FYI - IG report: Secret
Service suffers network security lapses - The Secret Service is
falling short in its efforts to protect sensitive online data about
its operations and in securing its IT networks, according to two new
reports from Homeland Security Department Inspector General Richard
L. Skinner.
http://www.washingtontechnology.com/cgi-bin/udt/im.display.printable?client.id=wtdaily-test&story.id=27276
FYI - Visa and
MasterCard combine security standards - Visa and MasterCard have
launched free, self-assessment tools for merchants to test and
validate the security of their e-commerce connections.
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4650
FYI - A Peek at IE7's
New Security - Microsoft has revealed some of the security changes
to the upcoming Internet Explorer 7 and Windows Vista--changes that
could cause trouble for some Web sites. One key change is that
Explorer will disable SSLv2, an older version of the Secure Sockets
Layer (SSL) protocol.
http://www.pcworld.com/news/article/0,aid,123215,00.asp
FYI - Keeping out the
data thieves - The digitization of virtually all of modern
businesses' intellectual property puts us in a situation today where
we are vulnerable to a new breed of security threat. High capacity
digital storage devices, such as the USB flash drives, home
broadband connections with VPN and the threat of malware are all
mechanisms by which thieves can get their hands on your data.
http://www.scmagazine.com/us/news/article/524444/
FYI - Navy Improves
Network Security by Blocking Access to Commercial Webmail - The Navy
has begun enforcing policies set forth in its Information Technology
User Acknowledgement Form by blocking access to Web-based commercial
e-mail sites (webmail) from Department of the Navy-funded networks.
That means it's no longer possible for anyone using Navy information
technology to access commercial webmail from providers such as
Yahoo, Hotmail, AOL and others.
http://www.navycompass.com/news/newsview.asp?c=171417
FYI - The Anti-Spyware
Coalition offered up standard guidelines on Thursday for detecting,
rating and protecting against unwelcome programs that have plagued
Internet users in recent years.
http://news.zdnet.com/2102-1009_22-5918113.html?tag=printthis
FYI - Security breach on
CBD web site - The hacker accessed the CBD web site's admin system.
Commercial Bank of Dubai (CBD) is ditching its web site provider
following concerns about security for the site. The bank's move
follows a hacking attack last month that saw the web site defaced
after a hacker gained entry to the site's administration system.
http://www.itp.net/news/details.php?id=18476&category=
FYI - Online banking too risky? Some
say yes - Even as banks and regulators step up efforts to thwart
identity theft over the Internet, the worry that fraudsters remain
one step ahead is convincing many Americans that banking online is
too risky.
http://news.com.com/2102-1029_3-5941531.html?tag=st.util.print
FYI - Cyber crooks break into online
accounts with ease - When he logged on to his Ameritrade account
earlier this year, George Rodriguez caught a cybercrook in the act
of cleaning out his retirement nest egg.
http://www.usatoday.com/tech/news/computersecurity/2005-11-02-cybercrime-online-accounts_x.htm
WEB SITE COMPLIANCE -
Truth in Lending Act (Regulation Z)
The commentary to Regulation Z was amended recently to clarify that
periodic statements for open-end credit accounts may be provided
electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day rule,"
requiring mailing or delivery of the statement not later than 14
days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options, but whichever they
choose, the on-line advertising must comply with the regulation. An
on-line advertisement that may be deemed to span more than a single
page must meet the regulation's requirements for multiple-page
advertisements.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
INFORMATION SECURITY STRATEGY (2 of 2)
Any particular approach should consider: (1) policies, standards, and
procedures; (2) technology and architecture; (3) resource
dedication; (4) training; and (5) testing.
For example, an institution's management may be assessing the proper
strategic approach to intrusion detection for an Internet
environment. Two potential approaches were identified for
evaluation. The first approach uses a combination of network and
host intrusion detection sensors with a staffed monitoring center.
The second approach consists of daily access log review. The former
alternative is judged much more capable of detecting an attack in
time to minimize any damage to the institution and its data, albeit
at a much greater cost. The added cost is entirely appropriate when
customer data and institution processing capabilities are exposed to
an attack, such as in an Internet banking environment. The latter
approach may be appropriate when the primary risk is reputational
damage, such as when the only information being protected is an
information-only Web site, and the Web site is not connected to
other financial institution systems.
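As an added illustration of the second approach above (example code, not from the FFIEC booklet or this newsletter), the Go program below performs a minimal daily access-log review for an information-only web site: it parses Common Log Format lines and flags clients with a high share of denied requests, or repeated requests for administrative and script paths that such a site never serves. The log lines and the thresholds are constructed assumptions for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// clfLine captures the Common Log Format fields the review uses:
// client address, request method, request path and status code.
var clfLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) `)

// Finding is one client a reviewer should look at, with the reason.
type Finding struct {
	IP, Reason string
}

// ReviewAccessLog scans one day's access log and returns the clients that merit
// attention. The thresholds are assumptions for this example; tune them to the
// site's normal traffic so that the daily review stays short enough to be read.
func ReviewAccessLog(log string) []Finding {
	type stats struct{ total, denied, probes int }
	perIP := map[string]*stats{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := clfLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not CLF; a production review would count these too
		}
		ip, path := m[1], strings.ToLower(m[3])
		s := perIP[ip]
		if s == nil {
			s = &stats{}
			perIP[ip] = s
		}
		s.total++
		if code, _ := strconv.Atoi(m[4]); code == 401 || code == 403 || code == 404 {
			s.denied++
		}
		// Paths an information-only site never serves: admin consoles,
		// server-side scripts and directory-traversal attempts.
		if strings.Contains(path, "..") || strings.Contains(path, "/admin") ||
			strings.Contains(path, "/cgi-bin") || strings.HasSuffix(path, ".php") {
			s.probes++
		}
	}
	var out []Finding
	for ip, s := range perIP {
		switch {
		case s.denied >= 5 && 2*s.denied >= s.total:
			out = append(out, Finding{ip, fmt.Sprintf("%d of %d requests denied", s.denied, s.total)})
		case s.probes >= 3:
			out = append(out, Finding{ip, fmt.Sprintf("%d requests for admin or script paths", s.probes)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

// sampleLog is constructed for this example; it is not a real server's log.
const sampleLog = `10.0.0.5 - - [03/Nov/2005:08:02:11 -0600] "GET /index.html HTTP/1.0" 200 4821
10.0.0.5 - - [03/Nov/2005:08:02:12 -0600] "GET /images/logo.gif HTTP/1.0" 200 1932
10.0.0.5 - - [03/Nov/2005:08:03:40 -0600] "GET /locations.html HTTP/1.0" 200 3310
198.51.100.9 - - [03/Nov/2005:09:15:02 -0600] "GET /rates.html HTTP/1.1" 200 2207
198.51.100.9 - - [03/Nov/2005:09:15:09 -0600] "GET /rates.htm HTTP/1.1" 404 512
192.0.2.77 - - [03/Nov/2005:11:41:03 -0600] "GET /admin/ HTTP/1.0" 403 298
192.0.2.77 - - [03/Nov/2005:11:41:03 -0600] "GET /admin/login.php HTTP/1.0" 404 512
192.0.2.77 - - [03/Nov/2005:11:41:04 -0600] "GET /cgi-bin/test-cgi HTTP/1.0" 404 512
192.0.2.77 - - [03/Nov/2005:11:41:04 -0600] "GET /../../etc/passwd HTTP/1.0" 404 512
192.0.2.77 - - [03/Nov/2005:11:41:05 -0600] "GET /phpmyadmin/ HTTP/1.0" 404 512
192.0.2.77 - - [03/Nov/2005:11:41:05 -0600] "GET /backup.tar.gz HTTP/1.0" 404 512
203.0.113.4 - - [03/Nov/2005:14:20:31 -0600] "GET /admin/ HTTP/1.1" 401 298
203.0.113.4 - - [03/Nov/2005:14:20:40 -0600] "GET /admin/ HTTP/1.1" 401 298
203.0.113.4 - - [03/Nov/2005:14:21:02 -0600] "POST /admin/login.php HTTP/1.1" 401 298
203.0.113.4 - - [03/Nov/2005:14:21:30 -0600] "GET /index.html HTTP/1.1" 200 4821
`

func main() {
	for _, f := range ReviewAccessLog(sampleLog) {
		fmt.Printf("%-14s %s\n", f.IP, f.Reason)
	}
}
```

Run against the previous day's log, the output is a short list a person can read in minutes; that is what makes log review viable where a staffed monitoring centre is not justified. It is also the limit of the approach: it sees an attack a day late and only what the web server chose to log, which is why the booklet reserves it for sites that have no path into other institution systems.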
Strategies should consider the layering of controls. Excessive
reliance on a single control could create a false sense of
confidence. For example, a financial institution that depends solely
on a firewall can still be subject to numerous attack methodologies
that exploit authorized network traffic. Financial institutions
should design multiple layers of security controls and testing to
establish several lines of defense between the attacker and the
asset being attacked. To successfully attack the data, each layer
must be penetrated. With each penetration, the probability of
detecting the attacker increases.
Policies are the primary embodiment of strategy, guiding decisions
made by users, administrators, and managers, and informing those
individuals of their security responsibilities. Policies also
specify the mechanisms through which responsibilities can be met,
and provide guidance in acquiring, configuring, and auditing
information systems. Key actions that contribute to the success of a
security policy are:
1) Implementing the policy through ordinary means, such as system
administration procedures and acceptable-use policies;
2) Enforcing the policy through security tools and sanctions;
3) Delineating the areas of responsibility for users, administrators,
and managers;
4) Communicating the policy clearly and understandably to all
concerned;
5) Obtaining employee certification that they have read and
understood the policy;
6) Providing flexibility to address changes in the environment; and
7) Conducting an annual review and approval by the board of
directors.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication
10. Determine whether PKI (Public Key Infrastructure)-based
authentication mechanisms:
• Securely issue and update keys,
• Securely unlock the secret key,
• Provide for expiration of keys at an appropriate time period,
• Ensure the certificate is valid before acceptance,
• Update the list of revoked certificates at an appropriate
frequency,
• Employ appropriate measures to protect private and root keys, and
• Appropriately log use of the root key.
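The following Go program, added here as an example and not drawn from the FFIEC booklet or this newsletter, shows what several of those checks look like at the point where a certificate is accepted for authentication. It builds a constructed in-memory PKI (a self-signed root named "Example Bank Root CA", short-lived user certificates and a 24-hour CRL), then refuses a certificate that fails to chain to the root, is outside its validity period, is listed on the CRL, or is presented while the relying party's copy of the CRL is past its NextUpdate. The CA name, lifetimes and one-day CRL interval are assumptions for the example; it needs Go 1.19 or later for the standard library's CRL parsing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed, in-memory PKI: one self-signed root plus the latest CRL it issued.
type PKI struct {
	Root    *x509.Certificate
	rootKey *ecdsa.PrivateKey // in production the root key lives in an HSM
	CRL     *x509.RevocationList
	counter int64 // monotonic source of certificate serials and CRL numbers
}

// must panics on issuing-side failures; Accept returns errors, since a server acts on them.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewPKI self-signs the root certificate and publishes an empty initial CRL.
func NewPKI(now time.Time) *PKI {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Bank Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	p := &PKI{Root: must(x509.ParseCertificate(der)), rootKey: key, counter: 1}
	p.IssueCRL(now, nil)
	return p
}

// IssueUserCert signs a client-auth certificate with a bounded lifetime; the user's key pair is dropped here.
func (p *PKI) IssueUserCert(user string, now time.Time, life time.Duration) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	p.counter++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.counter), Subject: pkix.Name{CommonName: user},
		NotBefore: now, NotAfter: now.Add(life),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, p.Root, &key.PublicKey, p.rootKey))))
}

// IssueCRL publishes a fresh CRL; NextUpdate is the deadline by which relying parties must have fetched a newer one.
func (p *PKI) IssueCRL(now time.Time, revoked []*big.Int) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	p.counter++
	tmpl := &x509.RevocationList{
		Number: big.NewInt(p.counter), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: entries,
	}
	p.CRL = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, p.Root, p.rootKey))))
}

// Accept applies the examination question's checks before a presented certificate is trusted:
// chain to our root, validity window at time of use, a root-signed CRL not past NextUpdate, no revocation entry.
func (p *PKI) Accept(cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain or validity period: %w", err)
	}
	if err := p.CRL.CheckSignatureFrom(p.Root); err != nil {
		return fmt.Errorf("CRL not signed by our root: %w", err)
	}
	if now.After(p.CRL.NextUpdate) {
		return fmt.Errorf("CRL stale since %s: refresh it before accepting anyone", p.CRL.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range p.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %v for %q is revoked", cert.SerialNumber, cert.Subject.CommonName)
		}
	}
	return nil
}

func main() {
	p := NewPKI(time.Now())
	alice := p.IssueUserCert("alice", time.Now(), 90*24*time.Hour)
	fmt.Println("fresh:", p.Accept(alice, time.Now()))
	fmt.Println("expired:", p.Accept(alice, time.Now().Add(91*24*time.Hour)))
	p.IssueCRL(time.Now(), []*big.Int{alice.SerialNumber})
	fmt.Println("revoked:", p.Accept(alice, time.Now()))
}
```

The program does not cover the remaining items on the list: protecting the root key (here it is an in-memory variable, with a comment marking where an HSM belongs), logging its use, and secure issuance of keys to users, which depend on the institution's enrolment process rather than on code at the relying party. The staleness check is the one most often missing in practice: a relying party that keeps using an old CRL will happily accept a certificate revoked yesterday.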
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and
Servicing Transactions
49. If the institution uses a Section 14 exception as
necessary to effect, administer, or enforce a transaction, is it:
a. required, or is one of the lawful or appropriate methods to
enforce the rights of the institution or other persons engaged in
carrying out the transaction or providing the product or service;
[§14(b)(1)] or
b. required, or is a usual, appropriate, or acceptable method
to: [§14(b)(2)]
1. carry out the transaction or the product or service
business of which the transaction is a part, including recording,
servicing, or maintaining the consumer's account in the ordinary
course of business; [§14(b)(2)(i)]
2. administer or service benefits or claims;
[§14(b)(2)(ii)]
3. confirm or provide a statement or other record of
the transaction or information on the status or value of the
financial service or financial product to the consumer or the
consumer's agent or broker; [§14(b)(2)(iii)]
4. accrue or recognize incentives or bonuses;
[§14(b)(2)(iv)]
5. underwrite insurance or for reinsurance or for
certain other purposes related to a consumer's insurance;
[§14(b)(2)(v)] or
6. in connection with:
i. the authorization,
settlement, billing, processing, clearing, transferring,
reconciling, or collection of amounts charged, debited, or otherwise
paid by using a debit, credit, or other payment card, check, or
account number, or by other payment means; [§14(b)(2)(vi)(A)]
ii. the transfer of
receivables, accounts or interests therein; [§14(b)(2)(vi)(B)] or
iii. the audit of debit,
credit, or other payment information? [§14(b)(2)(vi)(C)]