FYI - January 14, 2009 - Risk Management of Remote Deposit Capture - The Federal Financial Institutions Examination Council has issued the attached guidance, "Risk Management of Remote Deposit Capture," to assist financial institutions in identifying risks in their remote deposit capture systems and evaluating the adequacy of controls and applicable risk management practices. The guidance addresses the necessary elements of an RDC risk management process - risk identification, assessment, and mitigation - and the measurement and monitoring of residual risk exposure.
Press Release: www.fdic.gov/news/news/financial/2009/fil09004.html 
Press Release: www.ncua.gov/news/press_releases/2009/MR09-0115.htm 
Press Release: www.federalreserve.gov/boarddocs/srletters/2009/SR0902.htm 
Press Release: www.occ.treas.gov/ftp/bulletin/2009-4.html 
Press Release: http://www.ots.treas.gov/?p=PressReleases&ContentRecord_id=d5cba41c-1e0b-8562-ebbf-43fa30b599fb&ContentType_id=4c12f337-b5b6-4c87-b45c-838958422bf3

FYI - Clock ticking for gas stations to pump up data security - Visa requiring encryption of debit card PINs on new pumps now, existing ones by July 2010 - Lower gas prices aren't the only thing that's new at the pumps these days. Data encryption tools are also becoming part of the picture. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9125261&source=rss_topic17

FYI - Data Breaches Booming - The Identity Theft Resource Center says reported data breaches increased by 47% from 2007 to 2008. In a down year, data breaches went up, again. In 2008, according to the Identity Theft Resource Center, there were 656 reported data breaches, an increase of 47% from the 2007 total of 446. http://www.techweb.com/article/showArticle?articleID=212700890

FYI - TJX hacker gets 30-year prison sentence - A Ukrainian man was recently sentenced to 30 years in prison by a Turkish court on charges of cybercrime, according to reports. http://www.scmagazineus.com/TJX-hacker-gets-30-year-prison-sentence/article/123726/?DCMP=EMC-SCUS_Newswire

FYI - CWE/SANS TOP 25 Most Dangerous Programming Errors - Experts Announce Agreement on the 25 Most Dangerous Programming Errors - In Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. http://www.sans.org/top25errors/

FYI - Financial firms' data security found wanting - New PwC research urges increased vigilance - Over half of global financial firms have no accurate record of where customer and employee data is collected, transmitted or stored, according to new research from consultancy PricewaterhouseCoopers. http://www.vnunet.com/vnunet/news/2233717/financial-firms-security-found

FYI - GAO - Continued Efforts Needed to Address Significant Weaknesses at IRS.
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-09-136
Highlights - http://www.gao.gov/highlights/d09136high.pdf
Article - http://www.scmagazineus.com/Security-issues-continue-at-the-IRS/article/124001/?DCMP=EMC-SCUS_Newswire

FYI - Paris Hilton's website infects users with data-stealing trojan - Paris Hilton apparently has not fallen out of favor with cybercriminals. Months after the celebrity and hotel heiress' Sidekick phone and Facebook profile were hacked, attackers now have turned to her official website to spread malware and steal data. http://www.scmagazineus.com/Paris-Hiltons-website-infects-users-with-data-stealing-trojan/article/123951/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - CheckFree warns 5 million customers after hack - It's not sure how many customers may have been exposed to malware - CheckFree Corp. and some of the banks that use its electronic bill payment service are notifying more than 5 million customers that criminals took control of several of the company's Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9125078

FYI - Hack forces Twitter into 'full security review' - Analysts say breach could could force IT to rethink its use of the microblogging tool - Twitter Inc. has launched a comprehensive review of the defenses in its popular social network and microblogging service after hackers hijacked the accounts of several high-profile users. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9125239&intsrc=hm_list

FYI - Mysterious credit card charge may have hit millions of users - Several Internet complaint boards are filled with comments from credit card customers from coast to coast who have noticed a mysterious charge for about 25 cents on their statements. http://www.boston.com/business/personalfinance/articles/2009/01/11/mysterious_credit_card_charge_may_have_hit_millions_of_users/

FYI - FBI investigating U of R identity theft - The FBI is now investigating a security breach at the University of Rochester. The university is still trying to figure out how all the information was copied. Personal information for 450 current and former U of R students was stolen from a university database. http://www.whec.com/article/stories/S739036.shtml?cat=572

FYI - Local credit card numbers stolen - Two men are in custody and under investigation by the FBI in an identity theft scheme that victimized 2,500 Cache County residents, Smithfield police officials said. http://hjnews.townnews.com/articles/2009/01/11/news/news02-01-11-09.txt

Return to the top of the newsletter

WEB SITE COMPLIANCE - Truth in Lending Act (Regulation Z)

The commentary to regulation Z was amended recently to clarify that periodic statements for open-end credit accounts may be provided electronically, for example, via remote access devices. The regulations state that financial institutions may permit customers to call for their periodic statements, but may not require them to do so. If the customer wishes to pick up the statement and the plan has a grace period for payment without imposition of finance charges, the statement, including a statement provided by electronic means, must be made available in accordance with the "14-day rule," requiring mailing or delivery of the statement not later than 14 days before the end of the grace period.

Provisions pertaining to advertising of credit products should be carefully applied to an on-line system to ensure compliance with the regulation. Financial institutions advertising open-end or closed-end credit products on-line have options. Financial institutions should ensure that on-line advertising complies with the regulations. For on-line advertisements that may be deemed to contain more than a single page, financial institutions should comply with the regulations, which describe the requirements for multiple-page advertisements.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 2 of 2)

Physical security for distributed IS, particularly LANs that are usually PC - based, is slightly different than for mainframe platforms. With a network there is often no centralized computer room. In addition, a network often extends beyond the local premises. There are certain components that need physical security. These include the hardware devices and the software and data that may be stored on the file servers, PCs, or removable media (tapes and disks). As with more secure IS environments, physical network security should prevent unauthorized personnel from accessing LAN devices or the transmission of data. In the case of wire - transfer clients, more extensive physical security is required.

Physical protection for networks as well as PCs includes power protection, physical locks, and secure work areas enforced by security guards and authentication technologies such as magnetic badge readers. Physical access to the network components (i.e., files, applications, communications, etc.) should be limited to those who require access to perform their jobs. Network workstations or PCs should be password protected and monitored for workstation activity.

Network wiring requires some form of protection since it does not have to be physically penetrated for the data it carries to be revealed or contaminated. Examples of controls include using a conduit to encase the wiring, avoiding routing through publicly accessible areas, and avoiding routing networking cables in close proximity to power cables. The type of wiring can also provide a degree of protection; signals over fiber, for instance, are less susceptible to interception than signals over copper cable.

Capturing radio frequency emissions also can compromise network security. Frequency emissions are of two types, intentional and unintentional. Intentional emissions are those broadcast, for instance, by a wireless network. Unintentional emissions are the normally occurring radiation from monitors, keyboards, disk drives, and other devices. Shielding is a primary control over emissions. The goal of shielding is to confine a signal to a defined area. An example of shielding is the use of foil-backed wallboard and window treatments. Once a signal is confined to a defined area, additional controls can be implemented in that area to further minimize the risk that the signal will be intercepted or changed.

Return to the top of the newsletter

IT SECURITY QUESTION:

E. PHYSICAL SECURITY

1. Determine whether physical security for information technology equipment and operations is coordinated with that of other institution organizations.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Procedures (Part 3 of 3)

E. Ascertain areas of risk associated with the financial institution's sharing practices (especially those within Section 13 and those that fall outside of the exceptions ) and any weaknesses found within the compliance management program. Keep in mind any outstanding deficiencies identified in the audit for follow-up when completing the modules.

F. Based on the results of the foregoing initial procedures and discussions with management, determine which procedures if any should be completed in the applicable module, focusing on areas of particular risk. The selection of procedures to be employed depends upon the adequacy of the institution's compliance management system and level of risk identified. Each module contains a series of general instruction to verify compliance, cross-referenced to cites within the regulation. 
Additionally, there are cross-references to a more comprehensive checklist, which the examiner may use if needed to evaluate compliance in more detail.

G. Evaluate any additional information or documentation discovered during the course of the examination according to these procedures. Note that this may reveal new or different sharing practices necessitating reapplication of the Decision Trees and completion of additional or different modules.

H. Formulate conclusions.

1)  Summarize all findings.

2)  For violation(s) noted, determine the cause by identifying weaknesses in internal controls, compliance review, training, management oversight, or other areas.

3)  Identify action needed to correct violations and weaknesses in the institution's compliance system, as appropriate.

4)  Discuss findings with management and obtain a commitment for corrective action.