Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which supports compliance with Gramm-Leach-Bliley Act Section 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning. The audit takes a hacker's perspective, which helps you identify real-world weaknesses. For more information, call R. Kinney Williams today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - IT security policies unfair - Unfair policies prompt most employees to break company IT security rules, and that could lead to lost customer data, a Cisco study found.
http://www.computerworld.com.au/index.php/id;1866823251;fp;4;fpid;78268965
FYI - NIST on crypto keys, in IT life cycle security - The National Institute of Standards and Technology has released a draft version of guidelines for managing cryptographic keys and a final version of guidance for managing security in the information technology system life cycle.
http://www.gcn.com/online/vol1_no1/47450-1.html?topic=security
FYI -
London consumers trounce corporates in wireless security - London
homeowners are more careful about defending their wireless networks
against trespassers than their corporate counterparts. One in five
business networks fail to use any form of wireless encryption while
90 per cent of Londoners use encryption of some kind at home.
http://www.theregister.co.uk/2008/10/28/rsa_wireless_security_survey/
FYI -
Lipstick on a pig and how it relates to IT security - As someone
that has become totally engrossed in Tuesday's U.S. elections,
Barack Obama's comment about lipstick on a pig resonated because in
my opinion it just about sums up the approach to IT security in most
enterprises today.
http://www.scmagazineus.com/Lipstick-on-a-pig-and-how-it-relates-to-IT-security/article/120284/?DCMP=EMC-SCUS_Newswire
FYI -
Texas Private Security Board Again Refuses To Exempt Computer Repair
from Licensing Law - Board Passes on its Second Opportunity to
Clarify Law - The Texas Private Security Board yesterday declined
for a second time to adopt a rule that would end the justifiable
confusion over whether computer repair technicians in the state must
be government-licensed private investigators to continue solving
their customers' computer problems.
http://www.ij.org/index.php?option=com_content&task=view&id=2438&Itemid=129
FYI -
The data discovery challenge - One of the biggest challenges facing
IT organizations is pinpointing the location of critical data
throughout the enterprise. As businesses grow, data and its use grow
exponentially.
http://www.scmagazineus.com/The-data-discovery-challenge/article/120467/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Government website briefly closed following USB loss - The Gateway
site allowed people to register for tax forms and benefits and the
stick was lost by an employee of Atos Origin, and later found in a
car park in Cannock, Staffordshire.
http://www.scmagazineuk.com/Government-website-briefly-closed-following-USB-loss/article/120275/
FYI -
Memory device containing customer data lost by BoI - Bank of Ireland
has in the last few minutes confirmed that a USB memory device has
been mislaid. The memory device contained information including
account numbers, first line of address and contact numbers in
relation to 894 customers.
http://www.breakingnews.ie/ireland/mhideygbkfsn/
FYI -
'Ruthless' Trojan horse steals 500k bank, credit card log-ons -
Russian gang kept 'extraordinary' malware on the prowl for nearly
three years - A sophisticated cybercrime group that has maintained
an especially devious Trojan horse for nearly three years has stolen
the log-ons to more than 300,000 online bank accounts and almost as
many credit cards during that time, a security company said.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9118718&intsrc=hm_list
FYI -
State Dept. warns of possible identity theft - Passport applications
may have been accessed and used in fraud - The State Department said
Friday it has warned nearly 400 passport applicants of a security
breach in its records system that may have left them open to
identity theft.
http://www.msnbc.msn.com/id/27475651/
http://www.washingtonpost.com/wp-dyn/content/article/2008/10/30/AR2008103004716_pf.html
WEB SITE COMPLIANCE - This week begins our series on the FDIC's Supervisory Policy on Identity Theft. (Part 1 of 6)
Supervisory Policy on Identity Theft
Identity theft is fraud committed or attempted by using the
identifying information of another person without his or her
authority. Identifying information may include such things as a
Social Security number, account number, date of birth, driver's
license number, passport number, biometric data and other unique
electronic identification numbers or codes. As more financial
transactions are done electronically and remotely, and as more
sensitive information is stored in electronic form, the
opportunities for identity theft have increased significantly.
This policy statement describes the characteristics of identity
theft and emphasizes the FDIC's well-defined expectations that
institutions under its supervision detect, prevent and mitigate the
effects of identity theft in order to protect consumers and help
ensure safe and sound operations.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Policy (Part 2 of 3)
Firewalls are an essential control for a financial institution with an Internet connection and provide a means of protection against a variety of attacks. Firewalls should not be relied upon, however, to provide full protection from attacks. Institutions should complement firewalls with strong security policies and a range of other controls. In fact, firewalls are potentially vulnerable to attacks including:
- Spoofing trusted IP addresses;
- Denial of service by overloading the firewall with excessive requests or malformed packets;
- Sniffing of data that is being transmitted outside the network;
- Hostile code embedded in legitimate HTTP, SMTP, or other traffic that meets all firewall rules;
- Attacks on unpatched vulnerabilities in the firewall hardware or software;
- Attacks through flaws in the firewall design providing relatively easy access to data or services residing on firewall or proxy servers; and
- Attacks against machines and communications used for remote administration.
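The first item in that list, spoofing a trusted IP address, works precisely because a rule that looks only at the source address cannot tell a LAN host from an Internet host that has forged a LAN address. The example below is added here to illustrate the point; it is not from the FFIEC booklet or from any firewall product. It models a two-interface border firewall and contrasts an address-only admin-access rule with one that applies interface-aware anti-spoofing first. The interface names (eth0 external, eth1 internal), the internal prefixes, and the sample packets are all constructed assumptions.

```python
"""Added example: anti-spoofing at a border firewall.

Assumed topology (hypothetical): eth0 faces the Internet, eth1 faces
the internal LAN, and the LAN uses 10.0.0.0/8 and 192.168.0.0/16.
"""
import ipaddress
from dataclasses import dataclass

EXTERNAL_IF = "eth0"   # assumed Internet-facing interface
INTERNAL_IF = "eth1"   # assumed LAN-facing interface
ADMIN_PORT = 22        # remote administration of the firewall itself

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Source addresses that can never legitimately arrive from the Internet:
# our own prefixes plus loopback, "this network" and link-local.
NEVER_FROM_OUTSIDE = INTERNAL_NETS + [ipaddress.ip_network("127.0.0.0/8"),
                                      ipaddress.ip_network("0.0.0.0/8"),
                                      ipaddress.ip_network("169.254.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int


def _in_any(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def weak_admin_rule(pkt: Packet) -> bool:
    """Address-only rule: 'allow SSH to the firewall from the LAN'.

    It never asks which interface the packet came in on, so a packet
    from the Internet carrying a forged 10.x source is accepted.
    """
    return pkt.dport == ADMIN_PORT and _in_any(pkt.src, INTERNAL_NETS)


def antispoof_verdict(pkt: Packet) -> str:
    """Interface-aware filtering, evaluated before any allow rule."""
    if pkt.iface == EXTERNAL_IF and _in_any(pkt.src, NEVER_FROM_OUTSIDE):
        return "DROP"   # forged 'trusted' or bogon source from the Internet
    if pkt.iface == INTERNAL_IF and not _in_any(pkt.src, INTERNAL_NETS):
        return "DROP"   # egress filter: the LAN must not emit foreign sources
    return "PASS"


def hardened_admin_rule(pkt: Packet) -> bool:
    """Same intent as weak_admin_rule, but only after anti-spoofing and
    only on the interface where LAN traffic can legitimately appear."""
    if antispoof_verdict(pkt) == "DROP":
        return False
    return (pkt.iface == INTERNAL_IF and pkt.dport == ADMIN_PORT
            and _in_any(pkt.src, INTERNAL_NETS))


# Constructed sample traffic; public-side addresses use RFC 5737
# documentation prefixes.
SAMPLE = [
    Packet("eth0", "10.0.0.5", "203.0.113.1", 22),       # forged LAN source, from Internet
    Packet("eth0", "198.51.100.7", "203.0.113.1", 443),  # ordinary Internet client
    Packet("eth1", "10.0.0.5", "203.0.113.1", 22),       # genuine LAN administrator
    Packet("eth1", "198.51.100.9", "203.0.113.1", 80),   # LAN host emitting a foreign source
]


def evaluate(packets=SAMPLE):
    """Return (iface, src, weak_allows, hardened_allows, antispoof) per packet."""
    return [(p.iface, p.src, weak_admin_rule(p), hardened_admin_rule(p),
             antispoof_verdict(p)) for p in packets]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The first sample packet is the case the booklet warns about: the weak rule admits it to the firewall's own SSH port, while the hardened rule drops it because a 10.x source cannot arrive on eth0. The fourth packet shows the egress side of the same control, which keeps the institution from being the origin of spoofed traffic aimed at someone else.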
IT SECURITY QUESTION:
C. HOST SECURITY
12. Determine whether authoritative copies of host configuration and public server content are maintained offline.
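The value of an offline authoritative copy is that an attacker who controls the host cannot also rewrite the baseline, so the live system can be checked against it. The following is an added example, not part of the examination material, of how such a check can be run: a SHA-256 manifest is built from the offline copy, then compared with the live host's files to report anything added, removed or modified. The file names, paths and contents are constructed for illustration.

```python
"""Added example: verify a live host against an offline authoritative copy.

Builds a SHA-256 manifest from the authoritative tree (kept offline)
and diffs it against the live tree. All sample files are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_to_authoritative(manifest: dict, live_root: Path) -> dict:
    """Report drift of the live tree from the offline manifest."""
    live = build_manifest(live_root)
    return {
        "added": sorted(set(live) - set(manifest)),
        "removed": sorted(set(manifest) - set(live)),
        "modified": sorted(k for k in manifest
                           if k in live and live[k] != manifest[k]),
    }


def _write_tree(root: Path, files: dict) -> None:
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: the offline copy of a public web root and the
    host's firewall rules, and a live host that has drifted (altered page,
    dropped robots.txt, extra script in an upload directory, loosened rule).
    """
    authoritative = {
        "www/index.html": b"<html><body>Welcome to Example Bank</body></html>\n",
        "www/login.html": b"<form method='post' action='/login'></form>\n",
        "www/robots.txt": b"User-agent: *\nDisallow: /admin/\n",
        "etc/firewall.rules": b"-A INPUT -i eth0 -p tcp --dport 22 -j DROP\n",
    }
    live = dict(authoritative)
    live["www/index.html"] = b"<html><body>Welcome to Examp1e Bank</body></html>\n"
    live["etc/firewall.rules"] = b"-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT\n"
    live["www/uploads/cmd.php"] = b"<?php system($_GET['c']); ?>\n"
    del live["www/robots.txt"]

    with tempfile.TemporaryDirectory() as offline_dir, \
            tempfile.TemporaryDirectory() as live_dir:
        _write_tree(Path(offline_dir), authoritative)
        _write_tree(Path(live_dir), live)
        # In practice the manifest is generated from the offline copy and
        # carried to the host; only the manifest needs to travel.
        manifest = build_manifest(Path(offline_dir))
        return compare_to_authoritative(manifest, Path(live_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Only the manifest has to reach the host, and it should be produced from the offline copy rather than from the host itself; a manifest generated on a compromised server merely certifies the compromise. The same comparison also yields the list of files to restore from the authoritative copy after an incident.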
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Financial Institution Duties (Part 1 of 6)
The regulations establish specific duties and limitations for a
financial institution based on its activities. Financial
institutions that intend to disclose nonpublic personal information
outside the exceptions will have to provide opt out rights to their
customers and to consumers who are not customers. All financial
institutions have an obligation to provide an initial and annual
notice of their privacy policies to their customers. All financial
institutions must abide by the regulatory limits on the disclosure
of account numbers to nonaffiliated third parties and on the
redisclosure and reuse of nonpublic personal information received
from nonaffiliated financial institutions.
A brief summary of financial institution duties and limitations
appears below. A more complete explanation of each appears in the
regulations.
Notice and Opt Out Duties to Consumers:
If a financial institution intends to disclose nonpublic
personal information about any of its consumers (whether or not they
are customers) to a nonaffiliated third party, and an exception does
not apply, then the financial institution must provide to the
consumer:
1) an initial notice of its privacy policies;
2) an opt out notice (including, among other things, a
reasonable means to opt out); and
3) a reasonable opportunity, before the financial institution
discloses the information to the nonaffiliated third party, to opt
out.
The financial institution may not disclose any nonpublic personal
information to nonaffiliated third parties except under the
enumerated exceptions unless these notices have been provided and
the consumer has not opted out. Additionally, the institution must
provide a revised notice before the financial institution begins to
share a new category of nonpublic personal information or shares
information with a new category of nonaffiliated third party in a
manner that was not described in the previous notice.
Note that a financial institution need not comply with the initial and opt-out notice requirements for consumers who are not customers if the institution limits disclosure of nonpublic personal information to the exceptions.