FYI - GAO Information Security: Federal Deposit Insurance Corporation Needs to Improve Its Program.
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-06-620
Highlights - http://www.gao.gov/highlights/d06620high.pdf
FYI - Xanga settles with FTC for $1 million - The Federal Trade Commission on Thursday announced its largest-ever settlement involving the Children's Online Privacy Protection Act. New York-based Xanga.com and its principals, Marc Ginsburg and John Hiler, will pay a $1 million civil penalty to settle accusations that the social networking Web site collected, used and disclosed personal information from children under the age of 13 without notifying and obtaining parental consent first, according to the FTC.
http://seattlepi.nwsource.com/business/1700AP_Xanga_Settlement.html
FYI - Red storm rising - DOD's efforts to stave off nation-state cyberattacks begin with China - A growing band of civilian units inside China is writing malicious code and training to launch cyberstrikes into enemy systems. And for many of these units, the first enemy is the U.S. Defense Department.
http://www.gcn.com/print/25_25/41716-1.html
FYI - Army to encrypt computers - The Army is kicking off a pilot program to begin encrypting data on notebook computers. Lt. Gen. Steven Boutelle, Army CIO, said the service would also soon release a policy that instructs Army personnel to perform an accounting of notebooks and other mobile devices.
http://www.gcn.com/online/vol1_no1/41759-1.html?topic=security
FYI - Welfare spies sacked - CENTRELINK has sacked or forced out more than 100 workers, and disciplined hundreds more, for privacy breaches such as snooping on the records of neighbours and former lovers. A two-year dragnet of 25,000 Centrelink staff uncovered 790 cases of "inappropriate access" to the records of welfare recipients since 2004.
http://australianit.news.com.au/articles/0,7204,20224186^15306^^nbv^,00.html
FYI - USC Online Security Breach Could Affect 6,000 - Russ McKinney, a spokesman for the University of South Carolina, says an online security breach could affect as many as 6,000 current and former USC students. McKinney said someone accessed USC's internal servers, causing a security breach in a database.
http://www.wltx.com/news/story.aspx?storyid=41314
FYI - Hacker swipes PortTix data - Credit card information for about 2,000 people who ordered tickets online through PortTix, Merrill Auditorium's ticketing agency, was stolen this week when someone hacked into the PortTix Web site.
http://pressherald.mainetoday.com/news/local/060826tickethack.shtml
FYI - Compliance still a struggle for most corporations - Most large corporations are not sure whether they're in line with federal regulations and some are not taking adequate steps to address compliance regulations, according to a survey released this week. Seventy-two percent of large corporations are not confident that they are complying with applicable regulations, according to a survey released by ControlPath.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060828/589565/
FYI - Federal education loan site exposes personal info of up to 21,000 - Count the Department of Education as the latest federal agency to experience a privacy breach after the personal information of as many as 21,000 student borrowers accidentally appeared on its loan website.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060828/589315/
STOLEN COMPUTERS
FYI - Laptop with data on 28,000 home care patients stolen in Detroit - An ID access code and password were with it - A laptop containing home care information on 28,000 patients has been stolen from the car of a nurse who works for Royal Oak, Mich.-based Beaumont Hospitals, according to a statement from the hospital.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002685
FYI - Aflac clients' data stolen - Laptop taken from agent's car in S.C. Upstate - Insurance giant Aflac said Monday that a laptop computer containing personal information on hundreds of customers was stolen from an agent's car in the Greenville area. The computer contained names, addresses, Social Security numbers and birth dates of 612 policy holders.
http://www.charleston.net/assets/webPages/departmental/news/default_pf.aspx?NEWSID=103737
FYI - FMCSA laptop stolen; 193 CDL holders' info included - In what appears to be a growing occurrence in the news, a laptop belonging to the Federal Motor Carrier Safety Administration was stolen from a government-owned vehicle on Aug. 22 in Baltimore. The computer contains personal information - including names, dates of birth, and CDL numbers - of 193 CDL holders from 40 motor carrier companies.
http://www.etrucker.com/apps/news/article.asp?id=55125
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 3 of 10)
A. RISK DISCUSSION
Reputation Risk
Customers may be confused about whether the financial institution or
a third party is supplying the product, service, or other website
content available through the link. The risk of customer confusion
can be affected by a number of factors:
- nature of the third-party product or service;
- trade name of the third party; and
- website appearance.
Nature of Product or Service
When a financial institution provides links to third parties that
sell financial products or services, or provide information relevant
to these financial products and services, the risk is generally
greater than if third parties sell non-financial products and
services due to the greater potential for customer confusion. For
example, a link from a financial institution's website to a mortgage
bank may expose the financial institution to greater reputation risk
than a link from the financial institution to an online clothing
store.
The risk of customer confusion with respect to links to firms
selling financial products is greater for two reasons. First,
customers are more likely to assume that the linking financial
institution is providing or endorsing financial products rather than
non-financial products. Second, products and services from certain
financial institutions often have special regulatory features and
protections, such as federal deposit insurance for qualifying
deposits. Customers may assume that these features and protections
also apply to products that are acquired through links to
third-party providers, particularly when the products are financial
in nature.
When a financial institution links to a third party that is
providing financial products or services, management should consider
taking extra precautions to prevent customer confusion. For example,
a financial institution linked to a third party that offers
nondeposit investment products should take steps to prevent customer
confusion specifically with respect to whether the institution or
the third party is offering the products and services and whether
the products and services are federally insured or guaranteed by the
financial institution.
Financial institutions should recognize, even in the case of
non-financial products and services, that customers may have
expectations about an institution's due diligence and its selection
of third parties to which the financial institution links its
website. Should customers experience dissatisfaction as a result of
poor quality products or services, or loss as a result of their
transactions with those companies, they may consider the financial
institution responsible for the perceived deficiencies of the
seller.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 2 of 2)
Physical security for distributed IS, particularly LANs that are
usually PC-based, is slightly different from that for mainframe
platforms. With a network there is often no centralized computer
room. In addition, a network often extends beyond the local
premises. There are certain components that need physical security.
These include the hardware devices and the software and data that
may be stored on the file servers, PCs, or removable media (tapes
and disks). As with more secure IS environments, physical network
security should prevent unauthorized personnel from accessing LAN
devices or the transmission of data. In the case of wire-transfer
clients, more extensive physical security is required.
Physical protection for networks as well as PCs includes power
protection, physical locks, and secure work areas enforced by
security guards and authentication technologies such as magnetic
badge readers. Physical access to the network components (i.e.,
files, applications, communications, etc.) should be limited to
those who require access to perform their jobs. Network workstations
or PCs should be password protected and monitored for workstation
activity.
Network wiring requires some form of protection since it does not
have to be physically penetrated for the data it carries to be
revealed or contaminated. Examples of controls include using a
conduit to encase the wiring, avoiding routing through publicly
accessible areas, and avoiding routing networking cables in close
proximity to power cables. The type of wiring can also provide a
degree of protection; signals over fiber, for instance, are less
susceptible to interception than signals over copper cable.
Capturing radio frequency emissions also can compromise network
security. Frequency emissions are of two types, intentional and
unintentional. Intentional emissions are those broadcast, for
instance, by a wireless network. Unintentional emissions are the
normally occurring radiation from monitors, keyboards, disk drives,
and other devices. Shielding is a primary control over emissions.
The goal of shielding is to confine a signal to a defined area. An
example of shielding is the use of foil-backed wallboard and window
treatments. Once a signal is confined to a defined area, additional
controls can be implemented in that area to further minimize the
risk that the signal will be intercepted or changed.
IT SECURITY QUESTION:
E. PHYSICAL SECURITY
1. Determine whether physical security for
information technology equipment and operations is coordinated with
that of other institution organizations.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
14. Does the institution describe the following about its policies
and practices with respect to protecting the confidentiality and
security of nonpublic personal information:
a. who is authorized to have access to the information; and [§6(c)(6)(i)]
b. whether security practices and policies are in place to ensure
the confidentiality of the information in accordance with the
institution's policy? [§6(c)(6)(ii)]
(Note: the institution is not required to describe technical information about the safeguards used in this respect.)
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.