February 2, 2003
VERY IMPORTANT FOR IS MANAGERS -
Federal Financial Regulators Release Information Security Booklet,
First In A Series - The Federal Financial Institutions Examination
Council today issued revised guidance for examiners and financial
institutions to use in identifying information security risks and
evaluating the adequacy of controls and applicable risk management
practices of financial institutions. www.ffiec.gov/press/pr012903.htm
OTS: www.ots.treas.gov/docs/77303.html
FYI - A massive Internet
outage that swept across Asia and slowed down service in the United
States and northern Europe subsided Sunday, caused by a so-called
"Slammer" message worm that could
easily have been avoided, experts said. See IN
CLOSING below.
Article: http://www.washtimes.com/upi-breaking/20030126-043023-3604r.htm
Another article: http://www.washingtonpost.com/wp-dyn/articles/A43267-2003Jan25.html
FYI - University of Kansas officials discovered that a computer hacker
downloaded personal information gathered on 1,450 of its international
students. http://www.thekansascitychannel.com/education/1930636/detail.html
FYI - A devastating firestorm raged through Canberra and its outskirts.
More than four hundred homes and multiple businesses were destroyed,
along with the historic Mt Stromlo Observatory, which was
established in the 1920s.
Millions of units of data collected as part of its research over the
years have been salvaged thanks to a comprehensive
disaster recovery plan
implemented by the Australian National University's (ANU) division
of information. http://www.zdnet.com.au/newstech/enterprise/story/0,2000025001,20271482,00.htm
FYI - FTC sees surge in identity theft - Complaints about identity theft
have risen 73 percent from a year ago, according to a new report
from the Federal Trade Commission. http://zdnet.com.com/2100-1105-981489.html
FYI - Rampant cordless keyboard strikes again - Hewlett-Packard Norway
will no longer guarantee their cordless keyboards for security after
yet another report that they transmit keystrokes far afield.
http://www.aftenposten.no/english/local/article.jhtml?articleID=474623
INTERNET COMPLIANCE - Record Retention
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
INTERNET SECURITY - Over the next few weeks, we will
cover the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Customer Access."
Financial institutions are actively evaluating and implementing
wireless technology as a means to reach customers and reduce the
costs of implementing new networks. In light of this fast-developing
trend, the Federal Deposit Insurance Corporation (FDIC) is providing
financial institutions with the following information about the
risks associated with wireless technology and suggestions on
managing those risks. Please share this information with your Chief
Information Officer.
Wireless Technology and the Risks of Implementation
Wireless networks are rapidly becoming a cost-effective
alternative for providing network connectivity to financial
institution information systems. Institutions that are installing
new networks are finding the installation costs of wireless networks
competitive compared with traditional network wiring. Performance
enhancements in wireless technology have also made the adoption of
wireless networks attractive to institutions. Wireless networks
operate at speeds that are sufficient to meet the needs of many
institutions and can be seamlessly integrated into existing
networks. Wireless networks can also be used to provide connectivity
between geographically close locations without having to install
dedicated lines.
Wireless Internet access to banking applications is also becoming
attractive to financial institutions. It offers customers the
ability to perform routine banking tasks while away from the bank
branch, automated teller machines or their own personal computers.
Wireless Internet access is a standard feature on many new cellular
phones and hand-held computers.
Many of the risks that financial institutions face when implementing
wireless technology are risks that exist in any networked
environment (see FIL-67-2000, "Security Monitoring of Computer
Networks," dated October 3, 2000, and the 1996 FFIEC
Information Systems Examination Handbook, Volume 1, Chapter 15).
However, wireless technology carries additional risks that financial
institutions should consider when designing, implementing and
operating a wireless network. Common risks include the potential:
1) Compromise of customer information and transactions over
the wireless network;
2) Disruption of wireless service from radio transmissions of
other wireless devices;
3) Intrusion into the institution's network through wireless
network connections; and
4) Obsolescence of current systems due to rapidly changing
standards.
These risks could ultimately compromise the bank's computer system,
potentially causing:
1) Financial loss due to the execution of unauthorized
transactions;
2) Disclosure of confidential customer information, resulting
in - among other things - identity theft (see FIL-39-2001,
"Guidance on Identity Theft and Pretext Calling," dated
May 9, 2001, and FIL-22-2001, "Guidelines Establishing
Standards for Safeguarding Customer Information," dated March
14, 2001);
3) Negative media attention, resulting in harm to the
institution's reputation; and
4) Loss of customer confidence.
PRIVACY
- We continue our coverage of the various issues in the "Privacy of
Consumer Financial Information" published by the financial
regulatory agencies.
Nonpublic Personal Information:
"Nonpublic personal information" generally is any
information that is not publicly available and that:
1) a consumer provides to a financial institution to obtain a
financial product or service from the institution;
2) results from a transaction between the consumer and the
institution involving a financial product or service; or
3) a financial institution otherwise obtains about a consumer
in connection with providing a financial product or service.
Information is publicly available if an institution has a reasonable
basis to believe that the information is lawfully made available to
the general public from government records, widely distributed
media, or legally required disclosures to the general public.
Examples include information in a telephone book or a publicly
recorded document, such as a mortgage or securities filing.
Nonpublic personal information may include individual items of
information as well as lists of information. For example, nonpublic
personal information may include names, addresses, phone numbers,
social security numbers, income, credit score, and information
obtained through Internet collection devices (i.e., cookies).
There are special rules regarding lists. Publicly available
information would be treated as nonpublic if it were included on a
list of consumers derived from nonpublic personal information. For
example, a list of the names and addresses of a financial
institution's depositors would be nonpublic personal information
even though the names and addresses might be published in local
telephone directories because the list is derived from the fact that
a person has a deposit account with an institution, which is not
publicly available information.
However, if the financial institution has a reasonable basis to
believe that certain customer relationships are a matter of public
record, then any list of these relationships would be considered
publicly available information. For instance, a list of mortgage
customers where the mortgages are recorded in public records would
be considered publicly available information. The institution could
provide a list of such customers, and include on that list any other
publicly available information it has about the customers on that
list without having to provide notice or opt out.
IN CLOSING - Last weekend, the
massive Internet outage that swept across Asia and slowed down
service in the United States and northern Europe was caused by a
so-called "Slammer" message worm that could easily have
been avoided. This self-propagating worm is attacking
vulnerabilities in MS-SQL Server and is not detected by Anti-Virus
software. Our vulnerability-penetration study
has had detection signatures and links to verified remedies since
July 2002 for the MS-SQL vulnerabilities that are exploited by the
Worm. For more information on our vulnerability-penetration testing,
visit http://www.internetbankingaudits.com/.
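Because host antivirus did not catch this worm, the practical place to spot an infected machine was the network: Slammer spread as a single UDP datagram to the SQL Server Resolution Service on UDP port 1434 (a public fact, not stated in this newsletter), so a host that sprays UDP/1434 at many distinct destinations in a few seconds is almost certainly infected. The following is an added example, not part of the newsletter or of the vulnerability study it mentions; the firewall log format, thresholds and addresses are constructed.

```python
# Added example (not the newsletter's): flag hosts scanning UDP/1434, the
# SQL Server Resolution Service port Slammer spread through (public fact,
# not stated on the page).  Log format below is constructed.
from collections import defaultdict

SQL_RESOLUTION_PORT = 1434   # UDP service the worm targeted
SCAN_THRESHOLD = 5           # distinct destinations within WINDOW_SECONDS
WINDOW_SECONDS = 10

# Constructed firewall lines: "<epoch> <proto> <src>:<sport> -> <dst>:<dport> <bytes>"
SAMPLE_LOG = """\
1043600000 UDP 10.1.5.20:1180 -> 10.1.5.1:53 64
1043600001 UDP 10.1.7.44:3312 -> 203.0.113.9:1434 376
1043600001 UDP 10.1.7.44:3312 -> 198.51.100.2:1434 376
1043600002 UDP 10.1.7.44:3312 -> 192.0.2.77:1434 376
1043600002 UDP 10.1.7.44:3312 -> 203.0.113.200:1434 376
1043600003 UDP 10.1.7.44:3312 -> 198.51.100.9:1434 376
1043600005 UDP 10.1.5.31:4001 -> 10.1.9.5:1434 48
"""

def parse_line(line):
    """Return (ts, proto, src_ip, dst_ip, dst_port), or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    ts, proto, src, _, dst, _size = parts
    dst_ip, dst_port = dst.rsplit(":", 1)
    return int(ts), proto, src.rsplit(":", 1)[0], dst_ip, int(dst_port)

def find_slammer_scanners(log_text):
    """Return {src_ip: distinct UDP/1434 targets} for every source that
    reached SCAN_THRESHOLD distinct targets inside one WINDOW_SECONDS window.
    A single legitimate client querying one SQL server is not flagged."""
    hits = defaultdict(list)                     # src_ip -> [(ts, dst_ip)]
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec[1] == "UDP" and rec[4] == SQL_RESOLUTION_PORT:
            hits[rec[2]].append((rec[0], rec[3]))
    flagged = {}
    for src_ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            window = {d for t, d in events[i:] if t - t0 <= WINDOW_SECONDS}
            if len(window) >= SCAN_THRESHOLD:
                flagged[src_ip] = len({d for _, d in events})
                break
    return flagged
```

Running `find_slammer_scanners(SAMPLE_LOG)` flags only 10.1.7.44; the single UDP/1434 query from 10.1.5.31 to its own SQL server stays below the threshold. Blocking UDP/1434 at the perimeter and patching SQL Server (the July 2002 fix the newsletter refers to) remain the actual remedies.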