FYI - Federal IT security recommendations released in final NIST draft - The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems. http://gcn.com/Articles/2009/06/04/Cybersecurity-NIST-final-draft-SP-800-53.aspx

FYI - Data-sniffing trojans burrow into Eastern European ATMs - Security experts have discovered a family of data-stealing trojans that have burrowed into automatic teller machines in Eastern Europe over the past 18 months. http://www.theregister.co.uk/2009/06/03/atm_trojans/

FYI - 4 detained for hacking Internet servers - Chinese police have detained four suspects for online hacking activities which eventually led to temporary but widespread failure of Internet access in China on May 19, the Ministry of Public Security said. http://www.china.org.cn/china/news/2009-06/03/content_17878401.htm

FYI - Data watchdog issues new privacy guidance for businesses - Information Commissioner wants to ensure privacy controls are designed in to IT from the start. The Information Commissioner's Office (ICO) has launched a new guide to help businesses developing IT systems to consider the privacy impact on customers and employees. http://www.vnunet.com/computing/news/2243618/ico-issues-privacy-guidance

FYI - Rakuten sold online market users' personal info to vendors - Rakuten Inc., operator of popular online marketplace Rakuten Ichiba, sold users' credit card numbers, mail addresses and other private information to vendors on the market site, it has been learned.  http://mdn.mainichi.jp/mdnnews/news/20090606p2a00m0na015000c.html

FYI - Three local women sue state Department of Transportation - Three local women sued state Department of Transportation officials in federal court Thursday, alleging that the department illegally sold drivers' personal information to firms that made it available for sale on the Internet.   http://www.madison.com/wsj/home/local/453748

FYI - Safeguarding your mobile networks - Mobile security devices are one of the top ways critical data is either breached or lost today. One only has to look at some of the more recent data breach reports to learn that laptops, personal digital assistants and even thumb drives can cause huge problems for organizations. http://www.scmagazineus.com/Safeguarding-your-mobile-networks/article/138289/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Virginia patients warned about hacking of state drug Web site - State officials are notifying more than a half-million Virginians that their Social Security numbers may have been contained in a prescription drug database that was targeted by a computer hacker April 30. http://hamptonroads.com/2009/06/officials-hacker-may-have-stolen-social-security-numbers

FYI - Insurance giant coughs to malware-related data breach - The US arm of insurance giant Aviva has blamed a computer virus infection for the potential disclosure of sensitive personal information. http://www.theregister.co.uk/2009/06/03/aviva_data_breach/

FYI - List of U.S. nuclear facilities inadvertently posted on website - In an inadvertent security breach, a document that detailed information on nuclear sites was posted on the Government Printing Office's (GPO) website. http://www.scmagazineus.com/List-of-US-nuclear-facilities-inadvertently-posted-on-website/article/137958/?DCMP=EMC-SCUS_Newswire

FYI - Webhost hack wipes out data for 100,000 sites - A large internet service provider said data for as many as 100,000 websites was destroyed by attackers who targeted a zero-day vulnerability in a widely-used virtualization application. http://www.theregister.co.uk/2009/06/08/webhost_attack/

FYI - T-Mobile investigates alleged data breach -T-Mobile is investigating a claim that a massive amount of internal data has been stolen from the telecommunication operator's servers, a company spokesman said. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9134090&taxonomyId=17&intsrc=kc_top

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Risk management challenges

The Electronic Banking Group (EBG) noted that the fundamental characteristics of e-banking (and e-commerce more generally) posed a number of risk management challenges:

1.   The speed of change relating to technological and customer service innovation in e-banking is unprecedented. Historically, new banking applications were implemented over relatively long periods of time and only after in-depth testing. Today, however, banks are experiencing competitive pressure to roll out new business applications in very compressed time frames - often only a few months from concept to production. This competition intensifies the management challenge to ensure that adequate strategic assessment, risk analysis and security reviews are conducted prior to implementing new e-banking applications.

2.   Transactional e-banking web sites and associated retail and wholesale business applications are typically integrated as much as possible with legacy computer systems to allow more straight-through processing of electronic transactions. Such straight-through automated processing reduces opportunities for human error and fraud inherent in manual processes, but it also increases dependence on sound systems design and architecture as well as system interoperability and operational scalability.

3.  E-banking increases banks' dependence on information technology, thereby increasing the technical complexity of many operational and security issues and furthering a trend towards more partnerships, alliances and outsourcing arrangements with third parties, many of whom are unregulated. This development has been leading to the creation of new business models involving banks and non-bank entities, such as Internet service providers, telecommunication companies and other technology firms.

4)  The Internet is ubiquitous and global by nature. It is an open network accessible from anywhere in the world by unknown parties, with routing of messages through unknown locations and via fast evolving wireless devices. Therefore, it significantly magnifies the importance of security controls, customer authentication techniques, data protection, audit trail procedures, and customer privacy standards.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SERVICE PROVIDER OVERSIGHT

Many financial institutions outsource some aspect of their operations. Although outsourcing arrangements often provide a cost - effective means to support the institution's technology needs, the ultimate responsibility and risk rests with the institution. Financial institutions are required under Section 501(b) of the GLBA to ensure service providers have implemented adequate security controls to safeguard customer information. Supporting interagency guidelines require institutions to:

! Exercise appropriate due diligence in selecting service providers,
! Require service providers by contract to implement appropriate security controls to comply with the guidelines, and
! Monitor service providers to confirm that they are maintaining those controls when indicated by the institution's risk assessment.

Financial institutions should implement these same precautions in all TSP relationships based on the level of access to systems or data for safety and soundness reasons, in addition to the privacy requirements.

Financial institutions should determine the following security considerations when selecting or monitoring a service provider:
! Service provider references and experience,
! Security expertise of TSP personnel,
! Background checks on TSP personnel,
! Contract assurances regarding security responsibilities and controls,
! Nondisclosure agreements covering the institution's systems and data,
! Ability to conduct audit coverage of security controls or provisions for reports of security testing from independent third parties, and
! Clear understanding of the provider's security incidence response policy and assurance that the provider will communicate security incidents promptly to the institution when its systems or data were potentially compromised.

Return to the top of the newsletter

IT SECURITY QUESTION:  BUSINESS CONTINUITY-SECURITY

2. Determine if substitute processing facilities and systems undergo similar testing as production facilities and systems.

3. Determine if appropriate access controls and physical controls have been considered and planned for the former production system and networks when processing is transferred to a substitute facility.

4. Determine if the intrusion detection and response plan considers the resource availability and facility and systems changes that may exist when substitute facilities are placed in use.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, and a few examples to illustrate the types of the third parties in each category:

a. financial service providers; [§6(c)(3)(i)]

b. non-financial companies; [§6(c)(3)(ii)] and

c. others? [§6(c)(3)(iii)]