Does Your Financial Institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI -
EU tells members to get ready for disaster - The EU is pushing the development of a strategy to protect Europe from cyber-attacks and disruptions. The guidelines - which amount to disaster recovery procedures for nations instead of individual corporate entities - are designed to cover incidents such as natural disasters, terrorist attacks, hackers, rupture of submarine telecom cables or hardware failure.
http://www.theregister.co.uk/2009/03/31/eu_cyberattack_strategy/
FYI -
Credit card data inadequately protected - The self-regulatory system credit card companies have created to protect consumer data sacrifices some consumer protections for the convenience of the credit card companies and their financial institution partners, retail representatives told Congress.
http://news.cnet.com/8301-13578_3-10208827-38.html?part=rss&subj=news&tag=2547-1_3-0-20
FYI -
Kaiser fires 15 workers for snooping in octuplet mom's medical records - Another eight hospital employees disciplined for improperly accessing Nadya Suleman's files - A Kaiser Permanente hospital located in a Los Angeles suburb has fired 15 employees and reprimanded eight others for improperly accessing the personal medical records of Nadya Suleman, the California woman who gave birth to octuplets in January.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9130827
FYI -
FTC site helps meeting "Red Flags Rule" - With the Federal Trade Commission (FTC) promising to begin enforcing the "Red Flags Rules" on May 1, the FTC launched on Thursday a website aimed at helping entities adhere to the requirements.
http://www.scmagazineus.com/FTC-site-helps-meeting-Red-Flags-Rule/article/130084/?DCMP=EMC-SCUS_Newswire
FYI -
Financial crisis fuels identity theft fears - Most Americans believe the world financial crisis has increased their risk of identity theft or related crimes, according to the latest Unisys Security Index.
http://www.scmagazineus.com/Survey-Financial-crisis-fuels-identity-theft-fears/article/130205/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Some UltraDNS customers knocked offline by attack - NeuStar confirmed that some of its UltraDNS managed DNS service customers were knocked offline for several hours Tuesday morning by a distributed denial of service attack.
http://www.networkworld.com/news/2009/033109-ultradns-service-attacked.html
FYI -
Stolen laptop contains pupils' data - A computer containing information about thousands of school children has been stolen from education headquarters. Burglars targeted Progress House, the main offices of Wigan Council's Children and Young People's Services, and took several laptop computers.
http://www.leighjournal.co.uk/news/4255670.Stolen_laptop_contains_pupils__data/
FYI -
Security breach under scrutiny at the Clark County auditor's office - Law enforcement has not been contacted - Concerns over applications installed on a computer in the Clark County auditor's office have prompted an internal investigation, but law enforcement officials have not been asked to get involved.
http://www.newsandtribune.com/clarkcounty/local_story_094202804.html
FYI -
6,000 UW workers' personal information at risk - About 6,000 University of Washington employees were notified this week that their names and Social Security numbers were on a computer system that was hacked.
http://seattletimes.nwsource.com/html/localnews/2008958501_uwdata01m.html
FYI -
Paul McCartney's website hacked to distribute malware - The official website for former Beatle Paul McCartney was compromised to infect users through drive-by downloads.
http://www.scmagazineus.com/Paul-McCartneys-website-hacked-to-distribute-malware/article/130330/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit investment products on-line should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Outsourced Development
Many financial institutions outsource software development to third parties. Numerous vendor management issues exist when outsourcing software development. The vendor management program established by management should address the following:
- Verifying credentials and contracting only with reputable providers;
- Evaluating the provider's secure development environment, including background checks on its employees and code development and testing processes;
- Obtaining fidelity coverage;
- Requiring signed nondisclosure agreements to protect the financial institution's rights to source code and customer data as appropriate;
- Establishing security requirements, acceptance criteria, and test plans;
- Reviewing and testing source code for security vulnerabilities, including covert channels or backdoors that might obscure unauthorized access into the system;
- Restricting any vendor access to production source code and systems and monitoring their access to development systems; and
- Performing security tests to verify that the security requirements are met before implementing the software in production.
IT SECURITY QUESTION:
G. APPLICATION SECURITY
3. Determine if appropriate message authentication takes place.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Initial Privacy Notice
3) Does the institution provide to existing customers, who obtain a new financial product or service, an initial privacy notice that covers the customer's new financial product or service, if the most recent notice provided to the customer was not accurate with respect to the new financial product or service? [§4(d)(1)]