FYI - Revised Training Program for Information Technology Examiners - This
letter modifies the training program for information technology
examiners as approved by the Staff Development Subcommittee of the
Strategic Plan Steering Committee. Effective with the publication of
this SR letter, the revised training program applies to all
assistant IT examiners currently employed by the Federal Reserve
Banks, as well as to those hired in the future. Completion of this
program is a requirement for IT specialists to obtain commissioned
examiner status at the Federal Reserve Banks.
www.federalreserve.gov/boarddocs/SRLETTERS/2005/sr0522.htm
FYI - Boeing Says Laptop
with Employee info Stolen - A laptop computer containing names,
social security numbers and other sensitive information of 161,000
current and former employees of Boeing Co. was stolen recently, the
U.S. aerospace manufacturer said Friday.
http://www.eweek.com/article2/0,1759,1889139,00.asp?kc=EWRSS03129TX1K0000614
FYI - How to Design a
Strategic Security Process - Implementing strategic security
policies and procedures enhances the protection of IT assets and
digital information, while reducing external and internal security
risks.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5669
FYI - DOD to automate
deployment of security patches - The Defense Department recently
made it mandatory for computer users to deploy automated security
tools across the department to better protect networks from viruses.
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=37584
FYI - Sony's Plan To Fix
Infected Copy Protection Only Makes Matters Worse - Sony's suggested
method for removing the program actually widens the security hole
the original software created, researchers say.
http://www.informationweek.com/story/showArticle.jhtml?articleID=173603259
FYI - NEC Debuts Laptop Without
a Hard Disk - Aimed at corporate users, the PC Parafield reduces
risk of losing loads of sensitive data if notebook is lost.
http://www.pcworld.com/news/article/0,aid,123737,tk,dn120105X,00.asp
FYI - Offshoring specialists are
using security certification to assure firms that data is safe -
When organisations allow outsourcers or other third parties -
whether local or offshore - to handle customers' information, they
will increasingly demand evidence that this data is protected while
offsite. One way to ensure good practices for security is to use
service providers certified to the BS7799 British security standard
- or its international equivalent ISO 17799 - designed to help firms
manage and minimise security risks.
http://www.itweek.co.uk/itweek/analysis/2145504/offshoring-pushes-bs7799
WEB SITE COMPLIANCE - TRUTH IN SAVINGS ACT (REG DD)
Financial institutions that advertise deposit products and services
on-line must verify that proper advertising disclosures are made in
accordance with all provisions of the regulations. Institutions
should note that the disclosure exemption for electronic media does
not specifically address commercial messages made through an
institution's web site or other on-line banking system. Accordingly,
adherence to all of the advertising disclosure requirements is
required.
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to OSC
regulations if the institution's deposit rates appear on third party
web sites or as part of a rate sheet summary. These types of
messages are not considered advertisements unless the depository
institution, or a deposit broker offering accounts at the
institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers would supplement electronic disclosures
with paper disclosures.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (2 of 5)
The enrollment process establishes the
user's identity and anticipated business needs to information and
systems. New employees, IT outsourcing relationships, and
contractors may also be identified, and the business need for access
determined during the hiring or contracting process.
During enrollment and thereafter, an authorization process
determines user access rights. In certain circumstances the
assignment of access rights may be performed only after the manager
responsible for each accessed resource approves the assignment and
documents the approval. In other circumstances, the assignment of
rights may be established by the employee's role or group
membership, and managed by pre-established authorizations for that
group. Customers, on the other hand, may be granted access based on
their relationship with the institution.
Authorization for privileged access should be tightly controlled.
Privileged access refers to the ability to override system or
application controls. Good practices for controlling privileged
access include:
• Identifying each privilege associated with each system component,
• Implementing a process to allocate privileges and allocating those
privileges either on a need-to-use or an event-by-event basis,
• Documenting the granting and administrative limits on privileges,
• Finding alternate ways of achieving the business objectives,
• Assigning privileges to a unique user ID apart from the one used
for normal business use,
• Logging and auditing the use of privileged access,
• Reviewing privileged access rights at appropriate intervals and
regularly reviewing privilege access allocations, and
• Prohibiting shared privileged access by multiple users.
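As an added example (not from the FFIEC booklet or this newsletter), the Python below turns several of these practices into checks run over a constructed access-rights register and a constructed privileged-use log: separation of privileged IDs from daily logins, documented approval, periodic review, no shared privileged accounts, and use of a privileged account by someone other than its recorded owner. The register fields, log line format and account names are all assumptions made for the example.

```python
"""Privileged-access review checks against a register and a use log.
Each check returns the accounts failing one practice from the list above;
the last audits recorded privileged-account use against owners."""
import re
from datetime import date, timedelta

# Constructed sample register; field names are this example's assumptions.
REGISTER = [
    {"account": "jdoe", "owners": ["jdoe"], "privileges": ["db_admin"],
     "approved_by": "dba-manager", "last_review": date(2005, 10, 1),
     "also_daily_login": True},                 # same ID used for daily work
    {"account": "adm-asmith", "owners": ["asmith"], "privileges": ["root"],
     "approved_by": "ops-manager", "last_review": date(2005, 11, 15),
     "also_daily_login": False},
    {"account": "oper", "owners": ["bjones", "cwu"], "privileges": ["root"],
     "approved_by": None, "last_review": date(2005, 1, 5),
     "also_daily_login": False},                # shared, undocumented, stale
]
AS_OF = date(2005, 12, 5)  # constructed date of this review

# Constructed privileged-use log; the line format is this example's own.
USE_LOG = """\
2005-12-05T09:10:03 actor=asmith target=adm-asmith cmd=useradd
2005-12-05T10:02:11 actor=dlee target=oper cmd=passwd
2005-12-05T11:45:30 actor=cwu target=oper cmd=service
"""
LOG_RE = re.compile(r"actor=(\S+) target=(\S+)")

def shared_accounts(register):
    """Privileged accounts with more than one recorded owner."""
    return [r["account"] for r in register if len(r["owners"]) > 1]

def undocumented_grants(register):
    """Privileged accounts whose approval was never documented."""
    return [r["account"] for r in register if not r["approved_by"]]

def not_separated(register):
    """Privileged IDs that double as the owner's normal business login."""
    return [r["account"] for r in register if r["also_daily_login"]]

def overdue_reviews(register, today, max_age_days=90):
    """Privileged accounts not reviewed within the review interval."""
    cutoff = today - timedelta(days=max_age_days)
    return [r["account"] for r in register if r["last_review"] < cutoff]

def unauthorised_use(log_text, register):
    """(actor, account) pairs where the actor is not a recorded owner."""
    owners = {r["account"]: set(r["owners"]) for r in register}
    return [(a, t) for a, t in LOG_RE.findall(log_text)
            if a not in owners.get(t, set())]
```

Each function returns the offending accounts, so the same checks can be run against a real register export at whatever review interval the institution sets.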
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Authentication
13. Review authenticator reissuance and reset procedures.
Determine whether controls adequately mitigate risks from:
• Social engineering
• Errors in the identification of the user
• Inability to re-issue on a large scale in the event of a mass
compromise
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Definitions and Key Concepts
In discussing the duties and limitations imposed by the
regulations, a number of key concepts are used. These concepts
include "financial institution"; "nonpublic personal
information"; "nonaffiliated third party"; the
"opt out" right and the exceptions to that right; and
"consumer" and "customer." Each concept is
briefly discussed below. A more complete explanation of each appears
in the regulations.
Financial Institution:
A "financial institution" is any institution the
business of which is engaging in activities that are financial in
nature or incidental to such financial activities, as determined by
section 4(k) of the Bank Holding Company Act of 1956. Financial
institutions can include banks, securities brokers and dealers,
insurance underwriters and agents, finance companies, mortgage
bankers, and travel agents.
Nonaffiliated Third Party:
A "nonaffiliated third party" is any person except
a financial institution's affiliate or a person employed jointly by
a financial institution and a company that is not the institution's
affiliate. An "affiliate" of a financial institution is
any company that controls, is controlled by, or is under common
control with the financial institution.