FYI - GAO - Information
on Selected Issues Concerning Banking Activities.
http://www.gao.gov/cgi-bin/getrpt?GAO-07-593R
FYI - After myriad data
breaches, feds to cut use of Social Security numbers - Amid an
avalanche of federal data breaches, agencies have been ordered to
eliminate the unnecessary collection of personal information,
including Social Security numbers.
http://www.scmagazine.com/us/news/article/659814/after-myriad-data-breaches-feds-cut-use-social-security-numbers/
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf
FYI - FBI network
security still poor - The FBI has failed to fully implement its IT
security program and as a result its critical networks for
exchanging law enforcement information remain vulnerable to misuse
or interruption, the Government Accountability Office said in a
report issued today.
http://www.gcn.com/online/vol1_no1/44340-1.html?topic=security&CMP=OTC-RSS
FYI - Security slips
down IT department priorities - Goldman Sachs survey says spending
will focus on server consolidation - IT executives in the next 12
months will be focusing their budgets on projects such as server
consolidation and network upgrades, as previously high priorities
such as security, risk management and compliance fall off their Top
10 lists.
http://www.computerworlduk.com/management/it-business/it-department/news/index.cfm?RSS&newsid=3100
MISSING COMPUTERS/DATA
FYI - Unpatched Symantec
flaw leads to U. of Colorado breach - Names and Social Security
numbers of 45,000 at risk - An unpatched flaw in a Symantec Corp.
anti-virus management console resulted in the compromise of a server
containing the names and Social Security numbers of nearly 45,000
students at the University of Colorado at Boulder.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9021059&source=rss_topic17
FYI - DOT Security
Breach Affects 25,000 Employees - A computer server holding the
names and Social Security numbers of about 25,000 North Carolina
Department of Transportation employees, contractors and other state
employees had a security breach, officials announced.
http://www.wral.com/news/local/story/1446009/
WEB SITE COMPLIANCE -
Expedited Funds Availability Act
(Regulation CC)
Generally, the rules pertaining to the duty of an institution to
make deposited funds available for withdrawal apply in the
electronic financial services environment. This includes rules on
fund availability schedules, disclosure of policy, and payment of
interest. Recently, the FRB published a commentary that clarifies
requirements for providing certain written notices or disclosures to
customers via electronic means. Specifically, the commentary to the
regulations states that a financial institution satisfies both the
written exception hold notice requirement and the general disclosure
requirement by sending an electronic version that displays the text
and is in a form that the customer may keep.
However, the customer must agree to such means of delivery of
notices and disclosures. Information is considered to be in a form
that the customer may keep if, for example, it can be downloaded or
printed by the customer. To reduce compliance risk, financial
institutions should test their programs' ability to provide
disclosures in a form that can be downloaded or printed.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING - KEY FACTORS
Management is responsible for considering the following key factors
in developing and implementing independent diagnostic tests:
Personnel. Technical testing is frequently only as good as
the personnel performing and supervising the test. Management is
responsible for reviewing the qualifications of the testing
personnel to satisfy themselves that the capabilities of the testing
personnel are adequate to support the test objectives.
Scope. The tests and methods utilized should be sufficient to
validate the effectiveness of the security process in identifying
and appropriately controlling security risks.
Notifications. Management is responsible for considering whom
to inform within the institution about the timing and nature of the
tests. The need for protection of institution systems and the
potential for disruptive false alarms must be balanced against the
need to test personnel reactions to unexpected activities.
Controls Over Testing. Certain testing can adversely affect
data integrity, confidentiality, and availability. Management is
expected to limit those risks by appropriately crafting test
protocols. Examples of issues to address include the specific
systems to be tested, threats to be simulated, testing times, the
extent of security compromise allowed, situations in which testing
will be suspended, and the logging of test activity. Management is
responsible for exercising oversight commensurate with the risk
posed by the testing.
Frequency. The frequency of testing should be determined by
the institution's risk assessment. High-risk systems should be
subject to an independent diagnostic test at least once a
year. Additionally, firewall policies and other policies addressing
access control between the financial institution's network and other
networks should be audited and verified at least quarterly.
Factors that may increase the frequency of testing include the
extent of changes to network configuration, significant changes in
potential attacker profiles and techniques, and the results of other
testing.
(FYI - This is the type of
independent diagnostic testing that the VISTA pen-test study
covers. Please refer to
http://www.internetbankingaudits.com/ for information.)
Proxy Testing. Independent diagnostic testing of a proxy
system is generally not effective in validating the effectiveness of
a security process. Proxy testing, by its nature, does not test the
operational system's policies and procedures, or its integration
with other systems. It also does not test the reaction of personnel
to unusual events. Proxy testing may be the best choice, however,
when management is unable to test the operational system without
creating excessive risk.
IT SECURITY QUESTION:
ENCRYPTION
7.
Determine if cryptographic keys are destroyed in a secure manner
when they are no longer required.
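In software, "destroyed in a secure manner" means more than calling memset() on the key buffer: an optimising compiler may drop a memset() whose result is never read, and every copy of the key (not only the primary slot) has to be overwritten, after which the object must refuse further use. The C example below is added here to illustrate what an examiner could look for; it is not from the FFIEC booklet or from any vendor product, and the keyslot structure, function names and sample key are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 32

/* Hypothetical in-memory key slot used for this example. */
struct keyslot {
    uint8_t bytes[KEY_LEN];
    size_t len;
    int destroyed;
};

/*
 * A plain memset() on memory that is never read again is a dead store
 * that the compiler may legally remove, leaving the key in place.
 * Writing through a volatile pointer forces every store to be emitted
 * (same intent as explicit_bzero()/memset_s() where those exist).
 */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 if every byte of the slot is zero; no early exit. */
int keyslot_is_zeroed(const struct keyslot *k)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        acc |= k->bytes[i];
    }
    return acc == 0;
}

/* Load key material. In the example the key is constructed; in practice it
 * would come from an HSM or a key-derivation step. */
int keyslot_load(struct keyslot *k, const uint8_t *key, size_t len)
{
    if (len == 0 || len > KEY_LEN) {
        return -1;
    }
    memset(k->bytes, 0, sizeof k->bytes);
    memcpy(k->bytes, key, len);
    k->len = len;
    k->destroyed = 0;
    return 0;
}

/* Hand the key to a caller; refused once the slot has been destroyed.
 * Returns the key length, or -1. */
int keyslot_use(const struct keyslot *k, uint8_t *out, size_t out_len)
{
    if (k->destroyed || out_len < k->len) {
        return -1;
    }
    memcpy(out, k->bytes, k->len);
    return (int)k->len;
}

/* Destroy: overwrite the material, mark the slot unusable, verify the wipe.
 * Returns 0 on success, -1 if the bytes are still non-zero. */
int keyslot_destroy(struct keyslot *k)
{
    secure_zero(k->bytes, sizeof k->bytes);
    k->len = 0;
    k->destroyed = 1;
    return keyslot_is_zeroed(k) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample key, not a real secret. */
    static const uint8_t sample_key[16] = {
        0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
    };
    struct keyslot k;
    uint8_t copy[KEY_LEN];

    keyslot_load(&k, sample_key, sizeof sample_key);
    keyslot_use(&k, copy, sizeof copy);   /* second copy now exists */
    keyslot_destroy(&k);                  /* slot wiped and locked  */
    secure_zero(copy, sizeof copy);       /* the copy must go too   */
    return 0;
}
```

When reviewing an institution's code against this question, the checks that matter are the three shown: the wipe survives optimisation, it is verified rather than assumed, and the destroyed object can no longer hand out key material. Keys held in an HSM are destroyed through the device's own zeroise command instead, which the examiner would verify from the device log.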
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Consumer and Customer:
A "customer" is a consumer who has a "customer
relationship" with a financial institution. A "customer
relationship" is a continuing relationship between a consumer
and a financial institution under which the institution provides one
or more financial products or services to the consumer that are to
be used primarily for personal, family, or household purposes.
For example, a customer relationship may be established when a
consumer engages in one of the following activities with a financial
institution:
1) maintains a deposit or investment account;
2) obtains a loan;
3) enters into a lease of personal property; or
4) obtains financial, investment, or economic advisory
services for a fee.
Customers are entitled to initial and annual privacy notices
regardless of the information disclosure practices of their
financial institution.
There is a special rule for loans. When a financial institution
sells the servicing rights to a loan to another financial
institution, the customer relationship transfers with the servicing
rights. However, any information on the borrower retained by the
institution that sells the servicing rights must be accorded the
protections due any consumer.
Note that isolated transactions alone will not cause a consumer to
be treated as a customer. For example, if an individual purchases a
bank check from a financial institution where the person has no
account, the individual will be a consumer but not a customer of
that institution because he or she has not established a customer
relationship. Likewise, if an individual uses the ATM of a financial
institution where the individual has no account, even repeatedly,
the individual will be a consumer, but not a customer of that
institution.