R. Kinney Williams & Associates

Internet Banking News

January 29, 2006

Website for Penetration Testing
 
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning and takes a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Qwest threatens users with $5-per-spam charge - Qwest has added a new clause in its ISP contract that threatens to charge customers $5 for every spam message sent by their computer - even if they are not aware of it. http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5116

FYI - Symantec owns up to 'rootkit' - Symantec went public with its own use of rootkit-like technology this week, offering users a fix and saying the bug posed only a "low" risk. Norton SystemWorks and SystemWorks Premier both contain a feature called the Norton "protected recycle bin" inside the Windows "recycler" directory. Within the bin, there is a directory called NProtect, hidden from Windows application program interface, which may not be examined during virus scans. http://www.scmagazine.com/us/news/article/535521/?n=us

FYI - U.K. banks off the hook for Indian data breach - British banks will not face any action over an alleged data breach in an Indian call center last year, the U.K.'s data protection watchdog has said. http://news.com.com/2102-1029_3-6027073.html?tag=st.util.print

FYI - More brands targeted as phishing attacks soar - Phishing attacks reached a new high at the end of 2005 after growing steadily all year, according to a study published Wednesday. The number of unique e-mail-based fraud attacks detected in November 2005 was 16,882, almost double the 8,975 attacks launched in November 2004, said the report, published by the Anti-Phishing Working Group, an industry consortium that provides information on phishing trends. http://news.com.com/2102-7349_3-6028338.html?tag=st.util.print

FYI - Spanish police arrest Navy hacker - The Spanish Civil Guard has arrested an 18-year-old man suspected of hacking into the computer systems of the U.S. Naval base. http://www.scmagazine.com/us/news/article/535874/?n=us


FYI - From SANS - Privacy Rights Clearinghouse List of Data Security Breaches - The Privacy Rights Clearinghouse has compiled a list of known data security breaches that have occurred since ChoicePoint's data breach acknowledgment on February 15, 2005. The list includes the dates the breaches were reported, the names of the institutions, the types of breach and the number of individuals affected in each breach. http://www.privacyrights.org/ar/ChronDataBreaches.htm

FYI - Editing tips from the NSA - Hiding confidential information with black marks works on printed copy, but not with electronic documents, the National Security Agency has warned government officials. http://news.com.com/2102-1029_3-6030745.html?tag=st.util.print



WEB SITE COMPLIANCE - Fair Housing Act

A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy if required by rules of the institution's regulator.

Home Mortgage Disclosure Act (Regulation C)

The regulations clarify that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.


INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION - Public Key Infrastructure (Part 1 of 3)

Public key infrastructure (PKI), if properly implemented and maintained, may provide a strong means of authentication. By combining a variety of hardware components, system software, policies, practices, and standards, PKI can provide for authentication, data integrity, defenses against customer repudiation, and confidentiality. The system is based on public key cryptography in which each user has a key pair - a unique electronic value called a public key and a mathematically related private key. The public key is made available to those who need to verify the user's identity.

The private key is stored on the user's computer or a separate device such as a smart card. When the key pair is created with strong encryption algorithms and input variables, the probability of deriving the private key from the public key is extremely remote. The private key must be stored in encrypted text and protected with a password or PIN to avoid compromise or disclosure. The private key is used to create an electronic identifier called a digital signature that uniquely identifies the holder of the private key and can only be authenticated with the corresponding public key.
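The key-pair life cycle the two paragraphs above describe, as an added example that is not from the FFIEC booklet: Ruby's standard OpenSSL binding generates a pair, stores the private half only as PIN-protected ciphertext, signs with it and verifies with the public half. The choice of RSA-2048, AES-256-CBC for the stored key, and the PIN and message values are assumptions of this example.

```ruby
require "openssl"

# Constructed sample PIN for the example, not a real credential.
PIN = "correct-horse-7719"

# Generate the key pair. The public half is what gets shared; the private
# half is exported immediately as password-protected PEM so that it never
# sits on disk in the clear (the booklet's "stored in encrypted text").
def generate_protected_keypair(pin)
  key = OpenSSL::PKey::RSA.new(2048)                     # assumed key size
  encrypted_pem = key.export(OpenSSL::Cipher.new("aes-256-cbc"), pin)
  { public_pem: key.public_key.to_pem, private_pem_encrypted: encrypted_pem }
end

# Unlock the stored private key with the PIN. A wrong PIN yields no key at
# all: possession of the key file alone is not enough to sign anything.
def unlock_private_key(encrypted_pem, pin)
  OpenSSL::PKey::RSA.new(encrypted_pem, pin)
rescue OpenSSL::OpenSSLError
  nil
end

# The digital signature: produced with the private key over a SHA-256 digest
# of the message, so it identifies the key holder and the exact message.
def sign(private_key, message)
  private_key.sign(OpenSSL::Digest.new("SHA256"), message)
end

# Verification needs only the public key, so any relying party can check it.
# Returns false if the message was altered or a different key signed it.
def verify(public_pem, message, signature)
  OpenSSL::PKey::RSA.new(public_pem).verify(OpenSSL::Digest.new("SHA256"),
                                             signature, message)
end

if __FILE__ == $PROGRAM_NAME
  kp = generate_protected_keypair(PIN)
  puts "wrong PIN unlocks key?  #{!unlock_private_key(kp[:private_pem_encrypted], 'guess').nil?}"
  priv = unlock_private_key(kp[:private_pem_encrypted], PIN)
  msg = "transfer 100.00 to account 12345"              # constructed message
  sig = sign(priv, msg)
  puts "genuine message verifies? #{verify(kp[:public_pem], msg, sig)}"
  puts "altered message verifies? #{verify(kp[:public_pem], msg.sub('100', '900'), sig)}"
end
```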


INFORMATION SECURITY QUESTION:

B. NETWORK SECURITY

9. Evaluate the appropriateness of technical controls mediating access between security domains.  Consider:

• Firewall topology and architecture

• Type(s) of firewall(s) being utilized

• Physical placement of firewall components

• Monitoring of firewall traffic

• Firewall updating

• Responsibility for monitoring and updating firewall policy

• Contingency planning


INTERNET PRIVACY
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties (Part 3 of 6)

Requirements for Notices

Clear and Conspicuous. Privacy notices must be clear and conspicuous, meaning they must be reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. The regulations do not prescribe specific methods for making a notice clear and conspicuous, but do provide examples of ways in which to achieve the standard, such as the use of short explanatory sentences or bullet lists, and the use of plain-language headings and easily readable typeface and type size. Privacy notices also must accurately reflect the institution's privacy practices.

Delivery Rules. Privacy notices must be provided so that each recipient can reasonably be expected to receive actual notice in writing, or if the consumer agrees, electronically. To meet this standard, a financial institution could, for example, (1) hand-deliver a printed copy of the notice to its consumers, (2) mail a printed copy of the notice to a consumer's last known address, or (3) for the consumer who conducts transactions electronically, post the notice on the institution's web site and require the consumer to acknowledge receipt of the notice as a necessary step to completing the transaction.

For customers only, a financial institution must provide the initial notice (as well as the annual notice and any revised notice) so that a customer may be able to retain or subsequently access the notice. A written notice satisfies this requirement. For customers who obtain financial products or services electronically, and agree to receive their notices on the institution's web site, the institution may provide the current version of its privacy notice on its web site.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


© Copyright Yennik, Incorporated. All rights reserved; our logo is registered with the United States Patent and Trademark Office.