April 20, 2003
FYI- Lawyers see security suit-riddled future - At the RSA Conference 2003, lawyers outlined a hypothetical scenario in which Harry the Hacker, angry because he's been fired, decides to put his computing skills to work for nefarious purposes. http://news.com.com/2100-1009-996935.html?part=dht&tag=ntop
FYI- Security is on every IT manager’s priority list, but what is security and how can executives measure and promote their efforts? http://news.com.com/2100-1009-997231.html?tag=cd_mh
FYI- Three U.S. regulatory agencies have released disaster recovery guidelines for financial institutions, notable for their lack of any recommended minimum distance between primary and secondary data centers and for their recognition that achieving many of the goals could take years.
Article: http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,80262,00.html
White paper: http://www.sec.gov/news/studies/34-47638.htm
FYI- Fake bank site part of Nigerian scam - They’re certainly persistent. Another flavor of the well-known Nigerian scam has popped up, this one even more elaborate than the familiar e-mail solicitation. http://www.msnbc.com/news/900824.asp?vts=041820030250
INTERNET COMPLIANCE - Disclosures/Notices (Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can
"keep" the disclosure. A consumer using certain electronic
devices, such as Web TV, may not be able to print or download the
disclosure. If feasible, a financial institution may wish to include
in its on-line program the ability for consumers to give the
financial institution a non-electronic address to which the
disclosures can be mailed.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
Action Summary - Financial institutions must maintain an ongoing information security risk assessment program that effectively:
1) Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
2) Analyzes the probability and impact associated with the known threats and vulnerabilities to its assets; and
3) Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and testing necessary for effective mitigation.
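The three steps above, worked through on a small constructed risk register. This is an added illustration, not tooling from the FFIEC booklet; the 1-5 likelihood and impact scales, the control-strength adjustment, and the score thresholds that select training, controls, or testing are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added illustration of the booklet's three-step program using a constructed
# register; the 1-5 scales and the thresholds below are assumptions.

@dataclass
class Risk:
    asset: str             # information or technology asset (step 1 data)
    threat: str            # threat to that asset
    vulnerability: str     # weakness the threat could exploit
    likelihood: int        # 1 (rare) .. 5 (expected), before controls
    impact: int            # 1 (negligible) .. 5 (severe)
    control_strength: int  # 0 (no control) .. 4 (strong existing control)

def residual_score(r: Risk) -> int:
    """Step 2: probability x impact, with existing controls reducing the
    likelihood (never below 1)."""
    effective_likelihood = max(1, r.likelihood - r.control_strength)
    return effective_likelihood * r.impact

def mitigation_level(score: int) -> str:
    """Step 3: map a score onto the booklet's three mitigation levers.
    Thresholds are an assumption for the example."""
    if score >= 15:
        return "controls+testing"  # add controls and verify them by testing
    if score >= 8:
        return "controls"
    return "training"

def prioritize(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Rank the register highest residual risk first."""
    ranked = sorted(register, key=residual_score, reverse=True)
    return [(f"{r.asset}/{r.threat}", residual_score(r),
             mitigation_level(residual_score(r))) for r in ranked]

# Step 1: constructed sample data, not real findings.
SAMPLE_REGISTER = [
    Risk("online banking server", "remote exploit", "unpatched web stack", 4, 5, 1),
    Risk("customer database", "insider misuse", "excess access rights", 3, 5, 3),
    Risk("branch workstations", "malware via e-mail", "no attachment filtering", 4, 3, 0),
    Risk("public web site", "defacement", "weak admin password", 3, 2, 2),
]

if __name__ == "__main__":
    for name, score, action in prioritize(SAMPLE_REGISTER):
        print(f"{score:2d}  {action:17s} {name}")
```

Note that the strongly controlled database risk drops to the lowest tier even though its raw impact is the highest, which is why the booklet asks for existing controls to be gathered before the analysis step.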
INFORMATION SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Access Rights Administration
6. Determine that, where appropriate and feasible, programs do not run with greater access to other resources than necessary. Programs to consider include application programs, network administration programs (e.g., DNS), and other programs.
7. Compare the access control rules establishment and assignment
processes to the access control policy for consistency.
PRIVACY - We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.
Other Matters
Fair Credit Reporting Act
The regulations do not modify, limit, or supersede the operation
of the Fair Credit Reporting Act.
State Law
The regulations do not supersede, alter, or affect any state
statute, regulation, order, or interpretation, except to the extent
that it is inconsistent with the regulations. A state statute,
regulation, order, etc. is consistent with the regulations if the
protection it affords any consumer is greater than the protection
provided under the regulations, as determined by the FTC.
Grandfathered Service Contracts
Contracts that a financial institution has entered into, on or
before July 1, 2000, with a nonaffiliated third party to perform
services for the financial institution or functions on its behalf,
as described in section 13, will satisfy the confidentiality
requirements of section 13(a)(1)(ii) until July 1, 2002, even if the
contract does not include a requirement that the third party
maintain the confidentiality of nonpublic personal information.
Guidelines Regarding Protecting Customer Information
The regulations require a financial institution to disclose its
policies and practices for protecting the confidentiality, security,
and integrity of nonpublic personal information about consumers
(whether or not they are customers). The disclosure need not
describe these policies and practices in detail, but instead may
describe in general terms who is authorized to have access to the
information and whether the institution has security practices and
procedures in place to ensure the confidentiality of the information
in accordance with the institution's policies.
The four federal bank and thrift regulators have published
guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley
Act, that address steps a financial institution should take in order
to protect customer information. The guidelines relate only to
information about customers, rather than all consumers. Compliance
examiners should consider the findings of a 501(b) inspection during
the compliance examination of a financial institution for purposes
of evaluating the accuracy of the institution's disclosure regarding
data security.
Next week we will start covering the examination objectives.