|
 |
 |
 |
 |
|
DRAFT SP 800-39, Managing Risk from Information Systems: An Organizational Perspective NIST announces the release of the initial public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective.
The Financial Crimes Enforcement Network (FinCEN) has issued the eleventh edition (May 2007) of The SAR Activity Review - Trends, Tips & Issues.
Federal agencies have recently reported a spate of security incidents that put sensitive data at risk. Personally identifiable information about millions of Americans has been lost, stolen, or improperly disclosed, thereby exposing those individuals to loss of privacy, identity theft, and financial crimes.
On December 21, 2006, the Financial Crimes Enforcement Network (FinCEN) and the federal banking agencies announced that the format for the Suspicious Activity Report by Depository Institutions (SAR-DI) was revised. The revisions are the result of their continuing efforts to reduce paperwork and respondent burden. The form was revised and reformatted to standardize suspicious activity reports, enhance the clarity of instructions, allow for joint filing of Suspicious Activity Reports, and to improve the usefulness of the Suspicious Activity Report to law enforcement.
Highlights of GAO-07-351, a report to the Chief Financial Officer and Chief Operating Officer, Federal Deposit Insurance Corporation The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. As part of its audit of the calendar year 2006 financial statements, GAO assessed (1) the progress FDIC has made in correcting or mitigating information security weaknesses previously reported and (2) the effectiveness of FDIC’s system integrity controls to protect the confidentiality and availability of its financial information and information systems. To do this, GAO examined pertinent security policies, procedures, and relevant reports. In addition, GAO conducted tests and observations of controls
The Financial Crimes Enforcement Network (FinCEN) today filed a Federal Register notice announcing the delayed implementation of certain revised Suspicious Activity Report (SAR) forms that were scheduled to become effective on June 30, 2007. The agency is withdrawing this effective date for the revised SAR forms for depository institutions, casinos and card clubs, insurance companies, and the securities and futures industries. FinCEN will establish new effective and mandatory compliance dates for these revised forms in a future notice. The delay does not impact ongoing suspicious activity reporting, which will continue using the current forms.
Why GAO Did This Study For many years, GAO has reported that weaknesses in information security are a widespread problem with potentially devastating consequences—such as intrusions by malicious users, compromised networks, and the theft of personally identifiable information. In reports to Congress since 1997, GAO has identified information security as a governmentwide high-risk issue.
On December 21, 2006, the Financial Crimes Enforcement Network (FinCEN) and the federal banking agencies announced that the format for the Suspicious Activity Report by Depository Institutions (SAR-DI) was revised. The revisions are the result of their continuing efforts to reduce paperwork and respondent burden. The form was revised and reformatted to standardize suspicious activity reports, enhance the clarity of instructions, allow for joint filing of Suspicious Activity Reports, and to improve the usefulness of the Suspicious Activity Report to law enforcement.
The Office of the Comptroller of the Currency today announced its schedule of workshops for national community bank directors. This year the OCC has added a workshop for community bank directors entitled "A New Director’s Challenge: Mastering the Basics." This two-day program, scheduled in Washington D.C., April 16-18, is geared primarily to directors with less than three years of experience. The workshop should be particularly valuable to directors of new national banks, many of whom are also new to the industry.
Purpose and Scope This document outlines the Office of Thrift Supervision’s (OTS’s) supervisory expectations for savings associations’ gift card programs. The purpose of this guidance is to ensure adequate account administration, marketing, and consumer disclosure practices for gift card programs; to encourage more uniform practices among the thrift institutions that offer gift card programs; and to promote consumer protection while continuing to encourage product innovation. Background A gift card is a payment card with a preloaded value that one consumer typically gives to another as a gift. Like a gift certificate, a consumer may use a gift card to purchase goods or services from one or more merchants.
E-mails fraudulently claiming to be from the FDIC or VeriSign, Inc. are attempting to deceive financial institutions in to installing unknown software on their computer networks. The Federal Deposit Insurance Corporation (FDIC) has become aware of e-mails that appear to be sent from the FDIC or VeriSign, Inc. and ask recipients to run a "security guard script" to secure Web sites. Currently, the e-mails are purportedly from "FDIC Legal Information Technology," "FDIC Information Security," or "Verisign Inc." and the subject lines include the phrase "Regular Security Maintenance" or "Regular Hosting Security Maintenance." The e-mails are fraudulent and were not sent by the FDIC or VeriSign, Inc.
A wireless local area network (WLAN) enables access to computing resources for devices that are not physically connected to a network. WLANs typically operate over a fairly limited range, such as an office building or building campus, and usually are implemented as extensions to existing wired local area networks to enhance user mobility. This guide seeks to assist organizations in better understanding the most commonly used family of standards for WLANs—Institute of Electrical and Electronics Engineers (IEEE) 802.11—focusing on the security enhancements introduced in the IEEE 802.11i amendment. In particular, this guide explains the security features and provides specific recommendations to ensure the security of the operating environment.
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS)1 are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.
Electronic mail (email) is perhaps the most popularly used system for exchanging business information over the Internet (or any other computer network). At the most basic level, the email process can be divided into two principal components: (1) mail servers, which are hosts that deliver, forward, and store email; and (2) mail clients, which interface with users and allow users to read, compose, send, and store email. This document addresses the security issues of mail servers and mail clients, including Web-based access to mail. Mail servers and user workstations running mail clients are frequently targeted by attackers. Because the computing and networking technologies that underlie email are ubiquitous and well-understood by many, attackers are able to develop attack methods to exploit security weaknesses. Mail servers are also targeted because they (and public Web servers) must communicate to some degree with untrusted third parties.
