R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 30, 2008

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit takes a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI -
The Federal Financial Institutions Examination Council released an updated Business Continuity Planning Booklet, which replaces the version issued in March 2003. The Business Continuity Planning Booklet is one of the 12 booklets that together make up the FFIEC IT Examination Handbook.
Press Release: www.occ.treas.gov/ftp/bulletin/2008-6.html
Press Release: www.ots.treas.gov/docs/7/778011.html
Press Release: www.ffiec.gov/press/pr031908.htm
Press Release: www.ncua.gov/news/press_releases/2008/MR08-0319.htm
Press Release: www.federalreserve.gov/boarddocs/srletters/2008/SR0803.htm

FYI - Password-stealing hackers infect thousands of Web pages - McAfee is warning of a widespread Web attack aimed at gamers that has infected more than 10,000 Web pages - Hackers looking to steal passwords used in popular online games have infected more than 10,000 Web pages in recent days. http://www.computerworld.com.au/index.php/id;257178610

FYI - Pacemakers Vulnerable To Hacking - Three medical schools demonstrate the wireless dangers that can disturb an implantable cardioverter defibrillator like the Medtronic Maximo DR. Implantable medical devices like pacemakers seem secure, buried within one's body, but a team of researchers has demonstrated that this is not the case.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206903321
http://www.scmagazineus.com/Pacemakers-vulnerable-to-attack/article/107961/?DCMP=EMC-SCUS_Newswire

FYI - Four UK men accused of AU$475m bank heist - Four British men -- including a man believed to be a lord -- have been accused of trying to steal around AU$475.47 million by hacking into a Japanese bank's computer system, the Serious Organised Crime Agency (SOCA) said over the weekend. http://www.zdnet.com.au/news/software/soa/Four-UK-men-accused-of-AU-475m-bank-heist/0,130061733,339286878,00.htm

FYI - Breach of Britney Spears patient data highlights health care security shortfalls - Reports this week that the UCLA Medical Center has moved to fire 13 employees and has suspended six others for unauthorized access to the confidential medical records of pop star Britney Spears are a sign that training and regulations may not be working in some hospitals, experts told SCMagazineUS.com. http://www.scmagazineus.com/Breach-of-Britney-Spears-patient-data-highlights-health-care-security-shortfalls/article/108141/?DCMP=EMC-SCUS_Newswire

FYI - Experts try to make sense of Hannaford data breach - As the dust settles from one of the largest data breaches since TJX, few fresh details emerged one day after Hannaford Bros. supermarket chain revealed that intruders stole some 4.2 million credit and debit card numbers from its computer systems. http://www.scmagazineus.com/Experts-try-to-make-sense-of-Hannaford-data-breach/article/108134/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Harvard grad students hit in computer intrusion - Approximately 10,000 may have been affected - Harvard University's Graduate School of Arts and Sciences (GSAS) is notifying about 10,000 people that their personal information may have been compromised as a result of a computer intrusion that was discovered in February. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9068221&intsrc=hm_list

FYI - Police suffer memory loss - A police memory stick containing confidential information about offenders known to the police has been found by a member of the public. http://www.thecomet.net/content/comet/news/story.aspx?brand=CMTOnline&category=News&tBrand=herts24&tCategory=newscomnew&itemid=WEED13%20Mar%202008%2010%3A22%3A10%3A867

FYI - HealthNow data goes missing as laptop vanishes - HealthNow members may be at risk - HealthNow New York has alerted 40,000 members in Western and Northeastern New York that they may be at risk for identity theft, after a former employee's laptop computer went missing with confidential information several months ago. http://www.buffalonews.com/145/story/296415.html

FYI - Breach Exposes 4.2M Credit, Debit Cards - East Coast Data Breach Exposes 4.2 Million Accounts, Causes 1,800 Known Cases of Fraud - A security breach at an East Coast supermarket chain exposed more than 4 million card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced.
http://biz.yahoo.com/ap/080317/retail_data_breach.html?.v=5
http://wbztv.com/local/retail.data.breach.2.678784.html



WEB SITE COMPLIANCE -
Disclosures/Notices (Part 1 of 2)

Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.


INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY STRATEGY (2 of 2)

Any particular approach should consider: (1) policies, standards, and procedures; (2) technology and architecture; (3) resource dedication; (4) training; and (5) testing.


For example, an institution's management may be assessing the proper strategic approach to intrusion detection for an Internet environment, with two potential approaches identified for evaluation. The first uses a combination of network and host intrusion detection sensors with a staffed monitoring center. The second consists of daily access log review. The former is judged much more capable of detecting an attack in time to minimize any damage to the institution and its data, albeit at a much greater cost. That added cost is entirely appropriate when customer data and institution processing capabilities are exposed to attack, as in an Internet banking environment. The latter may be appropriate when the primary risk is reputational damage, such as when the only asset being protected is an information-only Web site that is not connected to other financial institution systems.
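The program below is an illustration added to this newsletter, not material from the FFIEC booklet, of what the cheaper "daily access log review" alternative looks like in practice and what it gives up in detection time. It reads one constructed day of web-server access log lines (addresses, paths and timestamps are invented for the example), applies two review rules, and reports how long each event sat unnoticed before the next morning's review ran. The log format, the login path /ibank/login, the failure threshold and the two rules are assumptions for the demonstration; an institution would substitute its own.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
	"time"
)

// sampleLog is one constructed day of web-server access log in Apache common
// log format. Every address, path and timestamp is invented for this example.
const sampleLog = `10.0.0.5 - - [29/Mar/2008:02:14:01 -0600] "POST /ibank/login HTTP/1.1" 401 512
10.0.0.5 - - [29/Mar/2008:02:14:03 -0600] "POST /ibank/login HTTP/1.1" 401 512
10.0.0.5 - - [29/Mar/2008:02:14:05 -0600] "POST /ibank/login HTTP/1.1" 401 512
10.0.0.5 - - [29/Mar/2008:02:14:08 -0600] "POST /ibank/login HTTP/1.1" 401 512
10.0.0.5 - - [29/Mar/2008:02:14:11 -0600] "POST /ibank/login HTTP/1.1" 401 512
10.0.0.5 - - [29/Mar/2008:02:14:20 -0600] "POST /ibank/login HTTP/1.1" 200 2048
198.51.100.9 - - [29/Mar/2008:09:30:00 -0600] "GET /index.html HTTP/1.1" 200 8192
203.0.113.4 - - [29/Mar/2008:10:02:45 -0600] "POST /ibank/login HTTP/1.1" 401 512
203.0.113.4 - - [29/Mar/2008:10:03:10 -0600] "POST /ibank/login HTTP/1.1" 200 2048
192.0.2.77 - - [29/Mar/2008:14:07:33 -0600] "GET /ibank/statements?file=../../../../etc/passwd HTTP/1.1" 404 301
192.0.2.77 - - [29/Mar/2008:14:07:40 -0600] "GET /ibank/search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 1200`

// lineRe captures client address, timestamp, method, path and status.
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$`)

// suspiciousPath matches directory traversal and common SQL-injection markers,
// raw or URL-encoded. It is deliberately small; a real review would use a fuller list.
var suspiciousPath = regexp.MustCompile(`(?i)\.\./|%2e%2e|'|%27|union\s+select|%20or%20`)

type entry struct {
	ip, method, path string
	ts               time.Time
	status           int
}

type finding struct {
	IP, Rule, Detail string
	FirstSeen        time.Time
}

// parseLine returns ok=false for a line that does not fit the format, so one
// malformed line is skipped instead of aborting the whole review.
func parseLine(line string) (entry, bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return entry{}, false
	}
	ts, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
	if err != nil {
		return entry{}, false
	}
	status, _ := strconv.Atoi(m[5]) // \d{3} already guarantees digits
	return entry{ip: m[1], ts: ts, method: m[3], path: m[4], status: status}, true
}

// reviewLog is the batch "daily access log review" control. Two rules:
//  1. an address that accumulates failThreshold failed logins and then succeeds
//     (credential guessing that worked), and
//  2. any request whose path carries an attack marker.
func reviewLog(logText string, failThreshold int) []finding {
	var findings []finding
	fails := map[string]int{}
	firstFail := map[string]time.Time{}
	for _, line := range strings.Split(logText, "\n") {
		e, ok := parseLine(strings.TrimSpace(line))
		if !ok {
			continue
		}
		if suspiciousPath.MatchString(e.path) {
			findings = append(findings, finding{IP: e.ip, Rule: "attack-marker-in-path",
				Detail: e.method + " " + e.path, FirstSeen: e.ts})
		}
		if e.method != "POST" || e.path != "/ibank/login" {
			continue
		}
		switch {
		case e.status == 401:
			if fails[e.ip] == 0 {
				firstFail[e.ip] = e.ts
			}
			fails[e.ip]++
		case e.status == 200 && fails[e.ip] >= failThreshold:
			findings = append(findings, finding{IP: e.ip, Rule: "login-success-after-guessing",
				Detail: fmt.Sprintf("%d failures before success", fails[e.ip]), FirstSeen: firstFail[e.ip]})
			fails[e.ip] = 0
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].FirstSeen.Before(findings[j].FirstSeen) })
	return findings
}

// detectionLag is how long an event sat in the log before the review ran: the
// price the cheaper approach pays against sensors watched by a staffed center.
func detectionLag(f finding, reviewedAt time.Time) time.Duration {
	return reviewedAt.Sub(f.FirstSeen)
}

func main() {
	// The review runs the next morning, long after the overnight guessing run.
	reviewedAt := time.Date(2008, 3, 30, 6, 0, 0, 0, time.FixedZone("CST", -6*3600))
	for _, f := range reviewLog(sampleLog, 5) {
		fmt.Printf("%-13s %-29s first seen %s, noticed %v later: %s\n", f.IP, f.Rule,
			f.FirstSeen.Format("2006-01-02 15:04"), detectionLag(f, reviewedAt).Round(time.Minute), f.Detail)
	}
}
```

Run with "go run" on a single file. The overnight guessing run against 10.0.0.5 is reported correctly, but more than a day after the successful login, which is exactly the gap the booklet has in mind when it reserves this approach for systems where the main exposure is reputational. The single failed login from 203.0.113.4 stays below the threshold, so the rule does not flag ordinary mistyped passwords.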

Strategies should consider the layering of controls. Excessive reliance on a single control could create a false sense of confidence. For example, a financial institution that depends solely on a firewall can still be subject to numerous attack methodologies that exploit authorized network traffic. Financial institutions should design multiple layers of security controls and testing to establish several lines of defense between the attacker and the asset being attacked. To successfully attack the data, each layer must be penetrated. With each penetration, the probability of detecting the attacker increases.

Policies are the primary embodiment of strategy, guiding decisions made by users, administrators, and managers, and informing those individuals of their security responsibilities. Policies also specify the mechanisms through which responsibilities can be met, and provide guidance in acquiring, configuring, and auditing information systems. Key actions that contribute to the success of a security policy are:

1)  Implementing through ordinary means, such as system administration procedures and acceptable-use policies;

2)  Enforcing policy through security tools and sanctions;

3)  Delineating the areas of responsibility for users, administrators, and managers;

4)  Communicating in a clear, understandable manner to all concerned;

5)  Obtaining employee certification that they have read and understood the policy;

6)  Providing flexibility to address changes in the environment; and

7)  Conducting an annual review and approval by the board of directors.



IT SECURITY QUESTION: 
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication

10. Determine whether PKI (Public Key Infrastructure)-based authentication mechanisms

• Securely issue and update keys,

• Securely unlock the secret key,

• Provide for expiration of keys at an appropriate time period,

• Ensure the certificate is valid before acceptance,

• Update the list of revoked certificates at an appropriate frequency,

• Employ appropriate measures to protect private and root keys, and

• Appropriately log use of the root key.
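The following program is an illustration added to this newsletter, not part of the examination question or of any FFIEC material. It shows the relying-party side of the checks above (validity period, certificate validation before acceptance, a current revocation list, and a record of every use of the root key) using only the Go standard library's crypto/x509 package. It builds a throwaway root CA in memory, issues client certificates with bounded lifetimes, publishes a CRL, and then refuses a certificate that is expired, revoked, or presented when the CRL is past its nextUpdate. All names, serial numbers and lifetimes are made up, and the root key is held in memory only because this is a demonstration; a production root key belongs in an HSM or offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrStaleCRL = errors.New("CRL missing or past nextUpdate: refresh it rather than fail open")
var ErrRevoked = errors.New("certificate serial is listed on the CRL")

// demoPKI is a toy CA held in memory. A real root key lives in an HSM or offline;
// rootKeyUses stands in for the audit log that every use of it must leave.
type demoPKI struct {
	rootCert    *x509.Certificate
	rootKey     *ecdsa.PrivateKey
	roots       *x509.CertPool
	crl         *x509.RevocationList
	rootKeyUses []string
}

// sign issues tmpl under the root key (self-signed while no root exists yet).
// The subject's key pair is generated in-process only because this is a demo.
func (p *demoPKI) sign(tmpl *x509.Certificate) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	issuer, signer := p.rootCert, p.rootKey
	if issuer == nil {
		issuer, signer, p.rootKey = tmpl, key, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	p.rootKeyUses = append(p.rootKeyUses, "sign "+tmpl.Subject.CommonName)
	return x509.ParseCertificate(der)
}

func newDemoPKI(now time.Time) (*demoPKI, error) {
	p := &demoPKI{roots: x509.NewCertPool()}
	root, err := p.sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	})
	if err != nil {
		return nil, err
	}
	p.rootCert = root
	p.roots.AddCert(root)
	return p, nil
}

// issue signs a client-authentication certificate with a bounded lifetime.
func (p *demoPKI) issue(serial int64, cn string, now time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	return p.sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
}

// publishCRL signs a CRL listing the revoked certificates; nextUpdate bounds how
// stale a relying party's copy may get before it must be refreshed.
func (p *demoPKI) publishCRL(revoked []*x509.Certificate, now time.Time, validFor time.Duration) error {
	var entries []pkix.RevokedCertificate
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(now.Unix()), ThisUpdate: now, NextUpdate: now.Add(validFor),
		RevokedCertificates: entries,
	}, p.rootCert, p.rootKey)
	if err != nil {
		return err
	}
	p.rootKeyUses = append(p.rootKeyUses, "sign CRL")
	p.crl, err = x509.ParseRevocationList(der)
	return err
}

// acceptCertificate is the relying party's decision: the certificate must chain to
// the trusted root and be inside its validity period at now; the CRL must be present,
// correctly signed (checked before any field of it is trusted), not past nextUpdate,
// and must not list the serial. Any failure rejects.
func (p *demoPKI) acceptCertificate(cert *x509.Certificate, now time.Time) error {
	opts := x509.VerifyOptions{Roots: p.roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain or validity check failed: %w", err)
	}
	if p.crl == nil {
		return ErrStaleCRL
	}
	if err := p.crl.CheckSignatureFrom(p.rootCert); err != nil {
		return fmt.Errorf("CRL signature check failed: %w", err)
	}
	if now.After(p.crl.NextUpdate) {
		return ErrStaleCRL
	}
	for _, rc := range p.crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

// isExpired reports whether a rejection came from the validity-period check.
func isExpired(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.Expired
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup cannot legitimately fail in this demo
	}
	return v
}

// scenarioResults issues three constructed certificates, revokes one and returns
// the acceptance decision for each case.
func scenarioResults(now time.Time) (*demoPKI, map[string]error) {
	p := must(newDemoPKI(now))
	good := must(p.issue(100, "teller-workstation-01", now, 365*24*time.Hour))
	lost := must(p.issue(101, "lost-token-07", now, 365*24*time.Hour))
	short := must(p.issue(102, "contractor-vpn", now, 24*time.Hour))
	must(0, p.publishCRL([]*x509.Certificate{lost}, now, 7*24*time.Hour))
	return p, map[string]error{
		"valid":     p.acceptCertificate(good, now),
		"revoked":   p.acceptCertificate(lost, now),
		"expired":   p.acceptCertificate(short, now.Add(48*time.Hour)),
		"stale-crl": p.acceptCertificate(good, now.Add(8*24*time.Hour)),
	}
}

func main() {
	p, results := scenarioResults(time.Now().UTC())
	fmt.Println(results)
	fmt.Println("root key audit trail:", p.rootKeyUses)
}
```

Run with "go run" on a single file (Go 1.19 or later for ParseRevocationList). Two design points matter for the examination items: the relying party fails closed when no CRL is available or the one it holds is older than its nextUpdate, rather than accepting while it waits for a refresh, and the CRL's signature is verified before its nextUpdate or its entries are consulted, so an attacker cannot feed the verifier an unsigned list that simply omits a revoked serial.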



INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

21. Does the institution provide the consumer with the following information about the right to opt out:

a. all the categories of nonpublic personal information that the institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]

b. all the categories of nonaffiliated third parties to whom the information is disclosed; [§7(a)(2)(i)(A)]

c. that the consumer has the right to opt out of the disclosure of that information; [§7(a)(2)(i)(A)] and

d. the financial products or services that the consumer obtains to which the opt out direction would apply? [§7(a)(2)(i)(B)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated