GRAY GHOST - Because of
scheduling problems, I was not able to go on the annual horseback
ride to northern New Mexico this year. I was able to go on a
cattle roundup this summer, and Gray Ghost was moved into new living
quarters. I posted some pictures that I hope you enjoy during
the Christmas season at
FYI - "The Top 10
Reasons Why Users Should Not Have Local Admin Rights." This was a
fun discussion on the NTSYSADMIN list that I thought was useful for
all of us: (Found on
10. Allows malware to really *REALLY* hose the PC if it gets hit
9. Allows users to mess up their settings royally
8. Administrative nightmare to manage
7. Must spend more time ghosting machines because of 10, 9, and 8
6. Users get rather pissy about the loss of data stemming from 7
5. Any corporate software and mail policy can be easily broken
4. They can undermine anything administratively done to their machines
3. With only minor creativity in phrasing, local admin rights can
easily violate Sarbanes-Oxley and other pseudo-security legislation
2. Users can load any software, even illegal stuff...
1. Makes corporate security people laugh so hard, they can't
effectively do their jobs
FYI - Court Says
Interior Dept. Can Stay Online - The U.S. Interior Department can
keep its computers connected to the Internet despite the fact that
payments owed to American Indians are vulnerable to hackers, an
appeals court ruled.
FYI - Australia
Government launches anti-cyberterrorism campaign - The government is
seeking help from the IT community to help identify and plug
vulnerabilities in Australia's critical infrastructure to protect
citizens from cyber terrorism. Attorney-General Philip Ruddock
announced the government was going to spend more than AU$8 million
on the Computer Network Vulnerability Assessment (CNVA) program,
which will identify and plug any security vulnerabilities in the
"computer networks and systems that support the provision of
essential services to Australians."
FYI - S'pore pushes
business continuity, disaster recovery standard - A new
certification program has been developed in Singapore to help raise
the quality of business continuity and disaster recovery services,
and establish the island-state as a key destination for high-end
business process outsourcing services.
FYI - Tech firms, FBI to
fight phishing - A group of Internet companies and law-enforcement
agencies said Wednesday that they will work together to track down
online scam artists who pose as banks and other legitimate
businesses, a practice known as phishing.
FYI - Lowe's Hardware Hacker Gets Nine Years - One of three
Michigan men who hacked into the national computer system of Lowe's
hardware stores and tried to steal customers' credit card
information was sentenced Wednesday to nine years in federal prison.
COMPLIANCE - Disclosures/Notices (Part 2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INFORMATION SYSTEMS SECURITY - We
continue our series on the FFIEC interagency Information Security
INSURANCE (Part 1 of 2)
Insurance coverage is rapidly evolving to meet the growing number of
security-related threats. Coverage varies by insurance company, but
currently available insurance products may include coverage for the
! Vandalism of financial institution Web sites,
! Denial-of-service attacks,
! Loss of income,
! Computer extortion associated with threats of attack or disclosure
! Theft of confidential information,
! Privacy violations,
! Litigation (breach of contract),
! Destruction or manipulation of data (including viruses),
! Fraudulent electronic signatures on loan agreements,
! Fraudulent instructions through e-mail,
! Third-party risk from companies responsible for security of
financial institution systems or information,
! Insiders who exceed system authorization, and
! Incident response costs related to the use of negotiators, public
relations consultants, security and computer forensic consultants,
programmers, replacement systems, etc.
Financial institutions can attempt to insure against these risks
through existing blanket bond insurance coverage added on to address
specific threats. It is important that financial institutions
understand the extent of coverage and the requirements governing the
reimbursement of claims. For example, financial institutions should
understand the extent of coverage available in the event of security
breaches at a third-party service provider. In such a case, the
institution may want to consider contractual requirements that
require service providers to maintain adequate insurance to cover
When considering supplemental insurance coverage for security
incidents, the institution should assess the specific threats in
light of the impact these incidents will have on its financial,
operational, and reputation risk profiles. Obviously, when a
financial institution contracts for additional coverage, it should
ensure that it is aware of and prepared to comply with any required
security controls both at inception of the coverage and over the
term of the policy.
1. Review the information security risk
assessment and identify those items and areas classified as
2. Evaluate the appropriateness of the criteria used to select the
type of encryption/cryptographic algorithms.
! Consider if cryptographic algorithms are both publicly known
and widely accepted (e.g. RSA, SHA, Triple DES, Blowfish, Twofish,
etc.) or banking industry standard algorithms.
! Note the basis for choosing key sizes (e.g., 40-bit,
128-bit) and key space.
! Identify management's understanding of cryptography and
expectations of how it will be used to protect data.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Redisclosure of nonpublic personal information received from a
nonaffiliated financial institution outside of Sections 14 and 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure of the
information where the institution is the recipient of nonpublic
personal information (§11(b)).
B. Select a sample of data received from nonaffiliated financial
institutions and shared with others to evaluate the financial
institution's compliance with redisclosure limitations.
1. Verify that the institution's redisclosure of the
information was only to affiliates of the financial institution from
which the information was obtained or to the institution's own
affiliates, except as otherwise allowed in step 2 below (§11(b)(1)(i)).
2. If the institution shares information with entities other
than those under step 1 above, verify that the institution's
information sharing practices conform to those in the nonaffiliated
financial institution's privacy notice (§11(b)(1)(iii)).
3. Also, review the procedures used by the institution to
ensure that the information sharing reflects the opt out status of
the consumers of the nonaffiliated financial institution (§§10,
IN CLOSING - The FFIEC interagency
Internet guidelines require financial institution web sites to comply
with consumer compliance, advertising, notifications, weblinking, and other federal
regulations. We have identified 17 federal regulations and over 130 issues
that relate to an institution's web site. We also verify weblinks for
functionality and appropriateness. As a former bank examiner with
over 40 years' experience, we audit web sites following the FFIEC Internet
guidelines for financial institutions across the country. Visit
and learn how we can assist your financial institution.