Spending less than 5 minutes a week along with a cup of coffee, you
can monitor your IT security as required by the FFIEC's "Interagency
Guidelines Establishing Information Security Standards." For more
information and to subscribe visit http://www.yennik.com/it-review/.
FYI -
50 arrested in smartphone spyware dragnet - Cop, judge, and
parliamentarian among the suspects - Romanian authorities have
arrested 50 individuals accused of using off-the-shelf software to
monitor cellphone communications of their spouses, competitors, and
others, according to news reports.
http://www.theregister.co.uk/2010/07/01/romanian_spyware_arrests/
FYI -
HIPAA encryption: meeting today's regulations - If you work with an
organization that must adhere to the Health Insurance Portability
and Accountability Act (HIPAA), you know by now that encryption has
become a de facto primary aspect of HIPAA compliance since the
passage of the HITECH Act.
http://www.scmagazineus.com/hipaa-encryption-meeting-todays-regulations/article/173661/?DCMP=EMC-SCUS_Newswire
FYI -
IT staffer at New York bank pleads guilty to data theft, fraud -
Charged with using stolen employee data to steal $1 million-plus
from charities - A former IT staffer with the Bank of New York
Mellon pleaded guilty Thursday to stealing sensitive information
belonging to 2,000 bank employees and then using that data to steal
more than $1 million from charities.
http://www.computerworld.com/s/article/9178840/IT_staffer_at_New_York_bank_pleads_guilty_to_data_theft_fraud?taxonomyId=17
FYI -
Federal agencies lack advisement on cloud security - A growing number
of federal agencies are running some form of cloud computing, but
nearly all lack policies around securing data hosted offsite,
according to a new report from the U.S. Government Accountability
Office (GAO).
http://www.scmagazineus.com/gao-federal-agencies-lack-advisement-on-cloud-security/article/174041/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
WellPoint Breach Could Have Exposed Enrollees' Medical, Financial
Data - The insurer WellPoint recently notified 470,000 individual
policyholders that their medical records, Social Security numbers,
credit card information and other sensitive data might have been
exposed during a recent security breach.
http://www.californiahealthline.org/articles/2010/6/30/wellpoint-breach-could-have-exposed-enrollees-medical-financial-data.aspx
FYI -
Hackers compromise Destination Hotels' credit card system - Guests
at 21 Destination Hotels & Resorts' properties may have been
subjected to credit card theft after the chain discovered malware
installed in its credit card processing system.
http://www.scmagazineus.com/hackers-compromise-destination-hotels-credit-card-system/article/173670/?DCMP=EMC-SCUS_Newswire
FYI -
University of Maine student information exposed - Hackers recently
gained access to a pair of file servers containing the personal
information of University of Maine students who received counseling
services at the school for the past eight years.
http://www.scmagazineus.com/university-of-maine-student-information-exposed/article/173667/?DCMP=EMC-SCUS_Newswire
FYI -
Indiana restaurant chain in the US hit by credit card breach, after
hack of central processing system - Several restaurants have been
hit by a credit card breach following a hack of the processing
system.
http://www.scmagazineuk.com/indiana-restaurant-chain-in-the-us-hit-by-credit-card-breach-after-hack-of-central-processing-system/article/173951/
FYI -
New York hospital loses data on 130,000 via FedEx - Breach affects
130,495 patients - New York's Lincoln Medical and Mental Health
Center is notifying patients that their personal information may
have been compromised after seven CDs full of unencrypted data were
FedExed by a hospital contractor and then lost in transit.
http://www.computerworld.com.au/article/351659/new_york_hospital_loses_data_130_000_via_fedex/
FYI -
Mass. secretary of state's office accidentally releases sensitive
data - The Massachusetts secretary of state's office earlier this
year accidentally released the confidential personal information of
state-registered investment advisers to a business publication.
http://www.scmagazineus.com/mass-secretary-of-states-office-accidentally-releases-sensitive-data/article/174098/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - We continue our review of the FFIEC
interagency statement on "Weblinking: Identifying Risks and Risk
Management Techniques." (Part 8 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
The strategy that financial institutions choose when
implementing weblinking relationships should address ways to avoid
customer confusion regarding linked third-party products and
services. This includes disclaimers and disclosures to limit
customer confusion and a customer service plan to address confusion
when it occurs.
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous webpage
disclosures to explain their limited role and responsibility with
respect to products and services offered through linked third-party
websites. The level of detail of the disclosure and its prominence
should be appropriate to the harm that may ensue from customer
confusion inherent in a particular link. The institution might post
a disclosure stating it does not provide, and is not responsible
for, the product, service, or overall website content available at a
third-party site. It might also advise the customer that its privacy
policies do not apply to linked websites and that a viewer should
consult the privacy disclosures on that site for further
information. The conspicuous display of the disclosure, including
its placement on the appropriate webpage, by effective use of size,
color, and graphic treatment, will help ensure that the information
is noticeable to customers. For example, if a financial institution
places an otherwise conspicuous disclosure at the bottom of its
webpage (requiring a customer to scroll down to read it), prominent
visual cues that emphasize the information's importance should point
the viewer to the disclosure.
In addition, the technology used to provide disclosures is
important. While many institutions may simply place a disclaimer
notice on applicable webpages, some institutions use "pop-ups," or
intermediate webpages called "speedbumps," to notify customers they
are leaving the institution's website. For the reasons described
below, financial institutions should use speedbumps rather than
pop-ups if they choose to use this type of technology to deliver
their online disclaimers.
A "pop-up" is a screen generated by mobile code, for example Java or
ActiveX, when the customer clicks on a particular hyperlink. Mobile
code is used to send small programs to the user's browser.
Frequently, those programs cause unsolicited messages to appear
automatically on a user's screen. At times, the programs may be
malicious, enabling harmful viruses or allowing unauthorized access
to a user's personal information. Consequently, customers may
reconfigure their browsers or install software to block disclosures
delivered via mobile code.
In contrast, an intermediate webpage, or "speedbump," alerts the
customer to the transition to the third-party website. Like a
pop-up, a speedbump is activated when the customer clicks on a
particular weblink. However, use of a speedbump avoids the problems
of pop-up technology, because the speedbump is not generated
externally using mobile code, but is created within the
institution's operating system, and cannot be disabled by the
customer.
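As an added example (not code from the FFIEC statement or from any institution), the speedbump approach above can be implemented as a server-side handler that emits the intermediate page as plain HTML, so it still works when the customer has blocked pop-ups and mobile code; the partner allowlist, disclosure text and function names are assumptions, and the allowlist check is included so the speedbump cannot be abused as an open redirect to an arbitrary site.

```python
# Server-side "speedbump" interstitial (added example, hypothetical names).
# The page is plain HTML built on the institution's own server, so it does
# not depend on Java/ActiveX or browser pop-ups that customers may block.
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample registry of approved third-party weblink hosts.
APPROVED_PARTNERS = {"partner.example.com", "insurance.example.net"}

DISCLOSURE = (
    "You are leaving the institution's website. We do not provide, and are "
    "not responsible for, the products, services, or content of the linked "
    "site. Our privacy policy does not apply there; please review the "
    "privacy disclosures on that site."
)


def is_approved_link(url: str) -> bool:
    """Only https links whose host is a registered partner pass the check.

    Rejecting userinfo blocks lookalikes such as https://bank@evil/ and
    requiring https keeps the transition off plain http.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return (parts.hostname or "").lower() in APPROVED_PARTNERS


def render_speedbump(url: str) -> Optional[str]:
    """Return the interstitial HTML for an approved link, else None."""
    if not is_approved_link(url):
        return None  # caller should respond 404/400 rather than redirect
    target = escape(url, quote=True)  # attribute-safe: & < > " ' escaped
    host = escape(urlsplit(url).hostname or "")
    return (
        "<!DOCTYPE html><html><body>"
        # Prominent styling so the disclosure is conspicuous, per the guidance.
        '<p role="alert" style="font-size:1.2em;font-weight:bold">'
        f"{escape(DISCLOSURE)}</p>"
        f'<p><a rel="noopener noreferrer" href="{target}">Continue to {host}'
        '</a> | <a href="/">Return to our site</a></p>'
        "</body></html>"
    )


if __name__ == "__main__":
    print(render_speedbump("https://partner.example.com/products?ref=bank"))
    print(render_speedbump("https://evil.example.org/"))  # None: not listed
```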
INFORMATION TECHNOLOGY SECURITY - This completes our review of the
OCC Bulletin about Infrastructure Threats and Intrusion Risks. This
week we review Information Sharing.
Information sharing among reliable and reputable experts can help
institutions reduce the risk of information system intrusions. The
OCC encourages management to participate in information-sharing
mechanisms as part of an effort to detect and respond to intrusions
and vulnerabilities. Mechanisms for information sharing are being
developed by many different organizations, each with a different
mission and operation. In addition, many vendors offer information
sharing and analysis services. Three organizations that are
primarily involved with the federal government's national
information security initiatives are the Financial Services
Information Sharing and Analysis Center (FS/ISAC), the Federal
Bureau of Investigation (FBI), and Carnegie Mellon University's
CERT/CC.
The FS/ISAC was formed in response to Presidential Decision
Directive 63: Critical Infrastructure Protection (May 22, 1998),
which encourages the banking, finance, and other industries to
establish information-sharing efforts in conjunction with the
federal government. The FS/ISAC allows financial services entities
to report incidents anonymously. In turn, the FS/ISAC rapidly
distributes information about attacks to the FS/ISAC members. Banks
can contact FS/ISAC by telephone at (888) 660-0134, e-mail at admin@fsisac.com
or their Web site at http://www.fsisac.com.
The FBI operates the National Information Protection Center
Infraguard outreach effort. Since Infraguard supports law
enforcement efforts, Infraguard members submit two versions of an
incident report. One complete version is used by law enforcement and
contains information that identifies the reporting member. The other
version does not contain that identifying information, and is
distributed to other Infraguard members. Banks can contact the FBI
by contacting local FBI field offices or via e-mail at nipc@fbi.gov.
CERT/CC is part of a federally funded research and development
center at Carnegie Mellon University that helps organizations
identify vulnerabilities and recover from intrusions. It provides
up-to-date information on specific attacks (including viruses and
denial of service) and collates and shares information with other
organizations. CERT/CC does not require membership to report
problems. Banks can contact CERT/CC by phone at (412) 268-7090 or
e-mail at cert@cert.org.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 3 of 3)
C. Opt Out Right
1) Review the financial institution's opt out notices. An opt out
notice may be combined with the institution's privacy notices.
Regardless, determine whether the opt out notices:
a. Are clear and conspicuous (§§3(b) and 7(a)(1));
b. Accurately explain the right to opt out (§7(a)(1));
c. Include and adequately describe the three required items of
information (the institution's policy regarding disclosure of
nonpublic personal information, the consumer's opt out right, and
the means to opt out) (§7(a)(1)); and
d. Describe how the institution treats joint consumers (customers
and those who are not customers), as applicable (§7(d)).
2) Through discussions with management, review of the institution's
policies and procedures, and a sample of electronic or written
records where available, determine if the institution has adequate
procedures in place to provide the opt out notice and comply with
opt out directions of consumers (customers and those who are not
customers), as appropriate. Assess the following:
a. Timeliness of delivery (§10(a)(1));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9);
c. Reasonableness of the opportunity to opt out (the time allowed
to and the means by which the consumer may opt out)
(§§10(a)(1)(iii), 10(a)(3)); and
d. Adequacy of procedures to implement and track the status of a
consumer's (customers and those who are not customers) opt out
direction, including those of former customers (§7(e), (f), (g)).