The Homeland Security Presidential Directive HSPD-12 called for new standards to be adopted governing the interoperable use of identity credentials to allow physical and logical access to Federal government locations and systems. The Personal Identity Verification (PIV) standard for Federal Employees and Contractors, Federal Information Processing Standard (FIPS 201), was developed to establish standards for identity credentials. This document, Special Publication 800-76 (SP 800-76), is a companion document to FIPS 201. It describes technical acquisition and formatting specifications for the biometric credentials of the PIV system, including the PIV Card1 itself. It enumerates procedures and formats for fingerprints and facial images by restricting values and practices included generically in published biometric standards. The primary design objective behind these particular specifications is high performance universal interoperability. For the preparation of biometric data suitable for the Federal Bureau of Investigation (FBI) background check, SP 800-76 references FBI documentation, including the ANSI/NIST Fingerprint Standard and the Electronic Fingerprint Transmission Specification. This document does not preclude use of other biometric modalities in conjunction with the PIV card.
The FDIC is notifying FDIC-supervised banks of the attached joint proposed rulemaking by the Securities and Exchange Commission (SEC) and the Board of Governors of the Federal Reserve System that would implement the statutory exceptions from the definition of "broker" contained in the Gramm-Leach-Bliley Act (GLBA). The proposed regulation was drafted in consultation with the FDIC, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, and is designed to protect investors in a manner that does not unduly disrupt current bank business practices. Comments are due to the SEC or the Federal Reserve by March 26, 2007.
Summary: The FDIC has revised its Compliance Examination Handbook. The new handbook contains the FDIC's compliance examination policies and procedures in effect as of June 2006. It also includes revised Community Reinvestment Act (CRA) examination procedures and performance evaluations. The handbook will be available in electronic format only and can be accessed on the FDIC's Web site at http://www.fdic.gov/regulations/compliance/handbook/index.html.
The Federal Reserve Banks today announced plans to conduct another round of studies to determine the current composition of the nation's retail payments market, including checks, credit and debit cards, and automated clearing house (ACH) transactions. These two studies will build on information gained from similar studies published by the Reserve Banks in 2001 and 2004. "As the nation continues its migration from paper-based to electronic payments, we believe these studies will provide additional insight to help industry participants plan for the future," said Richard Oliver, an executive vice president with the Federal Reserve Bank of Atlanta and the Federal Reserve System's product manager for retail payments.
The Federal Reserve Board on Friday approved changes to its Policy on Payments System Risk that revise the Board's expectations for systemically important payments and settlement systems subject to its authority and update and clarify the policy with regard to central counterparties. Under the revised policy, systemically important payments and settlement systems subject to the Board's authority are expected to complete and disclose publicly self-assessments against the principles and minimum standards in the policy. The self-assessment should be reviewed and approved by the system's senior management and board of directors upon completion and made readily available to the public. In addition, a self-assessment should be updated following material changes to the system or its environment and, at a minimum, reviewed by the system every two years.
As use of the Internet continues to expand, more credit unions are using it to offer products and services or otherwise enhance communications with members. The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct credit union business, any day, any time. However, members need to make good on-line choices—decisions that may help avoid costly surprises or scams.
The Office of the Comptroller of the Currency issued guidance today warning of the risks posed by scams involving fraudulent bank cashier's checks and describing steps national banks should take to protect themselves and their customers. A cashier's check, which is issued by a bank and sold to a consumer or other purchaser, represents a direct obligation of the bank. The guidance was issued in response to a growing incidence of scams involving cashier's checks. In most of these cases, individuals receive a cashier's check and are asked to deposit the check into their account, wait until funds become available and then wire some part of the funds from their account to a third party, often in a foreign country.
How a financial institution can create an effective incident response program to mitigate a data security breach is reported in the FDIC's winter 2006 edition of Supervisory Insights, released today. Other topics covered in today's edition are: an update on CRE lending nationwide, with a look at best practices in CRE concentrations, particularly for identifying, monitoring and controlling risk in this lending area; the increasing number of unfair or deceptive acts or practices, and how examiners identify and address those violations; and highlights of recent USA PATRIOT Act changes and the types of Bank Secrecy Act (BSA)-related violations that examiners are citing.
On March 29, 2005, the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), and Office of Thrift Supervision (OTS) (collectively, the Agencies) published the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (70 FR 15736) (Guidance). The Guidance interprets the requirements of section 501(b) of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801, and the Interagency Guidelines Establishing Information Security Standards (Security Guidelines) 1 to include the development and implementation of a response program to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.
The Office of Thrift Supervision (OTS) announced that it expects publication in the Federal Register early next week of an interagency notice of proposed rulemaking (NPR) regarding potential revisions to the existing domestic risk-based capital framework (Basel IA). These changes would apply to U.S. banks, bank holding companies, and savings associations.
The selection and employment of appropriate security controls for an information system are important tasks that can have major implications on the operations4 and assets of an organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems: • What security controls are needed to adequately protect the information systems that support the operations and assets of the organization in order for that organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals?
This document is a tool for financial institutions’ use in assessing and mitigating risks associated with implementation of Remote Deposit Image Capture (RDIC). This paper provides successful strategies that financial institutions (FIs) have employed for managing the risks with RDIC. It does not imply that all of these strategies are necessary for a successful program. This paper also does not address the specific technologies used to implement the RDIC process and/or mitigate the risk, as technology used will often be determined by other factors such as the compatibility of the clients’ and FIs’ equipment. This paper identifies potential risks as they pertain to product distribution, equipment and software, information system security, images and image quality, and processes.
Unauthorized access to sensitive customer information threatens to undermine customer confidence and the reputations of both individual financial institutions and the financial services industry. This threat is aggravated by the patchwork of state laws and federal regulations that govern unauthorized access or breach response incidents. Despite these challenges, financial institutions are strengthening data security programs and developing or improving customer notification programs. The “BITS/ABA Key Considerations for Responding to Unauthorized Access to Sensitive Customer Information” is a tool that may assist some financial institutions in developing and executing response programs when sensitive information is accessed and misused by unauthorized individuals.
This BITS Consumer Confidence Toolkit provides information to support consumer confidence in the safety, soundness and security of financial services. Originally published in September 2005, this is a revised and updated edition. This is intended to be an educational resource—whether for use by consumers, policy makers, financial institutions or others with interest in the subject matter. Special attention is placed on information security as well as online financial services transacted through the Internet. Data in support of the safety of online financial transactions is provided. Information about the proactive leadership of the financial services industry is included, as well as a description of the current environment and tips for consumers to help protect their financial security, including in the online environment. Recommendations for government agencies are also provided.
