Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Worker training key to data protection - An effective security
awareness campaign doesn't make security experts out of company
employees. It just makes them know who to call in case something
happens.
http://www.scmagazineus.com/SC-World-Congress-Worker-training-key-to-data-protection/article/152189/?DCMP=EMC-SCUS_Newswire
FYI - Recidivist stock fraud hacker pleads guilty to ID theft - A former
stock fraud hacker has pleaded guilty to new fraud and identity
theft charges.
http://www.theregister.co.uk/2009/10/08/recidivist_hacker_pleads_guilty/
FYI - Stolen NHS laptops recovered - no data breach thanks to remote
wiping - Four stolen laptops belonging to Lancashire Care NHS
Foundation Trust, which provides mental health services, have been
traced and recovered. According to the NHS Trust, no confidential
data was compromised due to remote wiping.
http://www.infosecurity-magazine.com/view/4508/stolen-nhs-laptops-recovered-no-data-breach-thanks-to-remote-wiping/
FYI - DHS Web sites vulnerable to hackers, IG says - Protocols are in
place, but patch management is spotty - The Homeland Security
Department's most popular Web sites appear to be vulnerable to
hackers and could put department data at risk of loss or
unauthorized use, according to a new report from DHS Inspector
General Richard Skinner.
http://fcw.com/Articles/2009/10/09/DHS-Web-sites-vulnerable-to-hackers-IG-says.aspx
FYI - GAO - Information Technology: Social Security Administration's Data
Exchanges Support Current Programs, but Better Planning Is Needed to
Meet Future Demands.
Report -
http://www.gao.gov/new.items/d09966.pdf
Highlights -
http://www.gao.gov/highlights/d09966high.pdf
FYI - GAO - Information Security: NASA Needs to Remedy Vulnerabilities in
Key Networks.
Report -
http://www.gao.gov/new.items/d104.pdf
Highlights -
http://www.gao.gov/highlights/d104high.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Blue Cross Blue Shield Association affirms laptop breach - The Blue
Cross Blue Shield Association (BCBSA) is reviewing its security
practices after thieves stole an employee's computer that contained
an unencrypted file with the personal information of nearly every
doctor who accepts the popular health insurance plan.
http://www.scmagazineus.com/Blue-Cross-Blue-Shield-Association-affirms-laptop-breach/article/151740/
FYI - T-Mobile sidelines Sidekick in wake of data debacle - T-Mobile USA
Inc. has for the time being pulled all of its Sidekick phones off
the market after the phones were hit by massive data outages.
http://www.computerworld.com/s/article/9139261/T_Mobile_sidelines_Sidekick_in_wake_of_data_debacle?taxonomyId=1
FYI - IT analyst at NY Fed Reserve Bank pleads guilty to ID theft scheme
- A former employee of the Federal Reserve Bank in New York, Curtis
L. Wiltshire, pleaded guilty today to one count of bank fraud and
one count of aggravated identity theft for having obtained student
loans using stolen identities.
http://www.databreaches.net/?p=7702
http://www.courthousenews.com/2009/10/07/Former_Fed_Bank_Worker_Admits_to_ID_Theft.htm
FYI - Former DuPont researcher hit with federal data theft charges - Meng
accused of wrongfully accessing a company computer - A former
research scientist at DuPont USA who is already facing civil charges
for allegedly attempting to steal corporate secrets from the
company, has been hit with a federal criminal complaint on the same
charges.
http://www.computerworld.com/s/article/9139014/Former_DuPont_researcher_hit_with_federal_data_theft_charges?taxonomyId=17
WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
Principle 9: Banks should take appropriate measures to ensure
adherence to customer privacy requirements applicable to the
jurisdictions to which the bank is providing e-banking products and
services.
Maintaining a customer's information privacy is a key responsibility
for a bank. Misuse or unauthorized disclosure of confidential
customer data exposes a bank to both legal and reputation risk. To
meet these challenges concerning the preservation of privacy of
customer information, banks should make reasonable endeavors to
ensure that:
1) The bank's customer privacy policies and standards take account
of and comply with all privacy regulations and laws applicable to
the jurisdictions to which it is providing e-banking products and
services.
2) Customers are made aware of the bank's privacy policies and
relevant privacy issues concerning use of e-banking products and
services.
3) Customers may decline (opt out) from permitting the bank to
share with a third party for cross-marketing purposes any
information about the customer's personal needs, interests,
financial position or banking activity.
4) Customer data are not used for purposes beyond which they are
specifically allowed or for purposes beyond which customers have
authorized.
5) The bank's standards for customer data use must be met when
third parties have access to customer data through outsourcing
relationships.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING - KEY FACTORS
Management is responsible for considering the following key factors
in developing and implementing independent diagnostic tests:
Personnel. Technical testing is frequently only as good as
the personnel performing and supervising the test. Management is
responsible for reviewing the qualifications of the testing
personnel to satisfy themselves that the capabilities of the testing
personnel are adequate to support the test objectives.
Scope. The tests and methods utilized should be sufficient to
validate the effectiveness of the security process in identifying
and appropriately controlling security risks.
Notifications. Management is responsible for considering whom
to inform within the institution about the timing and nature of the
tests. The need for protection of institution systems and the
potential for disruptive false alarms must be balanced against the
need to test personnel reactions to unexpected activities.
Controls Over Testing. Certain testing can adversely affect
data integrity, confidentiality, and availability. Management is
expected to limit those risks by appropriately crafting test
protocols. Examples of issues to address include the specific
systems to be tested, threats to be simulated, testing times, the
extent of security compromise allowed, situations in which testing
will be suspended, and the logging of test activity. Management is
responsible for exercising oversight commensurate with the risk
posed by the testing.
Frequency. The frequency of testing should be determined by
the institution's risk assessment. High-risk systems should be
subject to an independent diagnostic test at least once a
year. Additionally, firewall policies and other policies addressing
access control between the financial institution's network and other
networks should be audited and verified at least quarterly.
Factors that may increase the frequency of testing include the
extent of changes to network configuration, significant changes in
potential attacker profiles and techniques, and the results of other
testing.
(FYI - This is exactly the type of
independent diagnostic testing that the VISTA pen-test study
covers. Please refer to
http://www.internetbankingaudits.com/ for information.)
Proxy Testing. Independent diagnostic testing of a proxy
system is generally not effective in validating the effectiveness of
a security process. Proxy testing, by its nature, does not test the
operational system's policies and procedures, or its integration
with other systems. It also does not test the reaction of personnel
to unusual events. Proxy testing may be the best choice, however,
when management is unable to test the operational system without
creating excessive risk.
IT SECURITY QUESTION: ENCRYPTION
7. Determine if cryptographic keys are destroyed in a secure manner when they are no longer required.
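One thing an examiner can look for when answering this question is whether key material in memory is actually overwritten rather than left for a compiler to optimize the wipe away. The following is an added example, not code from the newsletter or the FFIEC booklet; it assumes a plain C environment without a platform helper such as explicit_bzero(), and the key bytes are constructed for the demonstration.

```c
#include <stddef.h>

/* Added example: a zeroization routine the compiler cannot discard as a
 * dead store, plus a check to confirm the key material is really gone.
 * Writing through a volatile pointer forces every byte store to be emitted,
 * unlike a plain memset() on a buffer that is never read again. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, 0 otherwise.
 * The OR-fold runs over the whole buffer regardless of content. */
int is_wiped(const void *buf, size_t len)
{
    const unsigned char *p = (const unsigned char *)buf;
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Simulates a key's lifetime: load constructed key material, then destroy
 * it once it is no longer required. Returns 1 only if the buffer held
 * non-zero material before the wipe and is verified all-zero afterwards. */
int key_lifecycle_demo(void)
{
    unsigned char key[32];
    /* Constructed sample key bytes for the demo only (not a real key). */
    for (size_t i = 0; i < sizeof key; i++) {
        key[i] = (unsigned char)(0xA5 ^ i);
    }
    int had_material = !is_wiped(key, sizeof key);
    secure_wipe(key, sizeof key);   /* key no longer required: destroy it */
    return had_material && is_wiped(key, sizeof key);
}
```

Keys held in files, backups or hardware modules need their own destruction procedure; this only covers the in-memory copy.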
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
33. Except as permitted by §§13-15,
does the institution refrain from disclosing any nonpublic personal
information about a consumer to a nonaffiliated third party, other
than as described in the initial privacy notice provided to the
consumer, unless:
a. the institution has provided the consumer with a clear and
conspicuous revised notice that accurately describes the
institution's privacy policies and practices;
[§8(a)(1)]
b. the institution has provided the consumer with a new opt out
notice; [§8(a)(2)]
c. the institution has given the consumer a reasonable opportunity
to opt out of the disclosure, before disclosing any information; [§8(a)(3)]
and
d. the consumer has not opted out? [§8(a)(4)]