FYI - IT security is now a boardroom issue - Complying with regulations such as the Sarbanes-Oxley Act of 2002 or European legislation is now the primary driver of information security in Irish and global businesses, for the first time surpassing worms and viruses as a motivator. As a result, says Ernst & Young, IT security is becoming a strategic boardroom issue in an increasing number of firms.
http://www.siliconrepublic.com/news/news.nv?storyid=single5626

FYI - SEC - Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information.
http://www.sec.gov/investor/pubs/onlinebrokerage.htm

FYI - SAS 70, the auditing standard, is finding its way onto CSOs' desks. Used correctly, it's a nice start on verifying business partners' security controls. Unfortunately, some people aren't using it correctly.
http://www.csoonline.com/read/110105/sas70.html

FYI - Stolen PC holds sensitive consumer data - A break-in and computer theft last month in an office of the TransUnion credit monitoring service has left 3,600 consumers at risk of ID theft, the company said.
http://news.com.com/2102-1029_3-5942424.html?tag=st.util.print

FYI - Sony rootkit prompts office clampdown on CD use - Sony's decision to include rootkit-like copy restrictions on some of its music CDs is prompting some companies to review whether they allow their staff to use personal CDs at work.
http://news.com.com/2102-7355_3-5951177.html?tag=st.util.print
WEB SITE COMPLIANCE - Advertisements

Generally, Internet web sites are considered advertising by the regulatory agencies. In some cases, the regulations contain special rules for multiple-page advertisements. It is not yet clear what would constitute a single "page" in the context of the Internet or on-line text. Thus, institutions should carefully review their on-line advertisements in an effort to minimize compliance risk.

In addition, Internet or other systems in which a credit application can be made on-line may be considered "places of business" under HUD's rules prescribing lobby notices. Thus, institutions may want to consider including the "lobby notice," particularly in the case of interactive systems that accept applications.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL

The goal of logical and administrative access control is to restrict access to system resources. Access should be provided only to authorized individuals whose identity is established, and their activities should be limited to the minimum required for business purposes. Authorized individuals (users) may be employees, TSP employees, vendors, contractors, customers, or visitors.

An effective control mechanism includes numerous controls to safeguard and limit access to key information system assets. This section addresses logical and administrative controls, including access rights administration and authentication through network, operating system, application, and remote access. A subsequent section addresses physical security controls.
ACCESS RIGHTS ADMINISTRATION (1 of 5)

Action Summary - Financial institutions should have an effective process to administer access rights. The process should include the following controls:

1) Assign users and system resources only the access required to perform their required functions,
2) Update access rights based on personnel or system changes,
3) Periodically review users' access rights at an appropriate frequency based on the risk to the application or system, and
4) Design appropriate acceptable-use policies and require users to sign them.
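As an added illustration of the first three controls above (it is example code written for this newsletter, not from the FFIEC booklet), the script below runs an access-rights review over constructed sample data: a role-to-entitlement map, an HR roster and the entitlements actually granted. It flags excess privilege, accounts left active after termination, accounts with no HR record, and systems whose risk-based review interval has lapsed. All user names, roles, systems and dates are made up.

```python
"""Access-rights review over constructed sample data (example, not FFIEC code)."""
from datetime import date

# Constructed role definitions: the entitlements each role legitimately needs (control 1).
ROLE_ENTITLEMENTS = {
    "teller": {"core_banking:read", "core_banking:post_txn"},
    "loan_officer": {"core_banking:read", "loan_system:write"},
    "contractor_dev": {"test_env:deploy"},
}
# Constructed HR roster: user -> (role, employment status). Drives control 2.
HR_ROSTER = {
    "alice": ("teller", "active"),
    "bob": ("loan_officer", "terminated"),
    "carol": ("contractor_dev", "active"),
}
# Constructed view of what the systems actually grant today.
ENTITLEMENTS = {
    "alice": {"core_banking:read", "core_banking:post_txn", "loan_system:write"},
    "bob": {"core_banking:read", "loan_system:write"},
    "carol": {"test_env:deploy"},
    "dave": {"core_banking:read"},  # no HR record at all
}
# Review cadence per system, set by its risk (control 3): higher risk, shorter interval.
REVIEW_INTERVAL_DAYS = {"core_banking": 90, "loan_system": 180, "test_env": 365}
LAST_REVIEW = {"core_banking": date(2005, 6, 1),
               "loan_system": date(2005, 9, 1),
               "test_env": date(2005, 1, 15)}


def review_access(roster, entitlements, role_map):
    """Return (user, finding, detail) for every deviation from least privilege."""
    findings = []
    for user, granted in entitlements.items():
        if user not in roster:                      # account with no owner in HR
            findings.append((user, "orphan_account", sorted(granted)))
            continue
        role, status = roster[user]
        if status != "active":                      # personnel change not propagated
            findings.append((user, "stale_after_termination", sorted(granted)))
            continue
        excess = granted - role_map.get(role, set())  # beyond what the role needs
        if excess:
            findings.append((user, "excess_privilege", sorted(excess)))
    return findings


def overdue_reviews(last_review, interval_days, today):
    """Systems whose periodic entitlement review is past its risk-based due date."""
    return sorted(s for s, d in last_review.items() if (today - d).days > interval_days[s])


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ENTITLEMENTS, ROLE_ENTITLEMENTS):
        print(finding)
    print("overdue reviews:", overdue_reviews(LAST_REVIEW, REVIEW_INTERVAL_DAYS, date(2005, 11, 15)))
```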
IT SECURITY QUESTION:

A. AUTHENTICATION AND ACCESS CONTROLS - Authentication

11. Determine that biometric systems
• Have an adequately strong and reliable enrollment process,
• Adequately protect against the presentation of forged credentials (e.g., address replay attacks), and
• Are appropriately tuned for false accepts/false rejects.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Other Exceptions to Notice and Opt Out Requirements

50. If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service providers and joint marketers in §13, not apply because the institution makes the disclosure:
a. with the consent or at the direction of the consumer; [§15(a)(1)]
b.
1. to protect the confidentiality or security of records; [§15(a)(2)(i)]
2. to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; [§15(a)(2)(ii)]
3. for required institutional risk control or for resolving consumer disputes or inquiries; [§15(a)(2)(iii)]
4. to persons holding a legal or beneficial interest relating to the consumer; [§15(a)(2)(iv)] or
5. to persons acting in a fiduciary or representative capacity on behalf of the consumer; [§15(a)(2)(v)]
c. to insurance rate advisory organizations, guaranty funds or agencies, agencies rating the institution, persons assessing compliance, and the institution's attorneys, accountants, and auditors; [§15(a)(3)]
d. in compliance with the Right to Financial Privacy Act, or to law enforcement agencies; [§15(a)(4)]
e. to a consumer reporting agency in accordance with the FCRA or from a consumer report reported by a consumer reporting agency; [§15(a)(5)]
f. in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit, if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; [§15(a)(6)]
g. to comply with Federal, state, or local laws, rules, or legal requirements; [§15(a)(7)(i)]
h. to comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; [§15(a)(7)(ii)] or
i. to respond to judicial process or government regulatory authorities having jurisdiction over the institution for examination, compliance, or other purposes as authorized by law? [§15(a)(7)(iii)]
(Note: the regulation gives the following as an example of the exception described in section a of this question: "A consumer may specifically consent to [an institution's] disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to [the institution] for a mortgage so that the insurance company can offer homeowner's insurance to the consumer.")