Does Your Financial Institution need an
affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration
testing audits to ensure proper Internet security settings and to meet
the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB,
and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing is an affordable,
sophisticated process that goes far beyond simple port scanning. The
audit is conducted from a hacker's perspective, which will help you
identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
http://www.internetbankingaudits.com/.
Are you ready for your IT examination?
The Weekly IT Security Review
provides a checklist of the IT security issues covered in the
FFIEC IT Examination Handbook, which will prepare you for the IT
examination.
For more
information and to subscribe visit
http://www.yennik.com/it-review/.
FYI -
Employee-Attorney E-Mails Are Private - NJ Court Rules Company
Violated Privacy Laws by Reading E-Mails Between Employee, Attorney
- In a decision that could set new ground rules for Internet privacy
in the workplace, New Jersey's Supreme Court has ruled an employer
was wrong in retrieving e-mails between a former employee and her
attorney, even though they were sent from a company computer.
http://abcnews.go.com/Technology/wireStory?id=10248507
FYI -
Yahoo targeted in China cyber attacks - The Yahoo e-mail accounts of
foreign journalists based in China and Taiwan have been hacked,
according to a Beijing-based press association.
http://news.bbc.co.uk/2/hi/technology/8596410.stm
FYI -
Law to allow banks to recoup breach losses - A new Washington state
law set to go into effect July 1 will allow banks to recoup certain
data breach losses from negligent businesses.
http://www.scmagazineus.com/law-to-allow-banks-to-recoup-breach-losses/article/167367/?DCMP=EMC-SCUS_Newswire
FYI -
Cloud computing: Moving up - Are organizations ready to move their
most sensitive enterprise applications to the cloud? Dan Kaplan
investigates. It is no secret that today's most opportune hackers
consider web applications to be the preferred means to either load
malware onto end-user PCs or to plunder the potential gold mine that
are corporate databases.
http://www.scmagazineus.com/cloud-computing-moving-up/article/165827/?DCMP=EMC-SCUS_Newswire
FYI -
Boeing, U.S. Government Step Up Recruitment for 'Cyberwarriors' -
Kyle makes a convincing technical support representative. After just
a few phone calls, he's able to persuade the other party to download
malicious software.
http://www.bloomberg.com/apps/news?pid=20601100&sid=abmfWsuQyyk0
FYI -
New Independent Study Reveals Enterprises are Under-Investing in the
Protection of Corporate Secrets - Focus on Protecting
Compliance-related Data Needs to Expand to More Valuable
Intellectual Property.
http://www.rsa.com/go/press/RSATheSecurityDivisionofEMCNewsRelease_4510.html
FYI -
GAO applauds DHS critical infrastructure protection plan - An
updated plan from the U.S. Department of Homeland Security (DHS) for
protecting the nation's critical infrastructure facilities earned
high marks in a recent assessment by federal investigators for its
emphasis on risk management, according to a report released.
http://www.scmagazineus.com/gao-applauds-dhs-critical-infrastructure-protection-plan/article/167542/?DCMP=EMC-SCUS_Newswire
FYI -
Most organizations falling short on cloud security policies - The
vast majority of organizations fail to proactively safeguard
sensitive business information that is being stored in the cloud,
concluded a report released by the Ponemon Institute.
http://www.scmagazineus.com/most-organizations-falling-short-on-cloud-security-policies/article/167415/?DCMP=EMC-SCUS_Newswire
FYI -
Cloudy and a chance of threats - The term "cloud computing" puts
both giddiness and fear in the hearts of IT managers around the
world. Adopting cloud-based services gives organizations many
benefits, but it also opens them up to many risks and
vulnerabilities.
http://www.scmagazineus.com/cloudy-and-a-chance-of-threats/article/165837/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Barnet council discovers 9000 reasons to encrypt data - The personal
details of 9000 school pupils have been stolen from the home of a
council employee, Barnet council has announced.
http://www.infosecurity-magazine.com/view/8472/barnet-council-discovers-9000-reasons-to-encrypt-data/
FYI -
Miami-Dade inmates hack into strangers' phone lines - Miami-Dade
Corrections says it can do little about jail inmates who are racking
up tens of thousands of dollars in collect calls billed to the fax
lines of unwitting victims.
http://www.miamiherald.com/2010/03/28/1552713/miami-dade-inmates-collect-call.html
FYI -
'Cyber Attack' Aimed At Texas Electricity Provider - Local 2
Investigates has uncovered details about a so-called "cyber attack"
on one of Texas' largest electricity providers, KPRC Local 2
reported.
http://www.click2houston.com/news/23046216/detail.html
FYI -
Sensitive laptops stolen from California hospital system - Two
laptops containing sensitive patient information recently were
stolen from California-based hospital system John Muir Health.
http://www.scmagazineus.com/sensitive-laptops-stolen-from-california-hospital-system/article/167523/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
OCC - Threats from
Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance
for Web Site Spoofing Incidents (Part 3 of 5)
PROCEDURES TO ADDRESS SPOOFING - Information Gathering
After a bank has determined that it is the target of a spoofing
incident, it should collect available information about the attack
to enable an appropriate response. The information that is
collected will help the bank identify and shut down the fraudulent
Web site, determine whether customer information has been obtained,
and assist law enforcement authorities with any investigation.
Below is a list of useful information that a bank can collect. In
some cases, banks will require the assistance of information
technology specialists or their service providers to obtain this
information.
* The means by which the bank became aware that it was the target
of a spoofing incident (e.g., report received through Web site, fax,
telephone, etc.);
* Copies of any e-mails or documentation regarding other forms of
communication (e.g., telephone calls, faxes, etc.) that were used to
direct customers to the spoofed Web sites;
* Internet Protocol (IP) addresses for the spoofed Web sites along
with identification of the companies associated with the IP
addresses;
* Web-site addresses (uniform resource locators, URLs) and the
registration of the associated domain names for the spoofed site;
and
* The geographic locations of the IP address (city, state, and
country).
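Most of the items in the list above come straight out of the phishing e-mail a customer forwards: the message itself, the URLs that direct customers to the spoofed site, and the hostnames behind them. The following is an added example, not part of the OCC guidance or of the newsletter: it parses a constructed sample phish impersonating a hypothetical "first-example-bank.com", records every link that leads off to another host, flags the two classic spoofing signs (a link whose visible text names the bank while its href points elsewhere, and a hostname that merely contains the bank's domain as a prefix), and, only when asked, resolves each hostname to an IP address. The domain-registration and IP-owner/geolocation lookups the guidance also asks for are online WHOIS queries and are left to the analyst.

```python
"""
Added example (not part of the OCC guidance or the newsletter): pull the
spoofing-incident evidence items out of a customer-forwarded phishing
e-mail. The sample message and the bank domain are constructed for this
example; socket.gethostbyname() is only called when resolve=True because
it needs network access.
"""
import email
import socket
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a customer forwards a phish that impersonates the bank.
SAMPLE_EML = """\
From: "First Example Bank" <security@first-example-bank.com>
To: customer@example.net
Subject: Urgent: verify your online banking access
Received: from mail.first-example-bank.com ([203.0.113.45]) by mx.example.net
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been locked. Please sign in at
<a href="http://first-example-bank.com.secure-login.example/verify">
https://www.first-example-bank.com/verify</a> within 24 hours.</p>
<p>Or reply to <a href="mailto:support@first-example-bank.com">support</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs; a mismatch is a classic spoofing sign."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of the hostname. Adequate for evidence notes on generic
    TLDs; country-code second-level domains would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def collect_spoofing_evidence(raw_message, bank_domain, resolve=False):
    """Return the evidence record: sender, subject, Received chain, and one
    entry per http(s) link with the spoofed hostname and its indicators."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    parser = _LinkCollector()
    parser.feed(body)
    evidence = {
        "sender": msg["From"],
        "subject": msg["Subject"],
        "received": msg.get_all("Received") or [],
        "spoofed_sites": [],
    }
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, javascript:, etc. do not lead to a Web site
        host = parsed.hostname or ""
        site = {
            "url": href,
            "hostname": host,
            "domain": registrable_domain(host),
            # bank name embedded in a hostname registered under another domain
            "impersonates_bank": bank_domain in host and registrable_domain(host) != bank_domain,
            # visible link text names one host, the href goes to another
            "display_text_mismatch": text.startswith("http") and urlparse(text).hostname != host,
            "ip": None,
        }
        if resolve:  # online lookup; skipped by default so the example runs offline
            try:
                site["ip"] = socket.gethostbyname(host)
            except OSError:
                pass
        evidence["spoofed_sites"].append(site)
    return evidence


if __name__ == "__main__":
    import json
    print(json.dumps(collect_spoofing_evidence(SAMPLE_EML, "first-example-bank.com"), indent=2))
```

The Received headers are kept verbatim because the IP in the earliest one, together with the resolved address of the spoofed host, is what the hosting company and law enforcement will ask for; hand-copying them into a ticket is where transcription errors creep in.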
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Internet."
Product Certification and Security Scanning Products
Several organizations independently assess and certify the adequacy
of firewalls and other computer-system-related products. Typically,
certified products have been tested for their ability to permit and
sustain business functions while protecting against both common and
evolving attacks.
Security scanning tools should be run frequently by system
administrators to identify any new vulnerabilities or changes in the
system. Ideally, the scan should be run both with and without the
firewall in place so the firewall's protective capabilities can be
fully evaluated. Identifying the susceptibility of the system without
the firewall is useful for determining contingency procedures should
the firewall ever go down. In practice the "without the firewall" scan
is taken from a vantage point the firewall does not filter (an internal
segment or a test network), not by removing the production firewall.
Some scanning tools offer modes with varying degrees of intrusiveness,
from passive checks to active attack attempts; the more intrusive modes
should be scheduled with the system owners.
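The value of the two scans lies in the difference between them: every service that answers from the unfiltered vantage point but not from the Internet side is exactly what would be exposed if the firewall failed open, and belongs in the contingency plan. The following is an added example, not from the FDIC paper or the newsletter: it parses two nmap grepable-output (nmap -oG) reports, both constructed here for a hypothetical host, and prints what the firewall hides, what it permits, and anything seen only through the firewall (usually a NAT or scan artefact worth checking). Real inputs come from running nmap with -oG from each vantage point; the hostname, addresses and port list are assumptions.

```python
"""
Added example (not from the FDIC paper or the newsletter): diff two nmap -oG
scans of the same host, one taken through the firewall and one from a
segment the firewall does not filter. Both sample outputs are constructed.
Hosts are matched on the reverse-DNS name in parentheses because the
address differs between vantage points when the firewall performs NAT.
"""
import re
from typing import Dict, Set, Tuple

# Constructed nmap -oG output, scanned from the Internet side of the firewall ...
SCAN_WITH_FIREWALL = """\
# Nmap 7.94 scan initiated as: nmap -oG - -p- 198.51.100.10
Host: 198.51.100.10 (www.example-bank.test)\tStatus: Up
Host: 198.51.100.10 (www.example-bank.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65533)
"""

# ... and from an internal segment that the firewall does not filter.
SCAN_WITHOUT_FIREWALL = """\
# Nmap 7.94 scan initiated as: nmap -oG - -p- 10.10.0.10
Host: 10.10.0.10 (www.example-bank.test)\tStatus: Up
Host: 10.10.0.10 (www.example-bank.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 3306/open/tcp//mysql///\tIgnored State: closed (65530)
"""

# -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")

Service = Tuple[int, str, str]  # (port, protocol, service name)


def parse_grepable(text: str) -> Dict[str, Set[Service]]:
    """Map host name -> set of services nmap reported as open."""
    hosts: Dict[str, Set[Service]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        m = re.search(r"\(([^)]*)\)", line)
        name = m.group(1) if m and m.group(1) else line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = {
            (int(port), proto, svc)
            for port, state, proto, svc in PORT_RE.findall(ports_field)
            if state == "open"
        }
        hosts.setdefault(name, set()).update(open_ports)
    return hosts


def firewall_delta(with_fw: str, without_fw: str) -> Dict[str, Dict[str, list]]:
    """Per host: services the firewall hides, lets through, or that appear
    only from outside (a NAT target or scan artefact, to be investigated)."""
    outside = parse_grepable(with_fw)
    inside = parse_grepable(without_fw)
    report = {}
    for host in inside.keys() | outside.keys():
        seen_out = outside.get(host, set())
        seen_in = inside.get(host, set())
        report[host] = {
            "reachable_through_firewall": sorted(seen_out),
            "hidden_by_firewall": sorted(seen_in - seen_out),  # exposed if it fails open
            "only_seen_through_firewall": sorted(seen_out - seen_in),
        }
    return report


if __name__ == "__main__":
    for host, delta in firewall_delta(SCAN_WITH_FIREWALL, SCAN_WITHOUT_FIREWALL).items():
        print(host)
        for label, services in delta.items():
            print(f"  {label}: {[f'{p}/{proto} {svc}' for p, proto, svc in services]}")
```

Run both scans with the same port range and timing options, or the difference will include ports one scan never probed. The "hidden_by_firewall" list is the input to the contingency question the FDIC raises: for each of those services, decide in advance whether it is shut down, moved, or accepted as exposed while the firewall is being restored.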
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 1 of 6)
The regulations establish specific duties and limitations for a
financial institution based on its activities. Financial
institutions that intend to disclose nonpublic personal information
outside the exceptions will have to provide opt out rights to their
customers and to consumers who are not customers. All financial
institutions have an obligation to provide an initial and annual
notice of their privacy policies to their customers. All financial
institutions must abide by the regulatory limits on the disclosure
of account numbers to nonaffiliated third parties and on the
redisclosure and reuse of nonpublic personal information received
from nonaffiliated financial institutions.
A brief summary of financial institution duties and limitations
appears below. A more complete explanation of each appears in the
regulations.
Notice and Opt Out Duties to Consumers:
If a financial institution intends to disclose nonpublic
personal information about any of its consumers (whether or not they
are customers) to a nonaffiliated third party, and an exception does
not apply, then the financial institution must provide to the
consumer:
1) an initial notice of its privacy policies;
2) an opt out notice (including, among other things, a reasonable
means to opt out); and
3) a reasonable opportunity, before the financial institution
discloses the information to the nonaffiliated third party, to opt
out.
The financial institution may not disclose any nonpublic personal
information to nonaffiliated third parties except under the
enumerated exceptions unless these notices have been provided and
the consumer has not opted out. Additionally, the institution must
provide a revised notice before the financial institution begins to
share a new category of nonpublic personal information or shares
information with a new category of nonaffiliated third party in a
manner that was not described in the previous notice.
Note that a financial institution need not comply with the initial
and opt-out notice requirements for consumers who are not customers
if the institution limits disclosure of nonpublic personal
information to the exceptions.