FYI - This week I am attending the ISACA North America Computer Audit, Control and Security (CACS) Conference being held in Las Vegas, Nevada.  If you are attending the conference, I look forward to seeing you.  If you are not able to attend this conference, you may want to attend the ISACA Network Security Conference being held September 8-10, 2008 in Las Vegas, Nevada - http://www.isaca.org/Template.cfm?Section=Network_Security_Conference&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=14&ContentID=8493.

FYI - Black Hat SEO, part two: SEOwN3d!!1 - As search engine optimizers played fast and loose, a reaction from the search engine companies became inevitable. Now SEOs are forced to choose hats: black or white. (Part two in a series.) http://www.csoonline.com/article/print/205701

FYI - The New E-spionage Threat - A BusinessWeek probe of rising attacks on America's most sensitive computer networks uncovers startling security gaps. http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm

FYI - Call centre crook helped steal £33,000 - A CALL centre worker has been jailed for helping to siphon £33,500 from customers' accounts through his job at a Royal Bank of Scotland contact centre. http://www.manchestereveningnews.co.uk/news/s/1045113_call_centre_crook_helped_steal_33000

FYI - 50 000 patients' IDs sold - A man who worked in the admissions department at a prestigious Manhattan hospital has been charged with stealing and selling information on nearly 50 000 patients. http://www.news24.com/News24/World/News/0,,2-10-1462_2304983,00.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - WellPoint patient information exposed - Personal information, possibly including Social Security numbers and medical and pharmaceutical records, was exposed through a data breach at WellPoint, a large health benefits company. http://www.scmagazineus.com/WellPoint-patient-information-exposed/article/108840/

FYI - Insurance records of 71,000 Ga. families made public - Private records of up to 71,000 Georgia families who are members of health insurance programs for the poor or working poor were accidentally made available on the Internet for several days, and some of the data may have been viewed by unauthorized people, Tampa-based WellCare Health Plans Inc. said. http://www.ajc.com/metro/content/metro/stories/2008/04/08/breach_0409.html

FYI - More school computers hacked - Williamsville warns staff about data theft - Several current and former Williamsville North High School students are believed to have broken into the school district's computer system last month and copied secure files that included the personal information and Social Security numbers of school employees, authorities say. http://www.buffalonews.com/home/story/321395.html

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs.  (2of 12)

The Importance of an Incident Response Program

A bank's ability to respond to security incidents in a planned and coordinated fashion is important to the success of its information security program. While IRPs are important for many reasons, three are highlighted in this article.

First, though incident prevention is important, focusing solely on prevention may not be enough to insulate a bank from the effects of a security breach. Despite the industry's efforts at identifying and correcting security vulnerabilities, every bank is susceptible to weaknesses such as improperly configured systems, software vulnerabilities, and zero-day exploits.  Compounding the problem is the difficulty an organization experiences in sustaining a "fully secured" posture. Over the long term, a large amount of resources (time, money, personnel, and expertise) is needed to maintain security commensurate with all potential vulnerabilities. Inevitably, an organization faces a point of diminishing returns whereby the extra resources applied to incident prevention bring a lesser amount of security value. Even the best information security program may not identify every vulnerability and prevent every incident, so banks are best served by incorporating formal incident response planning to complement strong prevention measures. In the event management's efforts do not prevent all security incidents (for whatever reason), IRPs are necessary to reduce the sustained damage to the bank.

Second, regulatory agencies have recognized the value of IRPs and have mandated that certain incident response requirements be included in a bank's information security program. In March 2001, the FDIC, the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the Board of Governors of the Federal Reserve System (FRB) (collectively, the Federal bank regulatory agencies) jointly issued guidelines establishing standards for safeguarding customer information, as required by the Gramm-Leach-Bliley Act of 1999.  These standards require banks to adopt response programs as a security measure. In April 2005, the Federal bank regulatory agencies issued interpretive guidance regarding response programs.  This additional guidance describes IRPs and prescribes standard procedures that should be included in IRPs. In addition to Federal regulation in this area, at least 32 states have passed laws requiring that individuals be notified of a breach in the security of computerized personal information.  Therefore, the increased regulatory attention devoted to incident response has made the development of IRPs a legal necessity.

Finally, IRPs are in the best interests of the bank. A well-developed IRP that is integrated into an overall information security program strengthens the institution in a variety of ways. Perhaps most important, IRPs help the bank contain the damage resulting from a security breach and lessen its downstream effect. Timely and decisive action can also limit the harm to the bank's reputation, reduce negative publicity, and help the bank identify and remedy the underlying causes of the security incident so that mistakes are not destined to be repeated.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

Access Rights Administration (4 of 5)

The access rights process programs the system to allow the users only the access rights they were granted. Since access rights do not automatically expire or update, periodic updating and review of access rights on the system is necessary. Updating should occur when an individual's business needs for system use changes. Many job changes can result in an expansion or reduction of access rights. Job events that would trigger a removal of access rights include transfers, resignations, and terminations. Institutions should take particular care to remove promptly the access rights for users who have remote access privileges, and those who administer the institution's systems.

Because updating may not always be accurate, periodic review of user accounts is a good control to test whether the access right removal processes are functioning, and whether users exist who should have their rights rescinded or reduced. Financial institutions should review access rights on a schedule commensurate with risk.

Access rights to new software and hardware present a unique problem. Typically, hardware and software are installed with default users, with at least one default user having full access rights. Easily obtainable lists of popular software exist that identify the default users and passwords, enabling anyone with access to the system to obtain the default user's access. Default user accounts should either be disabled, or the authentication to the account should be changed.  Additionally, access to these default accounts should be monitored more closely than other accounts.

Sometimes software installs with a default account that allows anonymous access. Anonymous access is appropriate, for instance, where the general public accesses an informational web server. Systems that allow access to or store sensitive information, including customer information, should be protected against anonymous access.

Return to the top of the newsletter

IT SECURITY QUESTION:  B. NETWORK SECURITY

1.  Evaluate the adequacy and accuracy of the network architecture.

a)  Obtain a schematic overview of the financial institution's network architecture.

b)  Review procedures for maintaining current information, including inventory reporting of how new hardware are added and old hardware is removed.

c)  Review audit and security reports that assess the accuracy of network architectureschematics and identify unreported systems.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

27. If each joint consumer may opt out separately, does the institution permit:

a. one joint consumer to opt out on behalf of all of the joint consumers; [§7(d)(3)]

b. the joint consumers to notify the institution in a single response; [§7(d)(5)] and

c. each joint consumer to opt out either for himself or herself, and/or for another joint consumer? [§7(d)(5)]