Spending less than 5 minutes a week along with a cup of coffee, you can
monitor your IT security as required by the FFIEC's "Interagency
Guidelines Establishing Information Security Standards." For more
information and to subscribe visit http://www.yennik.com/it-review/.
FYI -
Unlawful Internet Gambling Enforcement Act Examination Guidance and
Procedures - The FDIC and the other federal banking, thrift and
credit union regulatory agencies are issuing the attached guidance
and examination procedures related to the Unlawful Internet Gambling
Enforcement Act of 2006.
www.fdic.gov/news/news/financial/2010/fil10035.html
(This requires the Bank to develop and implement policies and
procedures, as appropriate, to ensure that transactions of this nature
are not accepted.)
FYI -
Senate Committee passes major cybersecurity legislation - A U.S.
Senate committee on Thursday unanimously passed a controversial
cybersecurity bill, which would grant the president emergency power
over critical infrastructure networks, in addition to creating
cybersecurity offices within the White House and U.S. Department of
Homeland Security (DHS).
http://www.scmagazineus.com/senate-committee-passes-major-cybersecurity-legislation/article/173297/
FYI -
Scotland Yard cuffs teens for role in cybercrime forum - 65,000
stolen credit card numbers recovered - The pair were detained by
appointment in central London on Wednesday by the Police Central
e-Crime Unit (PCeU), a national unit based at Scotland Yard.
http://www.theregister.co.uk/2010/06/24/teen_crime_forum/
FYI -
Accused Hacker Who Balked at 2-Year Prison Deal Now Faces Decades -
Hacks and Cracks - An alleged hacker who declined a 2-year plea deal
is facing decades behind bars after federal authorities added
multiple charges, including possession and distribution.
http://www.wired.com/threatlevel/2010/06/hacker-faces-decades-imprisonment/
FYI -
700-Plus Credit Cards Stolen from Hotel - Hundreds of Thousands of
Dollars Charged to Hotel Guests' Stolen Credit Cards - Computer
hackers targeting travelers at luxury hotels across the country made
off with hundreds of thousands of dollars during the past three
months by breaking into the computer system of a national hotel
chain and stealing the guests' credit card information.
http://abcnews.go.com/Travel/hundreds-credit-cards-stolen-hotel-computer-hack/story?id=11002822
FYI -
Garage card scammer jailed - 35,000 card details snaffled - Hayes
has been sentenced to four and a half years for his role in one of
the UK's biggest chip and pin scams.
http://www.theregister.co.uk/2010/06/23/chip_and_pin_thief/
FYI -
Lafayette firm faces probation, $1M forfeiture over illegal exports
- The chief executive of Rocky Mountain Instrument Co. pleaded
guilty on behalf of the corporation Tuesday to exporting military
optical prisms and data to foreign nations without permission from
the U.S. State Department.
http://www.denverpost.com/headlines/ci_15354394
FYI -
GAO - Federal Guidance Needed to Address Control Issues with
Implementing Cloud Computing.
Release - http://www.gao.gov/new.items/d10513.pdf
Highlights - http://www.gao.gov/highlights/d10513high.pdf
FYI -
GAO - Governmentwide Guidance Needed to Assist Agencies in
Implementing Cloud Computing.
Release - http://www.gao.gov/new.items/d10855t.pdf
Highlights - http://www.gao.gov/highlights/d10855thigh.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Army intelligence analyst allegedly carried classified U.S. combat
video out on CD - An Army intelligence analyst arrested for leaking
classified U.S. combat videos and State Department records to
WikiLeaks.org reportedly carried the secret data out of secure areas
on CD-RWs.
http://blogs.techrepublic.com.com/itdojo/?p=1860&tag=nl.e103
FYI -
FBI Investigating Possible DSHS Hacker - The FBI is investigating
whether a hacker broke into the state's confidential cancer
registry, possibly holding personal information and medical records
hostage.
http://www.texastribune.org/texas-state-agencies/department-of-state-health-services/fbi-investigating-possible-dshs-hacker/
FYI -
Spanish firm raided in logic-bomb backdoor probe - Auto-fail
programming alleged - Three managers at an unnamed
Spanish software developer have been arrested over allegations they
planted 'logic bombs' in software that meant clients were obliged to
pay for disruptive repairs and extended maintenance contracts.
http://www.theregister.co.uk/2010/06/25/spanish_logic_bomb_probe/
FYI -
Florida International University discovers sensitive database
unsecured - The personal information of Florida International
University students and faculty members was discovered in an
unsecure database that may have been accessible to the public.
http://www.scmagazineus.com/florida-international-university-discovers-sensitive-database-unsecured/article/173249/?DCMP=EMC-SCUS_Newswire
FYI -
Personal data exposed on Anthem Blue Cross website - The personal
information of hundreds of thousands of Blue Cross customers was
recently exposed following a website glitch made by a third party.
http://www.scmagazineus.com/personal-data-exposed-on-anthem-blue-cross-website/article/173238/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 7 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
Agreements
If a financial institution receives compensation from a third
party as the result of a weblink to the third-party's website, the
financial institution should enter into a written agreement with
that third party in order to mitigate certain risks. Financial
institutions should consider that certain forms of business
arrangements, such as joint ventures, can increase their risk. The
financial institution should consider including contract provisions
to indemnify itself against claims by:
1) dissatisfied purchasers of third-party products or services;
2) patent or trademark holders for infringement by the third party;
and
3) persons alleging the unauthorized release or compromise of their
confidential information, as a result of the third-party's conduct.
The agreement should not include any provision obligating the
financial institution to engage in activities inconsistent with the
scope of its legally permissible activities. In addition, financial
institutions should be mindful that various contract provisions,
including compensation arrangements, may subject the financial
institution to laws and regulations applicable to insurance,
securities, or real estate activities, such as RESPA, that establish
broad consumer protections.
In addition, the agreement should include conditions for terminating
the link. Third parties, whether they provide services directly to
customers or are merely intermediaries, may enter into bankruptcy,
liquidation, or reorganization during the period of the agreement.
The quality of their products or services may decline, as may the
effectiveness of their security or privacy policies. Also
potentially just as harmful, the public may fear or assume such a
decline will occur. The financial institution will limit its risks
if it can terminate the agreement in the event the service provider
fails to deliver service in a satisfactory manner.
Some weblinking agreements between a financial institution and a
third party may involve ancillary or collateral information-sharing
arrangements that require compliance with the Privacy Regulations.
For example, this may occur when a financial institution links to
the website of an insurance company with which the financial
institution shares customer information pursuant to a joint
marketing agreement.
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review
Testing.
Management should ensure that information system networks are tested
regularly. The nature, extent, and frequency of tests should be
proportionate to the risks of intrusions from external and internal
sources. Management should select qualified and reputable
individuals to perform the tests and ensure that tests do not
inadvertently damage information systems or reveal confidential
information to unauthorized individuals. Management should oversee
the tests, review test results, and respond to deficiencies in a
timely manner. In accordance with OCC's "Technology Risk Management:
PC Banking," management should ensure that an objective, qualified
source conducts a penetration test of Internet banking systems at
least once a year or more frequently when appropriate.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 2 of 3)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial, annual and revised
notices, as well as any short-form notices that the institution may
use for consumers who are not customers. Determine whether or not
these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1), 8(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes
practices disclosed in the notices that exceed regulatory
requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§6). Note that if
the institution shares under Section 13 the notice provisions for
that section shall also apply.
2) Through discussions with management, review of the institution's
policies and procedures, and a sample of electronic or written
consumer records where available, determine if the institution has
adequate procedures in place to provide notices to consumers, as
appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 7(c), 8(a));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9); and
c. For customers only, review the timeliness of delivery (§§4(d),
4(e), 5(a)), means of delivery of annual notice (§9(c)), and
accessibility of or ability to retain the notice (§9(e)).