Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Businesses must do better on tech risk - It's a worrying trend, says KPMG. A significant proportion of corporate audit departments are failing to address IT risk sufficiently, leaving businesses vulnerable and open to security threats.
http://software.silicon.com/security/0,39024655,39168530,00.htm

FYI - Man admits causing Cox phone outages in Louisiana - A former Cox Communications Inc. employee has pleaded guilty in federal court to hacking into the company's telecommunications system and causing phone service failures around the country, including Louisiana.
http://www.shreveporttimes.com/apps/pbcs.dll/article?AID=/20070927/BREAKINGNEWS/70927009

FYI - Conn. AG Investigating Former Employee Link To Pfizer Data Breach - A former worker's new employer sent Pfizer a DVD containing Pfizer data. The information was allegedly found on the employee's computer at the new job. The Connecticut Attorney General is investigating a former Pfizer employee in connection with a data breach that compromised personally identifying employee information.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202101944

FYI - OU boosts IT security - Ohio University is trying to turn negative media attention over its computer security problems into an opportunity for change, said its chief information officer.
http://thepost.baker.ohiou.edu/Articles/News/2007/09/28/21463/

FYI - Hospital's brand new server room goes up in smoke - An investigation has been launched at Leeds' famous St James' hospital after a server room disastrously overheated, permanently frying a new computer system for storing patient x-rays.
http://www.theregister.co.uk/2007/09/27/leeds_server_overheat/print.html

FYI - St. Louis Fed Promotes Hart to Officer - Anna M. Hart has been promoted to officer in the Information Technology Services division of the Federal Reserve Bank of St. Louis.
www.stlouisfed.org/news/releases/2007/09_28_07.htm
MISSING COMPUTERS/DATA
FYI - Woman arrested for hospital espionage - Police said yesterday they have uncovered a case of corporate espionage involving two of the country's top private hospitals.
http://www.ekathimerini.com/4dcgi/_w_articles_politics_100014_29/09/2007_88365

FYI - Data for 800,000 job applicants stolen - A laptop containing unencrypted personal information for 800,000 people who applied for jobs with clothing retailer Gap Inc. has been stolen.
http://www.theregister.co.uk/2007/09/28/gap_data_breach/print.html
WEB SITE COMPLIANCE - We finish our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 10 of 10)
B. RISK MANAGEMENT TECHNIQUES
Managing Service Providers
Financial institutions, especially smaller institutions, may
choose to subcontract with a service provider to create, arrange,
and manage their websites, including weblinks. The primary risks for
these financial institutions are the same as for those institutions
that arrange the links directly. However, if a financial institution
uses a set of pre-established links to a large number of entities
whose business policies or procedures may be unfamiliar, it may
increase its risk exposure. This is particularly true in situations
in which the institution claims in its published privacy policy that
it maintains certain minimum information security standards at all
times.
When a financial institution subcontracts weblinking arrangements to
a service provider, the institution should conduct sufficient due
diligence to ensure that the service provider is appropriately
managing the risk exposure from other parties. Management should
keep in mind that a vendor might establish links to third parties
that are unacceptable to the financial institution. Finally, the
written agreement should contain a regulatory requirements clause in
which the service provider acknowledges that its linking activities
must comply with all applicable consumer protection laws and
regulations.
Financial institution management should consider weblinking
agreements with its service provider to mitigate significant risks.
These agreements should be clear and enforceable with descriptions
of all obligations, liabilities, and recourse arrangements. These
may include the institution's right to exclude from its site links
the financial institution considers unacceptable. Such contracts
should include a termination clause, particularly if the contract
does not include the ability to exclude websites. Finally, a
financial institution should apply its link monitoring policies
discussed above to links arranged by service providers or other
vendors.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
Encryption
Encryption, or cryptography, is a method of converting information to an unintelligible code. The process can then be reversed, returning the information to an understandable form. The information is encrypted (encoded) and decrypted (decoded) by what are commonly referred to as "cryptographic keys." These "keys" are actually values, used by a mathematical algorithm to transform the data. The effectiveness of encryption technology is determined by the strength of the algorithm, the length of the key, and the appropriateness of the encryption system selected.

Because encryption renders information unreadable to any party without the ability to decrypt it, the information remains private and confidential, whether being transmitted or stored on a system. Unauthorized parties will see nothing but an unorganized assembly of characters. Furthermore, encryption technology can provide assurance of data integrity as some algorithms offer protection against forgery and tampering. The ability of the technology to protect the information requires that the encryption and decryption keys be properly managed by authorized parties.
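As an added illustration that is not part of the FDIC text or this newsletter, the Go program below shows the properties the paragraph describes using AES-256-GCM from Go's standard library: a 256-bit key value drives the algorithm, the sealed output is an unreadable byte string without that key, and the authentication tag makes decryption fail if any byte is altered, which is the forgery and tampering protection the text mentions. The account record, the key and the function names are constructed for this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext; the output is nonce || ciphertext || 16-byte authentication tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per message; never reuse with the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails if the key is wrong or any byte was altered (tamper detection).
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key := make([]byte, 32) // 256-bit key; in practice loaded from a managed key store
	rand.Read(key)
	sealed, _ := Seal(key, []byte("ACCT 0001234 BAL 1250.00")) // constructed sample record
	sealed[len(sealed)-1] ^= 0x01 // flip one bit, as tampering in transit would
	_, err := Open(key, sealed)
	fmt.Printf("stored form: %x\ntamper check: %v\n", sealed, err)
}
```

Because the nonce is random, the same record seals to a different byte string each time, while Open still recovers the original with the correct key and rejects any altered copy.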
IT SECURITY QUESTION: Internal controls and procedures (Part 2 of 2)
i. Is there separation of duties for handling un-posted items?
j. Is there separation of duties for balancing final output?
k. Is there separation of duties for statement preparation?
l. Are there controls for non-dollar transactions? In writing?
m. Are master file changes required to be in writing?
n. Are source documents microfilmed before transportation?
o. Are official checks, which are computer processed, satisfactorily controlled?
p. Are employees prohibited from using computers for personal use?
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Reuse & Redisclosure of nonpublic personal information received from a nonaffiliated financial institution under Sections 14 and/or 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure and reuse of
the information where the institution is the recipient of nonpublic
personal information (§11(a)).
B. Select a sample of data received from nonaffiliated financial
institutions, to evaluate the financial institution's compliance
with reuse and redisclosure limitations.
1. Verify that the institution's redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution's own affiliates, except as otherwise allowed in step b below (§11(a)(1)(i) and (ii)).
2. Verify that the institution only uses and shares the data
pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).