Does
Your Financial Institution need an affordable Internet security
audit?
Yennik, Inc. has clients in 42 states that rely on our penetration
testing audits to ensure proper Internet security settings and to meet
the independent diagnostic test requirements of FDIC, OCC, OTS, FRB,
and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing are an affordable,
sophisticated process that goes far beyond the simple scanning of
ports. The audit focuses on a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI -
Feds file new felonies against alleged Palin hacker - A University
of Tennessee student accused of illegally breaking into the email
account of Alaska governor Sarah Palin has been hit with three new
felony charges in connection with the case.
http://www.theregister.co.uk/2009/03/09/palin_hacker_recharged/
FYI -
Heartland, RBS WorldPay no longer PCI compliant - Visa announced on
Friday that it has removed Heartland Payment Systems and RBS
WorldPay -- two payment processors that have announced massive data
breaches in recent months -- from its list of service providers
compliant with payment industry guidelines.
http://www.scmagazineus.com/Visa-Heartland-RBS-WorldPay-no-longer-PCI-compliant/article/128762/?DCMP=EMC-SCUS_Newswire
FYI -
Cybersecurity expert says preparation key to business survival - The
world is more interconnected than ever before, with an estimated one
billion devices connected to the internet, and in the next three to
five years, that figure will double.
http://www.scmagazineus.com/InfoSec-Cybersecurity-expert-says-preparation-key-to-business-survival/article/128810/?DCMP=EMC-SCUS_Newswire
FYI -
Finland approves email snooping law - Finnish President Tarja
Halonen on Friday ratified a controversial new law giving employers
the right to monitor employees' emails where wrongdoing is
suspected.
http://www.ioltechnology.co.za/article_page.php?iSectionId=2883&iArticleId=4889373
FYI -
GAO Preliminary Observations on Assistance Provided to AIG.
Report -
http://www.gao.gov/new.items/d09490t.pdf
Highlights -
http://www.gao.gov/highlights/d09490thigh.pdf
FYI -
Companies get checklist on PCI security rules - The organization
that administers the credit card industry's data security rules has
released a new set of compliance guidelines -- a move that
reinforces the widespread perception that efforts to comply are
going slowly at many companies.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=335844&source=rss_topic17
FYI -
GAO - Securities and Exchange Commission Needs to Consistently
Implement Effective Controls.
Report -
http://www.gao.gov/new.items/d09203.pdf
Highlights -
http://www.gao.gov/highlights/d09203high.pdf
FYI -
Web apps account for 80 percent of internet vulnerabilities -
Vulnerabilities in web applications made up 80 percent of all
web-related flaws in the second half of 2008 and rose in prevalence
by about eight percent from the first half of the year.
http://www.scmagazineus.com/Web-apps-account-for-80-percent-of-internet-vulnerabilities/article/129027/?DCMP=EMC-SCUS_Newswire
FYI -
People are still the biggest security vulnerability - There is an
old saying in the security world stating that people are the weakest
link in the security chain. Here is a bit of data that reinforces
this ancient security adage.
http://news.cnet.com/8301-1009_3-10199331-83.html
FYI -
Review of Regulators' Oversight of Risk Management Systems at a
Limited Number of Large, Complex Financial Institutions.
Report -
http://www.gao.gov/new.items/d09499t.pdf
Highlights -
http://www.gao.gov/highlights/d09499thigh.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Army database may have been breached - An Army database that
contains personal information about nearly 1,600 soldiers may have
been penetrated by unauthorized users, Army officials have
announced. Soldiers who registered with, or participated in, the
Army-sponsored Operation Tribute to Freedom program during the past
five years may be affected by the security breach, Army officials
said.
http://fcw.com/Articles/2009/03/12/Army-breach.aspx
FYI -
Former Minnesota Sen. Norm Coleman's donor database exposed on
Wikileaks - In a brewing controversy, whistle-blower site
Wikileaks.org has published personal information belonging to more
than 51,000 donors and supporters of former U.S. Sen. Norm Coleman
that it says were leaked because the Minnesota Republican's campaign
Web site was not properly secured.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129460&intsrc=hm_list
FYI -
Employee Stole Customer Data - Sprint is warning several thousand
customers that a former employee sold or otherwise provided their
account data without permission. In letters sent via snail mail to
some customers, Sprint urged recipients to contact customers service
and change their existing personal identification number and
security question.
http://voices.washingtonpost.com/securityfix/2009/03/sprint_employee_stole_customer.html
FYI -
Passwords of Comcast Customers Exposed - A list of user names and
passwords for customers of Comcast, one of the nation's largest
Internet service providers, sat unprotected on the Web for the last
two months.
http://bits.blogs.nytimes.com/2009/03/16/passwords-of-8000-comcast-customers-exposed/
FYI -
Consultant who exposed flaw on Coleman site fires back - 'I did it
for all the right reasons,' says Adria Richards. By Jaikumar Vijayan.
A Minneapolis-based IT consultant is defending her decision to post
details of a security weakness she found on former Minnesota Sen.
Norm Coleman's campaign Web site in January, a flaw that later
resulted in a donor database on the site being compromised.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129631&source=rss_topic17
WEB SITE COMPLIANCE -
The
Role Of Consumer Compliance In Developing And Implementing
Electronic Services from FDIC:
When violations of the consumer protection laws regarding a
financial institution's electronic services have been cited,
generally the compliance officer has not been involved in the
development and implementation of the electronic services.
Therefore, it is suggested that management and system
designers consult with the compliance officer during the development
and implementation stages in order to minimize compliance risk.
The compliance officer should ensure that the proper controls
are incorporated into the system so that all relevant compliance
issues are fully addressed. This
level of involvement will help decrease an institution's compliance
risk and may prevent the need to delay deployment or redesign
programs that do not meet regulatory requirements.
The compliance officer should develop a compliance risk profile as a
component of the institution's online banking business and/or
technology plan. This
profile will establish a framework from which the compliance officer
and technology staff can discuss specific technical elements that
should be incorporated into the system to ensure that the online
system meets regulatory requirements.
For example, the compliance officer may communicate with the
technology staff about whether compliance disclosures/notices on a
web site should be indicated or delivered by the use of
"pointers" or "hotlinks" to ensure that required
disclosures are presented to the consumer. The compliance officer can also be an ongoing resource to
test the system for regulatory compliance.
INFORMATION TECHNOLOGY SECURITY -
We
continue our series on the FFIEC interagency Information Security
Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Security Controls in Application Software
Application development should incorporate appropriate security
controls, audit trails, and activity logs. Typical application
access controls are addressed in earlier sections. Application
security controls should also include validation controls for data
entry and data processing. Data entry validation controls include
access controls over entry and changes to data, error checks, review
of suspicious or unusual data, and dual entry or additional review
and authorization for highly sensitive transactions or data. Data
processing controls include: batch control totals; hash totals of
data for comparison after processing; identification of any changes
made to data outside the application (e.g., data-altering
utilities); and job control checks to ensure programs run in correct
sequence (see the booklet "Computer Operations" for additional
considerations).
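A worked example of the data entry and data processing controls listed
above, added here as an illustration and not taken from the FFIEC
booklet: the record layout, the dual-authorization threshold of
1,000.00, the approver names and the sample batch are all assumed for
the demonstration. It records a batch control total and a hash total
when the batch is entered, validates each entry (including a second
approver for high-value items), and recomputes the totals before
processing so that a record changed outside the application by a
data-altering utility is rejected rather than posted.

```python
"""Batch control totals, hash totals and dual authorization.

Added example, not FFIEC or Yennik code. The record layout, the
dual-authorization threshold and the sample batch are constructed
for illustration only.
"""
import hashlib
import json
from decimal import Decimal, InvalidOperation

DUAL_AUTH_THRESHOLD = Decimal("1000.00")  # assumed policy threshold

# Constructed sample batch of outgoing transfers (not real data).
SAMPLE_BATCH = [
    {"id": "T1", "account": "100200300", "amount": "250.00",
     "approver": "alice", "second_approver": None},
    {"id": "T2", "account": "100200301", "amount": "1500.00",
     "approver": "alice", "second_approver": "bob"},
    {"id": "T3", "account": "100200302", "amount": "75.50",
     "approver": "carol", "second_approver": None},
]


def canonical(record):
    """Deterministic serialization so the hash does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def control_totals(batch):
    """Return (record_count, sum_of_amounts, hash_total).

    The hash total chains every record's canonical form, so a changed
    field, an inserted or dropped record, or a reordering all alter it.
    """
    h = hashlib.sha256()
    total = Decimal("0")
    for rec in batch:
        total += Decimal(rec["amount"])
        h.update(canonical(rec))
    return len(batch), total, h.hexdigest()


def validate_entry(rec):
    """Data entry validation: format checks plus dual authorization.

    Returns a list of error strings; an empty list means the entry is
    acceptable.
    """
    errors = []
    try:
        amount = Decimal(rec["amount"])
    except (InvalidOperation, TypeError, KeyError):
        return ["amount is not numeric"]
    if amount <= 0:
        errors.append("amount must be positive")
    account = str(rec.get("account", ""))
    if not (account.isdigit() and len(account) == 9):
        errors.append("account must be 9 digits")
    if amount >= DUAL_AUTH_THRESHOLD:
        second = rec.get("second_approver")
        if not second:
            errors.append("second approver required above threshold")
        elif second == rec.get("approver"):
            errors.append("second approver must differ from first")
    return errors


def process_batch(batch, expected):
    """Data processing control: recompute the totals and compare them
    with the totals recorded at entry time before acting on the batch."""
    actual = control_totals(batch)
    if actual != expected:
        raise ValueError(
            f"control total mismatch: expected {expected}, got {actual}")
    return [(rec["id"], Decimal(rec["amount"])) for rec in batch]


if __name__ == "__main__":
    for rec in SAMPLE_BATCH:
        print(rec["id"], validate_entry(rec) or "ok")
    expected = control_totals(SAMPLE_BATCH)
    # Simulate a data-altering utility changing a record outside the app.
    tampered = [dict(r) for r in SAMPLE_BATCH]
    tampered[0]["amount"] = "2500.00"
    try:
        process_batch(tampered, expected)
    except ValueError as err:
        print("rejected:", err)
```

The control totals must be stored somewhere the data-altering utility
cannot reach (a separate audit table or a signed log), otherwise an
attacker who edits the batch can edit the totals to match.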
Some applications will require the integration of additional
authentication and encryption controls to ensure integrity and
confidentiality of the data. As customers and merchants originate an
increasing number of transactions, authentication and encryption
become increasingly important to ensure non-repudiation of
transactions.
IT SECURITY
QUESTION:
F. PERSONNEL SECURITY
6. Determine if an appropriate disciplinary process for
security violations exists and is functioning.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Account number sharing
A. If available, review a sample of telemarketer scripts used
when making sales calls to determine whether the scripts indicate
that the telemarketers have the account numbers of the institution's
consumers (§12).
B. Obtain and review a sample of contracts with agents or service
providers to whom the financial institution discloses account
numbers for use in connection with marketing the institution's own
products or services. Determine whether the institution shares
account numbers with nonaffiliated third parties only to perform
marketing for the institution's own products and services. Ensure
that the contracts do not authorize these nonaffiliated third
parties to directly initiate charges to customers' accounts (§12(b)(1)).
C. Obtain a sample of materials and information provided to the
consumer upon entering a private label or affinity credit card
program. Determine if the participants in each program are
identified to the customer when the customer enters into the program
(§12(b)(2)).