R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 20, 2010

CONTENTS: Internet Compliance - Information Systems Security - IT Security Question - Internet Privacy - Website for Penetration Testing
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Are you ready for your IT examination?
 
The Weekly IT Security Review provides a checklist of the IT security issues covered in the FFIEC IT Examination Handbook, which will prepare you for the IT examination. For more information and to subscribe visit http://www.yennik.com/it-review/.

FYI -
NHS top culprit as UK data breaches exceed 1,000 - More than 1,000 security breaches involving the loss of personal data have now been reported to the Information Commissioner's Office, with the list topped by the NHS, the privacy watchdog said. http://www.zdnet.co.uk/news/compliance/2010/06/01/nhs-top-culprit-as-uk-data-breaches-exceed-1000-40089098/

FYI -
Top threat to U.S. power grid - Cyber attacks, pandemics and electromagnetic disturbances are the three top "high impact" risks to the U.S. and Canadian power-generation grids, according to a report from the North American Electric Reliability Corp. (NERC). http://www.csoonline.com/article/595729/cyberattacks-top-threat-to-u.s.-power-grid?source=CSONLE_nlt_update_2010-06-03

FYI -
Nato warns of strike against cyber attackers - NATO is considering the use of military force against enemies who launch cyber attacks on its member states. http://www.timesonline.co.uk/tol/news/world/article7144856.ece

FYI -
Appeals court absolves firm that exposed man's SSN - No harm, no foul - A man whose social security number and other personal data were exposed by a company that processed his job application has no legal claims because no actual damage resulted from the privacy breach, a federal appeals court has ruled. http://www.theregister.co.uk/2010/06/04/privacy_suit_absolution/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Using Windows for a Day Cost Mac User $100,000 - He normally only accessed his company's online bank account from his trusty Mac laptop. Then one day this April while he was home sick, he found himself needing to authorize a transfer of money out of his firm's account. Trouble was, he'd left his Mac at work. So he decided to log in to the company's bank account using his wife's Windows PC. http://krebsonsecurity.com/2010/06/using-windows-for-a-day-cost-mac-user-100000/

FYI -
Welsh medical practice hit by ICO after losing unencrypted memory stick - The Information Commissioner's Office (ICO) has found Lampeter Medical Practice in Ceredigion, Wales, to be in breach of the Data Protection Act after it lost an unencrypted memory stick containing the personal details of 8,000 patients. http://www.scmagazineuk.com/welsh-medical-practice-hit-by-ico-after-losing-unencrypted-memory-stick/article/171692/

FYI -
Digital River sues over data breach - The company suspects that hackers in India stole valuable marketing data during an upgrade of its computers in Eden Prairie. http://www.startribune.com/local/95584209.html

FYI -
Insurer says it's not liable for University of Utah's $3.3M data breach - In lawsuit, Colorado Casualty says its policies do not obligate coverage - The University of Utah's attempts to be reimbursed for the more than $3.3 million it spent on a 2008 data breach caused by a third-party service provider could be delayed because of a recent lawsuit. http://www.networkworld.com/news/2010/060510-insurer-says-its-not-liable.html?source=nww_rss


WEB SITE COMPLIANCE
- We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 4 of 10)

A. RISK DISCUSSION

Reputation Risk

Trade Names

If the third party has a name similar to that of the financial institution, there is an increased likelihood of confusion for the customer and increased exposure to reputation risk for the financial institution. For example, if customers access a similarly named broker from the financial institution's website, they may believe that the financial institution is providing the brokerage service or that the broker's products are federally insured.

Website Appearance

The use of frame technology and other similar technologies may confuse customers about which products and services the financial institution provides and which products and services third parties, including affiliates, provide. If frames are used, when customers link to a third-party website through the institution-provided link, the third-party webpages open within the institution's master webpage frame. For example, if a financial institution provides links to a discount broker and the discount broker's webpage opens within the institution's frame, the appearance of the financial institution's logo on the frame may give the impression that the financial institution is providing the brokerage service or that the two entities are affiliated. Customers may believe that their funds are federally insured, creating potential reputation risk to the financial institution in the event the brokerage service should fail or the product loses value.
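As an added example of how a website audit can surface the framing exposure described above (this is not part of the FFIEC statement or this newsletter), the following Python check parses a page and flags third-party pages loaded into frames, plus off-site links whose target keeps them inside the institution's frame. The hostname bank.example and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

INSTITUTION_HOST = "bank.example"  # assumed hostname of the institution's own site

class WeblinkAuditor(HTMLParser):
    """Collects third-party content that would render inside the institution's frame."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []  # (kind, url) pairs

    def _is_third_party(self, url):
        host = urlparse(url or "").hostname
        if not host:  # relative URL: stays on our own site
            return False
        return host != self.own_host and not host.endswith("." + self.own_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("frame", "iframe") and self._is_third_party(a.get("src")):
            # Someone else's page rendered under our logo and chrome.
            self.findings.append(("framed", a["src"]))
        elif tag == "a" and self._is_third_party(a.get("href")):
            # Inside a frameset, a link with no target or a named-frame target
            # opens within the master frame; _top/_blank leaves it.
            if (a.get("target") or "") not in ("_top", "_blank"):
                self.findings.append(("link-in-frame", a["href"]))

def audit_html(html, own_host=INSTITUTION_HOST):
    parser = WeblinkAuditor(own_host)
    parser.feed(html)
    return parser.findings

# Constructed sample of an institution page that frames a brokerage partner.
SAMPLE = """
<frameset rows="80,*">
  <frame src="https://bank.example/header.html">
  <frame name="main" src="https://brokerage-partner.example/quotes">
</frameset>
<a href="https://bank.example/accounts">Accounts</a>
<a href="https://discount-broker.example/open" target="main">Open brokerage account</a>
<a href="https://discount-broker.example/open" target="_top">Open brokerage account (leaves site)</a>
"""

if __name__ == "__main__":
    for kind, url in audit_html(SAMPLE):
        print(f"{kind:14} {url}")
```

Each finding is a place where a customer would see a third party's product surrounded by the institution's own branding, which is exactly the confusion the guidance warns about.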

Compliance Risk

The compliance risk to an institution linking to a third-party's website depends on several factors. These factors include the nature of the products and services provided on the third-party's website, and the nature of the institution's business relationship with the third party. This is particularly true with respect to compensation arrangements for links. For example, a financial institution that receives payment for offering advertisement-related weblinks to a settlement service provider's website should carefully consider the prohibition against kickbacks, unearned fees, and compensated referrals under the Real Estate Settlement Procedures Act (RESPA).

The financial institution has compliance risk as well as reputation risk if linked third parties offer less security and privacy protection than the financial institution. Third-party sites may have less secure encryption policies, or less stringent policies regarding the use and security of their customers' information. The customer may be comfortable with the financial institution's policies for privacy and security, but not with those of the linked third party. If the third party's policies and procedures create security weaknesses or apply privacy standards that permit the third party to release confidential customer information, customers may blame the financial institution.


 
INFORMATION TECHNOLOGY SECURITY
- We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Intrusion Response Policies and Procedures.

Management should establish, document, and review the policies and procedures that guide the bank's response to information system intrusions. The review should take place at least annually, with more frequent reviews if the risk exposure warrants them. 

Policies and procedures should address the following:

1. The priority and sequence of actions to respond to an intrusion. Actions should address the containment and elimination of an intrusion and system restoration. Among other issues, containment actions include a determination of which business processes must remain operational, which systems may be disconnected as a precaution, and how to address authentication compromises (e.g., revealed passwords) across multiple systems.

2. Gathering and retaining intrusion information, as discussed below.

3. The employee's authority to act, whether by request or by pre-approval, and the process for escalating the intrusion response to progressively higher degrees of intensity and senior management involvement.

4. Availability of necessary resources to respond to intrusions. Management should ensure that contact information is available for those that are responsible for responding to intrusions.

5. System restoration tools and techniques, including the elimination of the intruder's means of entry and back doors, and the restoration of data and systems to the pre-intrusion state.

6. Notification and reporting to operators of other affected systems, users, regulators, incident response organizations, and law enforcement. Guidelines for filing a Suspicious Activity Report for suspected computer-related crimes are discussed below, and in OCC Advisory Letter 97-9, "Reporting Computer Related Crimes" (November 19, 1997).

7. Periodic testing, as discussed below.

8. Staff training resources and requirements. 


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Procedures (Part 2 of 3)

B. Use the information gathered from step A to work through the "Privacy Notice and Opt Out Decision Tree." Identify which module(s) of procedures is (are) applicable.

C. Use the information gathered from step A to work through the Reuse and Redisclosure and Account Number Sharing Decision Trees, as necessary (Attachments B & C). Identify which module is applicable.

D. Determine the adequacy of the financial institution's internal controls and procedures to ensure compliance with the privacy regulation as applicable. Consider the following:

1) Sufficiency of internal policies and procedures, and controls, including review of new products and services and controls over servicing arrangements and marketing arrangements;

2) Effectiveness of management information systems, including the use of technology for monitoring, exception reports, and standardization of forms and procedures;

3) Frequency and effectiveness of monitoring procedures;

4) Adequacy and regularity of the institution's training program;

5) Suitability of the compliance audit program for ensuring that:

   a) the procedures address all regulatory provisions as applicable;
   b) the work is accurate and comprehensive with respect to the institution's information sharing practices;
   c) the frequency is appropriate;
   d) conclusions are appropriately reached and presented to responsible parties;
   e) steps are taken to correct deficiencies and to follow up on previously identified deficiencies; and

6) Knowledge level of management and personnel.

 

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.

IT Security Checklist
A weekly email that provides an effective method to prepare for your IT examination.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated