Are you ready for your IT examination?
The Weekly IT Security Review
provides a checklist of the IT security issues covered in the
FFIEC IT Examination Handbook, which will prepare you for the IT
examination.
For more
information and to subscribe visit
http://www.yennik.com/it-review/.
FYI FOR BANKS - It has come to our attention that the Temporary
Liquidity Guarantee Program, if the bank opted in, requires that a
notice be posted on the bank's web site for noninterest-bearing
transaction accounts. Refer to
http://www.fdic.gov/regulations/laws/rules/2000-9200.html
Section 370.5(g)(5) for detailed information. Bank examiners are
citing institutions for not having the required notice on the web.
In addition, the examiners would like the notice linked from the home
page.
FYI -
UK Kicks off Program to Recruit Security Gurus - The U.K. is
planning to hold computer security exercises later this year to
spark interest in the field and address a shortage of professionals
in the country, a program modeled after one started in the U.S.
http://www.pcworld.com/businesscenter/article/195057/uk_kicks_off_program_to_recruit_security_gurus.html
FYI -
EU plans IP address snatch to battle cybercrime - Proposes new
anti-cybercrime body - An international cybercrime centre will be
able to revoke domain names and IP addresses under new proposals by
European governments.
http://www.theregister.co.uk/2010/04/27/eu_cybercrime/
FYI -
Journalist shield law may not halt iPhone probe - The criminal
investigation into Apple's errant iPhone prototype took a new twist
this week, when Gawker Media claimed that the warrant used by police
to search an editor's home was invalid.
http://news.cnet.com/8301-13579_3-20003539-37.html?tag=mncol;txt
FYI -
Health worker is first HIPAA privacy violator to get jail time - A
former UCLA Health System employee, apparently disgruntled over an
impending firing, has been sentenced to four months in federal
prison after pleading guilty in January to illegally snooping into
patient records, mainly those belonging to celebrities.
http://www.scmagazineus.com/health-worker-is-first-hipaa-privacy-violator-to-get-jail-time/article/168894/
FYI -
Hacked US Treasury websites serve visitors malware - Websites
operated by the US Treasury Department are redirecting visitors to
websites that attempt to install malware on their PCs, a security
researcher warned.
http://www.theregister.co.uk/2010/05/03/treasury_websites_attack/
FYI -
New China encryption rule could pose headaches for U.S. vendors -
Rule requires companies to share encryption codes with Chinese
authorities - Vendors of some technology products will soon face a
new hurdle when selling their products in China.
http://www.computerworld.com/s/article/9176138/New_China_encryption_rule_could_pose_headaches_for_U.S._vendors?taxonomyId=145
FYI -
US Air Force phishing test transforms into a problem - Sorry Airman
Supershaggy, "Transformers 3" is not coming to Andersen Air Force
Base. And by the way, you've been phished.
http://www.computerworld.com/s/article/9176155/US_Air_Force_phishing_test_transforms_into_a_problem
FYI -
Student found guilty of obstruction in Sarah Palin email trial - The
college student who used publicly available information to break in
to the Yahoo! Mail account of then-vice presidential candidate Sarah
Palin has been found guilty on two of the four charges filed against
him.
http://www.theregister.co.uk/2010/04/30/palin_jury_convicts/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
U.S. organizations face the highest data breach costs -
Organizations in the United States incurred the highest costs
associated with data breaches last year compared to businesses
located in other countries.
http://www.scmagazineus.com/us-organizations-face-the-highest-data-breach-costs/article/169160/
FYI -
IT contractor gets five years for $2M credit union theft - For the
second time this week, companies are getting a stark reminder of the
danger posed to enterprise networks and assets by insiders with
privileged access.
http://www.computerworld.com/s/article/9176154/IT_contractor_gets_five_years_for_2M_credit_union_theft?taxonomyId=82
FYI -
Kentucky psychiatric hospital loses sensitive flash drive - A flash
drive containing personal patient information recently went missing
from Our Lady of Peace, a 278-bed psychiatric hospital in
Louisville, Ky.
http://www.scmagazineus.com/kentucky-psychiatric-hospital-loses-sensitive-flash-drive/article/169352/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Guidance on Safeguarding
Customers Against E-Mail and Internet-Related Fraudulent Schemes
(Part 2 of 3)
Risks Associated With E-Mail and Internet-Related Fraudulent
Schemes
Internet-related fraudulent schemes present a substantial risk to
the reputation of any financial institution that is impersonated or
spoofed. Financial institution customers and potential customers may
mistakenly perceive that weak information security resulted in
security breaches that allowed someone to obtain confidential
information from the financial institution. Potential negative
publicity regarding an institution's business practices may cause a
decline in the institution's customer base, a loss in confidence or
costly litigation.
In addition, customers who fall prey to e-mail and Internet-related
fraudulent schemes face real and immediate risk. Criminals will
normally act quickly to gain unauthorized access to financial
accounts, commit identity theft, or engage in other illegal acts
before the victim realizes the fraud has occurred and takes action
to stop it.
Educating Financial Institution Customers About E-Mail and
Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating
customers about prevalent e-mail and Internet-related fraudulent
schemes, such as phishing, and how to avoid them. This may be
accomplished by providing customers with clear and bold statement
stuffers and posting notices on Web sites that convey the following
messages:
- A financial institution's Web page should never be accessed from
a link provided by a third party. It should only be accessed by
typing the Web site name, or URL address, into the Web browser or by
using a "bookmark" that directs the Web browser to the financial
institution's Web site.
- A financial institution should not be sending e-mail messages
that request confidential information, such as account numbers,
passwords, or PINs. Financial institution customers should be
reminded to report any such requests to the institution.
- Financial institutions should maintain current Web site
certificates and describe how the customer can authenticate the
institution's Web pages by checking the properties on a secure Web
page.
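The first message above (never follow a third-party link to the institution's site) rests on the fact that a link in an e-mail can display one address while pointing at another, and that a hostname can be dressed up to look like the institution's. The following is an added example, not part of the guidance or the newsletter; it assumes a hypothetical institution domain, bank.example, and a constructed phishing e-mail. It parses each anchor in the message and decides, from the real target of the link rather than its visible text, whether the link actually lands on the institution's own site over HTTPS.

```python
"""Decide whether a link really points at the institution's own site.

Added example (not from the original guidance). INSTITUTION_DOMAIN and
SAMPLE_PHISH are hypothetical / constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

INSTITUTION_DOMAIN = "bank.example"  # hypothetical stand-in for the real site


def link_targets_institution(url: str, domain: str = INSTITUTION_DOMAIN) -> bool:
    """True only if the link goes to the institution's domain (or a
    subdomain of it) over HTTPS.

    Each check defeats a common lookalike trick:
      - scheme must be https (a plain http: link can be rewritten in transit);
      - the host comes from the parsed netloc, so a 'user@' prefix such as
        https://bank.example@evil.test/ is not mistaken for the institution;
      - the comparison is on whole DNS labels, so bank.example.evil.test and
        notbank.example are rejected while www.bank.example is accepted.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if not host:
        return False
    host = host.rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_email_links(html: str, domain: str = INSTITUTION_DOMAIN):
    """Return [(href, visible_text, targets_institution)] for each anchor.

    The visible text is reported alongside the real target so a reviewer can
    see links whose text claims one site while the href points elsewhere.
    """
    parser = _LinkCollector()
    parser.feed(html)
    return [(href, text, link_targets_institution(href, domain))
            for href, text in parser.links]


# Constructed sample e-mail body (not a real message).
SAMPLE_PHISH = """
<p>Dear customer, please verify your account at
<a href="https://bank.example.evil.test/login">https://www.bank.example/login</a>
or visit <a href="http://bank.example/">our site</a>.</p>
<p>Genuine link: <a href="https://www.bank.example/">www.bank.example</a></p>
"""

if __name__ == "__main__":
    for href, text, ok in audit_email_links(SAMPLE_PHISH):
        print(f"{'OK  ' if ok else 'BAD '} text={text!r:<40} href={href}")
```

In the constructed message the first link's visible text is the institution's real address while its href lands on a subdomain of evil.test, and the second uses the right hostname over plain http; only the third passes. The function deliberately does not try to detect homoglyph or punycode lookalikes, which is exactly why the guidance tells customers to type the address or use a bookmark rather than rely on any inspection of the link.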
INFORMATION TECHNOLOGY SECURITY -
Over the next few weeks, we will cover the OCC
Bulletin about Infrastructure Threats and Intrusion Risks.
This bulletin provides guidance to financial institutions on how to
prevent, detect, and respond to intrusions into bank computer
systems. Intrusions can originate either inside or outside of the
bank and can result in a range of damaging outcomes, including the
theft of confidential information, unauthorized transfer of funds,
and damage to an institution's reputation.
The prevalence and risk of computer intrusions are increasing as
information systems become more connected and interdependent and as
banks make greater use of Internet banking services and other remote
access devices. Recent e-mail-based computer viruses and the
distributed denial of service attacks earlier this year revealed
that the security of all Internet-connected networks is
increasingly intertwined. The number of reported intrusion
incidents nearly tripled from 1998 to 1999, according to Carnegie
Mellon University's CERT/CC.
Management can reduce a bank's risk exposure by adopting and
regularly reviewing its risk assessment plan, risk mitigation
controls, intrusion response policies and procedures, and testing
processes. This bulletin provides guidance in each of these critical
areas and also highlights information-sharing mechanisms banks can
use to keep abreast of current attack techniques and potential
vulnerabilities.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties ( Part 5 of 6)
Limitations on Disclosure of Account Numbers:
A financial institution must not disclose an account number or
similar form of access number or access code for a credit card,
deposit, or transaction account to any nonaffiliated third party
(other than a consumer reporting agency) for use in telemarketing,
direct mail marketing, or other marketing through electronic mail to
the consumer.
The disclosure of encrypted account numbers without an accompanying
means of decryption, however, is not subject to this prohibition.
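The exemption for encrypted account numbers turns on the recipient having no way to recover the number. The following is an added example, not from the regulation or the newsletter, of one engineering pattern that fits that description: the institution keeps a secret key and hands the marketer only a keyed one-way token (HMAC) in place of the account number. Whether any particular scheme satisfies the regulation's wording is a legal determination this example does not make. The key, the customer records and the four-digit account numbers are constructed for the demonstration; the short numbers also show why an unkeyed hash is not a substitute for encryption.

```python
"""Replace account numbers with keyed tokens before sharing a marketing file.

Added example (not the regulation's text). INSTITUTION_KEY and CUSTOMERS are
constructed for the demo; real account numbers are longer, but the
brute-force point below holds for any low-entropy identifier.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Secret held only by the institution. Generated fresh here for the demo.
INSTITUTION_KEY = secrets.token_bytes(32)


def account_token(account_number: str, key: bytes = INSTITUTION_KEY) -> str:
    """Keyed one-way token. The same account always yields the same token,
    so the marketer can de-duplicate and report responses per customer,
    but without `key` the token cannot be inverted or re-derived."""
    return hmac.new(key, account_number.encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(account_number: str) -> str:
    """What NOT to ship: a plain hash. It looks opaque but is trivially
    reversible for identifiers drawn from a small space (see below)."""
    return hashlib.sha256(account_number.encode()).hexdigest()


def recover_by_brute_force(target: str, digits: int,
                           hasher: Callable[[str], str]) -> Optional[str]:
    """Model a recipient trying every `digits`-digit account number against a
    token. Succeeds against unkeyed_hash; fails against account_token
    because the recipient does not hold INSTITUTION_KEY."""
    for n in range(10 ** digits):
        candidate = str(n).zfill(digits)
        if hasher(candidate) == target:
            return candidate
    return None


# Constructed sample customer file (not real data).
CUSTOMERS = [
    {"account": "4821", "name": "A. Customer", "email": "a@example.net"},
    {"account": "0007", "name": "B. Customer", "email": "b@example.net"},
]


def marketing_extract(customers, key: bytes = INSTITUTION_KEY):
    """Records handed to a nonaffiliated marketer: the account number is
    replaced by its token and never leaves the institution."""
    return [{"token": account_token(c["account"], key),
             "name": c["name"], "email": c["email"]} for c in customers]


def resolve_token(token: str, customers, key: bytes = INSTITUTION_KEY) -> Optional[str]:
    """Institution side: map a token returned by the marketer back to the
    account using the key it kept. Constant-time compare avoids leaking
    match position through timing."""
    for c in customers:
        if hmac.compare_digest(account_token(c["account"], key), token):
            return c["account"]
    return None


if __name__ == "__main__":
    extract = marketing_extract(CUSTOMERS)
    print("shared with marketer:", extract)
    print("unkeyed hash recovered:",
          recover_by_brute_force(unkeyed_hash("4821"), 4, unkeyed_hash))
    print("keyed token recovered:",
          recover_by_brute_force(account_token("4821"), 4, unkeyed_hash))
```

Because the token is deterministic, it is a persistent identifier for the customer across everything derived with the same key; using a different key per campaign or per partner limits how far separate extracts can be linked together.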
The regulation also expressly allows disclosures by a financial
institution to its agent to market the institution's own products or
services (although the financial institution must not authorize the
agent to directly initiate charges to the customer's account). Also
not barred are disclosures to participants in private-label or
affinity card programs, where the participants are identified to the
customer when the customer enters the program.