R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

November 9, 2008

CONTENTS: Internet Compliance | Information Systems Security | IT Security Question | Internet Privacy | Website for Penetration Testing
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI -
Keystrokes can be recovered remotely - Wired keyboards, like those found on desktop PCs, emit electromagnetic waves that can be read remotely, according to two Swiss researchers. http://news.cnet.com/8301-1009_3-10072967-83.html?tag=mncol;title

FYI -
GAO - Check 21 Act: Most Consumers Have Accepted and Banks Are Progressing Toward Full Adoption of Check Truncation.
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-09-8
Highlights - http://www.gao.gov/highlights/d098high.pdf

FYI -
FTC extends "Red Flags Rules" enforcement six months - The Federal Trade Commission is extending the deadline for enforcement of the identity theft prevention "Red Flags Rules" until May 1. The deadline was extended because many companies were not prepared to meet the original Nov. 1 deadline, an FTC news release said. http://www.scmagazineus.com/FTC-extends-Red-Flags-Rules-enforcement-six-months/article/119866/?DCMP=EMC-SCUS_Newswire

FYI -
OMB backtracks on granting CIOs more authority - The Office of Management and Budget substantially edited a final memo outlining the role of federal chief information officers, removing from a draft version the responsibilities that would have given the technology executives more power within agencies. http://www.nextgov.com/nextgov/ng_20081024_5887.php

FYI -
Several nations eyeing U.S. cyber targets - About two dozen nations have developed cyber-attack capabilities and have their eyes on targets inside the U.S. government or businesses, the top cybercrime law enforcement official in the U.S. said. http://www.intergovworld.com/article/24e239a7c0a8000600c26acd165c8672/pg0.htm

FYI -
The coolest IT security jobs - SANS Institute to issue guide to most interesting IT security jobs. http://www.gcn.com/online/vol1_no1/47421-1.html?page=2

FYI -
Your personal identity isn't worth quite as much as it used to be--at least to thieves willing to swipe it. According to experts who monitor such markets, the value of stolen credit card data may range from $3 to as little as 40 cents. http://www.forbes.com/2008/10/25/credit-card-theft-tech-security-cz_tb1024theft_print.html

FYI -
Turkish hacker arrested by FBI made video giving tips for installing ATM skimmers - A Turkish hacker known as "Chao" and arrested as part of the FBI operation against underground forum DarkMarket produced his own training videos, researchers revealed this week at the RSA Europe conference in London. http://www.scmagazineus.com/Turkish-hacker-arrested-by-FBI-made-video-giving-tips-for-installing-ATM-skimmers/article/120035/?DCMP=EMC-SCUS_Newswire

FYI -
Health care data security breaches in the U.S. - New laws and regulations regarding data security breaches and disclosure laws affect the way in which health care organizations do business. http://www.scmagazineus.com/Health-care-data-security-breaches-in-the-US/article/120069/?DCMP=EMC-SCUS_Newswire 

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
$5,000 Reward Offered in Computer Theft - Fresno Police Chief Jerry Dyer asks city employees not to panic after a computer loaded with vital records was stolen. The computer was stolen last week from KRM Risk Management. http://www.cbs47.tv/news/local/story.aspx?content_id=853f41c4-1055-44a8-b78c-05df4a7c80af


WEB SITE COMPLIANCE -
We finish our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 10 of 10)

B. RISK MANAGEMENT TECHNIQUES

Managing Service Providers

Financial institutions, especially smaller institutions, may choose to subcontract with a service provider to create, arrange, and manage their websites, including weblinks. The primary risks for these financial institutions are the same as for those institutions that arrange the links directly. However, if a financial institution uses a set of pre-established links to a large number of entities whose business policies or procedures may be unfamiliar, it may increase its risk exposure. This is particularly true in situations in which the institution claims in its published privacy policy that it maintains certain minimum information security standards at all times.

When a financial institution subcontracts weblinking arrangements to a service provider, the institution should conduct sufficient due diligence to ensure that the service provider is appropriately managing the risk exposure from other parties. Management should keep in mind that a vendor might establish links to third parties that are unacceptable to the financial institution. Finally, the written agreement should contain a regulatory requirements clause in which the service provider acknowledges that its linking activities must comply with all applicable consumer protection laws and regulations.

Financial institution management should consider weblinking agreements with its service provider to mitigate significant risks. These agreements should be clear and enforceable with descriptions of all obligations, liabilities, and recourse arrangements. These may include the institution's right to exclude from its site links the financial institution considers unacceptable. Such contracts should include a termination clause, particularly if the contract does not include the ability to exclude websites. Finally, a financial institution should apply its link monitoring policies discussed above to links arranged by service providers or other vendors.


INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS


Firewall Policy (Part 1 of 3)

A firewall policy states management's expectations for how the firewall should function and is a component of the overall security policy. It should establish rules for traffic coming into and going out of the security domain and how the firewall will be managed and updated. Therefore, it is a type of security policy for the firewall, and forms the basis for the firewall rules. The firewall selection and the firewall policy should stem from the ongoing security risk assessment process. Accordingly, management needs to update the firewall policy as the institution's security needs and the risks change. At a minimum, the policy should address:

- Firewall topology and architecture,
- Type of firewall(s) being utilized,
- Physical placement of the firewall components,
- Monitoring firewall traffic,
- Permissible traffic (generally based on the premise that all traffic not expressly allowed is denied, detailing which applications can traverse the firewall and under what exact circumstances such activities can take place),
- Firewall updating,
- Coordination with intrusion detection and response mechanisms,
- Responsibility for monitoring and enforcing the firewall policy,
- Protocols and applications permitted,
- Regular auditing of a firewall's configuration and testing of the firewall's effectiveness, and
- Contingency planning.

Financial institutions should also appropriately train and manage their staffs to ensure the firewall policy is implemented properly. Alternatively, institutions can outsource the firewall management, while ensuring that the outsourcer complies with the institution's specific firewall policy.



IT SECURITY QUESTION:

C. HOST SECURITY

11. Determine whether appropriate notification is made of authorized use, through banners or other means.



INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Consumer and Customer:

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

For example, a customer relationship may be established when a consumer engages in one of the following activities with a financial institution:

1) maintains a deposit or investment account;
2) obtains a loan;
3) enters into a lease of personal property; or
4) obtains financial, investment, or economic advisory services for a fee.

Customers are entitled to initial and annual privacy notices regardless of the information disclosure practices of their financial institution.

There is a special rule for loans. When a financial institution sells the servicing rights to a loan to another financial institution, the customer relationship transfers with the servicing rights. However, any information on the borrower retained by the institution that sells the servicing rights must be accorded the protections due any consumer.

Note that isolated transactions alone will not cause a consumer to be treated as a customer. For example, if an individual purchases a bank check from a financial institution where the person has no account, the individual will be a consumer but not a customer of that institution because he or she has not established a customer relationship. Likewise, if an individual uses the ATM of a financial institution where the individual has no account, even repeatedly, the individual will be a consumer, but not a customer of that institution.

 

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated