaping holes in handset security.
http://business.timesonline.co.uk/article/0,,8209-1092789,00.html

FYI - Barnesandnoble.com hit with fine for online security breach - Barnesandnoble.com will pay $60,000 in costs and penalties and establish an information security program to protect personal information; establish management oversight and employee training programs; and hire an external auditor to monitor compliance with the security program.
http://www.computerworld.com/printthis/2004/0,4814,92804,00.html

FYI - Training boosts enterprise security - Enterprises that invest in security training and certification are less likely to experience major security breaches, according to a recent study by the Computing Technology Industry Association.
http://www.idg.com.hk/cw/printstory.asp?aid=20040428001

FYI - U.S. hit by rise in 'phishing' attacks - An estimated one in five Americans were the target of a "phishing" attack in the past year, as the number of such Internet scams rose dramatically.
http://news.com.com/2100-7355_3-5207297.html?tag=nefd.top

FYI - The Federal Reserve Board on Tuesday announced amendments to Appendix A of Regulation CC, effective July 10, 2004, that reflect the restructuring of the Federal Reserve's check processing operations in the Eleventh District.
www.federalreserve.gov/boarddocs/press/bcreg/2004/20040504/default.htm

FYI - New Guidance for Examiners, Financial Institutions and Technology Service Providers on Retail Payment Systems - The Federal Financial Institutions Examination Council has issued a booklet with guidance on evaluating retail payment systems. The booklet is the seventh in a series of updates, which will eventually replace the 1996 FFIEC Information Systems Examination Handbook and comprise the new FFIEC Information Technology Examination Handbook.
www.fdic.gov/news/news/financial/2004/fil4804.html
INTERNET COMPLIANCE - Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to
make deposited funds available for withdrawal apply in the
electronic financial services environment. This includes rules on
fund availability schedules, disclosure of policy, and payment of
interest. Recently, the FRB published a commentary that clarifies
requirements for providing certain written notices or disclosures to
customers via electronic means. Specifically, the commentary to the
regulations states that a financial institution satisfies both the
written exception hold notice requirement and the general disclosure
requirement by sending an electronic version that displays the text
and is in a form that the customer may keep. However, the customer
must agree to such means of delivery of notices and disclosures.
Information is considered to be in a form that the customer may keep
if, for example, it can be downloaded or printed by the customer. To
reduce compliance risk, financial institutions should test their
programs' ability to provide disclosures in a form that can be
downloaded or printed.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
ENCRYPTION - HOW ENCRYPTION WORKS
In general, encryption functions by taking data and a variable,
called a "key," and processing those items through a fixed algorithm
to create the encrypted text. The strength of the encrypted text is
determined by the entropy, or degree of uncertainty, in the key and
the algorithm. Key length and key selection criteria are important
determinants of entropy. Greater key lengths generally indicate more
possible keys. More important than key length, however, is the
potential limitation of possible keys posed by the key selection
criteria. For instance, a 128-bit key has much less than 128 bits of
entropy if it is selected from only certain letters or numbers. The
full 128 bits of entropy will only be realized if the key is
randomly selected across the entire 128-bit range.
The encryption algorithm is also important. Creating a mathematical
algorithm that does not limit the entropy of the key and testing the
algorithm to ensure its integrity are difficult. Since the strength
of an algorithm is related to its ability to maximize entropy
instead of its secrecy, algorithms are generally made public and
subject to peer review. The more that the algorithm is tested by
knowledgeable worldwide experts, the more the algorithm can be
trusted to perform as expected. Examples of public algorithms are
AES, DES and Triple DES, SHA-1, and RSA.
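The booklet's point about key selection criteria is easy to quantify: a key that occupies 128 bits but whose bytes are chosen only from certain letters or numbers has far fewer than 128 bits of entropy. The Python below is an added example, not code from the FFIEC booklet or this newsletter; the policy names, the POLICIES table and the functions are constructed for illustration. It computes the effective entropy of a 16-byte key under several hypothetical selection policies, generates keys uniformly with a cryptographically secure random source, and measures the symbol entropy actually observed in a sample of generated keys.

```python
import math
import secrets
import string
from collections import Counter

KEY_BYTES = 16  # a 128-bit key, the size the booklet uses as its example

# Constructed key-selection policies (hypothetical names). Each maps to the
# set of symbols a key position may take; None means any of the 256 byte
# values, i.e. a key drawn across the entire 128-bit range.
POLICIES = {
    "random bytes": None,
    "alphanumeric": string.ascii_letters + string.digits,  # 62 symbols
    "lowercase letters": string.ascii_lowercase,           # 26 symbols
    "hex digits as text": string.hexdigits[:16],           # 16 symbols
    "decimal digits": string.digits,                       # 10 symbols
}


def alphabet_size(policy):
    """Number of distinct values one key position can take under a policy."""
    symbols = POLICIES[policy]
    return 256 if symbols is None else len(symbols)


def entropy_bits(alphabet, key_len=KEY_BYTES):
    """Entropy of a key whose positions are chosen independently and
    uniformly from `alphabet` symbols: log2 of the number of possible keys."""
    return key_len * math.log2(alphabet)


def compare_policies(key_len=KEY_BYTES):
    """For each policy, report effective entropy, how many bits of the
    nominal key length the selection criteria throw away, and the keyspace."""
    nominal = 8 * key_len
    report = {}
    for policy in POLICIES:
        bits = entropy_bits(alphabet_size(policy), key_len)
        report[policy] = {
            "effective_bits": bits,
            "lost_bits": nominal - bits,
            "possible_keys": alphabet_size(policy) ** key_len,
        }
    return report


def generate_key(policy, key_len=KEY_BYTES):
    """Select a key uniformly under the policy using a CSPRNG (the `secrets`
    module); a non-cryptographic generator would reduce the entropy further."""
    symbols = POLICIES[policy]
    if symbols is None:
        return secrets.token_bytes(key_len)
    return "".join(secrets.choice(symbols) for _ in range(key_len)).encode()


def empirical_bits_per_position(keys):
    """Shannon entropy, in bits per key position, of the symbol frequencies
    observed across a sample of keys. It can never exceed log2(alphabet)."""
    counts = Counter(b for key in keys for b in key)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


if __name__ == "__main__":
    for policy, row in compare_policies().items():
        print(f"{policy:20s} {row['effective_bits']:6.1f} bits "
              f"({row['lost_bits']:5.1f} bits lost, "
              f"{row['possible_keys']:.3e} possible keys)")
    sample = [generate_key("decimal digits") for _ in range(2000)]
    print("observed bits per position for digit keys:",
          round(empirical_bits_per_position(sample), 2),
          "<= log2(10) =", round(math.log2(10), 2))
```

Running it shows the gap the booklet describes: keys built from decimal digits carry about 53 bits, from lowercase letters about 75, and from alphanumerics about 95, while only keys drawn from all 256 byte values reach the full 128 bits. The empirical check is a sanity test on a generator, not a proof of its quality: a biased generator can pass it while still being predictable.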
IT SECURITY QUESTION: E. PHYSICAL SECURITY
3. Determine whether:
• Authorization for physical access to critical or sensitive
information-processing facilities is granted according to an
appropriate process;
• Authorizations are enforceable by appropriate preventive,
detective, and corrective controls; and
• Authorizations can be revoked in a practical and timely manner.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
44. If the institution receives information from a nonaffiliated financial institution under an exception in §14 or §15, does the institution refrain from using or disclosing the information except:
a. to disclose the information to the affiliates of the
financial institution from which it received the information; [§11(a)(1)(i)]
b. to disclose the information to its own affiliates, which
are in turn limited by the same disclosure and use restrictions as
the recipient institution; [§11(a)(1)(ii)] and
c. to disclose and use the information pursuant to an
exception in §14 or §15 in the ordinary course of business to
carry out the activity covered by the exception under which the
information was received? [§11(a)(1)(iii)]
(Note: the disclosure or use described in section c of
this question need not be directly related to the activity covered
by the applicable exception. For instance, an institution receiving
information for fraud-prevention purposes could provide the
information to its auditors. But "in the ordinary course of
business" does not include marketing. [§11(a)(2)])
IN CLOSING - The FFIEC interagency Information Security Booklet states in part that financial institutions should have at least an annual independent penetration test. Did you know that there are over 3,300 known vulnerabilities with approximately 25 new vulnerabilities added every week? As IS auditors, we can provide the independent penetration-vulnerability testing to help protect {custom4} from unauthorized external access. Why should you use the VISTA security testing services instead of another company? For more information, please visit our web site at http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.