FYI - Information Security: Further Efforts Needed to Address Serious Weaknesses at USDA.
http://www.gao.gov/cgi-bin/getrpt?GAO-04-154, Highlights - http://www.gao.gov/highlights/d04154high.pdf
FYI - Is password-lending a cybercrime? According to Judge Buchwald in the Southern District of New York, Berkshire violated this law. The court reasoned that using the userid and password in violation of a contractual provision was an unauthorized access.
http://www.securityfocus.com/columnists/222
FYI - CIA to issue cyberterror intelligence estimate - The CIA, working with the FBI, the Department of Homeland Security and the Pentagon, this week will publish the first-ever classified National Intelligence Estimate (NIE) on the threat of cyberterrorism against U.S. critical infrastructures.
http://www.computerworld.com/printthis/2004/0,4814,90448,00.html
FYI - Security experts bemoan poor patching - Vulnerability assessment firm Qualys supported the statements, made during a panel discussion at the RSA Security Conference here, with data culled from monitoring its clients' networks. The data, collected over two years, shows that it takes a month to cut by half the number of vulnerable computers connected to the Internet.
http://news.com.com/2102-7355_3-5164650.html?tag=st.util.print
FYI - E-mail ensnarls bank in privacy inquiry - Southern Commercial Bank may have compromised the privacy of more than 40,000 customers - and may have violated state and federal guidelines - by e-mailing unsecured personal data to an independent computer programmer.
http://www.stltoday.com/stltoday/business/stories.nsf/0/9D53CE21E23D8AB486256E430024A17A?OpenDocument&Headline=E-mail+ensnarls+bank+in+privacy+inquiry
FYI - Security vendor mass-mails worm to clients - Antivirus firm F-Secure has apologised for sending the Netsky.B virus to several thousand of its UK customers and partners via a mailing list.
http://www.vnunet.com/News/1153081
FYI - Rep. Adam Putnam is working on a Clinger-Cohen Act amendment to add cybersecurity and enterprise architecture requirements.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25044
FYI - Should the Government Regulate Internet Security? But after 2003 - which all acknowledge was the worst year ever for worms, viruses and security breaches that cost billions of dollars in lost productivity - some question whether the free market is capable of producing a safe and secure Internet.
http://www.eweek.com/print_article/0,1761,a=120346,00.asp
FYI - ISU student charged with hacking former roommate's e-mail - An Iowa State University student was in jail Wednesday, charged with hacking into his former roommate's e-mail and sending messages falsely informing friends and relatives that he was homosexual.
http://www.usatoday.com/tech/news/2004-02-26-gay-mail_x.htm
INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule issued on March 20, 1998 allows depository institutions to satisfy the delivery requirement by sending any of these disclosures, and other information required by the act and regulations, by electronic communication, as long as the consumer agrees to that method of delivery.

Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services, including electronic financial services.

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated online. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as a personal computer or a facsimile machine.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 2 of 2)
Additional operating system access controls include the following actions:
! Ensure system administrators and security professionals have adequate expertise to securely configure and manage the operating system.
! Ensure effective authentication methods are used to restrict system access to both users and applications.
! Activate and utilize operating system security and logging capabilities and supplement with additional security software where supported by the risk assessment process.
! Restrict operating system access to specific terminals in physically secure and monitored locations.
! Lock or remove external drives from system consoles or terminals residing outside physically secure locations.
! Restrict and log access to system utilities, especially those with data-altering capabilities.
! Restrict access to operating system parameters.
! Prohibit remote access to sensitive operating system functions, where feasible, and at a minimum require strong authentication and encrypted sessions before allowing remote support.
! Limit the number of employees with access to sensitive operating systems and grant only the minimum level of access required to perform routine responsibilities.
! Segregate operating system access, where possible, to limit full or root-level access to the system.
! Monitor operating system access by user, terminal, date, and time of access.
! Update operating systems with security patches, using appropriate change control mechanisms.
IT SECURITY QUESTION:
D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)
1. Determine whether new workstations are prepared according to documented procedures for secure configuration or replication and that vulnerability testing takes place prior to deployment.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

35. Does the institution deliver the privacy and opt-out notices, including the short-form notice, so that the consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically? [§9(a)]