R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 4, 2008

CONTENTS
- Internet Compliance
- Information Systems Security
- IT Security Question
- Internet Privacy
- Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - I am back in the office.  This past week I attended the ISACA North America Computer Audit, Control and Security Conference.  It was good seeing old friends and meeting new ones. 

FYI - Mobile banking gaining traction among younger customers - Most Americans are still hesitant about banking with their cell phones and PDAs, but young people are increasingly coming around to the idea of mobile banking, according to a new survey. http://apnews.myway.com/article/20080421/D906GEH00.html

FYI - Stung by hackers, grocer encrypts customer data - The supermarket chain Hannaford Bros. Co. has spent millions of dollars on additional security measures since last month's revelation that hackers may have accessed up to 4.2 million credit and debit card numbers, it said. http://www.boston.com/business/articles/2008/04/23/stung_by_hackers_grocer_encrypts_customer_data/

FYI - GAO - Federal Agencies Face Challenges in Managing E-Mail.
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-08-699T
Highlights - http://www.gao.gov/highlights/d08699thigh.pdf

FYI - NIST seeks comments on revision of risk management framework - The National Institute of Standards and Technology has released a second draft of Special Publication 800-39, titled "Managing Risk from Information Systems: An Organizational Perspective," for public comment. http://www.gcn.com/online/vol1_no1/46131-1.html?topic=security&CMP=OTC-RSS

FYI - A new study conducted by the Ponemon Institute shows that consumers are dissatisfied with the notification process used by companies following a data breach affecting their personal information. Sponsored by ID Experts, the Consumer's Report Card on Data Breach Notification revealed 63 percent of survey respondents said notification letters they received offered no direction on the steps the consumer should take to protect their personal information. http://www.marketwire.com/mw/release.do?id=844160

FYI - Pirates of the web - Employers must face the fact that much of this shopping takes place from the office. Two years ago, BusinessWeek reported that 58 percent of people do most of their online shopping at work, and I'm sure not much has changed since then. At the same time online retailers celebrate, so do online criminals. http://www.scmagazineus.com/Pirates-of-the-web/article/109190/?DCMP=EMC-SCUS_Newswire

FYI - Security Manager's Journal: Enough of being the bad guy - Security issues have a higher profile than they did a few short years ago, but too often, security managers still end up looking like the bad guy when they delay a project's go-live date. http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=316095

FYI - The legal implications of the PCI data security standard - While starting off as "just" an information security standard, the Payment Card Industry Data Security Standard, v. 1.1 ("PCI" or "PCI Standard") now presents serious legal challenges and risk for retailers. The PCI framework currently operates like a law without courts or regulators. http://www.scmagazineus.com/The-legal-implications-of-the-PCI-data-security-standard/article/109235/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - University of Miami admits to stolen medical records - The University of Miami disclosed on Friday that one of its storage vendors lost a number of back-up tapes containing the personal information of more than two million patients. http://www.scmagazineus.com/University-of-Miami-admits-to-stolen-medical-records/article/109195/?DCMP=EMC-SCUS_Newswire

FYI - Health data missing - HealthAlliance computer lost - The healthcare system Central New England HealthAlliance has sent letters to 384 patients notifying them that their personal information, including Social Security numbers and health insurance information, may be vulnerable because a hand-held computer used by a home health nurse is missing. http://www.telegram.com/article/20080419/NEWS/804190436/1116

FYI - The 10,000 web sites infection mystery solved - Back in January there were multiple reports about a large number of web sites being compromised and serving malware.
http://isc.sans.org/diary.html?storyid=4294
http://www.theregister.co.uk/2008/04/16/mystery_web_compromise_unpicked/

FYI - Coding error exposes sex offender personal data - A software security researcher has exploited a flaw in the sex offender registry webpage operated by the Oklahoma Department of Corrections. http://www.scmagazineus.com/Coding-error-exposes-sex-offender-personal-data/article/109109/