Why GAO Did This Study
This Regulatory Alert is to inform you about revisions to Part 748 of the NCUA Rules and Regulations. The revised rule describes in greater detail Suspicious Activity Report (SAR) reporting and filing requirements. The rule became effective November 27, 2006. There are six changes to Part 748 which are summarized below. 1. Notification to board of directors
A digital signature is an electronic analogue of a written signature; the digital signature can be used to provide assurance that the claimed signatory signed the information. In addition, a digital signature may be used to detect whether or not the information was modified after it was signed (i.e., to detect the integrity of the signed data). Each signatory has a public and private key and is the owner of that key pair. The private key is used by the owner to generate a digital signature; the public key is used in the signature verification process. Entities participating in the generation or verification of digital signatures depend on the authenticity of the process. This Recommendation specifies methods for obtaining the assurances necessary for valid digital signatures: assurance of domain parameter validity, assurance of public key validity, assurance that the key pair owner actually possesses the private key, and assurance of the identity of the key pair owner.
Computer security incident response has become an important component of information technology (IT) programs. Security-related threats have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventative activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services. To that end, this publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.
The Federal Reserve Board on Tuesday released a draft interagency notice of proposed rulemaking that would revise the existing risk-based capital framework by giving the vast majority of banks, bank holding companies, and savings associations the option of either continuing to use the existing Basel I-based capital rule or adopting a more risk sensitive rule, known as Basel IA. However, as proposed, Basel IA would not be available to large, complex international banking organizations subject to the proposed Basel II advanced capital framework. "Basel IA is intended as an option for the wide range of institutions that will not be adopting the advanced approaches of Basel II," said Governor Susan S. Bies. "The goal is to improve the Basel I standards by making them somewhat more risk sensitive while at the same time retaining a relatively simple and straightforward approach suitable for all but the largest and most complex institutions."
Welcome to the seventh issue of The SAR Activity Review – By the Numbers, a compilation of numerical data gathered from Suspicious Activity Reports filed by depository institutions since April 1996, by certain money services businesses since January 2002, by casinos and card clubs since August 1996, and by certain segments of the securities and futures industries since January 2003. By the Numbers serves as a companion piece to The SAR Activity Review - Trends, Tips & Issues, which provides information about the preparation, use, and utility of Suspicious Activity Reports.
Why GAO Did This Study
GAO was asked to evaluate the extent to which agencies have adequately designed and effectively implemented policies for testing and evaluating their information security controls.
Why GAO Did This Study
Introduction This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. Typically, the organization looks to the program for overall responsibility to ensure the selection and implementation of appropriate security controls and to demonstrate the effectiveness of satisfying their stated security requirements. The topics within this document were selected based on the laws and regulations relevant to information security, including the Clinger¬Cohen Act of 1996, the Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. The material in this handbook can be referenced for general information on a particular topic or can be used in the decision-making process for developing an information security program. National Institute of Standards and Technology (NISTIR) Interagency Report 7298 provides a summary glossary for the basic security terms used throughout this document. While reading this handbook, please consider that the guidance is not specific to a particular agency. Agencies should tailor this guidance according to their security posture and business requirements.
Research and development (R&D) of cyber security technology is essential to creating a broader range of choices and more robust tools for building secure, networked computer systems in the federal government and in the private sector. The National Strategy to Secure Cyberspace identifies national priorities to secure cyberspace, including a federal R&D agenda. GAO was asked to identify the:
The Office of Thrift Supervision (OTS) is issuing updated versions of the Directors' Responsibility Guide and the Directors' Guide to Management Reports to highlight our supervisory expectation for a strong, consistent approach towards sound corporate governance practices, as well as the importance of strong, independent boards of directors.
The updated Director's Guide adds a new section on statutory and regulatory responsibility and clarifies the issue of blurred lines of responsibility between the board and management. We have also added a chart on the applicability of selected Sarbanes-Oxley requirements. The streamlined, restructured Guide to Management Reports consolidates some existing reports and adds additional red flags to monitor internal controls and financial performance.
The proposed information collection requirement described below has been submitted to the Office of Management and Budget (OMB) for review and approval, as required by the Paperwork Reduction Act of 1995. OTS is soliciting public comments on the proposal. DATES: Submit written comments on or before November 20, 2006.
NCUA is issuing a final rule to describe in greater detail the requirements for reporting and filing a Suspicious Activity Report (SAR) and to address prompt notification of the board of directors of SAR filings, the confidentiality of reports, and liability protection. NCUA also is changing the heading for this part so it more accurately describes its scope. NCUA seeks to enhance credit union compliance with SAR reporting requirements by providing greater detail in its rule on the thresholds and procedures for filing a SAR. DATES: This rule is effective [insert date 30 days after published in the FEDERAL REGISTER]. FOR FURTHER INFORMATION CONTACT: Linda K. Dent, Staff Attorney, Office of General Counsel, at (703) 518-6540.
"An ontology is an explicit specification of a conceptualization. The term is borrowed from philosophy, where Ontology is a systematic account of Existence. For Artificial Intelligence (AI) systems, what "exists" is that which can be represented. When the knowledge of a domain is represented in a declarative formalism, the set of objects that can be represented is called the universe of discourse. This set of objects, and the describable relationships among them, are reflected in the representational vocabulary with which a knowledge-based program represents knowledge. Thus, in the context of AI, we can describe the ontology of a program by defining a set of representational terms. In such an ontology, definitions associate the names of entities in the universe of discourse (e.g., classes, relations, functions, or other objects) with human-readable text describing what the names mean, and formal axioms that constrain the interpretation and well-formed use of these terms. Formally, an ontology is the statement of a logical theory. We use common ontologies to describe ontological commitments for a set of agents so that they can communicate about a domain of discourse without necessarily operating on a globally shared theory." [GRUBER]
GAO continues to have concerns about restatements to federal agencies' previously issued financial statements. During fiscal year 2005, at least 7 of the 24 Chief Financial Officers (CFO) Act agencies restated certain of their fiscal year 2004 financial statements to correct misstatements. To study this trend, GAO reviewed the nature and causes of the restatements made by certain CFO Act agencies in fiscal year 2004 to their fiscal year 2003 financial statements. Eleven CFO Act agencies had restatements for fiscal year 2003. Nine of those 11 received unqualified opinions on their originally issued fiscal year 2003 financial statements. GAO’s view is that users of federal agencies' financial statements and the related audit reports need to be provided at least a basic understanding of why a restatement was necessary and its effect on the agencies' previously issued financial statements and related audit reports. This report communicates GAO's observations on the transparency and timeliness of the 9 federal agencies' and their auditors' restatement disclosures.
