You can rely
on the Review to help you prepare for your IT examination.
Designed especially for IT management, The Weekly IT Security Review provides an
analysis of IT security issues covered in the FFIEC IT Examination
Handbook, which will help in preparing for your IT examination. For more
information and to subscribe visit
http://www.yennik.com/it-review/.
FYI -
Critics not satisfied with partial revelation of secret
cybersecurity plan - The Obama administration released an outline of
the Comprehensive National Cybersecurity Initiative - The release of
a summary of a classified cybersecurity program launched during the
Bush era that continues to guide government computer security
efforts was generally welcomed, but some say key questions about the
government's strategy still need to be answered.
http://fcw.com/articles/2010/03/03/web-declassification-cnci.aspx
FYI -
Panel debates expectations of responsible disclosure of
vulnerabilities - The term "responsible disclosure" of
vulnerabilities is a misnomer, a phrase created by software vendors
who often take so long to release a patch that they are the ones who
act irresponsibly, a noted security researcher said this week at the
RSA Conference.
http://www.scmagazineus.com/rsa-conference-panel-debates-expectations-of-responsible-disclosure-of-vulnerabilities/article/165216/?DCMP=EMC-SCUS_Newswire
FYI -
More than half of security pros got raises - Salaries rose in 2009
for more than half of some 3,000 security professionals polled by
nonprofit certification provider (ISC)2, the organization announced
Thursday. The "2010 Career Impact Survey" found that 52.8 percent of
respondents received raises last year, while 11 percent saw their
paychecks and/or benefits slashed. Just under 5 percent of
respondents were laid off. (ISC)2 attributed the results to
increasing corporate and government dependence on information
security.
http://www.scmagazineus.com/survey-more-than-half-of-security-pros-got-raises/article/165078/?DCMP=EMC-SCUS_Newswire
FYI -
Health care information security pros discuss data security -
Protecting health data becomes more difficult in a socially
networked world, but blocking access to these popular sites is being
met with dissent, a panel of health care CISOs said.
http://www.scmagazineus.com/rsa-conference-health-care-information-security-pros-discuss-data-security/article/165040/?DCMP=EMC-SCUS_Newswire
FYI -
Hackers have corrupted valuable data - Robert Mueller called the
attacks a threat to the nation's security - Hackers breaking into
businesses and government agencies with targeted attacks have not
only stolen intellectual property, in some cases they have corrupted
data too, the head of the U.S. Federal Bureau of Investigation said.
http://www.computerworld.com/s/article/9166378/FBI_Director_Hackers_have_corrupted_valuable_data
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Hackers took more than $120M in three months - Ongoing computer
scams targeting small businesses cost U.S. companies $25 million in
the third quarter of 2009, according to the U.S. Federal Deposit
Insurance Corporation.
http://www.computerworld.com/s/article/9167598/FDIC_Hackers_took_more_than_120M_in_three_months?source=rss_news
http://www.krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/
FYI -
Westin hotel in LA reports possible data breach - People who stayed
at the Westin Bonaventure Hotel & Suites in Los Angeles last year
and used their credit or debit card to eat there should keep a close
eye on their bank statements.
http://www.computerworld.com/s/article/9166898/Westin_hotel_in_LA_reports_possible_data_breach?taxonomyId=17
http://www.scmagazineus.com/westin-hotels-point-of-sale-system-possibly-hacked/article/165348/?DCMP=EMC-SCUS_Newswire
FYI -
Garda investigating cyber attacks on Irish businesses - Garda are
investigating several cyber attacks on the computer systems of small
businesses in the midlands and west of Ireland, where hackers have
encrypted the businesses' data and demanded money for codes that would
unlock the information.
http://www.siliconrepublic.com/news/article/15466/cio/hackers-hit-irish-businesses
FYI -
Arkansas National Guard external hard drive goes missing - An
external hard drive containing the personal information about tens
of thousands of Arkansas National Guard soldiers recently went
missing.
http://www.scmagazineus.com/arkansas-national-guard-external-hard-drive-goes-missing/article/165430/?DCMP=EMC-SCUS_Newswire
FYI -
Wyndham Hotels suffers another data breach - Wyndham Hotels and
Resorts (WHR) recently revealed that it was the victim of another
data breach after hackers broke into its computer systems and stole
customer payment card data and other sensitive information.
http://www.scmagazineus.com/wyndham-hotels-suffers-another-data-breach/article/165345/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
We continue the series on the FDIC Supervisory Insights article on
Incident Response Programs. (11 of 12)
Last week's best
practices focused on the more common criteria that have been noted
in actual IRPs, but some banks have developed other effective
incident response practices. Examples of these additional practices
are listed below. Organizations may want to review these practices
and determine if any would add value to their IRPs given their
operating environments.
Additional IRP Best Practices
1) Test the incident response plan (via walkthrough or tabletop
exercises) to assess thoroughness.
2) Implement notices on login screens for customer information
systems to establish a basis for disciplinary or legal action.
3) Develop an incident grading system that quantifies the severity
of the incident, helps determine if the incident response plan needs
to be activated, and specifies the extent of notification
escalation.
4) Provide periodic staff awareness training on recognizing
potential indicators of unauthorized activity and reporting the
incident through proper channels. Some institutions have established
phone numbers and e-mail distribution lists for reporting possible
incidents.
5) Inform users about the status of any compromised system they may
be using.
6) Establish a list of possible consultants, in case the bank does
not have the expertise to handle or investigate the specific
incident (especially regarding technical compromises).
7) Establish evidence-gathering and handling procedures aimed at
preserving evidence of the incident and aiding in prosecution
activities.
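One way to put practice 7 into operation, shown as an added example in Go that is not part of the FDIC article or this newsletter: hash each artifact at acquisition, record the hash with every hand-off, and refuse a copy whose hash no longer matches before it enters the custody chain. The evidence ID, the handler names and the sample log line are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// CustodyEntry is one recorded action on an evidence item: who handled it,
// when, and the SHA-256 of the artifact at that moment.
type CustodyEntry struct {
	When   time.Time
	Who    string
	Action string
	Hash   string
}

// Evidence is an acquired artifact (log export, disk image, memory dump)
// together with the hash taken at acquisition and every later hand-off.
type Evidence struct {
	ID           string
	Description  string
	AcquiredHash string
	Chain        []CustodyEntry
}

func hashBytes(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Acquire hashes the artifact as it is collected and opens the custody chain.
func Acquire(id, desc, collector string, data []byte, at time.Time) *Evidence {
	h := hashBytes(data)
	return &Evidence{ID: id, Description: desc, AcquiredHash: h,
		Chain: []CustodyEntry{{When: at, Who: collector, Action: "acquired", Hash: h}}}
}

// Transfer re-hashes the artifact at hand-off. A copy that no longer matches
// the acquisition hash is refused and the hand-off is not recorded.
func (e *Evidence) Transfer(to string, data []byte, at time.Time) error {
	h := hashBytes(data)
	if h != e.AcquiredHash {
		return fmt.Errorf("evidence %s: hash %s... does not match acquisition hash %s...",
			e.ID, h[:12], e.AcquiredHash[:12])
	}
	e.Chain = append(e.Chain, CustodyEntry{When: at, Who: to, Action: "received", Hash: h})
	return nil
}

// Verify confirms that every custody entry carries the acquisition hash and
// that the copy presented now is still byte-identical to what was collected.
func (e *Evidence) Verify(data []byte) error {
	for i, c := range e.Chain {
		if c.Hash != e.AcquiredHash {
			return fmt.Errorf("evidence %s: custody entry %d (%s by %s) has a mismatched hash",
				e.ID, i, c.Action, c.Who)
		}
	}
	if hashBytes(data) != e.AcquiredHash {
		return fmt.Errorf("evidence %s: artifact modified since acquisition", e.ID)
	}
	return nil
}

func main() {
	// Constructed sample: a one-line auth log export from a compromised host.
	export := []byte("2010-03-02T14:05:11Z sshd[4121]: Accepted password for admin from 203.0.113.9\n")
	ev := Acquire("EV-2010-0042", "auth log export, web-01", "j.doe (IR lead)", export, time.Now())
	if err := ev.Transfer("forensics vendor", export, time.Now()); err != nil {
		fmt.Println("hand-off refused:", err)
	}
	// A copy altered in transit (one byte appended) is rejected at the next hand-off.
	altered := append(append([]byte{}, export...), '\n')
	if err := ev.Transfer("outside counsel", altered, time.Now()); err != nil {
		fmt.Println("hand-off refused:", err)
	}
	fmt.Println("custody entries recorded:", len(ev.Chain), "verify original:", ev.Verify(export))
}
```

The hash is taken from the bytes actually handed over, not copied from the previous entry, so a substitution between two custodians shows up at the next transfer rather than at trial.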
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Internet."
SECURITY MEASURES
Certificate Authorities and Digital Certificates
Certificate authorities and digital certificates are emerging to
further address the issues of authentication, non-repudiation, data
privacy, and cryptographic key management. A certificate authority
(CA) is a trusted third party that verifies the identity of a party
to a transaction. To do this, the CA vouches for the identity of a
party by attaching the CA's digital signature to any messages,
public keys, etc., which are transmitted. Obviously, the CA must be
trusted by the parties involved, and identities must have been
proven to the CA beforehand. Digital certificates are messages that
are signed with the CA's private key. They identify the CA and the
represented party, and bind the represented party's public key to
that identity.
The responsibilities of CAs and their position among emerging
technologies continue to develop. They are likely to play an
important role in key management by issuing, retaining, or
distributing public/private key pairs. Where a CA generates or
retains a party's private key, that party is no longer its sole
holder, which weakens the non-repudiation the certificate is meant
to provide.
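The vouching relationship described above, shown as an added example in Go that is not code from the FDIC or this newsletter: a CA signs, with its own private key, a certificate carrying a party's name and public key; a relying party that trusts that CA accepts the certificate, while the same certificate checked against a CA it does not trust is rejected; and the public key carried in the accepted certificate is then used to check the party's signature on a message. ECDSA P-256, the names "Example Bank Root CA", "Rogue CA" and "customer-portal.example", and the signed message are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds the identity part of a certificate: who it names and how
// long it is valid. Only a CA gets the IsCA flag and the cert-signing usage.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name}, // assumed names, see lead-in
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// NewCA creates a self-signed CA: the CA's private key signs a certificate
// that names the CA and carries the CA's own public key.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := template(name, 1, true)
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Issue is the CA vouching for a party: the party's name and public key go
// into a certificate signed with the CA's private key, not the party's.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, party string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, template(party, 2, false), ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// TrustedBy is the relying party's question: did a CA I trust sign this
// certificate? Only the certificates passed in trusted count as roots.
func TrustedBy(cert *x509.Certificate, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Sign produces the party's signature over a message with its private key.
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Verified checks a signature with the public key carried in the certificate,
// so the signer's identity rests on the CA's vouching, not on a key obtained
// out of band.
func Verified(cert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	ca, caKey, _ := NewCA("Example Bank Root CA")
	cust, custKey, _ := Issue(ca, caKey, "customer-portal.example")
	rogue, _, _ := NewCA("Rogue CA")
	fmt.Println("chains to trusted CA:", TrustedBy(cust, ca) == nil)
	fmt.Println("chains to rogue CA:  ", TrustedBy(cust, rogue) == nil)
	msg := []byte("transfer 1,000.00 to account 12345") // constructed message
	sig, _ := Sign(custKey, msg)
	fmt.Println("signature verifies:  ", Verified(cust, msg, sig))
	fmt.Println("altered message:     ", Verified(cust, append(msg, '!'), sig))
}
```

Go's Verify checks the signature chain, validity period and basic constraints; a production relying party would also pin the expected DNS name (VerifyOptions.DNSName), restrict extended key usage instead of allowing any, and consult revocation information, none of which is shown here.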
Implementation
The implementation and use of encryption technologies, digital
signatures, certificate authorities, and digital certificates can
vary. The technologies and methods can be used individually, or in
combination with one another. Some techniques may merely encrypt
data in transit from one location to another. While this keeps the
data confidential during transmission, it offers little in regard to
authentication and non-repudiation. Other techniques may utilize
digital signatures, but still require the encrypted submission of
sensitive information, like credit card numbers. Although protected
during transmission, additional measures would need to be taken to
ensure the sensitive information remains protected once received and
stored.
The protection afforded by the above security measures will be
governed by the capabilities of the technologies, the
appropriateness of the technologies for the intended use, and the
administration of the technologies utilized. Care should be taken
to ensure the techniques utilized are sufficient to meet the
required needs of the institution. All of the technical and
implementation differences should be explored when determining the
most appropriate package.
INTERNET PRIVACY - We continue
our review of the issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies.
Opt Out Right and Exceptions:
The Right
Consumers must be given the right to "opt out" of, or prevent, a
financial institution from disclosing nonpublic personal information
about them to a nonaffiliated third party, unless an exception to
that right applies. The exceptions are detailed in sections 13, 14,
and 15 of the regulations and described below.
As part of the opt out right, consumers must be given a reasonable
opportunity and a reasonable means to opt out. What constitutes a
reasonable opportunity to opt out depends on the circumstances
surrounding the consumer's transaction, but a consumer must be
provided a reasonable amount of time to exercise the opt out right.
For example, it would be reasonable if the financial institution
allows 30 days from the date of mailing a notice or 30 days after
customer acknowledgement of an electronic notice for an opt out
direction to be returned. What constitutes a reasonable means to
opt out may include check-off boxes, a reply form, or a
toll-free telephone number, again depending on the circumstances
surrounding the consumer's transaction. It is not reasonable to
require a consumer to write his or her own letter as the only means
to opt out.