March 30, 2003
FYI - Research just completed by the Computing Technology
Industry Association claims to show that human error is
the most frequent cause of IT security breaches. http://www.computerworld.com/careertopics/careers/training/story/0,10801,79485,00.html
FYI - Telecommunications Service Priority (TSP) Program - Attached is the
Financial and Banking Information Infrastructure Committee policy
for the sponsorship of critical private sector entities' access to
the Telecommunication Service Priority Program administered by the
National Communications System. This document explains the
circumstances under which qualifying institutions may seek federal
sponsorship for the TSP Program.
Press release: www.occ.treas.gov/ftp/bulletin/2003-13.txt
Attachment: http://www.fbiic.gov/policies.htm
Attachment: http://www.occ.treas.gov/fr/fedregister/67fr72957.pdf
FYI - States need cybersecurity focus - A new Zeichner Risk Analytics
LLC study found 36 state governments have failed to prepare, adopt
and implement acceptable cybersecurity policies, which could have
damaging consequences to citizen services, communication systems and
critical utilities if the nation were to undergo cyberattacks.
http://www.fcw.com/geb/articles/2003/0324/web-secure-03-24-03.asp
FYI - The number of European consumers who bank online
will reach almost 60 million in 2003, nearly triple the number
three years ago, underscoring how important the Internet remains to
the financial industry, a new report says.
http://news.com.com/2100-1019-994496.html?tag=cd_mh
FYI - SECURITY TRAINING - If employees have
responsibility for security -- whether as system administrators or
as security officers, analysts, or consultants -- their employer
deserves to know that they have mastered the minimum set of
essential skills needed to do the job. Those are the skills covered
in the GIAC Security Essentials course (SANS Track 1) and
examinations. (Track 1
Boot Camp also includes the CISSP CBK.) If Track 1 is too advanced,
the SANS Security+ (SANS Track 9) program is a great starting point.
Attend live training in ten cities, mentored training in thirty more
cities, or ask to schedule a course at your location. Details at http://www.sans.org
FYI - Firewalls set to become illegal in many American states - An
interesting piece of news has surfaced
that will have sys admins fainting in disbelief. Eight states have
put forward bills that would have a devastating effect on network
security and even networks themselves if they come to pass. http://www.theinquirer.net/?article=8595
INTERNET COMPLIANCE - "Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement.
Conversely, subsidiary web pages that relate to loans do not
require the official advertising statement.
INFORMATION SYSTEMS SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet. This booklet is required reading for anyone
involved in information systems security, such as the Network Administrator,
Information Security Officer, members of the IS Steering Committee,
and most important your outsourced network security consultants.
Your outsourced network security consultants can receive the
"Internet Banking News" by completing the subscription form
at https://yennik.com/newletter_page.htm.
There is no charge for the e-newsletter.
SECURITY PROCESS
Action Summary - Financial institutions should implement an ongoing
security process, and assign clear and appropriate roles and
responsibilities to the board of directors, management, and
employees.
OVERVIEW
The security process is the method an organization uses to implement
and achieve its security objectives. The process is designed to
identify, measure, manage and control the risks to system and data
availability, integrity, and confidentiality, and ensure
accountability for system actions. The process includes five areas
that serve as the framework for this booklet:
1) Information Security Risk Assessment - A process to identify threats,
vulnerabilities, attacks, probabilities of occurrence, and outcomes.
2) Information Security Strategy - A plan to mitigate risk that integrates technology,
policies, procedures and training. The plan should be reviewed and
approved by the board of directors.
3) Security Controls Implementation - The acquisition and operation of technology, the
specific assignment of duties and responsibilities to managers and
staff, the deployment of risk-appropriate controls, and assurance
that management and staff understand their responsibilities and have
the knowledge, skills, and motivation necessary to fulfill their
duties.
4) Security Testing - The use of various methodologies to gain assurance that risks are
appropriately assessed and mitigated. These testing methodologies
should verify that significant controls are effective and performing
as intended.
5) Monitoring and Updating - The process of continuously gathering and analyzing
information regarding new threats and vulnerabilities, actual
attacks on the institution or others combined with the effectiveness
of the existing security controls. This information is used to
update the risk assessment, strategy, and controls. Monitoring and
updating makes the process continuous instead of a one-time event.
Security risk variables include threats, vulnerabilities, attack
techniques, the expected frequency of attacks, financial institution
operations and technology, and the financial institution’s
defensive posture. All of these variables change constantly.
Therefore, an institution’s management of the risks requires an
ongoing process.
INFORMATION SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Access Rights Administration
2. Determine if the user registration and enrollment process
• Uniquely identifies the user,
• Verifies the need to use the system according to appropriate
policy,
• Enforces a unique user ID,
• Assigns and records the proper security attributes (e.g.,
authorization),
• Enforces the assignment or selection of an authenticator that
agrees with the security policy,
• Securely distributes any initial shared secret authenticator or
token, and
• Obtains acknowledgement from the user of acceptance of the terms
of use.
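The six registration criteria above can be enforced in code rather than only checked on paper. The following is an added illustration, not part of the FFIEC booklet or this newsletter; the policy constants, role catalog, and the Registry/Enrollment names are constructed for the example, and the user-chosen authenticator is validated but not stored.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed policy values for this example; an institution's own policy sets these.
MIN_AUTHENTICATOR_LEN = 12
APPROVED_ROLES = {"teller", "loan_officer", "security_admin"}

@dataclass
class Enrollment:
    user_id: str
    person_ref: str       # identity-proofing reference (e.g. an HR record): one person per ref
    roles: frozenset      # security attributes (authorization) assigned and recorded at enrollment
    token_hash: str       # hash of the one-time activation token; the token itself is never kept
    acknowledged: bool = False
    active: bool = False

class Registry:
    """Enrollment workflow that enforces each item of the registration checklist."""
    def __init__(self):
        self._users = {}
        self._persons = set()

    def enroll(self, user_id, person_ref, roles, authenticator):
        roles = frozenset(roles)
        if user_id in self._users:
            raise ValueError("user ID already assigned")          # enforces a unique user ID
        if person_ref in self._persons:
            raise ValueError("person already enrolled")           # uniquely identifies the user
        if not roles or not roles <= APPROVED_ROLES:
            raise ValueError("roles not permitted by policy")     # need to use verified against policy
        if len(authenticator) < MIN_AUTHENTICATOR_LEN or authenticator.isalpha():
            raise ValueError("authenticator violates policy")     # selection must agree with policy
        token = secrets.token_urlsafe(24)                         # initial shared secret
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._users[user_id] = Enrollment(user_id, person_ref, roles, token_hash)
        self._persons.add(person_ref)
        return token   # returned once, for delivery over the secure channel policy requires

    def activate(self, user_id, token, accepted_terms):
        e = self._users[user_id]
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not e.token_hash or not secrets.compare_digest(presented, e.token_hash):
            raise ValueError("invalid or already used activation token")
        if not accepted_terms:
            raise ValueError("terms of use not acknowledged")     # acknowledgement is mandatory
        e.acknowledged = True
        e.active = True
        e.token_hash = ""                                         # token is single use
        return e
```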
PRIVACY
- We continue our coverage of the various issues in the "Privacy of
Consumer Financial Information" published by the financial
regulatory agencies.
Financial Institution Duties (Part 4 of 6)
Requirements for Notices (continued)
Notice Content. A privacy notice must contain specific
disclosures. However, a financial institution may provide to
consumers who are not customers a "short form" initial
notice together with an opt out notice stating that the
institution's privacy notice is available upon request and
explaining a reasonable means for the consumer to obtain it. The
following is a list of disclosures regarding nonpublic personal
information that institutions must provide in their privacy notices,
as applicable:
1) categories of information collected;
2) categories of information disclosed;
3) categories of affiliates and nonaffiliated third parties to
whom the institution may disclose information;
4) policies with respect to the treatment of former customers'
information;
5) information disclosed to service providers and joint
marketers (Section 13);
6) an explanation of the opt out right and methods for opting
out;
7) any opt out notices the institution must provide under the
Fair Credit Reporting Act with respect to affiliate information
sharing;
8) policies for protecting the security and confidentiality of
information; and
9) a statement that the institution makes disclosures to other
nonaffiliated third parties as permitted by law (Sections 14 and
15).