Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 16, 2007

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI -
This week, I am attending the Network Security Conference sponsored by the Information Systems Audit and Control Association (ISACA) being held at Caesars Place in Las Vegas.  I look forward to meeting any of you that will also be in attendance. 

FYI - From September 24 through October 12, the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC) will be conducting a pandemic flu exercise for the financial services sector in the United States. The exercise is sponsored by the US Department of the Treasury and the Securities Industry and Financial Markets Association. http://www.fspanfluexercise.com/

FYI - How the IT department can prep for the courtroom - There has been a steady increase in corporate litigation over the past decade, and those legal proceedings are having an unforeseen impact on IT managers. This trend has been accelerated by the recent changes in the Federal Rules of Civil Procedure (FRCP). http://scmagazine.com/us/news/article/733828/how-department-prep-courtroom/

FYI - Mobile Workers Think Security Is IT's Job, Study Reveals - Workers on the go are opening suspicious e-mails and hijacking neighbors' wireless connections, but 73% put the security responsibility on the IT department. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201801429

FYI - Unencrypted networks threaten data security - Open data traffic offering easy access to hackers - Almost 40 per cent of UK organisations admit to protecting less than a quarter of their network traffic. http://www.vnunet.com/vnunet/news/2197101/unencrypted-networks-data

FYI - Monster shuts down rogue server after data breach - Rogue server was used to gather personal details of job seekers, who were then sent e-mails with links to malicious software - Monster Worldwide, whose job-hunting sites suffered a massive data breach caused by hackers, has shut down a rogue server that had been used to gather personal details of job seekers.
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/07/08/23/Monster-shuts-down-rogue-server_1.html
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070824/733524/

FYI - Wells Fargo recovering from computer crash - Wells Fargo is recovering from a systems outage that took down banking services. http://www.computerworld.com.au/index.php?id=618735096&eid=-180

FYI - Are data breach lawsuits just tilting at windmills? Personal data stolen? Go ahead, sue -- see what it gets you - The United States Court of Appeals for the Seventh Circuit on Thursday rejected a proposed class-action lawsuit against Evansville, Ind.-based Old National Bancorp (ONB) over a 2005 data-breach incident. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9032778&pageNumber=1

FYI - Security Manager's Journal: Security Crashes Into Productivity - Our manager didn't tell users that they could have laptops, but she's the one who has to tell them that they can't. Security can sometimes come crashing up against productivity, and when it does, security must prevail. That's because my state agency is a maintainer of records covered by HIPAA rules. One blunder, and we're front-page news. Not on my watch, thanks. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=300758&source=rss_topic17

FYI - Federal Security Officers Say Telecommuting Is Safe, But Want Better Mobile Security - A study reports that 83% of federal CISOs have strong interest in mobile endpoint certification for compliance with the Federal Information Security Management Act. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201802462

MISSING COMPUTERS/DATA

FYI - First California, now New York lets pensioner info slip - A laptop containing data on New York pensioners is missing - First, California's state pension fund office admitted to accidentally printing out Social Security numbers (SSNs) in the address pane of brochures it mailed out to some 485,000 retirees. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9032458&source=rss_topic17

FYI - Personal data for 35,000 vets stolen - Personal records including addresses and Social Security numbers of more than 35,000 veterans and their families were stolen this month from the offices of a POW support organization in Texas, officials announced.
http://www.estripes.com/article.asp?section=104&article=55899&archive=true
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070829/733792/

FYI - Breach puts information in peril - Someone hacked into computers at three Oklahoma law enforcement agencies and may have stolen private information meant only for police use, the state Department of Public Safety announced. http://newsok.com/article/3110406/1187986334

FYI - Web worker stole 100,000 users' details - A Cable & Wireless employee was yesterday identified to Contractor UK as having stolen the personal details of 100,000 broadband customers who used the popular Bulldog service. http://www.contractoruk.com/news/003412.html



WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 5 of 10)

B. RISK MANAGEMENT TECHNIQUES

Introduction

Management must effectively plan, implement, and monitor the financial institution's weblinking relationships. This includes situations in which the institution has a third-party service provider create, arrange, or manage its website. There are several methods of managing a financial institution's risk exposure from third-party weblinking relationships. The methods adopted to manage the risks of a particular link should be appropriate to the level of risk presented by that link as discussed in the prior section.

Planning Weblinking Relationships

In general, a financial institution planning the use of weblinks should review the types of products or services and the overall website content made available to its customers through the weblinks. Management should consider whether the links support the institution's overall strategic plan. Tools useful in planning weblinking relationships include:

1)  due diligence with respect to third parties to which the financial institution is considering links; and

2)  written agreements with significant third parties.


INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

Data Integrity

Potentially, the open architecture of the Internet can allow those with specific knowledge and tools to alter or modify data during a transmission. Data integrity could also be compromised within the data storage system itself, both intentionally and unintentionally, if proper access controls are not maintained. Steps must be taken to ensure that all data is maintained in its original or intended form.

Authentication

Essential in electronic commerce is the need to verify that a particular communication, transaction, or access request is legitimate. To illustrate, computer systems on the Internet are identified by an Internet protocol (IP) address, much like a telephone is identified by a phone number. Through a variety of techniques, generally known as "IP spoofing" (i.e., impersonating), one computer can actually claim to be another. Likewise, user identity can be misrepresented as well. In fact, it is relatively simple to send email which appears to have come from someone else, or even send it anonymously. Therefore, authentication controls are necessary to establish the identities of all parties to a communication.
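The two FDIC points above, that transmitted data must arrive in its intended form and that the origin of a message cannot be taken on trust, are usually addressed together with a message authentication code. The following is an added example, not text or code from the FDIC paper or from the newsletter: it keys an HMAC-SHA256 tag to a shared secret (a constructed key; in practice the key is provisioned out of band and never travels with the message) and shows that a receiver rejects both an altered message and a message fabricated by a party who does not hold the key. The transfer instructions are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the example only. Real deployments provision
# this out of band (for example via a key-management service), never inline.
SHARED_KEY = b"example-shared-key-not-for-production"


def tag_message(key: bytes, message: bytes) -> bytes:
    """Return an HMAC-SHA256 tag that binds `message` to whoever holds `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag over the received message and compare in constant time.

    A mismatch means the content changed after tagging (integrity failure) or the
    sender did not hold the key (authentication failure). The receiver cannot tell
    which from the tag alone, so both cases are simply rejected.
    """
    expected = tag_message(key, message)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run the three cases a receiver must distinguish and report the verdicts."""
    # Case 1: a genuine instruction tagged by the legitimate sender is accepted.
    original = b"transfer 100.00 from 12345 to 67890"
    tag = tag_message(SHARED_KEY, original)
    genuine_ok = verify_message(SHARED_KEY, original, tag)

    # Case 2: the amount is altered in transit; the old tag no longer matches,
    # so the integrity violation is detected.
    tampered = b"transfer 900.00 from 12345 to 67890"
    tampered_ok = verify_message(SHARED_KEY, tampered, tag)

    # Case 3: an impostor who does not hold SHARED_KEY fabricates a message and
    # tags it with a key of their own choosing; the receiver's recomputation
    # with the real key fails, so the spoofed origin is detected.
    impostor_key = secrets.token_bytes(32)
    forged = b"transfer 100.00 from 12345 to 99999"
    forged_tag = tag_message(impostor_key, forged)
    forged_ok = verify_message(SHARED_KEY, forged, forged_tag)

    return {"genuine": genuine_ok, "tampered": tampered_ok, "forged": forged_ok}


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:8s} -> {'accepted' if accepted else 'rejected'}")
```

A keyed tag covers both concerns at once because an attacker who can modify bits on the wire still cannot produce a valid tag without the key; what it does not provide is non-repudiation, since every key holder can create the same tag. Where the parties must be distinguishable after the fact, a digital signature takes the place of the HMAC.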



IT SECURITY QUESTION: Regulations - ensuring compliance:

a. Does the IT department have the current regulatory IT press releases and bulletins?
b. Is the IT department following the intent of the regulatory IT press releases and bulletins?


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of exceptions (with or without also sharing under Section 13).  (Part 2 of 3)

B. Presentation, Content, and Delivery of Privacy Notices 

1)  Review the financial institution's initial, annual and revised notices, as well as any short-form notices that the institution may use for consumers who are not customers. Determine whether or not these notices:

a.  Are clear and conspicuous (§§3(b), 4(a), 5(a)(1), 8(a)(1));

b.  Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and

c.  Include, and adequately describe, all required items of information and contain examples as applicable (§6). Note that if the institution shares under Section 13 the notice provisions for that section shall also apply.

2)  Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written consumer records where available, determine if the institution has adequate procedures in place to provide notices to consumers, as appropriate. Assess the following:

a.  Timeliness of delivery (§§4(a), 7(c), 8(a)); and

b.  Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9).

c.  For customers only, review the timeliness of delivery (§§4(d), 4(e), 5(a)), means of delivery of annual notice (§9(c)), and accessibility of or ability to retain the notice (§9(e)).


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated