Does Your Financial Institution need an
affordable Internet security audit?
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
to
meet the independent diagnostic test requirements of
FDIC, OCC, OTS, FRB, and NCUA, which provide compliance with the
Gramm-Leach-Bliley Act 501(b).
Our penetration audit and Internet security testing is an
affordable, sophisticated process that goes far beyond simple
port scanning. The audit
focuses on
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI
- The ISACA Information Security and Risk Management
Conference in Las Vegas last week was a great success. I
enjoyed seeing old friends and meeting new ones. I look forward to
seeing you all next year.
FYI - Conn. Gets Tough on
Insurance Breaches - Insurers Must Report Incidents Within 5 Days -
All insurance companies doing business in Connecticut now must
report information breaches to state authorities within five
calendar days, even if the data involved was encrypted.
http://www.govinfosecurity.com/articles.php?art_id=2880&rf=2010-09-01-eg
FYI - Discover to get $5M
from Heartland for '08 data breach - Settlement marks final
agreement with a card-brand, Heartland says - Heartland Payment
Systems has agreed to pay $5 million to Discover to settle claims
arising from the massive data breach disclosed by the payment
processor last year.
http://www.computerworld.com/s/article/9183259/Discover_to_get_5M_from_Heartland_for_08_data_breach?taxonomyId=17
FYI - Certain HP scanners can
permit snooping and spying - Certain models of HP combination
printer and scanner devices contain a feature that could allow for
corporate espionage, according to researchers at a web security firm.
</gml_replace>
<gr_replace lines="45-47" cat="clarify" orig="smart grid security, which the 537-page">
smart grid security, which the 537-page "Guidelines for Smart Grid
Cyber Security" strives to address by providing security requirements
and a risk assessment framework.
http://www.scmagazineus.com/certain-hp-scanners-can-permit-snooping-and-spying/article/178164/?DCMP=EMC-SCUS_Newswire
FYI - Feds Issue Smart Grid
Cybersecurity Guidelines - Stuxnet served to catalyze concerns about
smart grid security, which the 537-page "Guidelines for Smart Grid
Cyber Security strives to address by providing security requirements
and a risk assessment framework.
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=227300159
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Russian cops cuff 10
ransomware Trojan suspects - Cybercrime gang allegedly raked in $16m
- Russian police have arrested 10 suspected members of a ransomware
gang who allegedly made millions via a locked computer malware scam.
http://www.theregister.co.uk/2010/09/01/ransomware_trojan_suspects_cuffed/
FYI - Church Latest Victim of
ACH Fraud - Over a weekend in August, the Catholic Diocese of Des
Moines, Iowa, fell victim to a $600,000 ACH fraud theft and became
another in the growing list of businesses and entities that have
suffered huge losses as a result of these crimes.
http://www.bankinfosecurity.com/articles.php?art_id=2888
FYI - USB stick with
anti-terror training found outside police station - A memory stick
containing anti-terror training manuals and other sensitive material
was reportedly found on a street outside a Manchester police
station.
http://www.theregister.co.uk/2010/09/06/anti_terror_usb_stick_dumped/
FYI - Fifa in spotlight over
passport identity theft claims - Newspaper claims fans' details were
sold on to touts - An investigation is under way into allegations
that the passport details of thousands of football fans were sold on
the black market by an official linked to Fifa.
http://www.guardian.co.uk/football/2010/sep/05/fifa-passports-claims
WEB SITE COMPLIANCE - This
week begins our series on the
Federal Financial Institutions
Examination Council Guidance on Electronic Financial Services and
Consumer Compliance.
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
INFORMATION TECHNOLOGY SECURITY - We continue our review
of the FDIC paper "Risk Assessment Tools and Practices for
Information System Security."
VULNERABILITY ASSESSMENT TOOLS
Vulnerability assessment tools, also called security scanning tools,
assess the security of network or host systems and report system
vulnerabilities. These tools can scan networks, servers, firewalls,
routers, and applications for vulnerabilities. Generally, the tools
can detect known security flaws or bugs in software and hardware,
determine if the systems are susceptible to known attacks and
exploits, and search for system vulnerabilities such as settings
contrary to established security policies.
In evaluating a vulnerability assessment tool, management should
consider how frequently the tool is updated to include the detection
of any new weaknesses such as security flaws and bugs. If there is a
time delay before a system patch is made available to correct an
identified weakness, mitigating controls may be needed until the
system patch is issued.
Generally, vulnerability assessment tools are not run in real-time,
but they are commonly run on a periodic basis. When using the tools,
it is important to ensure that the results from the scan are secure
and only provided to authorized parties. The tools can generate both
technical and management reports, including text, charts, and
graphs. The vulnerability assessment reports can tell a user what
weaknesses exist and how to fix them. Some tools can automatically
fix vulnerabilities after detection.
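The following Python script is an added example, not code from the FDIC paper or from this newsletter. It shows, in miniature, the three things the paragraph says a scanning tool does: match installed software against a signature set of known flaws, flag a flaw for which no patch exists so that a mitigating control is requested instead, and compare observed settings against an established policy. It also checks the age of the signature set, since a tool that is not updated cannot detect new weaknesses. The host inventory, product names, flaw identifiers, versions and policy settings are all constructed and hypothetical.

```python
"""Added example: a minimal vulnerability assessment pass over a constructed
host inventory. Not the FDIC paper's or the newsletter's own code; products,
flaw identifiers, versions and policy settings below are hypothetical."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class KnownFlaw:
    flaw_id: str
    product: str
    fixed_in: Optional[str]   # versions below this are affected; None = no vendor patch yet
    description: str


@dataclass
class Host:
    name: str
    services: Dict[int, Tuple[str, str]]   # port -> (product, installed version)
    settings: Dict[str, object]            # configuration setting -> observed value


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.1' (or '2.4.1p3') into a tuple that compares numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_below(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the release that fixed a flaw."""
    return parse_version(installed) < parse_version(fixed_in)


# Constructed signature set (hypothetical products and identifiers). The date
# matters: a scanner only finds what its last update taught it to look for.
SIGNATURE_DATE = date(2010, 9, 1)
KNOWN_FLAWS = [
    KnownFlaw("KF-001", "exampled", "2.4.1", "remote code execution before 2.4.1"),
    KnownFlaw("KF-002", "webadmin", "1.9.0", "authentication bypass before 1.9.0"),
    KnownFlaw("KF-003", "ftpd", None, "information leak; no vendor fix issued yet"),
]

# Established security policy, written as checks over observed settings.
POLICY: Dict[str, Tuple[str, Callable[[object], bool]]] = {
    "telnet_enabled": ("telnet must be disabled", lambda v: v is False),
    "password_min_length": ("minimum password length must be 12 or more",
                            lambda v: isinstance(v, int) and v >= 12),
    "ssh_root_login": ("direct root login over SSH must be 'no'", lambda v: v == "no"),
}


def signatures_stale(sig_date: date, today: date, max_age_days: int = 30) -> bool:
    """Flag a signature set older than max_age_days; newer flaws would go undetected."""
    return (today - sig_date).days > max_age_days


def assess(host: Host, flaws: List[KnownFlaw], policy=POLICY) -> List[dict]:
    """Return findings: known flaws in exposed services, then policy deviations."""
    findings = []
    for port, (product, version) in sorted(host.services.items()):
        for flaw in flaws:
            if flaw.product != product:
                continue
            where = f"{product} {version} on port {port}"
            if flaw.fixed_in is None:
                # No patch exists: the report must say so and ask for a
                # mitigating control rather than an upgrade that is not available.
                findings.append({"host": host.name, "kind": "known_flaw", "id": flaw.flaw_id,
                                 "detail": f"{where}: {flaw.description}",
                                 "remediation": "no patch available; restrict access to the "
                                                "service and monitor it until the vendor issues one"})
            elif version_below(version, flaw.fixed_in):
                findings.append({"host": host.name, "kind": "known_flaw", "id": flaw.flaw_id,
                                 "detail": f"{where}: {flaw.description}",
                                 "remediation": f"upgrade {product} to {flaw.fixed_in} or later"})
    for name, (requirement, check) in policy.items():
        value = host.settings.get(name)
        # A setting that was never observed cannot be shown compliant, so it is reported too.
        if name not in host.settings or not check(value):
            findings.append({"host": host.name, "kind": "policy", "id": name,
                             "detail": f"{name} = {value!r}", "remediation": requirement})
    return findings


# Constructed sample host, as a scanner might inventory it.
SAMPLE_HOST = Host(
    name="core-web-01",
    services={21: ("ftpd", "3.0"), 8080: ("webadmin", "1.9.0"), 8443: ("exampled", "2.3.9")},
    settings={"telnet_enabled": True, "password_min_length": 8, "ssh_root_login": "no"},
)

if __name__ == "__main__":
    if signatures_stale(SIGNATURE_DATE, date.today()):
        print("WARNING: signature set dated", SIGNATURE_DATE, "is stale; update it before trusting results")
    for f in assess(SAMPLE_HOST, KNOWN_FLAWS):
        print(f"[{f['kind']}] {f['host']} {f['id']}: {f['detail']} -> {f['remediation']}")
```

Run against the constructed host, the script reports the outdated exampled service, the unpatched ftpd service with a mitigating-control recommendation, and the two settings that deviate from policy, while webadmin 1.9.0 (already at the fixed release) produces nothing. The output is exactly the kind of report the paragraph warns about: it names what is exploitable and where, so it belongs only in the hands of authorized parties.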
FYI - Please remember that R. Kinney Williams & Associates
performs vulnerability-penetration studies and would be happy to
e-mail you a proposal. E-mail Kinney Williams at
examiner@yennik.com for more information.
INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Initial Privacy Notice
3) Does the institution provide to existing customers, who obtain a
new financial product or service, an initial privacy notice that
covers the customer's new financial product or service, if the most
recent notice provided to the customer was not accurate with respect
to the new financial product or service? [§4(d)(1)]