Like any new technology, RFID presents new security and privacy risks that must be carefully mitigated through management, operational, and technical controls in order to realize the numerous benefits the technology has to offer. When practitioners adhere to sound security engineering principles, RFID technology can help a wide range of organizations and individuals realize substantial productivity gains and efficiencies. These organizations and individuals include hospitals and patients, retailers and customers, and manufacturers and suppliers throughout the supply chain. This guidance document provides an overview of RFID technology, the associated security and privacy risks, and recommended practices that will enable organizations to realize productivity improvements while safeguarding sensitive information and protecting the privacy of individuals. Radio frequency identification (RFID) is a form of automatic identification and data capture (AIDC) technology that uses electric or magnetic fields at radio frequencies to transmit information. An RFID system can be used to identify many types of objects, such as manufactured goods, animals, and people.
Organizations have information technology (IT) plans in place, such as contingency and computer security incident response plans, so that they can respond to and manage adverse situations involving IT. These plans should be maintained in a state of readiness, which should include having personnel trained to fulfill their roles and responsibilities within a plan, having plans exercised to validate their content, and having systems and system components tested to ensure their operability in an operational environment specified in a plan. These three types of events can be carried out efficiently and effectively through the development and implementation of a test, training, and exercise (TT&E) program. Organizations should consider having such a program in place because tests, training, and exercises are so closely related. For example, exercises and tests offer different ways of identifying deficiencies in IT plans, procedures, and training. This document provides guidance on designing, developing, conducting, and evaluating TT&E events so that organizations can improve their ability to prepare for, respond to, manage, and recover from adverse events that may affect their missions. The scope of this document is limited to TT&E events for single organizations, as opposed to large-scale events involving multiple organizations, involving internal IT operational procedures for emergencies.
A log is a record of the events occurring within an organization’s systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network. Many logs within an organization contain records related to computer security. These computer security logs are generated by many sources, including security software, such as antivirus software, firewalls, and intrusion detection and prevention systems; operating systems on servers, workstations, and networking equipment; and applications. The number, volume, and variety of computer security logs have increased greatly, which has created the need for computer security log management—the process for generating, transmitting, storing, analyzing, and disposing of computer security log data. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems.
Why GAO Did This Study In the wake of the 2005 hurricanes in the Gulf Region, GAO and the Department of Homeland Security Office of Inspector General (DHS OIG) initiated a number of audits and investigations addressing the federal government's response to those events. On July 19, 2006, GAO testified on the results of its purchase card work. This report summarizes the testimony and provides recommendations. Department of Homeland Security (DHS) cardholders made thousands of transactions related to hurricane relief operations. GAO analyzed transactions between June and November of 2005 to determine if (1) DHS's control environment and management of purchase card usage were effective; (2) DHS's key internal control activities operated effectively and provided reasonable assurance that purchase cards were used appropriately; and (3) potentially fraudulent, improper, and abusive purchase card activity existed at DHS.
The purpose of this document is to present recommendations for Personal Identity Verification (PIV) card readers in the area of performance and communications characteristics to foster interoperability. This document is not intended to re-state or contradict requirements specifically identified in Federal Information Processing Standard 201 (FIPS 201) or its associated documents. It is intended to augment existing standards to enable agencies to achieve the interoperability goal of Homeland Security Presidential Directive 12 (HSPD-12). The document provides requirements that facilitate interoperability between any card and any reader. Specifically, the recommendations are for end-point cards and readers designed to read end-point cards.
E-mails fraudulently claiming to be from the FDIC are attempting to trick recipients into installing unknown software on personal computers. These e-mails falsely indicate that recipients should install software that was developed by the FDIC and other agencies. The software may be a form of spyware or malicious code and may collect personal or confidential information. The Federal Deposit Insurance Corporation (FDIC) is aware of e-mails appearing to be sent from the FDIC that are asking recipients to install unknown software on personal computers. Currently, the subject line of the e-mail includes the phrase "Urgent Notification - Security Reminder." The e-mail is fraudulent and was not sent by the FDIC.
In October 2005, the FFIEC agencies (agencies) issued guidance entitled Authentication in an Internet Banking Environment (guidance) . The guidance focuses on the risks of fraud and identity theft associated with Internet banking activities. The guidance states that financial institutions should perform a risk assessment, identify and strengthen control weaknesses, measure and evaluate customer awareness efforts, and implement any necessary corrective actions. National banks are expected to have achieved conformance with the guidance by year-end 2006. It is anticipated that there will be increased activity by fraudsters to send false communications with the intent of obtaining customer information for the purposes of fraud and identity theft. These communications may attempt to exploit the December 31, 2006, conformance date. For example, communications purporting to be from a national bank could inform customers that, due to the FFIEC guidance, the bank is required to change its security procedures and, as a result, request customers to re-register or provide personal information that would enable the bank to comply with the regulatory requirement.
On August 4, 2003, the agencies issued an advance notice of proposed rulemaking (ANPR) (68 FR 45900) that sought public comment on a new risk-based regulatory capital framework based on the Basel Committee on Banking Supervision (BCBS)2 April 2003 consultative paper entitled "The New Basel Capital Accord" (Proposed New Accord). The Proposed New Accord set forth a "three pillar" framework encompassing risk-based capital requirements for credit risk, market risk, and operational risk (Pillar 1); supervisory review of capital adequacy (Pillar 2); and market discipline through enhanced public disclosures (Pillar 3). The Proposed New Accord incorporated several methodologies for determining a bank's risk-based capital requirements for credit, market, and operational risk.
The agencies have published a joint notice of proposed rulemaking entitled Risk¬Based Capital Standards: Advanced Capital Adequacy Framework (the NPR). The NPR describes a new regulatory capital framework for U.S. banks that qualify for and adopt the advanced internal ratings-based (AIRB) approach for credit risk and the advanced measurement approach (AMA) for operational risk (together, the advanced approaches). Included within the NPR are requirements for public disclosure of certain information at the consolidated banking organization level as well as a reference to certain additional regulatory reporting requirements for depository institutions (DIs) and BHCs. The additional regulatory reporting requirements referenced within the NPR, and described more fully herein, comprise the agencies' proposed regulatory reporting requirements.
Electronic mail (email) is perhaps the most popularly used system for exchanging business information over the Internet (or any other computer network). At the most basic level, the email process can be divided into two principal components: (1) mail servers, which are hosts that deliver, forward, and store mail; (2) clients which interface with users and allow users to read, compose, send, and store email messages. This document addresses the security issues of both mail servers and mail clients. Mail servers and user workstations running mail clients are frequently targeted by attackers. Because the computing and networking technologies that underlie email are ubiquitous, it is well understood and attackers are able to develop attack methods to exploit the technology. Mail servers are also targeted because they (and public Web servers) must communicate to some degree with untrusted third parties. Additionally, email clients have been targeted as an effective means of inserting malware into machines and of propagating this code to other machines.
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of potential incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected potential incidents. Intrusion detection and prevention (IDP) systems are primarily focused on identifying potential incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPs have become a necessary addition to the security infrastructure of nearly every organization. IDPs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDP stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content.
The advance of Web services technologies promises to have far-reaching effects on the Internet and enterprise networks. Web services based on the eXtensible Markup Language (XML), Simple Object Access Protocol (SOAP), and related open standards, and deployed in Service Oriented Architectures (SOA) allow data and applications to interact without human intervention through dynamic and ad hoc connections. Web services technology can be implemented in a wide variety of architectures, can co-exist with other technologies and software design approaches, and can be adopted in an evolutionary manner without requiring major transformations to legacy applications and databases. The security challenges presented by the Web services approach are formidable and unavoidable. Many of the features that make Web services attractive, including greater accessibility of data, dynamic application-to-application connections, and relative autonomy (lack of human intervention) are at odds with traditional security models and controls.
The federal bank and thrift regulatory agencies announced today that they will request public comment on a notice of proposed rulemaking (NPR) that would implement new risk-based capital requirements in the United States for large, internationally active banking organizations. The NPR details the agencies' plans for implementing the Basel Committee on Banking Supervision's (BCBS) new capital accord (Basel II) that was issued in 2004. The agencies also will request comment on proposed Basel II supervisory reporting templates. The Federal Reserve Board (Board), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Office of Thrift Supervision (OTS) first adopted risk-based capital standards in 1989. Those standards were based on the Basel Capital Accord that the BCBS originally issued in 1988 (Basel I). For banking organizations that meet qualifying criteria, the Basel II NPR would replace U.S. rules implementing Basel I. The proposed framework would be mandatory for large, internationally active banking organizations and optional for others.
The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. The corporation relies extensively on computerized systems to support and carry out its financial and mission-related operations. As part of the audit of the calendar year 2005 financial statements, GAO assessed (1) the progress FDIC has made in correcting or mitigating information security weaknesses previously reported and (2) the effectiveness of the corporation's information system controls to protect the confidentiality, integrity, and availability of its key financial information and information systems.
The Federal Reserve System's Federal Reserve Banks (FRB) serve as fiscal agents of the U.S. government when they are directed to do so by the Secretary of the Treasury. In this capacity, the FRBs operate and maintain several mainframe and distributed-based systems-including the systems that support the Department of the Treasury's auctions of marketable securities-on behalf of the department's Bureau of the Public Debt (BPD). Effective security controls over these systems are essential to ensure that sensitive and financial information is adequately protected from inadvertent or deliberate misuse, disclosure, or destruction. In support of its audit of BPD's fiscal year 2005 Schedule of Federal Debt, GAO assessed the effectiveness of information system controls in protecting financial and sensitive auction information on key mainframe and distributed-based systems that the FRBs maintain and operate for BPD. To do this, GAO observed and tested FRBs' security controls.
The FDIC is enhancing the protection of examination information and other sensitive data, and has issued updated procedures to its examination staff on safeguarding this information. Highlights: The updated procedures provide additional protection to bank data that may be sensitive as defined by the Gramm-Leach-Bliley Act. The procedures specify minimum standards for the technical, physical and administrative safeguards used to protect examination information. The procedures provide guidance for the implementation of an Information Security Incident Response Program.
1.1 Background Federal agencies and organizations cannot protect the integrity, confidentiality, and availability of information in today's highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them. The human factor is so critical to success that the Computer Security Act of 1987 (Public Law [P.L.] 100-235) required that, "Each agency shall provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency." In accordance with P.L. 100-235, the National Institute of Standards and Technology (NIST), working with the U.S. Office of Personnel Management (OPM), was charged with developing and issuing guidelines for Federal computer security training. This requirement was satisfied by NIST's issuance of "Computer Security Training Guidelines" (Special Publication [SP] 500¬172) in November 1989. In January 1992, OPM issued a revision to the Federal personnel regulations which made these voluntary guidelines mandatory. This regulation, 5 CFR Part 930, is entitled "Employees Responsible for the Management or Use of Federal Computer Systems" and requires Federal agencies to provide training as set forth in NIST guidelines.
NIST Special Publication 800-50, Building An Information Technology Security Awareness and Training Program, provides guidance for building an effective information technology (IT) security program and supports requirements specified in the Federal Information Security Management Act (FISMA) of 2002 and the Office of Management and Budget (OMB) Circular A-130, Appendix III. A strong IT securityprogram cannot be put in place without significant attention given to training agency IT users on securitypolicy, procedures, and techniques, as well as the various management, operational, and technical controls necessary and available to secure IT resources. In addition, those in the agency who manage the IT infrastructure need to have the necessary skills to carry out their assigned duties effectively. Failure to give attention to the area of security training puts an enterprise at great risk because security of agencyresources is as much a human issue as it is a technology issue.
The Office of Thrift Supervision (OTS), the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency have issued the attached FAQs to assist you and your technology service providers to conform with the Federal Financial Institutions Examination Council's (FFIEC's) guidance entitled Authentication in an Internet Banking Environment (the guidance) issued on October 12, 2005.
Purpose The staffs of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (the Agencies) have jointly developed the attached frequently asked questions (FAQs) to assist financial institutions and their technology service providers in understanding the Federal Financial Institutions Examination Council's (FFIEC's) guidance entitled Authentication in an Internet Banking Environment (the guidance). Overview The guidance, issued on October 12, 2005, updates the FFIEC's guidance entitled Authentication in an Electronic Banking Environment issued in 2001. It addresses the need for risk based assessments, customer awareness, and enhanced security measures to authenticate customers using Internet-based products and services that process high risk transactions involving access to customer information or the movement of funds to other parties. The attached FAQs are a representation of questions the Agencies have received from financial institutions, Agency examiners, and technology service providers and they address the scope of the guidance, risk assessments, the time frame for implementation, and other issues.
The mandatory dissemination of certain information by financial institutions is a key aspect of consumer protection law. It offers two significant advantages for consumer protection in the financial area over the alternative of direct government intervention into product pricing and content. First, information disclosure is compatible with competition, a significant market force already at work to protect consumers by keeping price rises in check. Because of competition, institutions already have incentives to make their products known, to reveal favorable pricing and product features, and to treat consumers fairly by keeping them generally informed about what they want and need to know. When a financial institution employs these strategies, it generates a good business reputation that will produce referrals and repeat customers. Actions that firms use to accomplish these goals include advertising their prices and supplying clients and potential customers with useful information about product prices and features. The requirements for disclosures assist in the dissemination of financial information by standardizing concepts and terminology, such as the finance charge and annual percentage rate under the Truth in Lending Act and the annual percentage yield under the Truth in Savings Act. Such standardization advances consumers; knowledge about pricing and features of the financial products and institutions and lowers consumers; transactions costs by making shopping easier. The standard format of required disclosures helps highlight the performance of the best institutions and exposes the inadequacies of the poorer ones. Well-informed shoppers help keep markets competitive, which benefits buyers of products and services by minimizing the spread between
producers’ production costs and market price.
THE NEED FOR SECURITY CONTROLS TO PROTECT INFORMATION SYSTEMS The selection and employment of appropriate security controls for an information system are important tasks that can have major implications on the operations and assets of an IT organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems: - What security controls are needed to adequately protect the information systems that support the operations and assets of the organization in order for that organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals?
The Federal Financial Institutions Examination Council (FFIEC) today released the revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (manual). The revised manual reflects the ongoing commitment of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN) to provide current and consistent guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing. The manual has been updated to further clarify supervisory expectations and incorporate regulatory changes since the manual's 2005 release. The revisions also draw upon feedback from the banking industry and examination staff.
The Federal Financial Institutions Examination Council today issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and applicable risk management practices of financial institutions. The Information Security Booklet is one of twelve that, in total, comprise the FFIEC IT Examination Handbook. In addition to the revised Information Security Booklet, the agencies also released an Executive Summary that contains high level synopses of each of the twelve booklets and describes the handbook development and maintenance processes. The security of financial institutions' systems and information is essential to maintaining the privacy of customer information and safe and sound operations. The Information Security Booklet describes how an institution should protect and secure the systems and facilities that process and maintain information. The booklet calls for financial institutions and technology service providers (TSPs) to maintain effective security programs tailored to the complexity of their operations.
The Offıce of Thrift Supervision (OTS), along with the other federal banking agencies, has released the revised Information Security Booklet and an Executive Summary of the Federal Financial Institutions Examination Council's (FFIEC) Information Technology Examination Handbook. The revised Information Security Booklet, which replaces the 2003 version of the booklet, provides updated guidance for examiners, savings associations, and technology service providers to use in identifying information security risks and evaluating the adequacy of controls and risk management practices. The revised guidance addresses changes in technology, risk assessments, mitigation strategies, and regulatory guidance.
FinCEN's primary function is to support and strengthen domestic and international anti-money laundering efforts through coordination and partnerships. Since its creation in 1990, FinCEN has been responsible for overseeing the management, processing, storage and dissemination of Bank Secrecy Act (BSA) data. In 2004, FinCEN embarked on a major initiative intended to improve the sharing of information reported under the Bank Secrecy Act. BSA Direct is an umbrella project intended to provide secure, user-friendly, web-based tools for accessing, analyzing, and filing BSA data. It is part of a broad effort to reengineer data management responsibilities and transition them from the IRS. During the early spring of 2006, it became clear to FinCEN that the Retrieval and Sharing component of the BSA Direct project (BSA Direct R&S) was not going to meet the critical implementation deadline of June 30, 2006. Objectives Because FinCEN has experienced problems with development and implementation of the BSA Direct R&S, you asked us about the project's current status and to provide observations on FinCEN's IT investment management practices. Our objectives were to (1) describe BSA Direct R&S and the project's current status; (2) examine FinCEN's application of information technology (IT) investment management processes to the BSA Direct R&S project; and (3) describe, at a high level, the range of options FinCEN may consider as it reexamines the BSA Direct R&S project.
Highlights of GAO-06-954T, a testimony before the Subcommittee on Management, Integration, and Oversight, Committee on Homeland Security, U.S. House of Representatives Why GAO Did This Study
The FDIC's Board of Directors today approved for public comment two proposed rules governing deposit insurance assessments under the Federal Deposit Insurance Reform Act of 2005. One proposal would create a new system that would more closely tie what banks pay for deposit insurance to the risks they pose. It also would adopt a new base schedule of rates that the FDIC Board could adjust up or down, depending upon the revenue needs of the insurance fund. The second proposal issued today would continue to set the designated reserve ratio (DRR) for the fund at 1.25 percent of estimated insured deposits. "The proposed new system of risk-based assessments would allow the FDIC to adhere more closely to sound insurance principles because the safer an institution is, the less it will pay for deposit insurance," said FDIC Chairman Sheila Bair. "We hope that most FDIC-insured institutions will find our proposals reasonable and fair, and we look forward to receiving comments."
"Operational risk management" increasingly viewed as distinct discipline due to growing complexity of the industry, recent large operational losses The increasing importance of banks' "operational risk management" (ORM) processes and how ORM is evolving as a distinct discipline are highlighted in the FDIC's summer 2006 issue of Supervisory Insights released today. Other topics covered include disaster planning for banks, with a look back at some of the challenges banks faced during the hurricane seasons of 2004 and 2005, and enforcement actions taken against individuals in 2005, with a particular focus on bank losses resulting from insider misconduct or fraud.
Before the U.S. House of Representatives Committee on Financial Services Subcommittee on Oversight and Investigations Thank you Chairwoman Kelly, Ranking Member Gutierrez, and Members of the Subcommittee. I appreciate the opportunity to speak to you about the Treasury Department's contribution to pandemic planning within the financial services sector. Though the Treasury's efforts are just a small part of the enormous Federal effort, we have been very active. President Bush stated, "Together we will confront this emerging threat and together, as Americans, we will be prepared to protect our families, our communities, this great Nation, and our world." I would like to begin my remarks by telling you about the sector's general state of preparedness and then tell you about the Treasury's leadership on pandemic planning within the financial services sector.
The tenth (May 2006) issue of The SAR Activity Review – Trends, Tips, & Issues, published by the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), is now available. Highlights: - On May 31, 2006, FinCEN released the tenth edition of The SAR Activity Review – Trends, Tips & Issues. This issue focuses on the money services business (MSB) industry. - Article topics include the use of Suspicious Activity Reports (SARs) to detect unregistered MSBs and guidance on registration and deregistration of a business as an MSB. - This issue also identifies current trends in mortgage loan fraud, as well as filing activity and detection of unlicensed/unregistered MSBs.
The Federal Reserve Board on Thursday requested comment on proposed revisions to Part I of its Policy on Payments System Risk (PSR policy), which addresses risk management in payments and settlement systems. The proposed revisions update and revise the policy in several ways. First, the Board is proposing to incorporate into its PSR policy the international risk management standards for central counterparties recently developed by the Committee on Payment and Settlement Systems (CPSS) of the central banks of the Group of Ten countries and the Technical Committee of the International Organization of Securities Commissions (IOSCO). These standards, published by the Bank for International Settlements in a report titled Recommendations for Central Counterparties (Recommendations for CCP), will serve as the Board's minimum standards for central counterparties identified as systemically important and subject to the Board's authority. This proposed change is consistent with past revisions that incorporated into the PSR policy the Core Principles for Systemically Important Payment Systems (Core Principles) and Recommendations for Securities Settlement Systems (Recommendations for SSS), developed by the CPSS and CPSS-IOSCO, respectively.
Why GAO Did This Study
GAO was asked to testify on VA's information security program, ways that agencies can prevent improper disclosures of personal information, and issues concerning notifications of privacy breaches. In preparing this testimony, GAO drew on its previous reports and testimonies, as well as on expert opinion provided in congressional testimony and other sources.
This publication is not from one of the Federal or State Banking Agencies, but given our extremely diverse audience, this will be of interest to organizations and individuals responsible for developing and maintaining security plans and programs. This Recommendation specifies techniques for the generation of random bits that may then be used directly or converted to random numbers when random values are required by applications using cryptography.
There are two fundamentally different strategies for generating random bits. One strategy is to produce bits non-deterministically, where every bit of output is based on a physical process that is unpredictable; this class of random bit generators (RBGs) is commonly known as non-deterministic random bit generators (NRBGs). The other strategy is to compute bits deterministically using an algorithm; this class of RBGs is known as Deterministic Random Bit Generators (DRBGs).
NIST is pleased to announce the release of draft Special Publication (SP) 800-97, Guide to IEEE 802.11i: Robust Security Networks. SP 800-97 provides detailed information on the Institute of Electrical and Electronics Engineers (IEEE) 802.11i standard for wireless local area network (WLAN) security. IEEE 802.11i provides security enhancements over the previous 802.11 security method, Wired Equivalent Privacy (WEP), which has several well-documented security deficiencies. IEEE 802.11i introduces a range of new security features that are designed to overcome the shortcomings of WEP. This document explains these security features and provides specific recommendations to ensure the security of the WLAN operating environment. It gives extensive guidance on protecting the confidentiality and integrity of WLAN communications, authenticating users and devices using several methods, and incorporating WLAN security considerations into each phase of the WLAN life cycle. The document complements, and does not replace, NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth and Handheld Devices.
This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. The purpose of this publication is to inform members of the information security management team [agency heads, chief information officers (CIO), senior agency information security officers (SAISO), and security managers] about various aspects of information security that they will be expected to implement and oversee in their respective organizations. In addition, the handbook provides guidance for facilitating a more consistent approach to information security programs across the federal government. Even though the terminology in this document is geared toward the federal sector, the handbook can also be used to provide guidance on a variety of other governmental, organizational, or institutional security requirements.
PREPARED REMARKS BY DEPUTY ASSISTANT SECRETARY DANIEL GLASER TERRORIST FINANCING AND FINANCIAL CRIMES -- BEFORE THE FINANCIAL CRIMES FORUM FOR ASIA/PACIFIC -- HONG KONG – I am pleased to be here speaking today at the Financial Crime Forum
on behalf of the Treasury Department of the United States. I want to
commend the organizers of this event for assembling professionals from
multiple sectors, as this parallels the strategy we take at Treasury
to engage all stakeholders: financial sector regulators, policy
makers, financial crimes investigators, financial sector specialists,
bankers, compliance officers, and others. It is only through our
collaborative efforts that we can create highly effective Anti-Money
Laundering/Counter-Financing of Terrorism (AML/CFT) regimes, and all
efforts that enhance our communication across these sectors help us
achieve our collective goals.
