Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).
The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning. The audit takes a hacker's perspective, which will help you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI -
Businesses fail to understand threats and fail to keep patches
updated - Security attacks are growing in quantity and frequency, as
well as having more impact on business operations.
http://www.scmagazineuk.com/Businesses-fail-to-understand-threats-and-fail-to-keep-patches-updated/article/149030/
http://www.sans.org/top-cyber-security-risks/
FYI -
US healthcare data plan slammed for encryption get-out clause - New
data breach rules for US healthcare providers have come under
criticism from a security firm that specialises in encryption.
http://www.theregister.co.uk/2009/09/17/healthcare_breach_disclosure/
FYI -
Misdirected spyware infects Ohio hospital - It was a bad idea from
the start, but even as bad ideas go, this one went horribly wrong.
http://www.computerworld.com/s/article/9138208/Misdirected_spyware_infects_Ohio_hospital?source=rss_security
FYI -
Sears told to destroy data gathered by online tracking software -
Catalogue of snooping does not impress FTC - US retailer Sears has
been ordered to destroy all the customer data it collected from a
piece of online tracking software that consumer regulator the
Federal Trade Commission (FTC) said was unfairly used.
http://www.theregister.co.uk/2009/09/16/sears_to_destroy_tracking_software_data/
FYI -
New Trojan virus poses online banking threat - Cyber criminals have
created a highly sophisticated Trojan virus that steals online
banking log-in details from infected computers.
http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article6841779.ece
FYI -
Security considerations critical in the cloud - With the dragging
economy as a driver, IT departments are increasingly realizing the
benefits of cloud security, but business leaders must ask themselves
a few questions before handing over control to a third-party.
http://www.scmagazineus.com/Security-considerations-critical-in-the-cloud/article/149158/?DCMP=EMC-SCUS_Newswire
FYI - 2009 CRA &
HMDA Data - The free FFIEC CRA and HMDA Data Entry Software, version
2009 for CY 2009 data due March 1, 2010, is only available by
DOWNLOAD from the FFIEC CRA and HMDA web sites.
www.ffiec.gov/software/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Bank Sends Sensitive E-mail to Wrong Gmail Address, Sues Google -
Wyoming bank sent an e-mail containing sensitive customer data to
the wrong Gmail account, and now wants Google to reveal the identity
of the account holder who received the data.
http://www.wired.com/threatlevel/2009/09/bank-sues-google/
http://www.pcworld.com/businesscenter/article/172449/bank_sues_google_for_gmail_users_identity.html?tk=nl_dnx_t_crawl
FYI -
Scammers gain access to Downeast Energy's cash, clients - The e-mail
scam costs the company up to $150,000, and may have exposed
customers' bank data. A sophisticated e-mail scam cost a
Brunswick-based heating fuel company as much as $150,000 and
potentially exposed hundreds of customers' checking account
information, the company said Monday - a day when the U.S. Senate's
Homeland Security Committee held hearings on cybersecurity.
http://pressherald.mainetoday.com/story.php?id=283383&ac=PHnws
FYI -
PBS' Curious George site hacked to serve malware - The website for
the popular children's television show "Curious George" was
compromised this week to serve malware to visitors, according to
researchers at web security vendor Purewire.
http://www.scmagazineus.com/PBS-Curious-George-site-hacked-to-serve-malware/article/149244/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.
Principle 6: Banks should ensure that clear audit trails exist for all e-banking transactions.
Delivery of financial services over the Internet can make it more
difficult for banks to apply and enforce internal controls and
maintain clear audit trails if these measures are not adapted to an
e-banking environment. Banks are not only challenged to ensure that
effective internal control can be provided in highly automated
environments, but also that the controls can be independently
audited, particularly for all critical e-banking events and
applications.
A bank's internal control environment may be weakened if it is
unable to maintain clear audit trails for its e-banking activities.
This is because much, if not all, of its records and evidence
supporting e-banking transactions are in an electronic format. In
making a determination as to where clear audit trails should be
maintained, the following types of e-banking transactions should be
considered:
1) The opening, modification or closing of a customer's account.
2) Any transaction with financial consequences.
3) Any authorization granted to a customer to exceed a limit.
4) Any granting, modification or revocation of systems access rights or privileges.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information
Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Testing Risks to Data Integrity, Confidentiality, and Availability.
Management is responsible for carefully controlling information
security tests to limit the risks to data integrity,
confidentiality, and system availability. Because testing may
uncover nonpublic customer information, appropriate safeguards to
protect the information must be in place. Contracts with third
parties to provide testing services should require that the third
parties implement appropriate measures to meet the objectives of
section 501(b) of the GLBA. Management also is responsible for
ensuring that employee and contract personnel who perform the tests
or have access to the test results have passed appropriate
background checks, and that contract personnel are appropriately
bonded. Because certain tests may pose more risk to system
availability than other tests, management is responsible for
considering whether to require the personnel performing those tests
to maintain logs of their testing actions. Those logs can be helpful
should the systems react in an unexpected manner.
Confidentiality of Test Plans and Data. Since knowledge of test
planning and results may facilitate a security breach, institutions
should carefully limit the distribution of their testing
information. Management is responsible for clearly identifying the individuals responsible for protecting the data and providing guidance for that protection, while making the results available in a usable form to those who are responsible for following up on the tests.
Management also should consider requiring contractors to sign
nondisclosure agreements and to return to the institution
information they obtained in their testing.
IT SECURITY QUESTION: ENCRYPTION
4. Determine whether adequate provision is made for different cryptographic keys for different uses and data.
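As an added illustration of what examination question 4 is asking for (this is example code written for this page, not part of the FFIEC booklet or of the newsletter): a single protected master key is expanded into a separate key for each use with HKDF (RFC 5869, implemented here directly on the standard library's hmac and hashlib), and a small inventory check flags any key that appears under more than one purpose. The master key, the purpose labels and the inventory records are constructed for the example.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC-Hash(salt, IKM).
    An empty salt is replaced by HASH_LEN zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3).
    T(i) = HMAC-Hash(PRK, T(i-1) | info | i); OKM = first `length` bytes of T(1) | T(2) | ..."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF cannot produce more than 255 * HashLen bytes")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_purpose_key(master_key: bytes, purpose: str, length: int = 32) -> bytes:
    """Derive a key bound to one purpose. The purpose label goes into the HKDF
    `info` field, so keys for different labels are cryptographically independent
    even though they all come from the same master key."""
    prk = hkdf_extract(b"", master_key)
    return hkdf_expand(prk, purpose.encode("utf-8"), length)


def find_shared_keys(inventory):
    """Given (purpose, key) records from a key inventory, return every key that
    is used for more than one purpose, mapped to the sorted list of purposes.
    An empty result is what an examiner answering question 4 wants to see."""
    purposes_by_key = {}
    for purpose, key in inventory:
        purposes_by_key.setdefault(key, set()).add(purpose)
    return {key: sorted(p) for key, p in purposes_by_key.items() if len(p) > 1}


# Constructed sample data for the example (not real key material, hypothetical labels).
MASTER_KEY = bytes(range(32))
PURPOSES = ("customer-db-field-encryption", "session-token-mac", "backup-archive-encryption")


def bad_inventory():
    """One raw key reused for every purpose: the pattern the question is meant to catch."""
    return [(p, MASTER_KEY) for p in PURPOSES]


def good_inventory():
    """One derived key per purpose, all traceable to a single protected master key."""
    return [(p, derive_purpose_key(MASTER_KEY, p)) for p in PURPOSES]


if __name__ == "__main__":
    for purpose, key in good_inventory():
        print(f"{purpose:32s} {key.hex()}")
    print("shared keys in bad inventory: ", find_shared_keys(bad_inventory()))
    print("shared keys in good inventory:", find_shared_keys(good_inventory()))
```

The point of binding the purpose label into the derivation is that a key exposed or weakened in one use (say, a MAC key recovered from a flawed protocol) tells an attacker nothing about the key protecting stored customer data, and rotating one use does not force rotation of the others. The inventory check is the part an auditor can actually run: it needs only the list of key identifiers and where each is used.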
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
28. Does the institution refrain from
requiring all joint consumers to opt out before implementing any opt
out direction with respect to the joint account? [§7(d)(4)]
29. Does the institution comply with a consumer's direction to opt out as soon as is reasonably practicable after receiving it? [§7(e)]