Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing
audits to ensure proper Internet security settings and to meet the independent
diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which
provides compliance with Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing is an affordable,
sophisticated process that goes far beyond the simple scanning of ports. The
audit focuses on a hacker's perspective, which will help you identify
real-world weaknesses. For more information, give R. Kinney Williams a call
today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Student loan
company settles with FTC over data mishandling - A student loan
company has settled with the Federal Trade Commission (FTC) over
charges it did not offer reliable security for its customers'
personal information.
http://www.scmagazineus.com/Student-loan-company-settles-with-FTC-over-data-mishandling/article/107705/
FYI - Gambling site
brought to its knees by 'unstoppable' botnet - A major UK gambling
business has warned that all commercial websites are at risk from a
new type of unstoppable and undetectable botnet denial of service
attack.
http://software.silicon.com/security/0,39024655,39170296,00.htm
FYI - IBM Hit With $6
Million Software Fraud Suit - Internet retailer Harry & David claims
IBM knowingly sold it e-commerce software that violated patents held
by NCR and Charles Hill & Associates and IBM refused to back the
merchant when those companies sued or complained.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206902734
FYI - Is your laptop
customs-proof? - If you travel across national borders, it's time to
customs-proof your laptop. Customs officials have been stepping up
electronic searches of laptops at the border, where travelers enjoy
little privacy and have no legal grounds to object.
http://www.news.com/8301-13578_3-9892897-38.html?tag=nefd.lede
FYI - GAO - Progress
Reported, but Weaknesses at Federal Agencies Persist.
Article:
http://www.gao.gov/cgi-bin/getrpt?GAO-08-571T
Highlights -
http://www.gao.gov/highlights/d08571thigh.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Laptop with 200
children's health records stolen - Kids in speech therapy at risk if
memory stick breached - A laptop containing personal details of more
than 200 children has been stolen from a Shropshire medical center.
Telford and Wrekin Primary Care Trust (PCT) confirmed a laptop was
stolen from the Madeley Health Centre, while one of its language
therapists was running a clinic and had left the laptop in an
adjacent room.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9066858&source=rss_topic17
FYI - MTV breach impacts
5,000 employees, successful social-engineering blamed - A
socially-engineered attack could be to blame for a security breach
at MTV Networks that has compromised the personal information of
some 5,000 employees, security experts said.
http://www.securecomputing.net.au/news/71787,mtv-breach-impacts-5000-employees-successful-socialengineering-blamed.aspx
WEB SITE COMPLIANCE -
Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit investment
products on-line should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with
this Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY STRATEGY (1 of 2)
Action Summary - Financial institutions should develop a strategy
that defines control objectives and establishes an implementation
plan. The security strategy should include
1) Cost comparisons of
different strategic approaches appropriate to the institution's
environment and complexity,
2) Layered controls
that establish multiple control points between threats and
organization assets, and
3) Policies that guide
officers and employees in implementing the security program.
An information security strategy is a plan to mitigate risks while
complying with legal, statutory, contractual, and internally
developed requirements. Typical steps to building a strategy include
the definition of control objectives, the identification and
assessment of approaches to meet the objectives, the selection of
controls, the establishment of benchmarks and metrics, and the
preparation of implementation and testing plans.
The selection of controls is typically grounded in a cost comparison
of different strategic approaches to risk mitigation. The cost
comparison typically contrasts the costs of various approaches with
the perceived gains a financial institution could realize in terms
of increased confidentiality, availability, or
integrity of systems and data. Those gains could include reduced
financial losses, increased customer confidence, positive audit
findings, and regulatory compliance. Any particular approach should
consider: (1) policies, standards, and procedures; (2) technology
and architecture; (3) resource dedication; (4) training; and (5)
testing.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Authentication
8. Determine whether adequate controls exist to
protect against replay attacks and hijacking.
9. Determine whether token-based authentication mechanisms
adequately protect against token tampering, provide for the unique
identification of the token holder, and employ an adequate number of
authentication factors.
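Questions 8 and 9 ask the examiner to confirm that authentication tokens cannot be altered without detection and cannot be captured and presented a second time. The following Python snippet is an added illustration of both controls and is not part of the FFIEC booklet or the examination procedures. It assumes a server-held HMAC-SHA256 key, a fixed time-to-live, an in-memory store of already-used nonces, and constructed clock values; these are assumptions for the example, and a real deployment would keep the nonce store in shared storage so every server that validates tokens sees the same "already used" set.

```python
"""Tamper-evident, replay-resistant bearer tokens (added illustration).

Assumptions (not from the FFIEC booklet): HMAC-SHA256 over a JSON payload,
a server-side secret key, a fixed time-to-live, and an in-memory nonce
store keyed by nonce with the token's issue time.
"""
import base64
import hashlib
import hmac
import json
import secrets


class TokenService:
    def __init__(self, key: bytes, ttl: int = 300):
        self.key = key
        self.ttl = ttl    # seconds a token stays valid
        self.seen = {}    # nonce -> issue time, used for replay detection

    def _sign(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, subject: str, now: int) -> str:
        body = {"sub": subject, "iat": now, "nonce": secrets.token_hex(8)}
        payload = base64.urlsafe_b64encode(
            json.dumps(body, sort_keys=True).encode()).decode()
        return f"{payload}.{self._sign(payload)}"

    def verify(self, token: str, now: int):
        """Return (subject, 'ok') or (None, reason)."""
        try:
            payload, tag = token.split(".")
        except ValueError:
            return None, "malformed"
        # Tampering check first: constant-time compare against a fresh MAC.
        if not hmac.compare_digest(self._sign(payload), tag):
            return None, "bad signature"
        body = json.loads(base64.urlsafe_b64decode(payload))
        if now - body["iat"] > self.ttl:
            return None, "expired"
        # Forget nonces whose tokens could no longer pass the expiry check,
        # so the replay store stays bounded by the TTL.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.ttl}
        if body["nonce"] in self.seen:
            return None, "replay"
        self.seen[body["nonce"]] = body["iat"]
        return body["sub"], "ok"


def tamper(token: str, new_subject: str) -> str:
    """Rewrite the subject but keep the original MAC (what an attacker would try)."""
    payload, tag = token.split(".")
    body = json.loads(base64.urlsafe_b64decode(payload))
    body["sub"] = new_subject
    forged = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    return f"{forged}.{tag}"


def demo() -> dict:
    """Exercise the checks with constructed inputs and fixed clock values."""
    svc = TokenService(b"constructed-demo-key-not-for-production", ttl=60)
    token = svc.issue("alice", now=1000)
    results = {
        "first_use": svc.verify(token, now=1010)[1],                  # ok
        "replay": svc.verify(token, now=1011)[1],                     # replay
        "tampered": svc.verify(tamper(token, "admin"), now=1012)[1],  # bad signature
    }
    stale = svc.issue("bob", now=1000)
    results["expired"] = svc.verify(stale, now=2000)[1]               # expired
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:10s} -> {outcome}")
```

The MAC covers the whole payload, so changing the subject (or the issue time) without the key fails the signature check; the nonce plus TTL means a captured token is accepted once and rejected on every later presentation. Neither control stops an attacker who captures the token and uses it before the legitimate holder does, which is the hijacking half of question 8: that still depends on protecting the token in transit (TLS) and binding it to the session it was issued for.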
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
20. Does the opt out notice
state:
a. that the institution discloses or reserves the right to disclose
nonpublic personal information about the consumer to a nonaffiliated
third party; [§7(a)(1)(i)]
b. that the consumer has the right to opt out of that disclosure; [§7(a)(1)(ii)]
and
c. a reasonable means by which the consumer may opt out? [§7(a)(1)(iii)]