R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

January 20, 2008

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - California breach disclosure law covers medical records - California has extended its widely copied data breach notification law to encompass incidents including electronic medical and health insurance information. AB 1298, which took effect Tuesday, adds unencrypted medical histories and information on mental or physical conditions or diagnoses to the types of records covered by the Golden State's first-in-the-nation breach notification law. http://www.scmagazineus.com/California-data-breach-disclosure-law-extended-to-cover-medical-records/PrintArticle/100459/

FYI - Computer Forensics Faces Private Eye Competition - The Internet is boundless and cybercrime scenes stretch from personal desktops across the fiber networks that circle the globe. Digital forensic investigators like Harold Phipps, vice president of industry relations at Norcross Group in Norcross, Ga., routinely slip across conventional geographic jurisdictions in pursuit of digital evidence and wrongdoers. http://www.baselinemag.com/print_article2/0,1217,a=222483,00.asp

FYI - GAO - Information Security: IRS Needs to Address Pervasive Weaknesses.
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-08-211
Highlights - http://www.gao.gov/highlights/d08211high.pdf

FYI - Boeing's New 787 May Be Vulnerable to Hacker Attack - Boeing's new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane's control systems, according to the U.S. Federal Aviation Administration.
http://www.wired.com/politics/security/news/2008/01/dreamliner_security
http://www.theregister.co.uk/2008/01/07/boeing_dreamliner_hacker_concerns/print.html

FYI - Pennsylvania state government Web site hacked - No evidence of damage; source tracked to domain registered in China - Hackers from China infiltrated the Web site of the Pennsylvania state government, but officials said they found no evidence of damage.
http://www.msnbc.msn.com/id/22509653/
http://www.scmagazineus.com/Pennsylvania-government-website-back-online-after-hacking-attack-traced-to-China/article/100492/

FYI - Sears admits to joining spyware biz - A Harvard researcher has accused one of America's biggest retailers of sneaking privacy-stealing spyware from ComScore onto customers' machines. http://www.theregister.co.uk/2008/01/03/sears_snoopware_disclosure/print.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Nato secrets USB stick lost in Swedish library - The discovery of a USB memory stick containing classified NATO information in a library in Stockholm has prompted a meeting between the Swedish Military Intelligence and Security Service and foreign defence officials. http://www.theregister.co.uk/2008/01/04/another_stick_with_military_secrets_found/print.html

FYI - Clarkson stung after bank prank - Jeremy Clarkson found himself unexpectedly donating to charity - TV presenter Jeremy Clarkson has lost money after publishing his bank details in his newspaper column. The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people's personal details on two computer discs. http://news.bbc.co.uk/2/hi/entertainment/7174760.stm

FYI - Discount retail website Geeks.com hacked - The parent company of discount retail website Geeks.com has notified affected customers that a hacker may have accessed their credit card numbers and other personal information in a December incident. The website features the "hacker safe" notification from McAfee ScanAlert. http://www.scmagazineus.com/Discount-retail-website-Geekscom-hacked/article/100508/


WEB SITE COMPLIANCE -
TRUTH IN SAVINGS ACT (REG DD)

Financial institutions that advertise deposit products and services on-line must verify that proper advertising disclosures are made in accordance with all provisions of the regulations. Institutions should note that the disclosure exemption for electronic media does not specifically address commercial messages made through an institution's web site or other on-line banking system. Accordingly, adherence to all of the advertising disclosure requirements is required.

Advertisements should be monitored for recency, accuracy, and compliance. Financial institutions should also refer to OSC regulations if the institution's deposit rates appear on third party web sites or as part of a rate sheet summary. These types of messages are not considered advertisements unless the depository institution, or a deposit broker offering accounts at the institution, pays a fee for or otherwise controls the publication.

Disclosures generally are required to be in writing and in a form that the consumer can keep. Until the regulation has been reviewed and changed, if necessary, to allow electronic delivery of disclosures, an institution that wishes to deliver disclosures electronically to consumers, would supplement electronic disclosures with paper disclosures.


INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most important, your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter.

ROLES AND RESPONSIBILITIES (2 of 2)

Senior management should enforce its security program by clearly communicating responsibilities and holding appropriate individuals accountable for complying with these requirements. A central authority should be responsible for establishing and monitoring the security program. Security management responsibilities, however, may be distributed throughout the institution from the IT department to various lines of business depending on the institution's size, complexity, culture, nature of operations, and other factors. The distribution of duties should ensure an appropriate segregation of duties between individuals or organizational groups.

Senior management also has the responsibility to ensure integration of security controls throughout the organization. To support integration, senior management should

1)  Ensure the security process is governed by organizational policies and practices that are consistently applied,
2)  Require that data with similar criticality and sensitivity characteristics be protected consistently regardless of where in the organization it resides,
3)  Enforce compliance with the security program in a balanced and consistent manner across the organization, and
4)  Coordinate information security with physical security.

Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors.

Employees should know, understand, and be held accountable for fulfilling their security responsibilities. Institutions should define these responsibilities in their security policy. Job descriptions or contracts should specify any additional security responsibilities beyond the general policies. Financial institutions can achieve effective employee awareness and understanding through security training, employee certifications of compliance, self-assessments, audits, and monitoring.

Management also should consider the roles and responsibilities of external parties. Technology service providers (TSPs), contractors, customers, and others who have access to the institution's systems and data should have their security responsibilities clearly delineated and documented in contracts.


IT SECURITY QUESTION:  A. AUTHENTICATION AND ACCESS CONTROLS - Access Rights Administration

5. Evaluate the effectiveness and timeliness with which changes in access control privileges are implemented and the effectiveness of supporting policies and procedures.

• Review procedures and controls in place and determine whether access control privileges are promptly eliminated when they are no longer needed.  Include former employees, as well as temporary access granted to remote users and contract workers, in the review.

• Assess the procedures and controls in place to change, when appropriate, access control privileges (e.g., changes in job responsibility and promotion).

• Determine whether access rights expire after a predetermined period of inactivity.

• Review and assess the effectiveness of a formal review process that periodically reviews access rights to assure all access rights are proper.  Determine whether the necessary changes were made as a result of that review.
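The four review steps above can be automated as a first pass over an account export. The following is an added example, not part of the newsletter or the FFIEC booklet; it assumes a hypothetical directory export with HR termination dates, temporary-access expiry dates and last-login timestamps, and flags the three conditions the checklist asks about (enabled after termination, temporary access past expiry, and inactivity beyond a set period).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Account:
    user: str
    role: str                      # employee, contractor, remote-temp
    enabled: bool
    last_login: Optional[date]     # None means the account has never logged in
    terminated: Optional[date] = None      # HR separation date, if any
    access_expires: Optional[date] = None  # expiry for temporary/contract access

# Constructed sample export; these are hypothetical users, not real data.
ACCOUNTS = [
    Account("jdoe", "employee", True, date(2008, 1, 14)),
    Account("asmith", "employee", True, date(2007, 12, 20), terminated=date(2007, 12, 21)),
    Account("vendor1", "contractor", True, date(2007, 9, 2), access_expires=date(2007, 10, 1)),
    Account("bjones", "employee", True, date(2007, 8, 1)),
    Account("old_tmp", "remote-temp", False, None, access_expires=date(2007, 6, 30)),
]

def review_access(accounts: List[Account], today: date,
                  inactivity_days: int = 90) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for enabled accounts that should have been
    removed, or at least re-justified, under the access-rights review."""
    cutoff = today - timedelta(days=inactivity_days)
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled; nothing left to remove
        if a.terminated is not None and a.terminated <= today:
            days = (today - a.terminated).days
            findings.append((a.user, f"still enabled {days} days after termination"))
        if a.access_expires is not None and a.access_expires < today:
            findings.append((a.user, "temporary access past its expiry date"))
        if a.last_login is None or a.last_login < cutoff:
            findings.append((a.user, f"no login in the last {inactivity_days} days"))
    return findings

if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, date(2008, 1, 20)):
        print(f"{user:10} {finding}")
```

Each finding is a candidate for removal or for documented re-approval; keeping the list from one review to the next also shows whether changes from the previous review were actually carried out.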



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, with a few examples to illustrate the types of third parties in each category:

a. financial service providers; [§6(c)(3)(i)]

b. non-financial companies; [§6(c)(3)(ii)] and

c. others? [§6(c)(3)(iii)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated