FYI - DOD moves to improve software assurance - The Defense Department is planning
acquisition policy changes aimed at improving the quality and
security of the software it buys from vendors.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=26178
FYI - UCLA laptop theft exposes ID info - Representatives of the University of California,
Los Angeles, are warning 145,000 blood donors they could be at risk
for identity theft due to a stolen university laptop.
http://zdnet.com.com/2102-1105_2-5230662.html?tag=printthis
FYI - For sale by public auction: Juicy laptop secrets - Many lost or stolen laptops contain
sensitive data that can be easily retrieved - Laptops containing
sensitive financial details and all manner of corporate secrets can
be snapped up at auctions for a pittance, a security firm said.
http://www.computerworld.com/printthis/2004/0,4814,93742,00.html
FYI - A commitment to business continuity planning and disaster recovery will pay dividends down the line - There are three areas that information
security professionals tend to skimp on that sometimes come back to
haunt them: Determining requirements for systems or software;
reviewing service contracts for security requirements; and making
sure disaster recovery and business resilience plans are updated
against the current known threat level. Let's explore disaster
recovery and business resilience to both physical and virtual
threats.
http://www.cyberdefensemag.com/articles2.php
FYI - Survey: Security efforts paying off - Companies working to harden their security have
found that the efforts have resulted in fewer incidents of
unauthorized computer use and a decline in damages from security
incidents, a computer security group said in a report.
http://news.com.com/Survey%3A+Security+efforts+paying+off/2100-7355_3-5230787.html?tag=cd.top
FYI - Beware of keystroke-logging RATs! - Robbing a bank used to involve risk of
serious physical harm. Now, bandits may develop carpal tunnel
syndrome, but that's about it. Without leaving the house, a criminal
hacker, or cracker, can create a Trojan horse to clear thousands of
dollars in fraudulent bank transactions.
http://reviews-zdnet.com.com/AnchorDesk/4520-7297_16-5138146.html
FYI - Company secrets leak via e-mail - Sending an e-mail by mistake is easily done -
Confidential information is leaking out of companies due to careless
e-mail use, a survey has found.
http://news.bbc.co.uk/2/hi/technology/3809025.stm
FYI - The Federal Reserve Board has announced amendments to
Appendix A of Regulation CC that reflect the restructuring of the
Federal Reserve's check processing operations in the Fourth, Fifth,
and Eighth Districts.
www.federalreserve.gov/boarddocs/press/bcreg/2004/200406222/default.htm
INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
A. RISK DISCUSSION
Reputation Risk
Trade Names
If the third party has a name similar to that of the financial
institution, there is an increased likelihood of confusion for the
customer and increased exposure to reputation risk for the financial
institution. For example, if customers access a similarly named
broker from the financial institution's website, they may believe
that the financial institution is providing the brokerage service or
that the broker's products are federally insured.
Website Appearance
The use of frame technology and other similar technologies may
confuse customers about which products and services the financial
institution provides and which products and services third parties,
including affiliates, provide. If frames are used, when customers
link to a third-party website through the institution-provided link,
the third-party webpages open within the institution's master
webpage frame. For example, if a financial institution provides
links to a discount broker and the discount broker's webpage opens
within the institution's frame, the appearance of the financial
institution's logo on the frame may give the impression that the
financial institution is providing the brokerage service or that the
two entities are affiliated. Customers may believe that their funds
are federally insured, creating potential reputation risk to the
financial institution in the event the brokerage service should fail
or the product loses value.
Compliance Risk
The compliance risk to an institution linking to a third-party's
website depends on several factors. These factors include the nature
of the products and services provided on the third-party's website,
and the nature of the institution's business relationship with the
third party. This is particularly true with respect to compensation
arrangements for links. For example, a financial institution that
receives payment for offering advertisement-related weblinks to a
settlement service provider's website should carefully consider the
prohibition against kickbacks, unearned fees, and compensated
referrals under the Real Estate Settlement Procedures Act (RESPA).
The financial institution has compliance risk as well as reputation
risk if linked third parties offer less security and privacy
protection than the financial institution. Third-party sites may
have less secure encryption policies, or less stringent policies
regarding the use and security of their customer's information. The
customer may be comfortable with the financial institution's
policies for privacy and security, but not with those of the linked
third party. If the third-party's policies and procedures create
security weaknesses or apply privacy standards that permit the third
party to release confidential customer information, customers may
blame the financial institution.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Security Controls in Application Software
Application development should incorporate appropriate security
controls, audit trails, and activity logs. Typical application
access controls are addressed in earlier sections. Application
security controls should also include validation controls for data
entry and data processing. Data entry validation controls include
access controls over entry and changes to data, error checks, review
of suspicious or unusual data, and dual entry or additional review
and authorization for highly sensitive transactions or data. Data
processing controls include: batch control totals; hash totals of
data for comparison after processing; identification of any changes
made to data outside the application (e.g., data-altering
utilities); and job control checks to ensure programs run in correct
sequence (see the booklet "Computer Operations" for additional
considerations).
Some applications will require the integration of additional
authentication and encryption controls to ensure integrity and
confidentiality of the data. As customers and merchants originate an
increasing number of transactions, authentication and encryption
become increasingly important to ensure non-repudiation of
transactions.
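The data processing controls listed above (batch control totals, hash totals compared after processing, detection of changes made outside the application, and job sequence checks) as an added, runnable illustration; this is example code written for this newsletter, not from the FFIEC booklet, and the batch records, amounts and job names are constructed.

```python
import hashlib
from decimal import Decimal

# Constructed sample batch of (account, amount) records captured at data entry.
BATCH = [
    ("1001", Decimal("250.00")),
    ("1002", Decimal("-75.25")),
    ("1003", Decimal("1200.10")),
]
# Constructed "after processing" views of the same batch:
# one record's amount changed by a data-altering utility outside the application.
ALTERED = [("1001", Decimal("350.00"))] + BATCH[1:]
# two amounts shifted so the net total is unchanged; only the hash total catches it.
SWAPPED = [("1001", Decimal("150.00")), ("1002", Decimal("24.75"))] + BATCH[2:]

# Constructed job sequence the batch must pass through, in this order.
JOB_SEQUENCE = ["validate", "post", "reconcile"]


def control_totals(batch):
    """Batch control totals: record count, net amount, and a hash total over the
    canonical record text, so any edit to any field changes the hash."""
    h = hashlib.sha256()
    net = Decimal("0")
    for acct, amt in batch:
        h.update(f"{acct}|{amt}\n".encode())
        net += amt
    return {"count": len(batch), "net": net, "hash": h.hexdigest()}


def verify_totals(batch, expected):
    """Recompute totals after processing and return the names of the totals
    that no longer match the values captured at entry ([] means clean)."""
    actual = control_totals(batch)
    return [name for name in expected if actual[name] != expected[name]]


def job_sequence_ok(executed):
    """Job control check: jobs ran in the prescribed order with none skipped."""
    return executed == JOB_SEQUENCE[: len(executed)]


if __name__ == "__main__":
    at_entry = control_totals(BATCH)
    print(verify_totals(BATCH, at_entry))    # [] : nothing changed
    print(verify_totals(ALTERED, at_entry))  # ['net', 'hash']
    print(verify_totals(SWAPPED, at_entry))  # ['hash'] : net still balances
    print(job_sequence_ok(["validate", "post"]), job_sequence_ok(["post"]))
```

The SWAPPED case shows why the booklet lists hash totals alongside arithmetic control totals: a change that preserves the batch's net amount slips past count and sum checks but not the hash.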
IT SECURITY QUESTION:
F. PERSONNEL SECURITY
6. Determine if an appropriate disciplinary process for
security violations exists and is functioning.
INTERNET PRIVACY - With this issue, we begin our review of the issues in the "Privacy of
Consumer Financial Information" published by the financial
regulatory agencies in May 2001.
On November 12, 1999, President Clinton signed into law the
Gramm-Leach-Bliley Act (the "Act"). Title V, Subtitle A of
the Act governs the treatment of nonpublic personal information
about consumers by financial institutions. Section 502 of the
Subtitle, subject to certain exceptions, prohibits a financial
institution from disclosing nonpublic personal information about a
consumer to nonaffiliated third parties, unless the institution
satisfies various notice and opt-out requirements, and provided that
the consumer has not elected to opt out of the disclosure. Section
503 requires the institution to provide notice of its privacy
policies and practices to its customers. Section 504 authorizes the
issuance of regulations to implement these provisions.
Accordingly, on June 1, 2000, the four federal bank and thrift
regulators published substantively identical regulations
implementing provisions of the Act governing the privacy of consumer
financial information. The regulations establish rules governing
duties of a financial institution to provide particular notices and
limitations on its disclosure of nonpublic personal information, as
summarized below.
1) A financial institution must provide a notice of its
privacy policies, and allow the consumer to opt out of the
disclosure of the consumer's nonpublic personal information, to a
nonaffiliated third party if the disclosure is outside of the
exceptions in sections 13, 14 or 15 of the regulations.
2) Regardless of whether a financial institution shares
nonpublic personal information, the institution must provide notices
of its privacy policies to its customers.
3) A financial institution generally may not disclose customer
account numbers to any nonaffiliated third party for marketing
purposes.
4) A financial institution must follow reuse and redisclosure
limitations on any nonpublic personal information it receives from a
nonaffiliated financial institution.
IN CLOSING - The FFIEC interagency
Internet guidelines require financial institution web sites to comply
with consumer compliance, advertising, notifications, weblinking, and other federal
regulations. We have identified 17 federal regulations and over 130 issues
that relate to an institution's web site. We also verify weblinks for
functionality and appropriateness. As a former bank examiner with
over 40 years of experience, we audit web sites following the FFIEC Internet
guidelines for financial institutions across the country. Visit
http://www.bankwebsiteaudits.com
and learn how we can assist.