Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI -
Federal Reserve Banks Announce Restructuring Schedule
Changes As Electronic Check Processing Continues to Accelerate - The
Federal Reserve Banks today announced modifications to the schedule
for previously announced check processing infrastructure changes as
consumers and businesses continue the shift from using paper checks
toward electronic payments and as financial institutions rapidly
adopt electronic check processing.
www.federalreserve.gov/newsevents/press/other/20080331a.htm
FYI -
Agency Announces Settlement of Separate Actions Against Retailer
TJX, and Data Brokers Reed Elsevier and Seisint for Failing to
Provide Adequate Security for Consumers' Data - The settlements will
require that the companies implement comprehensive information
security programs and obtain audits by independent third-party
security professionals every other year for 20 years.
http://www.ftc.gov/opa/2008/03/datasec.shtm
FYI -
Malware to blame in supermarket data breach - It turns out malware
somehow found its way onto a Maine-based supermarket chain's
servers, which led to the security breach announced earlier this
month compromising up to 4.2 million credit cards.
http://www.news.com/8301-10784_3-9905991-7.html?tag=nefd.top
http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9073138
FYI -
Supermarket Breach Calls PCI Compliance Into Question - Hannaford
Bros. exposed millions of credit and debit card numbers. The latest
exposure of millions of credit and debit card numbers by Hannaford
Bros., a grocery chain with 271 locations in New England and
Florida, raises new questions about the value of the credit card
industry's controversial security rules, known as PCI.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206904986
FYI -
Hackers may have accessed Sony PlayStation network - Some users of
the Sony PlayStation network may have had their passwords changed
and personal information exposed through unauthorized access, the
gaming platform provider has disclosed.
http://www.scmagazineus.com/Hackers-may-have-accessed-Sony-PlayStation-network/article/108394/?DCMP=EMC-SCUS_Newswire
FYI -
Consumer files lawsuit against LifeLock - An Arizona man filed a
proposed class-action lawsuit against LifeLock, a Tempe-based
company that claims to protect customers against identity theft.
http://www.scmagazineus.com/Consumer-files-lawsuit-against-LifeLock/article/108443/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
CVs illegally downloaded in Jobs.ie security breach - A security
breach occurred on job-seekers site Jobs.ie late on Thursday 27
March, when what the company described as a 'small number' of CVs
were illegally downloaded by a third-party that hacked the site and
gained access to the database.
http://www.siliconrepublic.com/news/news.nv?storyid=single10628
FYI -
Computer Breach Hits Antioch University - A computer system at
Antioch University that contained personal information on about
70,000 people was breached by an unauthorized intruder three times
last year, the school said.
http://www.washingtonpost.com/wp-dyn/content/article/2008/03/28/AR2008032802398_pf.html
WEB SITE COMPLIANCE -
Expedited Funds Availability Act
(Regulation CC)
Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on fund availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies requirements for providing certain written notices or disclosures to customers via electronic means. Specifically, the commentary to the regulations states that a financial institution satisfies both the written exception hold notice requirement and the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (2 of 5)
System devices, programs, and data are system resources. Each system resource may need to be accessed by other system resources and individuals in order for work to be performed. Access beyond the minimum required for work to be performed exposes the institution's systems and information to a loss of confidentiality, integrity, and availability. Accordingly, the goal of access rights administration is to identify and restrict access to any particular system resource to the minimum required for work to be performed. The financial institution's security policy should address access rights to system resources and how those rights are to be administered.
Management and information system administrators should critically evaluate information system access privileges and establish access controls to prevent unwarranted access. Access rights should be based upon the needs of the applicable user or system resource to carry out legitimate and approved activities on the financial institution's information systems. Policies, procedures, and criteria need to be established for both the granting of appropriate access rights and for the purpose of establishing those legitimate activities. Formal access rights administration for users consists of four processes:
- An enrollment process to add new users to the system;
- An authorization process to add, delete, or modify authorized user access to operating systems, applications, directories, files, and specific types of information;
- An authentication process to identify the user during subsequent activities; and
- A monitoring process to oversee and manage the access rights granted to each user on the system.
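The four processes above, as an added worked example in Python (this is illustration added here, not code from the FFIEC booklet or any vendor product): a small access-rights registry in which enrollment creates an identity with no rights at all, authorization grants rights only within a management-approved per-role ceiling, authentication verifies a salted password hash before each session, and a monitoring review reconciles what each account actually holds against that ceiling. The roles, rights, user names and the ROLE_BASELINE table are constructed sample data.

```python
"""Minimal model of the four access-rights administration processes:
enrollment, authorization, authentication and monitoring.
Added illustration; every role, right and user below is constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Management-approved ceiling of rights per role (hypothetical sample data).
ROLE_BASELINE = {
    "teller": {"core:read", "core:post_deposit"},
    "lender": {"core:read", "loans:read", "loans:originate"},
    "admin":  {"core:read", "os:shell", "dir:modify_users"},
}


@dataclass
class User:
    uid: str
    role: str
    salt: bytes
    pw_hash: bytes
    rights: set = field(default_factory=set)  # empty until explicitly authorized
    enabled: bool = True


class AccessRegistry:
    """Runs all four processes and keeps the trail the monitoring step relies on."""

    def __init__(self):
        self.users = {}
        self.trail = []  # (event, uid, detail) records

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    # 1. Enrollment: create the identity; it starts with no rights.
    def enroll(self, uid, role, password):
        if role not in ROLE_BASELINE:
            raise ValueError(f"unknown role {role!r}")
        if uid in self.users:
            raise ValueError(f"{uid} already enrolled")
        salt = os.urandom(16)
        self.users[uid] = User(uid, role, salt, self._hash(password, salt))
        self.trail.append(("enroll", uid, role))

    # 2. Authorization: add or remove a right, never beyond the role's ceiling.
    def grant(self, uid, right, approver):
        user = self.users[uid]
        if right not in ROLE_BASELINE[user.role]:
            self.trail.append(("grant_refused", uid, f"{right} requested by {approver}"))
            raise PermissionError(f"{right} is not approved for role {user.role}")
        user.rights.add(right)
        self.trail.append(("grant", uid, f"{right} approved by {approver}"))

    def revoke(self, uid, right, approver):
        self.users[uid].rights.discard(right)
        self.trail.append(("revoke", uid, f"{right} by {approver}"))

    def transfer(self, uid, new_role, approver):
        """A role change drops every old right so nothing accumulates across jobs."""
        user = self.users[uid]
        self.trail.append(("transfer", uid, f"{user.role}->{new_role} by {approver}"))
        user.role, user.rights = new_role, set()

    # 3. Authentication: identify the user before each session.
    def authenticate(self, uid, password):
        user = self.users.get(uid)
        if user is None or not user.enabled:
            self.trail.append(("auth_fail", uid, "unknown or disabled account"))
            return False
        ok = hmac.compare_digest(self._hash(password, user.salt), user.pw_hash)
        self.trail.append(("auth_ok" if ok else "auth_fail", uid, ""))
        return ok

    def is_allowed(self, uid, right):
        user = self.users.get(uid)
        return bool(user and user.enabled and right in user.rights)

    # 4. Monitoring: reconcile what each account holds against the approved
    # ceiling; anything outside it was granted outside the authorization process.
    def review(self):
        findings = []
        for user in self.users.values():
            excess = user.rights - ROLE_BASELINE.get(user.role, set())
            if excess:
                findings.append((user.uid, sorted(excess)))
        return findings


if __name__ == "__main__":
    reg = AccessRegistry()
    reg.enroll("alice", "teller", "correct horse")
    reg.grant("alice", "core:read", "branch-mgr")
    reg.users["alice"].rights.add("os:shell")  # simulated out-of-band edit
    print(reg.review())  # the review flags the right nobody authorized
```

The review step is what catches the case the authorization path cannot: a right added outside the process (simulated here by editing the user's rights directly, as a direct edit on a host or database would). The transfer method resets rights on a role change so that privileges do not accumulate as staff move between jobs, which is the usual way accounts drift past the minimum.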
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Authentication
12. Determine whether appropriate device and session authentication takes place, particularly for remote and wireless machines.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
23. If the institution delivers the opt out notice after the initial notice, does the institution provide the initial notice once again with the opt out notice? [§7(c)]
24. Does the institution provide an opt out notice, explaining how the institution will treat opt out directions by the joint consumers, to at least one party in a joint consumer relationship? [§7(d)(1)]