Procedures for Cooperation Between the Federal Financial Institution Regulatory Agencies and the Department of Labor in the Enforcement of the Employee Retirement Income Security Act of 1974 The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency and Office of Thrift Supervision (the federal financial institution regulatory agencies) as part of their supervision of the institutions regulated by them, conduct examinations and perform other functions which occasionally disclose possible violations of the Employee Retirement Income Security Act of 1974 (ERISA). The Department of Labor (DOL) is charged with the administration, interpretation and enforcement of standards of conduct and responsibility of fiduciaries of employee benefit plans under ERISA.
The Federal Financial Institutions Examination Council (FFIEC) Task Force on Consumer Compliance has approved the attached examination procedures to assess compliance with the medical information regulations that became effective on April 1, 2006. The regulations implement the Protection of Medical Information provisions of the Fair Credit Reporting Act (FCRA), as amended by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The new procedures are effective with the issuance of this FIL. Highlights: - The attached examination procedures for the medical information regulations are the first in a series of amendments to FCRA examination procedures that were released with FIL-18-2006 on February 22, 2006.
The FDIC Board of Directors is seeking comment on the attached three proposed rules governing deposit insurance assessments under the Deposit Insurance Reform Act of 2005. The proposed rules would implement a one-time assessment credit, dividends, and procedural and operational changes to the assessment regulations. The Reform Act requires the FDIC to prescribe the credit and dividend regulations by November 5, 2006. Comments on the three proposed rules are due by July 17, 2006. Highlights: - One-Time Assessment Credit: The Reform Act mandates a one-time assessment credit of approximately $4.7 billion to be allocated to each "eligible insured depository institution" or its "successor" to acknowledge contributions by institutions to build up the Bank Insurance Fund (BIF) and the Savings Association Insurance Fund (SAIF). The first proposed rule would define "successor" as the resulting institution in a merger or consolidation involving an institution that was eligible for the one-time credit. The proposed rule also seeks comment on alternative definitions of successor. The FDIC has developed a Web-based search tool, accessible through www.fdic.gov/deposit/insurance/reform.html, which allows an institution to find its preliminary estimated one-time assessment credit amount based on the notice of proposed rulemaking.
The Internet is the world's largest computing network, with hundreds of millions of users. From the perspective of a user, each node or resource on this network is identified by a unique name - the domain name - such as www.nist.gov. However, from the perspective of network equipment that routes communications across the Internet, the unique identifier for a resource is an Internet Protocol (IP) address, such as 172.30.128.27. To access Internet resources by user-friendly domain names rather than IP addresses, users need a system that translates domain anme to IP addresses and back. This translation is the primary task of the Domain Name System (DNS).
The DNS infrastructure is made up of computing and communication entities that are geographically distributed throughout the world. There are more than 250 top-level domains, such as .gov and .com, and several million second-level domains, such as nist.gov and ietf.org. Accordinaly, there are many name servers in the DNS infrastructure, which each contain information about a small portion of the domain name space. The DNS infrastructure functions through collaboration among the various entities involved. The domain name data provded by DNS is intended to be available to any computer located anywhere in the Internet.
This publication focuses on developing and implementing information security metrics for an information security program. The processes and methodologies described in this guidance link information security performance to agency performance by leveraging agency-level strategic planning processes. The performance metrics developed according to this guide will enhance the ability of agencies to respond to a variety of federal government mandates and initiatives, including the Federal Information Security Management Act (FISMA) and the President's Management Agenda (PMA).
The goal of each agency information security program is to provide the appropriate level of protection to the agency's information resources. Information security has become an essential business function, critical to enabling agencies to conduct their operations and eliver services to the public. Each agency's information security pgrogram provides direct support to the agency mission. Information security performance metrics provide a means for the monitoring and reporting of agency implementation of security controls. They also help assess the effectiveness of these controls in appropriately protecting agency information resources in support of the agency's mission.
Interagency Advance Notice of Proposed Rulemaking: Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies Under Section 312 of the Fair and Accurate Credit Transactions Act. Summary
The OCC, Board, FDIC, OTS, NCUA, and FTC (the Agencies) request comment to gather information useful for developing the guidelines and regulations required by section 312 of the Fair and Accurate Credit Transactions Act (FACT Act). Pursuant to section 312, the Agencies, acting in consultation and coordination, must: Establish guidelines for use by persons that furnish information to consumer reporting agencies (furnishers) regarding the accuracy and integrity of the consumer information that they furnish to those agencies; and prescribe regulations that require furnishers to establish resonable policies and procedures for implementing the guidelines. Section 312 also requires the Agencies jointly to prescribe regulations that identify the circumstances under which a furnisher shall be required to reinvestigate a dispute concerning the accuracy of information contained in a consumer report on a consumer based on a direct request of the consumer.
Federally Insured Credit Unions are increasingly offering a variety of Internet banking services ranging from simple inquiry to complex e-Commerce activities for their members. In parallel, the number of members using transactional sites grew significantly. As e-Commerce services increase in volume and complexity, criminals are using more sophisticated methods for account fraud and identity theft. You should become more diligent to safeguard member information, to prevent money laundering and terrorist financing, to reduce fraud, and to inhibit identity theft. One of the effective security measures to mitigate these risks is to implement an effective and reliable authentication system. Authentication is the process of verifying a member’s identity using a variety of methodologies and technologies before the member gains access to the system. It is a way to ensure members are who they say they are. A single-factor authentication such as user name and password used as a security control mechanism may not be adequate for high-risk transactions involving access to member information or fund transfers.
The FDIC, the other federal financial institution regulatory agencies and the Federal Trade Commission have jointly published the attached Advance Notice of Proposed Rulemaking (ANPR) inviting comment to gather information that is useful for developing guidelines and regulations to implement section 312 of the Fair and Accurate Credit Transactions Act (FACT Act). Comments are due by | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