FYI - Grandmother robbed by card conmen - Margaret Anderson had £1,000 taken from her account - A grandmother has told how she cried when she found her bank account had been stripped bare when she tried to take out money at an Edinburgh ATM. http://news.bbc.co.uk/2/hi/uk_news/scotland/edinburgh_and_east/7359067.stm

FYI - Data theft involving 10,000 bank records - Sensitive information regarding 10,000 Bank of Ireland customers has been stolen. The Data Protection Commissioner, Billy Hawkes, has told RTÉ News he is investigating the disappearance of four laptops. http://www.rte.ie/news/2008/0421/data.html


WEB SITE COMPLIANCE - We continue the series on the FDIC Supervisory Insights article on Incident Response Programs.  (3 of 12)

Elements of an Incident Response Program

Although the specific content of an IRP will differ among financial institutions, each IRP should revolve around the minimum procedural requirements prescribed by the Federal bank regulatory agencies. Beyond this fundamental content, however, strong financial institution management teams also incorporate industry best practices to further refine and enhance their IRP. In general, the overall comprehensiveness of an IRP should be commensurate with an institution's administrative, technical, and organizational complexity.


Minimum Requirements


The minimum required procedures addressed in the April 2005 interpretive guidance can be categorized into two broad areas: "reaction" and "notification." In general, reaction procedures are the initial actions taken once a compromise has been identified. Notification procedures are relatively straightforward and involve communicating the details or events of the incident to interested parties; however, they may also involve some reporting requirements.  The following lists the minimum required procedures of an IRP as discussed in the April 2005 interpretive guidance.

Develop reaction procedures for:

1) assessing security incidents that have occurred;
2) identifying the customer information and information systems that have been accessed or misused; and
3) containing and controlling the security incident.

Establish notification procedures for:

1) the institution's primary Federal regulator;
2) appropriate law enforcement agencies (and filing Suspicious Activity Reports [SARs], if necessary); and
3) affected customers.


 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.


SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

Access Rights Administration (5 of 5)

The access rights process also constrains user activities through an acceptable-use policy (AUP). Users who can access internal systems typically are required to agree to an AUP before using a system. An AUP details the permitted system uses and user activities and the consequences of noncompliance. AUPs can be created for all categories of system users, from internal programmers to customers. An AUP is a key control for user awareness and administrative policing of system activities. Examples of AUP elements for internal network and stand-alone users include:

- The specific access devices that can be used to access the network;
- Hardware and software changes the user can make to their access device;
- The purpose and scope of network activity;
- Network services that can be used, and those that cannot be used;
- Information that is allowable and not allowable for transmission using each allowable service;
- Bans on attempting to break into accounts, crack passwords, or disrupt service;
- Responsibilities for secure operation; and
- Consequences of noncompliance.

Depending on the risk associated with the access, authorized internal users should generally receive a copy of the policy and appropriate training, and signify their understanding and agreement with the policy before management grants access to the system.

Customers may be provided with a Web site disclosure as their AUP. Based on the nature of the Web site, the financial institution may require customers to demonstrate knowledge of and agreement to abide by the terms of the AUP. That evidence can be paper based or electronic.

Authorized users may seek to extend their activities beyond what is allowed in the AUP, and unauthorized users may seek to gain access to the system and move within the system. Network security controls provide the protection necessary to guard against those threats.



IT SECURITY QUESTION: B. NETWORK SECURITY

2.  Evaluate controls that are in place to install new or change existing network infrastructure and to prevent unauthorized connections to the financial institution's network.

- Review network architecture policies and procedures to establish new, or change existing, network connections and equipment.
- Identify controls used to prevent unauthorized deployment of network connections and equipment.
- Review the effectiveness and timeliness of controls used to prevent and report unauthorized network connections and equipment.


INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

28. Does the institution refrain from requiring all joint consumers to opt out before implementing any opt out direction with respect to the joint account? [§7(d)(4)]

29. Does the institution comply with a consumer's direction to opt out as soon as is reasonably practicable after receiving it? [§7(e)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated