FYI - NIST issues final draft of IT security controls - The National Institute of Standards and Technology has released the final public draft of recommended security controls for federal systems, a fine-tuned version of a document that will become a mandatory Federal Information Processing Standard by the end of the year. http://www.gcn.com/vol1_no1/daily-updates/34930-1.html

FYI - Ex-AOL employee pleads guilty in spam case - A former AOL software engineer accused of stealing 92 million screen names has pleaded guilty to conspiracy and interstate transport of stolen property. http://www.cnn.com/2005/TECH/internet/02/04/aol.spam.plea/

FYI - California defense contractor warns employees following computer theft - Thieves stole several computers containing personal information on 45,000 current and former shareholders of defense contractor Science Applications International Corp., which began alerting those people on Thursday. http://www.securityfocus.com/printable/news/10419

FYI - Student Installs Device On Teacher's Computer To Sell Tests - A high school student is facing criminal charges for allegedly hooking a device up to a teacher's computer to steal test information to sell to other students, Local 2 reported Tuesday. http://www.click2houston.com/education/4152951/detail.html

FYI - Rowling to Potter fans: Watch out for phishing scams - Author J.K. Rowling is warning Harry Potter fans to watch out for Internet fraudsters claiming to be selling electronic copies of her latest wizard saga - they are trying to steal bank and credit card details. In the latest phishing scam, fans were asked to hand over financial information to pay for a supposed copy of Harry Potter and the Half-Blood Prince. http://www.computerworld.com/printthis/2005/0,4814,99442,00.html

FYI - NIST, NSA create security language - One of the best ways to strengthen IT security is to make sure all of the systems in an infrastructure conform to a set of security specifications. But that is often difficult and time-consuming. http://www.fcw.com/fcw/articles/2005/0131/web-nistnsa-02-04-05.asp

FYI - Linux Kernel Security is Lacking - During the disclosure of some recent vulnerabilities in the Linux kernel, I learned some things about Linux kernel security that was truly shocking. The way security in the Linux kernel is handled is broken, and it needs to be fixed right now. http://www.securityfocus.com/printable/columnists/296

FYI - Click! Online banking usage soars - The popularity of online banking continues to soar, according to a new survey by the Pew Internet & American Life Project. More than 50 million U.S. adults now bank online, a jump of 47 percent during the past two years. http://www.msnbc.msn.com/id/6936297/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 5 of 10)

B. RISK MANAGEMENT TECHNIQUES

Introduction

Management must effectively plan, implement, and monitor the financial institution's weblinking relationships. This includes situations in which the institution has a third-party service provider create, arrange, or manage its website. There are several methods of managing a financial institution's risk exposure from third-party weblinking relationships. The methods adopted to manage the risks of a particular link should be appropriate to the level of risk presented by that link as discussed in the prior section.

Planning Weblinking Relationships

In general, a financial institution planning the use of weblinks should review the types of products or services and the overall website content made available to its customers through the weblinks. Management should consider whether the links support the institution's overall strategic plan. Tools useful in planning weblinking relationships include:

1)  due diligence with respect to third parties to which the financial institution is considering links; and

2)  written agreements with significant third parties.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We conclude our series on the FFIEC interagency Information Security Booklet. 

MONITORING AND UPDATING - UPDATING

Financial institutions should evaluate the information gathered to determine the extent of any required adjustments to the various components of their security program. The institution will need to consider the scope, impact, and urgency of any new threat. Depending on the new threat or vulnerability, the institution will need to reassess the risk and make changes to its security process (e.g., the security strategy, the controls implementation, or the security testing requirements).

Institution management confronts routine security issues and events on a regular basis. In many cases, the issues are relatively isolated and may be addressed through an informal or targeted risk assessment embedded within an existing security control process. For example, the institution might assess the risk of a new operating system vulnerability before testing and installing the patch. More systemic events like mergers, acquisitions, new systems, or system conversions, however, would warrant a more extensive security risk assessment. Regardless of the scope, the potential impact and the urgency of the risk exposure will dictate when and how controls are changed.

Return to the top of the newsletter

IT SECURITY QUESTION:  DATA SECURITY

4. Determine whether, where appropriate, the system securely links the receipt of information with the originator of the information and other identifying information, such as date, time, address, and other relevant factors.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice  

8)  Do the initial, annual, and revised privacy notices include each of the following, as applicable:  (Part 1 of 2)

a)  the categories of nonpublic personal information that the institution collects; [§6(a)(1)]

b)  the categories of nonpublic personal information that the institution discloses; [§6(a)(2)]

c)  the categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information, other than parties to whom information is disclosed under an exception in §14 or §15; [§6(a)(3)]

d)  the categories of nonpublic personal information disclosed about former customers, and the categories of affiliates and nonaffiliated third parties to whom the institution discloses that information, other than those parties to whom the institution discloses information under an exception in §14 or §15; [§6(a)(4)]

IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and examiners recommend a security test of your Internet  connection.   The Vulnerability Internet Security Test Audit (VISTA) is an independent external penetration study of {custom4}'s network connection to the Internet that meets the regulatory requirements.  We are trained information systems auditors that only work with financial institutions.  As auditors, we provide an independent review of the vulnerability test results and an audit letter to your Board of Directors certifying the test results.  For more information, visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.