FYI - Disabled Middle East Cables Under Repair - Two out of the three communications lines could be up and running this weekend as the network operator looks at alternate cable routes through the Mediterranean. Repairs are underway to the undersea communications cables that have been cut in recent days, according to company and media reports. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206106041

FYI - Lilly's $1 Billion E-Mailstrom - A secret memo meant for a colleague lands in a Times reporter's in-box. One of its outside lawyers at Philadelphia-based Pepper Hamilton had mistakenly emailed confidential information on the talks to Times reporter Alex Berenson instead of Bradford Berenson, her co-counsel at Sidley Austin. http://www.portfolio.com/news-markets/top-5/2008/02/05/Eli-Lilly-E-Mail-to-New-York-Times

FYI - Conn. police sergeant charged with computer crime - A Hartford, Conn., police sergeant has been charged with a computer crime after he allegedly disclosed information from a national law enforcement database to a female friend. http://www.scmagazineus.com/Conn-police-sergeant-charged-with-computer-crime/article/105085/

FYI - PCI council streamlines merchant self-assessment - A swifter assessment process may soon await merchants and service providers trying to demonstrate compliance with Payment Card Industry (PCI) standards. http://www.scmagazineus.com/PCI-council-streamlines-merchant-self-assessment/article/105063/

FYI - ID theft instances down, cost per incident up - Despite a nationwide decline, identity theft is still a major concern of consumers because criminals have become more creative in how they steal personal information, according to a report released by Javelin Strategy and Research. http://www.scmagazineus.com/ID-theft-instances-down-cost-per-incident-up-Javelin/article/105212/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Soccer league's online shoppers get kicked by security breach - A series of SQL injection attacks on servers hosted by a third-party service provider has compromised the personal data of an unspecified number of individuals who had shopped on Major League Soccer's MLSgear.com Web site. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=internet_business&articleId=9061858&taxonomyId=71&intsrc=kc_top

FYI - Memorial Hospital loses laptop containing sensitive employee data - Memorial Hospital has notified employees that it has lost a laptop containing the personal information of 4,300 full- and part-time employees and retirees. http://www.wsbt.com/news/local/15408791.html

FYI - Deputy fired for looking up personal information - Two employees from the Collier County Sheriff's Office are out of a job after looking up personal information about other deputies, their families and even an FBI agent. http://www.winknews.com/news/local/15408931.html

Return to the top of the newsletter

WEB SITE COMPLIANCE - Reserve Requirements of Depository Institutions (Regulation D)

Pursuant to the withdrawal and transfer restrictions imposed on savings deposits, electronic transfers, electronic withdrawals (paid electronically) or payments to third parties initiated by a depositor from a personal computer are included as a type of transfer subject to the six transaction limit imposed on passbook savings and MMDA accounts.

Institutions also should note that, to the extent stored value or other electronic money represents a demand deposit or transaction account, the provisions of Regulation D would apply to such obligations. 

Consumer Leasing Act (Regulation M)

The regulation provides examples of advertisements that clarify the definition of an advertisement under Regulation M. The term advertisement includes messages inviting, offering, or otherwise generally announcing to prospective customers the availability of consumer leases, whether in visual, oral, print, or electronic media. Included in the examples are on-line messages, such as those on the Internet. Therefore, such messages are subject to the general advertising requirements.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

INFORMATION SECURITY RISK ASSESSMENT

ANALYZE INFORMATION (2 of 2)

Since specific scenarios can become too numerous for financial institutions to address individually, various techniques are used to generalize and extend the scenarios. For instance, one technique starts with a specific scenario and looks at additional damage that could occur if the attacker had different knowledge or motivation. This technique allows the reviewers to see the full extent of risk that exists from a given vulnerability. Another technique aggregates scenarios by high-value system components.

Scenarios should consider attacks against the logical security, physical security, and combinations of logical and physical attacks. In addition, scenarios could consider social engineering, which involves manipulation of human trust by an attacker to obtain access to computer systems. It is often easier for an attacker to obtain access through manipulation of one or more employees than to perform a logical or physical intrusion.

The risk from any given scenario is a function of the probability of the event occurring and the impact on the institution. The probability and impact are directly influenced by the financial institution's business profile, the effectiveness of the financial institution's controls, and the relative strength of controls when compared to other industry targets.

The probability of an event occurring is reflected in one of two ways. If reliable and timely probability data is available, institutions can use it. Since probability data is often limited, institutions can assign a qualitative probability, such as frequent, occasional, remote, and improbable.

Frequently, TSPs perform some or all of the institution's information processing and storage. Reliance on a third party for hosting systems or processing does not remove the institution's responsibility for securing the information. It does change how the financial institution will fulfill its role. Accordingly, risk assessments should evaluate the sensitivity of information accessible to or processed by TSPs, the importance of the processing conducted by TSPs, communications between the TSP's systems and the institution, contractually required controls, and the testing of those controls. Additional vendor management guidance is contained in the FFIEC's statement on "Risk Management of Outsourced Technology Services," dated November 28, 2000.

Return to the top of the newsletter

IT SECURITY QUESTION:  A. AUTHENTICATION AND ACCESS CONTROLS - Authentication

4. Determine if all authenticators (e.g., passwords, shared secrets) are protected while in storage and during transmission to prevent disclosure.

• Identify processes and areas where authentication information may be available in clear text and evaluate the effectiveness of compensating risk management controls.

• Identify the encryption used and whether one-way hashes are employed to secure the clear text from anyone, authorized or unauthorized, who accesses the authenticator storage area.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

16. If the institution provides a short-form initial privacy notice according to §6(d)(1), does the short-form initial notice:

a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]

b. state that the institution's full privacy notice is available upon request; [§6(d)(2)(ii)] and

c. explain a reasonable means by which the consumer may obtain the notice?  [§6(d)(2)(iii)]

(Note: the institution is not required to deliver the full privacy notice with the shortform initial notice. [§6(d)(3)])