June is the 10th anniversary of the Internet Banking
News. The 520 weekend editions are a labor of love,
which we enjoy bringing you. We look forward to your
continued readership and hope you will send us your
suggestions to make the newsletter better during our
second decade. Thanks - R. Kinney Williams, President of
Yennik, Inc.
P. S. If you know someone
that would like to receive the newsletter, please let us
know.
There is no charge.
FYI -
GAO - Federal Reserve
Banks: Areas for Improvement in Information Security Controls.
http://www.gao.gov/new.items/d09722r.pdf
FYI -
Savvis faces bank lawsuit over CardSystems data breach - Merrick
Bank has launched a multi-million dollar lawsuit against Savvis,
accusing the vendor of erroneously telling it that CardSystems
Solutions complied with Visa and MasterCard security regulations
less than a year before the payment processor's systems were hacked,
compromising up to 40 million credit card accounts.
http://www.finextra.com/fullstory.asp?id=20067
http://www.digitaltransactions.net/newsstory.cfm?newsid=2221
FYI -
Anti-U.S. Hackers Infiltrate Army Servers - Defense Department
investigators subpoena records from Google, Microsoft, and Yahoo in
connection with ongoing probe. A known computer hacking clan with
anti-American leanings has successfully broken into at least two
sensitive Web servers maintained by the U.S. Army, InformationWeek
has learned exclusively.
http://www.informationweek.com/news/government/federal/showArticle.jhtml?articleID=217700619
FYI -
Privacy watchdog cracks down on NHS breaches - The Information
Commissioner's Office is putting pressure on the NHS to improve data
security at its facilities, following a string of breaches.
http://news.zdnet.co.uk/security/0,1000000189,39656576,00.htm
FYI -
Water utility auditor resigns, transfers $9m offshore - California
and federal officials are searching for a former employee of a large
water utility who is suspected of trying to transfer more than $9m
to an offshore account after quitting the company. Abdirahman Ismail
Abdi made the brazen transfers on April 27, just hours after
resigning from the California Water Services Company, according to
documents filed in federal court in Northern California.
http://www.theregister.co.uk/2009/05/26/utility_transfer_heist/
FYI -
Identity theft ring busted in New York - Using financial information
purchased from crooked bank insiders, a ring of thieves compromised
the checking accounts of nearly 350 New York-based corporations,
religious institutions, hospitals and schools, as well as city and
state government agencies, to steal millions of dollars, prosecutors
said this week.
http://www.scmagazineus.com/Identity-theft-ring-busted-in-New-York/article/137621/?DCMP=EMC-SCUS_Newswire
FYI -
Study finds IT security pros cheat on audits - IT security
professionals might think of auditing as a pain, but some are
actually cheating to get audits passed, according to a study
released by security vendor Tufin Technologies.
http://www.scmagazineus.com/Study-finds-IT-security-pros-cheat-on-audits/article/137546/?DCMP=EMC-SCUS_Newswire
FYI -
Feds quiz former worker over Texas power plant hack - A former
employee at a Texas power utility was arrested late last week over
accusations he crippled its energy forecast system after launching a
hacking attack.
http://www.theregister.co.uk/2009/06/01/texas_power_plant_hack/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Department of Interior Computers Missing, Report Finds - According
to a report, the U.S. Department of Interior can't locate nearly 20
percent of the computers that are supposed to be in its care. The
report also finds that many PCs are not encrypted, and the disposal
process for computers is not uniform.
http://www.eweek.com/c/a/Security/Department-of-Interior-Computers-Missing-Report-Finds-443176/
FYI -
Lost laptop exposes thousands of pension records - A lost laptop
containing the personal data of 109,000 Pensions Trust members has
sparked the latest in a growing list of information security breach
alerts. The missing machine was stolen from the offices of
NorthgateArinso, suppliers of the Pensions Trust's computerised
pensions administration system, where it was being used "as a
database for development, training and performance testing."
http://www.theregister.co.uk/2009/05/28/pension_data_breach_alert/
FYI -
Aetna warns 65,000 about Web site data breach - Insurance company
Aetna has contacted 65,000 current and former employees whose Social
Security numbers (SSNs) may have been compromised in a Web site data
breach.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133621
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Introduction
Banking organizations have been delivering electronic services to
consumers and businesses remotely for years. Electronic funds
transfer, including small payments and corporate cash management
systems, as well as publicly accessible automated machines for
currency withdrawal and retail account management, are global
fixtures. However, the increased world-wide acceptance of the
Internet as a delivery channel for banking products and services
provides new business opportunities for banks as well as service
benefits for their customers.
Continuing technological innovation and competition among existing
banking organizations and new market entrants has allowed for a much
wider array of electronic banking products and services for retail
and wholesale banking customers. These include traditional
activities such as accessing financial information, obtaining loans
and opening deposit accounts, as well as relatively new products and
services such as electronic bill payment services, personalized
financial "portals," account aggregation and
business-to-business market places and exchanges.
Notwithstanding the significant benefits of technological
innovation, the rapid development of e-banking capabilities carries
risks as well as benefits and it is important that these risks are recognized
and managed by banking institutions in a prudent manner. These
developments led the Basel Committee on Banking Supervision to
conduct a preliminary study of the risk management implications of
e-banking and e-money in 1998. This early study demonstrated a clear
need for more work in the area of e-banking risk management and that
mission was entrusted to a working group comprised of bank
supervisors and central banks, the Electronic Banking Group (EBG),
which was formed in November 1999.
The Basel Committee released the EBG's Report on risk management
and supervisory issues arising from e-banking developments in
October 2000. This Report inventoried and assessed the major risks
associated with e-banking, namely strategic risk, reputational risk,
operational risk (including security and legal risks), and credit,
market, and liquidity risks. The EBG concluded that e-banking
activities did not raise risks that were not already identified by
the previous work of the Basel Committee. However, it noted that
e-banking increases and modifies some of these traditional risks,
thereby influencing the overall risk profile of banking. In
particular, strategic risk, operational risk, and reputational risk
are certainly heightened by the rapid introduction and underlying
technological complexity of e-banking activities.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
LOGGING AND DATA COLLECTION (Part 2 of 2)
When evaluating whether and what data to log, institutions
should consider the importance of the related system or information,
the importance of monitoring the access controls, the value of
logged data in restoring a compromised system, and the means to
effectively analyze the data. Generally, logs should capture source
identification information; session ID; terminal ID; and the date,
time, and the nature of the access attempt, service request, or
process. Many hardware and software products come with logging
disabled and may have inadequate log analysis and reporting
capabilities. Institutions may have to enable the logging
capabilities and then verify that logging remains enabled after
rebooting. In some cases, additional software will provide the only
means to analyze the log files effectively.
Many products such as firewall and intrusion detection software can
simplify the security monitoring by automating the analysis of the
logs and alerting the appropriate personnel of suspicious activity.
Log files are critical to the successful investigation and
prosecution of security incidents and can potentially contain
sensitive information. Intruders will often attempt to conceal any
unauthorized access by editing or deleting log files. Therefore,
institutions should strictly control and monitor access to log
files. Some considerations for securing the integrity of log files
include:
- Encrypting log files that contain sensitive data or that are
transmitted over the network,
- Ensuring adequate storage capacity to avoid gaps in data
gathering,
- Securing backup and disposal of log files,
- Logging the data to a separate, isolated computer,
- Logging the data to write-only media like a write-once/read-many
(WORM) disk or drive,
- Utilizing centralized logging, such as the UNIX "SYSLOG" utility,
and
- Setting logging parameters to disallow any modification to
previously written data.
The financial institution should have an effective means of tracing
a security event through its systems. Synchronized time stamps on
network devices may be necessary to gather consistent logs and a
consistent audit trail. Additionally, logs should be available, when
needed, for incident detection, analysis and response.
When using logs to support personnel actions, management should
consult with counsel about whether the logs are sufficiently
reliable to support the action.
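The booklet's list above names the record fields a log should carry (source identification, session ID, terminal ID, date and time, nature of the access attempt) and warns that intruders edit or delete log files to hide their tracks. The following added example, which is not part of the FFIEC booklet or this newsletter, shows one way to make such records tamper-evident: each record carries those fields plus an HMAC computed over itself and the HMAC of the previous record, so an edit, a deletion in the middle, a reordering or an insertion breaks the chain, and a truncation at the end is caught by comparing the last HMAC against a "tail" value retained by the separate, isolated log collector. The key `CHAIN_KEY`, the sample events, the timestamps and addresses are all constructed for the example; the assumption is that the key and the tail value live only on the collector, never on the host producing the logs.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for this example. The assumption is that it is held only by
# the isolated log collector, so an intruder on the logging host cannot
# recompute the chain after editing records.
CHAIN_KEY = b"example-log-integrity-key-not-for-production"
GENESIS = "0" * 64  # MAC "before" the first record


def _canonical(body):
    # Stable serialization so the same record always yields the same MAC.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_entry(prev_mac, source, session_id, terminal_id, action, outcome, ts=None):
    """Build one log record with the fields the booklet lists, chained to the previous record."""
    record = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "source": source,          # source identification (e.g. client address)
        "session_id": session_id,
        "terminal_id": terminal_id,
        "action": action,          # nature of the access attempt / service request
        "outcome": outcome,
        "prev": prev_mac,          # links this record to the one before it
    }
    record["mac"] = hmac.new(CHAIN_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return record


def append_entries(events):
    """Chain a list of event dicts into records; returns the list of records."""
    chain, prev = [], GENESIS
    for ev in events:
        rec = make_entry(prev, **ev)
        chain.append(rec)
        prev = rec["mac"]
    return chain


def verify_chain(records, expected_tail=None):
    """Return (ok, index). ok is False at the first record whose MAC or link is wrong.

    Edits, deletions in the middle, reordering and insertions break the chain.
    Deleting records at the end keeps the chain consistent, so the collector's
    retained tail MAC is compared as well when it is supplied.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("prev") != prev:
            return False, i
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(CHAIN_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    if expected_tail is not None and prev != expected_tail:
        return False, len(records)  # records were removed from the end
    return True, len(records)


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    {"ts": "2009-06-06T13:00:00+00:00", "source": "10.0.0.15", "session_id": "S-1001",
     "terminal_id": "TELLER-03", "action": "login", "outcome": "success"},
    {"ts": "2009-06-06T13:00:42+00:00", "source": "10.0.0.15", "session_id": "S-1001",
     "terminal_id": "TELLER-03", "action": "view_account", "outcome": "success"},
    {"ts": "2009-06-06T13:01:10+00:00", "source": "203.0.113.9", "session_id": "S-1002",
     "terminal_id": "WEB", "action": "login", "outcome": "failure"},
]


def demo():
    """Show what the chain detects: returns verification results for several tampering cases."""
    chain = append_entries(SAMPLE_EVENTS)
    tail = chain[-1]["mac"]  # the collector keeps this value out of the host's reach
    results = {"intact": verify_chain(chain, tail)[0]}

    # Case 1: the failed login from the outside address is rewritten as a success.
    edited = [dict(r) for r in chain]
    edited[2]["outcome"] = "success"
    results["edited"] = verify_chain(edited, tail)

    # Case 2: the middle record is deleted; the next record's "prev" no longer matches.
    deleted = chain[:1] + chain[2:]
    results["deleted"] = verify_chain(deleted, tail)

    # Case 3: the last record is deleted. The chain alone still verifies;
    # only the retained tail MAC reveals the truncation.
    truncated = chain[:-1]
    results["truncated_chain_only"] = verify_chain(truncated)[0]
    results["truncated_with_tail"] = verify_chain(truncated, tail)[0]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Each record serializes to one JSON line, so the chain can be shipped to the collector over syslog or written to WORM media without changing the scheme; the verification runs on the collector, where the key and the tail value are kept.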
IT SECURITY QUESTION: BUSINESS CONTINUITY - SECURITY
1. Determine if adequate physical security and access controls exist
over data back-ups and program libraries throughout their life
cycle, including when they are created, transmitted/taken to
storage, stored, retrieved and loaded, and destroyed.
- Review the risk assessment to identify key control points in
a data set's life cycle.
- Verify controls are in place consistent with the level of
risk presented.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
10) Does the institution list the following categories of
nonpublic personal information that it discloses, as applicable, and
a few examples of each, or alternatively state that it reserves the
right to disclose all the nonpublic personal information that it
collects:
a) information from the consumer;
b) information about the consumer's transactions with the
institution or its affiliates;
c) information about the consumer's transactions with
nonaffiliated third parties; and
d) information from a consumer reporting agency? [§6(c)(2)]