Does Your Financial Institution need an
affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration
testing audits to ensure proper Internet security settings and to meet
the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and
NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing is an affordable,
sophisticated process that goes far beyond simple port scanning. The
audit is conducted from a hacker's perspective, which will help you
identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit http://www.internetbankingaudits.com/.
Are you ready for your IT examination?
The Weekly IT Security Review provides a checklist of the IT security
issues covered in the FFIEC IT Examination Handbook, which will prepare
you for the IT examination.
For more information and to subscribe visit
http://www.yennik.com/it-review/.
FYI -
Irish Data Protection Commissioner introduces draft code of practice
on breach notification - The theft or loss of personal data relating
to more than 100 individuals now has to be reported to the Data
Protection Commissioner under a draft code of practice in Ireland.
http://www.scmagazineuk.com/irish-data-protection-commissioner-introduces-draft-code-of-practice-on-breach-notification/article/172079/
FYI -
California Fines Five Hospitals For Failure To Protect Patient Data
- Unauthorized access leads to stiff penalties, showing teeth behind
new state law - The California Department of Public Health (CDPH)
announced today that five California hospitals have been assessed
administrative penalties and fines totaling $675,000 for failing to
prevent unauthorized access to confidential patient medical
information.
http://www.darkreading.com/insiderthreat/security/government/showArticle.jhtml?articleID=225600466
FYI -
ICO will not compel companies to report data losses - UK data
watchdog declines to follow likely introduction of compulsory
reporting in Ireland - The Information Commissioner's Office (ICO)
has no plans to force companies to report data losses, despite the
Irish data protection watchdog lobbying its government for such
measures.
http://www.v3.co.uk/v3/news/2264584/ico-tight-lipped-demand-changes
FYI -
GAO - Continued Attention Is Needed to Protect Federal Information
Systems from Evolving Threats.
Release -
http://www.gao.gov/new.items/d10834t.pdf
Highlights -
http://www.gao.gov/highlights/d10834thigh.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Bank of America insider admits he stole sensitive customer data -
Account balances under $100,000 need not apply - An employee in one
of Bank of America's customer call centers has admitted he stole
sensitive account information and tried to sell it for cash.
http://www.theregister.co.uk/2010/06/08/bank_insider_data_theft/
FYI -
Crooks siphon $644,000 from school district's bank account -
Unlimited e-transfers made simple - New York City's Department of
Education was defrauded out of more than $644,000 by hackers who
targeted an electronic bank account used to manage petty cash
expenditures, investigators said.
http://www.theregister.co.uk/2010/06/07/electronic_account_raided/
FYI -
Weak web application could be to blame for iPad breach - A
vulnerability on the AT&T website resulted in the exposure of email
addresses belonging to some 114,000 Apple iPad users, including a
number of A-list celebrities and politicians.
http://www.scmagazineus.com/weak-web-application-could-be-to-blame-for-ipad-breach/article/172162/?DCMP=EMC-SCUS_Newswire
http://www.computerworld.com/s/article/9178027/AT_T_dishonest_about_iPad_attack_threat_say_hackers?taxonomyId=17
FYI -
Wall Street Journal, others, hit in mass SQL attack - Security
researchers have discovered a widescale SQL injection attack that
has compromised thousands of websites to spread malware, including
pages belonging to the Wall Street Journal and the Jerusalem Post.
http://www.scmagazineus.com/wall-street-journal-others-hit-in-mass-sql-attack/article/172153/?DCMP=EMC-SCUS_Newswire
FYI -
Hacker charged with threatening US VP using neighbour's PC -
Frame-up alleged - A hacker tried to frame his neighbour by tapping
into his Wi-Fi and sending threatening emails to US vice president
Joe Biden, according to search warrant affidavits unsealed last
week.
http://www.theregister.co.uk/2010/06/14/ardolf_charged/
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Introduction
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
INFORMATION TECHNOLOGY SECURITY -
We continue our review
of the OCC Bulletin about Infrastructure Threats and Intrusion
Risks. This week we review Gathering and Retaining Intrusion
Information.
Particular care should be taken when gathering intrusion
information. The OCC expects management to clearly assess the
tradeoff between enabling an easier recovery by gathering
information about an intruder and the risk that an intruder will
inflict additional damage while that information is being gathered.
Management should establish and communicate procedures and
guidelines to employees through policies, procedures, and training.
Intrusion evidence should be maintained in a fashion that enables
recovery while facilitating subsequent actions by law enforcement.
Legal chain of custody requirements must be considered. In general,
legal chain of custody requirements address controlling and securing
evidence from the time of the intrusion until it is turned over to
law enforcement personnel. Chain of custody actions, and those
actions that should be guarded against, should be identified and
embodied in the bank's policies, procedures, and training.
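The bulletin asks that intrusion evidence be secured from the moment of collection until hand-over, in a way that keeps it usable for recovery and for law enforcement. The following is an added example, not code from the OCC bulletin or from this newsletter, of the kind of record that supports that requirement: a custody log in which the evidence is hashed at seizure and every later transfer is chained to the previous entry, so that either a change to the evidence or a change to the log itself is detectable at hand-over. The log format, the entry fields and the sample evidence bytes are all assumptions made for the example.

```python
"""Added example: tamper-evident chain-of-custody record for intrusion evidence.

Hypothetical helper (not from the OCC bulletin). The evidence is hashed with
SHA-256 when collected; each custody action is recorded as an entry whose own
hash covers the previous entry's hash, forming a chain. Verification recomputes
everything, so altered evidence, an edited entry, or a re-sequenced log all
show up as reported problems.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str        # ISO-8601 UTC; supplied by caller so the log is reproducible
    custodian: str        # who holds the evidence after this action
    action: str           # e.g. "collected", "transferred", "released_to_law_enforcement"
    evidence_hash: str    # SHA-256 of the evidence as observed at this step
    prev_entry_hash: str  # entry_hash of the previous entry ("" for the first entry)
    entry_hash: str = ""  # SHA-256 over the five fields above

    def compute_hash(self) -> str:
        payload = json.dumps(
            [self.timestamp, self.custodian, self.action,
             self.evidence_hash, self.prev_entry_hash],
            separators=(",", ":"),
        ).encode()
        return sha256_hex(payload)


class CustodyLog:
    def __init__(self, evidence_id: str):
        self.evidence_id = evidence_id
        self.entries: List[CustodyEntry] = []

    def record(self, custodian: str, action: str, evidence: bytes,
               timestamp: Optional[str] = None) -> CustodyEntry:
        """Append a custody action, re-hashing the evidence as this custodian sees it."""
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else ""
        entry = CustodyEntry(ts, custodian, action, sha256_hex(evidence), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> List[str]:
        """Return a list of problems; an empty list means evidence and log are intact."""
        problems: List[str] = []
        if not self.entries:
            return ["no custody entries"]
        collection_hash = self.entries[0].evidence_hash
        expected_prev = ""
        for i, e in enumerate(self.entries):
            if e.prev_entry_hash != expected_prev:
                problems.append(f"entry {i}: chain break (previous entry changed or removed)")
            if e.entry_hash != e.compute_hash():
                problems.append(f"entry {i}: entry fields altered after signing")
            if e.evidence_hash != collection_hash:
                problems.append(f"entry {i}: evidence hash differs from hash taken at collection")
            expected_prev = e.entry_hash
        if sha256_hex(evidence) != collection_hash:
            problems.append("evidence content differs from hash taken at collection")
        return problems


def build_sample_log() -> Tuple[CustodyLog, bytes]:
    """Constructed sample: a firewall log excerpt seized during an intrusion response."""
    evidence = (
        b"2010-06-14T02:11:07Z DENY tcp 203.0.113.45:51234 -> 192.0.2.10:3389\n"
        b"2010-06-14T02:11:09Z ALLOW tcp 203.0.113.45:51240 -> 192.0.2.10:443\n"
    )
    log = CustodyLog("IR-2010-0614-fw01")
    log.record("j.analyst", "collected", evidence, "2010-06-14T03:00:00+00:00")
    log.record("evidence.locker", "transferred", evidence, "2010-06-14T04:30:00+00:00")
    log.record("fbi.agent", "released_to_law_enforcement", evidence, "2010-06-15T09:00:00+00:00")
    return log, evidence


if __name__ == "__main__":
    log, evidence = build_sample_log()
    print("intact:", log.verify(evidence))                      # []
    print("altered evidence:", log.verify(evidence + b"x\n"))    # one problem reported
    log.entries[1].custodian = "someone.else"                    # edit an entry in place
    print("altered entry:", log.verify(evidence))                # entry 1 flagged
```

Two design points matter for the hand-over described in the bulletin. Each custodian re-hashes the evidence on receipt rather than copying the earlier value, so the log shows at which transfer a change occurred, not merely that one occurred. And because an attacker who edits an entry and recomputes its hash breaks the next entry's `prev_entry_hash`, the only way to alter the record silently is to rewrite every later entry, which is exactly what keeping a copy of the final entry hash with law enforcement (or on write-once media) defeats.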
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 3 of 3)
E. Ascertain areas of risk associated with the financial
institution's sharing practices (especially those within Section 13
and those that fall outside of the exceptions) and any weaknesses
found within the compliance management program. Keep in mind any
outstanding deficiencies identified in the audit for follow-up when
completing the modules.
F. Based on the results of the foregoing initial procedures and
discussions with management, determine which procedures if any
should be completed in the applicable module, focusing on areas of
particular risk. The selection of procedures to be employed depends
upon the adequacy of the institution's compliance management system
and level of risk identified. Each module contains a series of
general instructions to verify compliance, cross-referenced to cites
within the regulation.
Additionally, there are cross-references to a more comprehensive
checklist, which the examiner may use if needed to evaluate
compliance in more detail.
G. Evaluate any additional information or documentation discovered
during the course of the examination according to these procedures.
Note that this may reveal new or different sharing practices
necessitating reapplication of the Decision Trees and completion of
additional or different modules.
H. Formulate conclusions.
1) Summarize all findings.
2) For violation(s) noted, determine the cause by identifying
weaknesses in internal controls, compliance review, training,
management oversight, or other areas.
3) Identify action needed to correct violations and weaknesses in
the institution's compliance system, as appropriate.
4) Discuss findings with management and obtain a commitment for
corrective action.