CUInfoSecurity.com - Information Security News, Regulations, & Education  


Guidance


 NCUA's Vice Chairman Hood Announces Plans for a 2008 Risk Summit at NCUA’s Small Credit Union Workshop in Charlotte, NC

National Credit Union Administration (NCUA) Vice Chairman Rodney E. Hood participated in a Small Credit Union Workshop hosted by the National Credit Union Administration’s Office of Small Credit Union Initiatives in Charlotte, NC. This forum served as an opportunity for a frank discussion about current issues and challenges facing small credit unions and the impact of credit unions on the communities they serve.



 OTS Encourages Thrifts to Assist Customers Affected by Wildfires

The Office of Thrift Supervision (OTS) today urged thrifts in areas affected by Southern California wildfires to consider all reasonable steps to meet customers’ financial needs.

OTS will work with thrifts to identify ways to assist in the recovery efforts of their customers and communities. To facilitate recovery efforts while maintaining standards of safety and soundness, OTS encourages all thrifts in affected areas



 GAO on Influenza Pandemic: Opportunities Exist to Address Critical Infrastructure Protection Challenges That Require Federal and Private Sector Coordination

This GAO announcement has highlights of GAO-08-36, a report to congressional requesters.

An outbreak of pandemic flu would require close cooperation between the public and private sectors to ensure the protection of our nation’s critical infrastructure, such as drinking water and electricity. Because over 85 percent of the nation’s critical infrastructure is owned and operated by the private sector, it is vital that both sectors effectively coordinate to successfully protect these assets. The Department of Homeland Security (DHS) is responsible for coordinating a national protection strategy and government and private sector councils have been created as a collaborating tool.

GAO was asked to assess how the federal and private sectors are working together at a national level to protect the nation’s critical infrastructure in the event of a pandemic, the challenges they face, and opportunities for addressing these challenges. GAO reviewed 5 of the 17 critical infrastructure sectors. These 5 sectors are energy (electricity), food and agriculture, telecommunications, transportation (highway and motor carrier), and water.



 Agencies Issue Final Rules on Identity Theft Red Flags

The federal financial institution regulatory agencies and the Federal Trade Commission have sent to the Federal Register for publication final rules on identity theft “red flags” and address discrepancies. The final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.

The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft



 FDIC: Guidance to Help Financial Institutions and to Facilitate Recovery in Areas of California Affected by Major Fires

Financial Institution Letter

Supervisory Practices Regarding Depository Institutions and Borrowers Affected by Fire Damage in California




 California Credit Unions Resume Operations--NCUA Region V Reports Credit Unions Are Open and Operating

The National Credit Union Administration (NCUA) Region V office examiners stationed in California have contacted all credit unions located in the fire damaged areas of Southern California and at noon (Pacific time) today most credit unions have returned to operations as normal.



 DRAFT SP 800-39, Managing Risk from Information Systems: An Organizational Perspective


NIST announces the release of the initial public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective.



 NCUA Activates Disaster Assistance in Response to California Wildfires

The National Credit Union Administration (NCUA) has activated its disaster relief policy to assist credit unions and their members affected by the wildfires in California.

President George W. Bush has declared an emergency exists in the state of California and ordered federal aid to supplement state and local response efforts.



 Treasury, Private Sector Release Initial Results of Flu Pandemic Exercise

Nearly All Participants Find Critical Gaps in Plans

The Treasury Department, the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, and the Securities Industry and Financial Management Association today released the preliminary results of the industry-wide pandemic flu exercise.



 Federal Reserve Board Releases Publications: 5 Consumer Tips to Protect Checking Accounts

Consumers need to keep five tips in mind for managing their checking accounts and safeguarding their funds from unauthorized transfers by criminals, according to a new Federal Reserve Board publication.



 OCC Allows National Bank Offices Affected by Wildfires in Southern California to Close

The Office of the Comptroller of the Currency today issued a proclamation allowing national bank offices affected by the wildfires in southern California to close at their discretion.



 Interfaces for Personal Identity Verification

Interfaces for Personal Identity Verification (4 parts):

1. Card Application Namespace, Data Model & Representation
2. Card Application Card Command Interface
3. Client Application Programming Interface
4. Transitional Interfaces & Data Model

NIST Special Publication 800-73-2, Interfaces for Personal Identity Verification, is now available for a 30 day public comment period.



 Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

DRAFT NIST IR 7328: Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

NIST announces the release of draft NIST Interagency Report 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems.



 GAO Report on Financial Regulation

What GAO Found

The inherent problems of measuring the costs and benefits of regulation make it difficult to assess the extent to which regulations may be unduly burdensome to U.S. financial services firms, particularly in comparison to firms in other countries.



 National Institute of Standards and Technology Issues Draft Information System Security Reference Model

NIST announces the release of five publications: Draft SP 800-110, Information System Security Reference Model, Special Publication (SP) 800-44 version 2, Guidelines on Securing Public Web Servers, Draft SP 800-55 Revision 1, Performance Measurement Guide for Information Security, Draft SP 800-61 Revision 1, Computer Security Incident Handling Guide, and Draft SP 800-82, Guide to Industrial Control Systems (ICS) Security.



 National Institute of Standards and Technology Issues Draft Guide to Industrial Control Systems (ICS) Security

NIST announces the release of five publications: Draft SP 800-82, Guide to Industrial Control Systems (ICS) Security, Special Publication (SP) 800-44 version 2, Guidelines on Securing Public Web Servers, Draft SP 800-55 Revision 1, Performance Measurement Guide for Information Security, Draft SP 800-61 Revision 1, Computer Security Incident Handling Guide, and Draft SP 800-110, Information System Security Reference Model.



 National Institute of Standards and Technology Issues Draft of Computer Security Incident Handling Guide

NIST announces the release of five publications: Draft SP 800-61 Revision 1, Computer Security Incident Handling Guide, Draft SP 800-82, Guide to Industrial Control Systems (ICS) Security, Special Publication (SP) 800-44 version 2, Guidelines on Securing Public Web Servers, Draft SP 800-55 Revision 1, Performance Measurement Guide for Information Security, and Draft SP 800-110, Information System Security Reference Model.



 National Institute of Standards and Technology Issues Performance Measurement Guide for Information Security Draft

NIST announces the release of five publications: Draft SP 800-55 Revision 1, Performance Measurement Guide for Information Security, Draft SP 800-61 Revision 1, Computer Security Incident Handling Guide, Draft SP 800-82, Guide to Industrial Control Systems (ICS) Security, Draft SP 800-110, Information System Security Reference Model, and Special Publication (SP) 800-44 version 2, Guidelines on Securing Public Web Servers.



 National Institute of Standards and Technology Issues Guidelines on Securing Public Web Servers

NIST announced the release of five publications: Special Publication (SP) 800-44 version 2, Guidelines on Securing Public Web Servers, Draft SP 800-55 Revision 1, Performance Measurement Guide for Information Security, Draft SP 800-61 Revision 1, Computer Security Incident Handling Guide, Draft SP 800-82, Guide to Industrial Control Systems (ICS) Security, and Draft SP 800-110, Information System Security Reference Model.



 Agencies Issue Final Rules On Expanded Examination Cycle for Certain Institutions

The federal bank and thrift agencies issued final rules on Friday expanding the range of small institutions eligible for an extended 18-month on-site examination cycle. The final rules allow well-capitalized and well-managed banks and savings associations with up to $500 million in total assets and a composite CAMELS rating of 1 or 2 to qualify for an 18-month (rather than a 12-month) on-site examination cycle.



 Regulatory Relief: Guidance to Help Financial Institutions and to Facilitate Recovery in Storm- and Flood-Affected Areas of Illinois

Summary: The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in areas of Illinois that suffered major damage from storms and flooding.



 Regulatory Relief: Guidance to Help Financial Institutions and to Facilitate Recovery in Additional Storm- and Flood-Affected Areas of Ohio And Wisconsin

Summary: In an update to FIL-75-2007, the Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in additional areas of Ohio and Wisconsin that are suffering from storms and flooding.



 Hyland Emphasizes Protecting Credit Union Members During Podcast

National Credit Union Administration (NCUA) Board Member Gigi Hyland participated in a podcast this week to address the latest best practices credit unions may consider in order to protect their members from data breaches and security risks.



 FinCEN Issues Final Rule for Section 312 of the USA Patriot Act

Enhanced Due Diligence for Correspondent Accounts Maintained by Certain Foreign Banks

The Financial Crimes Enforcement Network (FinCEN) announced the issuance of a final rule implementing a key provision of Section 312 of the USA PATRIOT Act, clarifying the risk-based procedures that U.S. financial institutions should use in tailoring their enhanced due diligence to assess the risks of some foreign banking relationships.

“As international anti-money laundering standards improve globally, risk assessments for foreign banks should become easier to conduct. Common standards are increasingly protecting both sides of the international relationship,” said FinCEN Director James H. Freis, Jr. “U.S. banks can take comfort in the fidelity of their foreign customers and foreign banks will find it easier to process their U.S. transactions.”



 NIST Publication on SSL VPNs Now Available For Public Comment

NIST announces that the following draft Special Publications (SP) are now available for public comment: SP 800-113, Guide to SSL VPNs.



 NIST Publications on Wireless Security and Bluetooth Available for Public Comment

NIST announces that the following draft Special Publications (SP) are now available for public comment: SP 800-48 Revision 1, Wireless Network Security for IEEE 802.11a/b/g and Bluetooth.



 NIST Releases Publication on Cryptographic Algorithms and Key Sizes for Personal Identity Verification

NIST is pleased to announce the release of Special Publication 800-78-1, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The document has been modified to enhance interoperability, simplify the development of relying party applications, and enhance alignment with the National Security Agency's Suite B Cryptography.



 Chairman Johnson Encourages Credit Unions to Participate in Pandemic Exercise

The U.S. Treasury will sponsor a test of the financial services sector's ability to withstand a bird flu outbreak or other pandemic. The online exercise aims to bring together large and small credit unions and banks, brokers, insurers and other financial services firms to examine contingency plans for a number of areas, including continuity of operations, transportation, telecommunications, human resources and energy.



 Public and Private Entities Face Challenges in Addressing Cyber Threats

Computer interconnectivity has produced enormous benefits but has also enabled criminal activity that exploits this interconnectivity for financial gain and other malicious purposes, such as Internet fraud, child exploitation, identity theft, and terrorism. Efforts to address cybercrime include activities associated with protecting networks and information, detecting criminal activity, investigating crime, and prosecuting criminals.



 Banking Agencies Reach Agreement on BASEL II Implementation

The Federal Reserve, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the Federal Deposit Insurance Corporation reached an agreement today regarding the implementation of Basel II in the United States. The agreement resolves major outstanding issues and will now lead to finalization of a rule implementing the advanced approaches for computing large banks' risk-based capital requirements.



 Critical Infrastructure Protection: Sector Plans and Sector Councils Continue to Evolve

DHS has issued a national plan aimed at providing a consistent approach to critical infrastructure protection, ensured that all 17 sectors have organized to collaborate on protection efforts, and worked with government and private sector partners to complete all 17 sector-specific plans. Nevertheless, our work has shown that sectors vary in terms of how complete and comprehensive their plans are. Furthermore, DHS recognizes that the sectors, their councils, and their plans must continue to evolve. As they do, and as the plans are updated and annual implementation reports are provided that begin to show the level of protection achieved, it will be important that the plans and reports add value, both to the sectors themselves and to the government as a whole. This is critical because DHS is dependent on these plans and reports to meet its mandate to evaluate whether gaps exist in the protection of the nation’s most critical infrastructure and key resources and, if gaps exist, to work with the sectors to address them.



 GAO: Data Breaches Frequent, but Evidence of Resulting Identity Theft Limited; Full Extent Unknown

The following GAO report highlights GAO-07-737, a report to congressional requesters. In recent years, many entities in the private, public, and government sectors have reported the loss or theft of sensitive personal information.



 NCUA Chairman Establishes Financial Education Library on NCUA Website

National Credit Union Administration (NCUA) Chairman JoAnn Johnson announced today the availability of a financial education library on the NCUA website.



 GAO Draft of Financial Audit Manual Released

This letter transmits an exposure draft of Volume III of the Government Accountability Office (GAO) and the President’s Council on Integrity and Efficiency (PCIE) Financial Audit Manual (FAM)



 NIST announces the release of Draft FIPS of Secure Hash Standard (SHS)

The National Institute of Standards and Technology (NIST) announces the release of Draft Federal Information Processing Standard (FIPS) 180-3 Publication, Secure Hash Standard (SHS)



 NIST announces release of Draft FIPS: The Keyed-Hash Message Authentication Code

The National Institute of Standards and Technology (NIST) announces the release of Draft Federal Information Processing Standard (FIPS) 198-1 Publication, The Keyed-Hash Message Authentication Code (HMAC).



 New Enhanced SAR Activity Review Issued--FinCEN Shares BSA Data Profiles with 43 States

The Financial Crimes Enforcement Network issued today the latest edition of the SAR Activity Review – By The Numbers that introduces a number of visual enhancements aimed at providing financial institutions with more information on the geographical dispersion of the Suspicious Activity Report filings.



 GAO: Agencies Report Progress, but Sensitive Data Remain at Risk

Federal agencies have recently reported a spate of security incidents that put sensitive data at risk. Personally identifiable information about millions of Americans has been lost, stolen, or improperly disclosed, thereby exposing those individuals to loss of privacy, identity theft, and financial crimes.



 NCUA Chairman Johnson Testifies before Congress on Regulation Z, Credit Card Disclosure Practices

National Credit Union Administration (NCUA) Chairman JoAnn Johnson testified on June 7 at a hearing before the U.S. House of Representatives Subcommittee on Financial Institutions and Consumer Credit. Chairman Johnson was invited to share insights regarding the Federal Reserve Board’s proposed revisions to Regulation Z,



 Vice Chairman Hood Outlines Preparedness Steps With Financial Services Committee

Hurricane Preparedness, Safety and Soundness of Credit Unions Discussed with Ranking Member of Financial Services Committee

National Credit Union Administration (NCUA) Vice Chairman Rodney E. Hood met with Congressman Spencer Bachus last week on Capitol Hill. Congressman Bachus serves as the ranking member of the House Committee on Financial Services. In recognition of President Bush’s declaration of last week as National Hurricane Preparedness Week, the Vice Chairman and ranking member Bachus discussed the action taken by NCUA in order to prepare the credit union community for hurricanes and other weather related emergencies.



 National Hurricane Preparedness Week, May 20 - 26

President Bush has declared May 20 through May 26 as National Hurricane Preparedness Week. This week is an opportunity to raise awareness of measures Americans can take to protect their families and finances in the event of these weather related emergencies. NCUA is continually making strides to strengthen its readiness in the event of a hurricane. Recently, the agency improved its contingency processes for information reporting and communication based upon lessons learned from government-wide exercises, contingency operations, and cross-agency working groups. Additionally, the agency will continue to train its staff to ensure they are prepared, knowledgeable, and ready. NCUA updated its examination program last year to ensure all credit unions are prepared for potential emergencies.



 FinCEN Advisory Regarding Nigeria Transactions

United States Department of the Treasury Financial Crimes Enforcement Network

FinCEN Advisory Subject: Transactions Involving Nigeria

This Advisory is being issued to inform banks and other financial institutions operating in the United States that Financial Crimes Enforcement Network (FinCEN) Advisory Issue 32, regarding the Federal Republic of Nigeria, is hereby withdrawn. Since the issuance of Advisory 32, and as reflected in its June 23, 2006 decision, the Financial Action Task Force on Money Laundering has removed Nigeria from its list of countries that are non-cooperative in the fight against money laundering, recognizing the progress Nigeria has made in implementing anti-money laundering reforms. Nigeria has enacted significant reforms to its counter-money laundering system, addressing the deficiencies listed in Advisory 32, and has taken concrete steps to bring these reforms into effect. Because of the enactment of new laws and the beginning of effective implementation, the enhanced scrutiny called for in Advisory 32 with respect to transactions invol



 2007 National Money Laundering Strategy Released

The U.S. Departments of Treasury, Justice, and Homeland Security joined together in issuing the 2007 National Money Laundering Strategy, a report detailing continued efforts to dismantle money laundering and terrorist financing networks and bring these criminals to justice.

"The 2007 National Money Laundering Strategy is a direct result of close cooperation by the Departments of Justice, Treasury and Homeland Security, along with our foreign counterparts, and signifies our collective commitment to fight money laundering," said Assistant Attorney General Alice S. Fisher of the Justice Department's Criminal Division. "Implementation of this strategy will greatly assist in efforts to seize and forfeit millions in illegal proceeds that flow through the international financial system."



 GAO Report on Financial Market Preparedness: Significant Progress Has Been Made, but Pandemic Planning and Other Challenges Remain

FINANCIAL MARKET PREPAREDNESS

Significant Progress Has Been Made, but Pandemic Planning and Other Challenges Remain

Highlights of GAO-07-399, a report to congressional requesters

This is GAO’s third report since the September 11 terrorist attacks that assesses progress that market participants and regulators have made to ensure the security and resiliency of our securities markets. This report examined (1) actions taken to improve the markets’ capabilities to prevent and recover from attacks; (2) actions taken to improve disaster response and increase telecommunications resiliency; and (3) financial regulators’ efforts to ensure market resiliency. GAO inspected physical and electronic security measures and business continuity capabilities using regulatory, government, and industry-established criteria and discussed improvement efforts with broker dealers, banks, regulators, telecommunications carriers, and trade associations.

What GAO Recommends

To improve the readiness of the securities markets to withstand potential disease pandemics, securities and banking regulators should consider taking additional actions, including providing formal expectations that market participants’ plans address even severe pandemic outbreaks and setting a date by which such plans should be completed. Banking and securities regulators indicated they believe organizations are adequately addressing this risk, but will consider taking the recommended actions if progress lags. GAO believes that giving greater consideration now would better assure market readiness.



 FinCEN Delays Implementation of Revised Suspicious Activity Report (SAR) Forms

The Financial Crimes Enforcement Network (FinCEN) today filed a Federal Register notice announcing the delayed implementation of certain revised Suspicious Activity Report (SAR) forms that were scheduled to become effective on June 30, 2007. The agency is withdrawing this effective date for the revised SAR forms for depository institutions, casinos and card clubs, insurance companies, and the securities and futures industries. FinCEN will establish new effective and mandatory compliance dates for these revised forms in a future notice. The delay does not impact ongoing suspicious activity reporting, which will continue using the current forms.



 Treasury Statement on Release of President Bush's ID Theft Task Force Plan

President Bush's Identity Theft Task Force today released its strategic plan for combating identity theft, the top consumer fraud reported to the Federal Trade Commission.

Treasury Deputy Assistant Secretary for Critical Infrastructure Protection and Compliance Policy D. Scott Parsons, who led the Department's efforts with the taskforce, released the following statement today.



 Persistent Weaknesses Highlight Need for Further Improvement

Why GAO Did This Study

For many years, GAO has reported that weaknesses in information security are a widespread problem with potentially devastating consequences—such as intrusions by malicious users, compromised networks, and the theft of personally identifiable information. In reports to Congress since 1997, GAO has identified information security as a governmentwide high-risk issue.



 12 CFR PARTS 748 and 749 - Records Preservation Program and Appendices – Record Retention Guidelines; Catastrophic Act Preparedness Guidelines

NCUA proposes to amend its regulations to address a federally-insured credit union’s obligation to maintain a records preservation program. The proposed rule draws from existing guidance to clarify requirements for preserving vital records and to suggest important items for consideration in restoring vital member services. NCUA believes the revised language and new appendix will facilitate the recovery of essential operations after a catastrophic act resulting in continued member confidence in the credit union system. The agency also proposes to amend its regulations to clarify the meaning of catastrophic act.



 Security Considerations for Voice Over IP Systems - NIST Special Publication 800-58

Because of the integration of voice and data in a single network, establishing a secure VOIP and data network is a complex process that requires greater effort than that required for data-only networks. In particular, start with these general guidelines, recognizing that practical considerations, such as cost or legal requirements, may require adjustments for the organization:

1. Develop appropriate network architecture.

• Separate voice and data on logically different networks if feasible. Different subnets with separate RFC 1918 address blocks should be used for voice and data traffic, with separate DHCP servers for each, to ease the incorporation of intrusion detection and VOIP firewall protection



 DATA MINING - Early Attention to Privacy in Developing a Key DHS Program Could Reduce Risks

The government’s interest in using technology to detect terrorism and other threats has led to increased use of data mining. A technique for extracting useful information from large volumes of data, data mining offers potential benefits but also raises privacy concerns when the data include personal information.

GAO was asked to review the development by the Department of Homeland Security (DHS) of a data mining tool known as ADVISE (Analysis, Dissemination, Visualization, Insight, and Semantic Enhancement). Specifically, GAO was asked to determine (1) the tool’s planned capabilities, uses, and associated benefits and (2) whether potential privacy issues could arise from using it to process personal information and how DHS has addressed any such issues. GAO reviewed program documentation and discussed these issues with DHS officials.



 Suspicious Activity Report (SAR) Revised To Support Joint Filing and Reduce Duplicate SARs

The Financial Crimes Enforcement Network (FinCEN) and the federal banking agencies announced Thursday that the format for the Suspicious Activity Report by Depository Institutions (SAR-DI) has been revised to support a new joint filing initiative, which will reduce the number of duplicate SARs filed for a single suspicious transaction. The revisions are the result of a joint effort by FinCEN and the federal banking agencies.



 Federal Regulators Seek Public Comment on Model Privacy Notice

Eight federal regulators on Wednesday released a notice of proposed rulemaking (NPR) requesting comment on a model privacy form that financial institutions can use for their privacy notices to consumers required by the Gramm-Leach-Bliley Act (GLB Act). The privacy notices must describe an institution's information sharing practices, and, for certain types of sharing, consumers have the right to opt out. The notices must be provided when a consumer first becomes a customer of a financial institution and then annually for as long as the customer relationship lasts.

Last October, President Bush signed into law the Financial Services Regulatory Relief Act of 2006, amending the GLB Act to require the agencies to propose a model form that is succinct and comprehensible to consumers, allows consumers easily to compare privacy practices of financial institutions, and uses easily readable type font.


 Kmart Settles With FTC Over Gift Card Sales Practices

Kmart Corporation has agreed to settle Federal Trade Commission charges that it engaged in deceptive practices in advertising and selling its Kmart gift card. As part of the settlement, Kmart will implement a refund program and publicize it on its Web site. This is the agency’s first law enforcement action involving gift cards.

“Consumers have a right to know when gift cards come with strings attached,” FTC Chairman Deborah Platt Majoras said. “If fees or restrictions apply, gift card issuers must fully and clearly disclose them.”


 NCUA Recommends Preparation for Change in Daylight Savings Time

National Credit Union Administration (NCUA) Chairman JoAnn Johnson has issued a Letter to Credit Unions regarding the upcoming change in schedule for Daylight Savings Time (DST), which in the United States will begin three weeks earlier and end one week later than in previous years. Credit unions may be exposed to a variety of risks if they do not prepare their systems to reflect this change.

The Letter to Credit Unions recommends that credit union management should consider the following actions to ensure readiness for the new start of DST...


 Daylight Saving Time

This Letter to Credit Unions reminds credit unions of the upcoming change in the schedule for Daylight Saving Time (DST). DST in the United States will begin three weeks earlier and end one week later than in previous years. Credit unions may be exposed to a variety of risks if they do not prepare their systems to reflect this change.

BACKGROUND
The Energy Policy Act of 2005, signed into law August 2005, moves the beginning of DST from the first Sunday in April to the second Sunday in March. DST will now end the first Sunday in November instead of the last Sunday in October.


 Guidelines on Electronic Mail Security - NIST Special Publication 800-45 - Version 2

Electronic mail (email) is perhaps the most popularly used system for exchanging business information over the Internet (or any other computer network). At the most basic level, the email process can be divided into two principal components: (1) mail servers, which are hosts that deliver, forward, and store email; and (2) mail clients, which interface with users and allow users to read, compose, send, and store email. This document addresses the security issues of mail servers and mail clients, including Web-based access to mail.

Mail servers and user workstations running mail clients are frequently targeted by attackers. Because the computing and networking technologies that underlie email are ubiquitous and well-understood by many, attackers are able to develop attack methods to exploit security weaknesses. Mail servers are also targeted because they (and public Web servers) must communicate to some degree with untrusted third parties.


 Guide to Intrusion Detection and Prevention Systems (IDPS) - NIST Special Publication 800-34

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.


 Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i - NIST Special Publication 800-97

A wireless local area network (WLAN) enables access to computing resources for devices that are not physically connected to a network. WLANs typically operate over a fairly limited range, such as an office building or building campus, and usually are implemented as extensions to existing wired local area networks to enhance user mobility. This guide seeks to assist organizations in better understanding the most commonly used family of standards for WLANs—Institute of Electrical and Electronics Engineers (IEEE) 802.11—focusing on the security enhancements introduced in the IEEE 802.11i amendment. In particular, this guide explains the security features and provides specific recommendations to ensure the security of the operating environment.


 Biometric Data Specification for Personal Identity Verification - NIST SP 800-76-1

The Homeland Security Presidential Directive HSPD-12 called for new standards to be adopted governing the interoperable use of identity credentials to allow physical and logical access to Federal government locations and systems. The Personal Identity Verification (PIV) standard for Federal Employees and Contractors, Federal Information Processing Standard (FIPS 201), was developed to establish standards for identity credentials. This document, Special Publication 800-76 (SP 800-76), is a companion document to FIPS 201. It describes technical acquisition and formatting specifications for the biometric credentials of the PIV system, including the PIV Card itself. It enumerates procedures and formats for fingerprints and facial images by restricting values and practices included generically in published biometric standards. The primary design objective behind these particular specifications is high performance universal interoperability. For the preparation of biometric data suitable for the Federal Bureau of Investigation (FBI) background check, SP 800-76 references FBI documentation, including the ANSI/NIST Fingerprint Standard and the Electronic Fingerprint Transmission Specification. This document does not preclude use of other biometric modalities in conjunction with the PIV card.


 Hurricanes Katrina and Rita Disaster Relief - Prevention Is the Key to Minimizing Fraud, Waste, and Abuse in Recovery Efforts

Hurricanes Katrina and Rita destroyed homes and displaced millions of individuals. While federal and state governments continue to respond to this disaster, GAO has identified significant control weaknesses, specifically in the Federal Emergency Management Agency (FEMA)'s Individuals and Households Program (IHP) and in the Department of Homeland Security (DHS)'s purchase card program, resulting in significant fraud, waste, and abuse. In response to the numerous recommendations GAO made, DHS and FEMA have reported on numerous actions taken to address our recommendations.

Lessons learned from GAO's prior work can serve as a framework for an effective fraud prevention system for federal and state governments as they consider spending billions more on disaster recovery. These lessons are particularly important because funding that is lost to fraud, waste, and abuse reduces the amount of money that could be delivered to victims in need.


 Federal Reserve Banks Announce New Studies to Examine Nation's Retail Payment Market

The Federal Reserve Banks today announced plans to conduct another round of studies to determine the current composition of the nation's retail payments market, including checks, credit and debit cards, and automated clearing house (ACH) transactions. These two studies will build on information gained from similar studies published by the Reserve Banks in 2001 and 2004.

"As the nation continues its migration from paper-based to electronic payments, we believe these studies will provide additional insight to help industry participants plan for the future," said Richard Oliver, an executive vice president with the Federal Reserve Bank of Atlanta and the Federal Reserve System's product manager for retail payments.


 Approval of Changes to Board's Policy on Payments System Risk

The Federal Reserve Board on Friday approved changes to its Policy on Payments System Risk that revise the Board's expectations for systemically important payments and settlement systems subject to its authority and update and clarify the policy with regard to central counterparties.

Under the revised policy, systemically important payments and settlement systems subject to the Board's authority are expected to complete and disclose publicly self-assessments against the principles and minimum standards in the policy. The self-assessment should be reviewed and approved by the system's senior management and board of directors upon completion and made readily available to the public. In addition, a self-assessment should be updated following material changes to the system or its environment and, at a minimum, reviewed by the system every two years.


 NCUA and FinCEN to Host Joint Seminar on Bank Secrecy Act Compliance Programs

The National Credit Union Administration and the Financial Crimes Enforcement Network today announced that they will jointly host a seminar over the web "BSA: A Year in Review and Setting the Table for 2007." The seminar, known as a webinar, will take place on Tuesday, February 6, 2007 and will be co-hosted by JoAnn Johnson, Chairman of the National Credit Union Administration (NCUA), and Jamal El-Hindi, Associate Director of the Regulatory Policy and Programs Division at the Financial Crimes Enforcement Network (FinCEN).


 Tips to Safely Conduct Financial Transactions Over the Internet

As use of the Internet continues to expand, more credit unions are using it to offer products and services or otherwise enhance communications with members. The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct credit union business, any day, any time. However, members need to make good on-line choices—decisions that may help avoid costly surprises or scams.


 Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities

The Agencies are adopting an Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities ("Final Statement"). The Final Statement pertains to national banks, state banks, bank holding companies (other than foreign banks), federal and state savings associations, savings and loan holding companies, U.S. branches and agencies of foreign banks, and SEC-registered broker-dealers and investment advisers (collectively, "financial institutions" or "institutions") engaged in complex structured finance transactions ("CSFTs"). In May 2004, the Agencies issued and requested comment on a proposed interagency statement ("Initial Proposed Statement"). After reviewing the comments received on the Initial Proposed Statement, the Agencies in May 2006 issued and requested comment on a revised proposed interagency statement ("Revised Proposed Statement").


 Recommended Security Controls for Federal Information Systems - NIST Special Publication 800-53, Revision 1

The selection and employment of appropriate security controls for an information system are important tasks that can have major implications on the operations and assets of an organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:

• What security controls are needed to adequately protect the information systems that support the operations and assets of the organization in order for that organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals?


 FTC Stops Payment Processor Who Aided Cross-Border Telemarketing Fraud

At the request of the Federal Trade Commission, a federal court has shut down a payment processing operation that allegedly helped fraudulent telemarketers take millions of dollars from consumers' bank accounts.

According to the FTC's complaint, since at least January 2003 the operation has aided at least nine Canada-based, advance-fee credit card schemes that induce consumers to allow an electronic debit of several hundred dollars from their bank account in exchange for an unsecured credit card; but consumers never receive a credit card or, at best, they receive a "benefits package" containing relatively worthless items.


 BITS - Remote Deposit Image Capture: The Process, Risks, and Strategies Used to Mitigate Them

This document is a tool for financial institutions’ use in assessing and mitigating risks associated with implementation of Remote Deposit Image Capture (RDIC).

This paper provides successful strategies that financial institutions (FIs) have employed for managing the risks with RDIC. It does not imply that all of these strategies are necessary for a successful program. This paper also does not address the specific technologies used to implement the RDIC process and/or mitigate the risk, as technology used will often be determined by other factors such as the compatibility of the clients’ and FIs’ equipment. This paper identifies potential risks as they pertain to product distribution, equipment and software, information system security, images and image quality, and processes.


 BITS - Key Considerations for Responding to Unauthorized Access to Sensitive Consumer Information

Unauthorized access to sensitive customer information threatens to undermine customer confidence and the reputations of both individual financial institutions and the financial services industry. This threat is aggravated by the patchwork of state laws and federal regulations that govern unauthorized access or breach response incidents. Despite these challenges, financial institutions are strengthening data security programs and developing or improving customer notification programs. The “BITS/ABA Key Considerations for Responding to Unauthorized Access to Sensitive Customer Information” is a tool that may assist some financial institutions in developing and executing response programs when sensitive information is accessed and misused by unauthorized individuals.


 BITS Consumer Confidence Toolkit: Data Security and Financial Services

This BITS Consumer Confidence Toolkit provides information to support consumer confidence in the safety, soundness and security of financial services. Originally published in September 2005, this is a revised and updated edition. This is intended to be an educational resource—whether for use by consumers, policy makers, financial institutions or others with interest in the subject matter.

Special attention is placed on information security as well as online financial services transacted through the Internet. Data in support of the safety of online financial transactions is provided. Information about the proactive leadership of the financial services industry is included, as well as a description of the current environment and tips for consumers to help protect their financial security, including in the online environment. Recommendations for government agencies are also provided.


 Final Rule: Part 748, Filing Requirements for Suspicious Activity Reports

This Regulatory Alert is to inform you about revisions to Part 748 of the NCUA Rules and Regulations. The revised rule describes in greater detail Suspicious Activity Report (SAR) reporting and filing requirements. The rule became effective November 27, 2006.

There are six changes to Part 748 which are summarized below.

1. Notification to board of directors
Credit union management must promptly notify its board of directors (board), or a committee designated by the board of directors (committee), to receive notice of any SAR filed. Notification must be at least monthly. Notification at the monthly board meeting is adequate, unless the seriousness of an activity merits immediate reporting.


 Recommendation for Obtaining Assurances for Digital Signature Applications - NIST Special Publication 800-89

A digital signature is an electronic analogue of a written signature; the digital signature can be used to provide assurance that the claimed signatory signed the information. In addition, a digital signature may be used to detect whether or not the information was modified after it was signed (i.e., to detect the integrity of the signed data). Each signatory has a public and private key and is the owner of that key pair. The private key is used by the owner to generate a digital signature; the public key is used in the signature verification process.

Entities participating in the generation or verification of digital signatures depend on the authenticity of the process. This Recommendation specifies methods for obtaining the assurances necessary for valid digital signatures: assurance of domain parameter validity, assurance of public key validity, assurance that the key pair owner actually possesses the private key, and assurance of the identity of the key pair owner.


 Computer Security Incident Handling - NIST Special Publication 800-61

Computer security incident response has become an important component of information technology (IT) programs. Security-related threats have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventative activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services. To that end, this publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.


 Hurricanes Katrina and Rita Disaster Relief - Continued Findings of Fraud, Waste, and Abuse

Why GAO Did This Study
Hurricanes Katrina and Rita destroyed homes and displaced millions of individuals. While the Federal Emergency Management Agency (FEMA) continues to respond to this disaster, GAO's previous work identified significant control weaknesses, specifically in FEMA's Individuals and Households Program (IHP) and in the Department of Homeland Security's (DHS) purchase card program, resulting in significant fraud, waste, and abuse.

Today's testimony will address whether FEMA provided improper and potentially fraudulent (1) rental assistance payments to registrants at the same time it was providing free housing via trailers and apartments; (2) duplicate assistance payments to individuals who claimed damages to the same property for both hurricanes Katrina and Rita; and (3) IHP payments to non-U.S. residents who did not qualify for IHP. This testimony will also discuss (1) the importance of fraud identification and prevention, and (2) the results of our investigation into property FEMA bought using DHS purchase cards.


 NCUA’s Controls and Related Procedures for Board Independence and Objectivity Are Similar to Other Financial Regulators, but Opportunities Exist to Enhance Its Governance Structure

The Honorable William M. Thomas
Chairman, Committee on Ways and Means
House of Representatives

Dear Mr. Chairman:

During recent congressional hearings and in public speeches, statements made by the National Credit Union Administration's (NCUA) Chairman and another board member raised congressional interest in the ability of NCUA to collect and objectively analyze data on credit union membership and executive compensation. More generally, these statements also raised issues about the agency's overall vigilance as a regulator and the independence and objectivity of NCUA's board and senior staff from the industry being regulated.


 John E. Kutchey Named Director of Risk Management

National Credit Union Administration (NCUA) Executive Director J. Leonard Skiles has selected John E. Kutchey as Director of Risk Management. As Director of Risk Management, Kutchey is responsible for overseeing NCUA's credit union problem resolution program.

Kutchey graduated Magna Cum Laude from the University of Baltimore in 1990 with a Bachelor's Degree in Business Administration with an Accounting Concentration. Kutchey joined NCUA in 1990 as an Examiner in Baltimore, MD. During his career with NCUA, Kutchey has served as an Examiner; Problem Case Officer; Supervisory Examiner; and most recently the Director of Supervision in Region II.


 SAR Activity Review - By the Numbers - Issue 7

Welcome to the seventh issue of The SAR Activity Review – By the Numbers, a compilation of numerical data gathered from Suspicious Activity Reports filed by depository institutions since April 1996, by certain money services businesses since January 2002, by casinos and card clubs since August 1996, and by certain segments of the securities and futures industries since January 2003. By the Numbers serves as a companion piece to The SAR Activity Review - Trends, Tips & Issues, which provides information about the preparation, use, and utility of Suspicious Activity Reports.


 Agencies Need to Develop and Implement Adequate Policies for Periodic Testing

Why GAO Did This Study
Agencies rely extensively on computerized information systems and electronic data to carry out their missions. To ensure the security of the information and information systems that support critical operations and infrastructure, federal law and policy require agencies to periodically test and evaluate the effectiveness of their information security controls at least annually.

GAO was asked to evaluate the extent to which agencies have adequately designed and effectively implemented policies for testing and evaluating their information security controls.


 Managing Sensitive Information - DOJ Needs a More Complete Strategy for Managing Classified Information and a Set of Internal Controls for Other Sensitive Information

Why GAO Did This Study
The September 11 attacks showed that agencies must balance the need to protect and share sensitive information to prevent future attacks. Agencies classify this information or designate it sensitive but unclassified to protect and limit access to it. The National Archives' Information Security Oversight Office (ISOO) assesses agencies' classification management programs, and in July 2004 and April 2005 recommended changes to correct problems at the Justice Department (DOJ) and Federal Bureau of Investigation (FBI). GAO was asked to examine (1) DOJ's and FBI's progress in implementing the recommendations and (2) the management controls DOJ components have to ensure the proper use of sensitive but unclassified designations. GAO reviewed ISOO's reports and agency documentation on changes implemented and controls in place, and interviewed security program managers at DOJ, its components, and ISOO to examine these issues.


 Board announces appointment of the chairmen and deputy chairmen of the twelve Federal Reserve Banks for 2007

The Federal Reserve Board announced the appointment of the chairmen and deputy chairmen of the twelve Federal Reserve Banks for 2007.

Each Reserve Bank has a nine-member board of directors. The Board of Governors in Washington appoints three of these directors and each year designates one of its appointees as chairman and a second as deputy chairman.


 Information Security Handbook - A Guide for Managers - NIST Special Publication 800-100

Introduction

This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. Typically, the organization looks to the program for overall responsibility to ensure the selection and implementation of appropriate security controls and to demonstrate the effectiveness of satisfying their stated security requirements. The topics within this document were selected based on the laws and regulations relevant to information security, including the Clinger-Cohen Act of 1996, the Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. The material in this handbook can be referenced for general information on a particular topic or can be used in the decision-making process for developing an information security program. National Institute of Standards and Technology Interagency Report (NISTIR) 7298 provides a summary glossary for the basic security terms used throughout this document. While reading this handbook, please consider that the guidance is not specific to a particular agency. Agencies should tailor this guidance according to their security posture and business requirements.


 Coordination of Federal Cyber Security Research and Development

Research and development (R&D) of cyber security technology is essential to creating a broader range of choices and more robust tools for building secure, networked computer systems in the federal government and in the private sector. The National Strategy to Secure Cyberspace identifies national priorities to secure cyberspace, including a federal R&D agenda.

GAO was asked to identify the (1) federal entities involved in cyber security R&D; (2) actions taken to improve oversight and coordination of federal cyber security R&D, including developing a federal research agenda; and (3) methods used for technology transfer at agencies with significant activities in this area. To do this, GAO examined relevant laws, policies, budget documents, plans, and reports.


 NCUA - Filing Requirements for Suspicious Activity Reports

NCUA is issuing a final rule to describe in greater detail the requirements for reporting and filing a Suspicious Activity Report (SAR) and to address prompt notification of the board of directors of SAR filings, the confidentiality of reports, and liability protection. NCUA also is changing the heading for this part so it more accurately describes its scope. NCUA seeks to enhance credit union compliance with SAR reporting requirements by providing greater detail in its rule on the thresholds and procedures for filing a SAR.

DATES: This rule is effective [insert date 30 days after published in the FEDERAL REGISTER].

FOR FURTHER INFORMATION CONTACT: Linda K. Dent, Staff Attorney, Office of General Counsel, at (703) 518-6540.


 An Ontology of Identity Credentials Part 1: Background and Formulation - NIST Special Publication 800-103 Draft

"An ontology is an explicit specification of a conceptualization. The term is borrowed from philosophy, where Ontology is a systematic account of Existence. For Artificial Intelligence (AI) systems, what "exists" is that which can be represented. When the knowledge of a domain is represented in a declarative formalism, the set of objects that can be represented is called the universe of discourse. This set of objects, and the describable relationships among them, are reflected in the representational vocabulary with which a knowledge-based program represents knowledge. Thus, in the context of AI, we can describe the ontology of a program by defining a set of representational terms. In such an ontology, definitions associate the names of entities in the universe of discourse (e.g., classes, relations, functions, or other objects) with human-readable text describing what the names mean, and formal axioms that constrain the interpretation and well-formed use of these terms. Formally, an ontology is the statement of a logical theory. We use common ontologies to describe ontological commitments for a set of agents so that they can communicate about a domain of discourse without necessarily operating on a globally shared theory." [GRUBER]


 Restated Financial Statements: Agencies’ Management and Auditor Disclosures of Causes and Effects and Timely Communication to Users

GAO continues to have concerns about restatements to federal agencies' previously issued financial statements. During fiscal year 2005, at least 7 of the 24 Chief Financial Officers (CFO) Act agencies restated certain of their fiscal year 2004 financial statements to correct misstatements. To study this trend, GAO reviewed the nature and causes of the restatements made by certain CFO Act agencies in fiscal year 2004 to their fiscal year 2003 financial statements. Eleven CFO Act agencies had restatements for fiscal year 2003. Nine of those 11 received unqualified opinions on their originally issued fiscal year 2003 financial statements. GAO’s view is that users of federal agencies' financial statements and the related audit reports need to be provided at least a basic understanding of why a restatement was necessary and its effect on the agencies' previously issued financial statements and related audit reports. This report communicates GAO's observations on the transparency and timeliness of the 9 federal agencies' and their auditors' restatement disclosures.

 Minority Banks - Regulators Need to Better Assess Effectiveness of Support Efforts

Minority banks can play an important role in serving the financial needs of historically underserved communities and growing populations of minorities. For this reason, the Financial Institutions, Reform, Recovery, and Enforcement Act of 1989 (FIRREA) established goals that the Federal Deposit Insurance Corporation (FDIC) and the Office of Thrift Supervision (OTS) must work toward to preserve and promote such institutions (support efforts).

To evaluate their efforts, as well as those of the Office of the Comptroller of the Currency (OCC) and the Federal Reserve, GAO (1) reviewed the profitability of minority banks, (2) identified the regulators' support and assessment efforts, and (3) obtained the views of minority banks on the regulators' efforts.

 Guidance for Securing Radio Frequency Identification (RFID) Systems - Draft - NIST Special Publication 800-98

Like any new technology, RFID presents new security and privacy risks that must be carefully mitigated through management, operational, and technical controls in order to realize the numerous benefits the technology has to offer. When practitioners adhere to sound security engineering principles, RFID technology can help a wide range of organizations and individuals realize substantial productivity gains and efficiencies. These organizations and individuals include hospitals and patients, retailers and customers, and manufacturers and suppliers throughout the supply chain. This guidance document provides an overview of RFID technology, the associated security and privacy risks, and recommended practices that will enable organizations to realize productivity improvements while safeguarding sensitive information and protecting the privacy of individuals.

Radio frequency identification (RFID) is a form of automatic identification and data capture (AIDC) technology that uses electric or magnetic fields at radio frequencies to transmit information. An RFID system can be used to identify many types of objects, such as manufactured goods, animals, and people.

 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities - Special Publication 800-84

Organizations have information technology (IT) plans in place, such as contingency and computer security incident response plans, so that they can respond to and manage adverse situations involving IT. These plans should be maintained in a state of readiness, which should include having personnel trained to fulfill their roles and responsibilities within a plan, having plans exercised to validate their content, and having systems and system components tested to ensure their operability in an operational environment specified in a plan. These three types of events can be carried out efficiently and effectively through the development and implementation of a test, training, and exercise (TT&E) program. Organizations should consider having such a program in place because tests, training, and exercises are so closely related. For example, exercises and tests offer different ways of identifying deficiencies in IT plans, procedures, and training.

This document provides guidance on designing, developing, conducting, and evaluating TT&E events so that organizations can improve their ability to prepare for, respond to, manage, and recover from adverse events that may affect their missions. The scope of this document is limited to TT&E events covering a single organization's internal IT operational procedures for emergencies, as opposed to large-scale events involving multiple organizations.

 Guide to Computer Security Log Management - NIST Special Publication 800-92

A log is a record of the events occurring within an organization’s systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network. Many logs within an organization contain records related to computer security. These computer security logs are generated by many sources, including security software, such as antivirus software, firewalls, and intrusion detection and prevention systems; operating systems on servers, workstations, and networking equipment; and applications.

The number, volume, and variety of computer security logs have increased greatly, which has created the need for computer security log management—the process for generating, transmitting, storing, analyzing, and disposing of computer security log data. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems.
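The lifecycle the guide describes (generate, transmit, store, analyze, dispose) is easier to see on concrete data. The following is an added example, not code from SP 800-92 or from this site: it normalizes a few constructed syslog-style sshd entries into records, runs one routine analysis over them (repeated authentication failures from a single source, and whether a success followed), and applies a retention period. The log lines, host names, addresses, thresholds and the 90-day retention period are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries in syslog style; not taken from any real system.
SAMPLE_LOG = """\
Mar 12 08:14:02 bastion sshd[2140]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 12 08:14:04 bastion sshd[2140]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar 12 08:14:05 bastion sshd[2140]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 12 08:14:07 bastion sshd[2140]: Failed password for root from 203.0.113.7 port 51241 ssh2
Mar 12 08:14:09 bastion sshd[2140]: Accepted password for root from 203.0.113.7 port 51242 ssh2
Mar 12 09:30:11 bastion sshd[2201]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Mar 12 09:45:00 bastion sshd[2203]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

# Pattern for the assumed sshd message format above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_log(text, year=2007):
    """Normalize raw lines into dicts. Classic syslog omits the year, so it is supplied."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count and keep unparsed lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "host": m["host"], "result": m["result"],
                        "user": m["user"], "src": m["src"]})
    return records


def detect_bruteforce(records, threshold=4, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failures inside `window`; note a later success."""
    failures, successes = defaultdict(list), defaultdict(list)
    for r in records:
        (failures if r["result"] == "Failed" else successes)[r["src"]].append(r["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            last = times[i + threshold - 1]
            if last - times[i] <= window:
                followed = any(t > last for t in successes.get(src, []))
                alerts.append({"src": src, "failures": threshold, "success_after": followed})
                break
    return alerts


def apply_retention(records, now_iso, keep_days=90):
    """Disposal step: drop entries older than the retention period (assumed 90 days)."""
    now = datetime.fromisoformat(now_iso)
    return [r for r in records if now - r["ts"] <= timedelta(days=keep_days)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in detect_bruteforce(recs):
        print(a)
    print(len(apply_retention(recs, "2007-05-01")), "records retained")
```

The analysis step deliberately looks at two event types together: a burst of failures is a policy violation worth a ticket, but a burst followed by a success from the same source is an incident, and the retention step shows why disposal has to be a decision rather than an accident of disk space.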

 Assessment of Access Control Systems

Adequate security of information and information systems is a fundamental management responsibility. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. In some systems, complete access is granted after successful authentication of the user, but most systems require more sophisticated and complex control. In addition to the authentication mechanism (such as a password), access control is concerned with how authorizations are structured. In some cases, authorization may mirror the structure of the organization, while in others it may be based on the sensitivity level of various documents and the clearance level of the user accessing those documents. This publication explains some of the commonly used access control services available in information technology systems.
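The two authorization structures the paragraph contrasts (permissions that mirror the organization, and permissions driven by document sensitivity against user clearance) can be combined in a single mediation point. The following is an added example, not code from the NIST publication or from this site: a role hierarchy with inherited permissions stands in for the organizational structure, a clearance-versus-sensitivity check applies the "no read up, no write down" rules of the Bell-LaPadula model, and check_access() mediates every request through both. The roles, levels, permission table and user and document names are assumptions made for the example.

```python
from dataclasses import dataclass

# Sensitivity and clearance levels, ordered low to high (constructed for the example).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}

# Organization-structured authorization: a role inherits the permissions of the
# roles beneath it (manager -> analyst -> staff). Assumed structure.
ROLE_PARENTS = {"manager": ["analyst"], "analyst": ["staff"], "staff": []}
ROLE_PERMS = {
    "staff": {("timesheet", "read"), ("timesheet", "write")},
    "analyst": {("report", "read"), ("report", "write")},
    "manager": {("report", "approve"), ("budget", "read")},
}

WRITE_LIKE = {"write", "approve"}  # actions that alter an object


def effective_permissions(role, seen=None):
    """Union of a role's own permissions and those inherited from parent roles."""
    if seen is None:
        seen = set()
    if role in seen:
        return set()  # guard against a cyclic hierarchy
    seen.add(role)
    perms = set(ROLE_PERMS.get(role, ()))
    for parent in ROLE_PARENTS.get(role, ()):
        perms |= effective_permissions(parent, seen)
    return perms


def rbac_allows(role, resource, action):
    return (resource, action) in effective_permissions(role)


@dataclass
class Subject:
    name: str
    role: str
    clearance: str


@dataclass
class Document:
    name: str
    kind: str         # the resource type used in the role permission table
    sensitivity: str


def mls_allows(subject, doc, action):
    """Simple security (no read up) and the *-property (no write down)."""
    s, o = LEVELS[subject.clearance], LEVELS[doc.sensitivity]
    if action == "read":
        return s >= o
    if action in WRITE_LIKE:
        return s <= o
    return False


def check_access(subject, doc, action):
    """Reference monitor: every access passes both checks or is denied with a reason."""
    if not rbac_allows(subject.role, doc.kind, action):
        return False, "role lacks permission"
    if not mls_allows(subject, doc, action):
        return False, "label check failed"
    return True, "ok"


if __name__ == "__main__":
    alice = Subject("alice", "analyst", "CONFIDENTIAL")
    forecast = Document("q1-forecast", "report", "SECRET")
    print(check_access(alice, forecast, "read"))   # denied: read up
```

Returning the reason with each denial matters in practice: an access log that records only "denied" cannot distinguish a user who is missing a role from one who is probing above their clearance. The *-property is enforced here for completeness; many commercial systems apply only the read rule, and a practitioner should know which of the two a given product actually implements.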

 Purchase Cards - Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper, and Abusive Activity

Why GAO Did This Study

In the wake of the 2005 hurricanes in the Gulf Region, GAO and the Department of Homeland Security Office of Inspector General (DHS OIG) initiated a number of audits and investigations addressing the federal government's response to those events. On July 19, 2006, GAO testified on the results of its purchase card work. This report summarizes the testimony and provides recommendations.

Department of Homeland Security (DHS) cardholders made thousands of transactions related to hurricane relief operations. GAO analyzed transactions between June and November of 2005 to determine if (1) DHS's control environment and management of purchase card usage were effective; (2) DHS's key internal control activities operated effectively and provided reasonable assurance that purchase cards were used appropriately; and (3) potentially fraudulent, improper, and abusive purchase card activity existed at DHS.

 Chairman Johnson Shares Recommendations With President’s Identity Theft Task Force

Alexandria, VA, September 27, 2006 - National Credit Union Administration (NCUA) Chairman JoAnn Johnson met recently with senior Administration officials to share recommendations with the President's Identity Theft Task Force. Based upon these recommendations, the Task Force will deliver a final strategic plan to President Bush in early November.

During a September 19 Task Force meeting, Chairman Johnson joined U.S. Attorney General Alberto Gonzales; Clay Johnson III, Deputy Director of the White House Office of Management and Budget; Michael Chertoff, Secretary of the Department of Homeland Security; Carlos M. Gutierrez, Secretary of Commerce; and other senior government officials to discuss recommendations to the President in key areas.

 Unprecedented Challenges Exposed the Individuals and Households Program to Fraud and Abuse

Why GAO Did This Study

In 2005, Hurricanes Katrina and Rita caused unprecedented damage. FEMA's Individuals and Households Program (IHP) provides direct assistance (temporary housing units) and financial assistance (grant funding for temporary housing and other disaster-related needs) to eligible individuals affected by disasters. Our objectives were to (1) compare the types and amounts of IHP assistance provided to Hurricane Katrina and Rita victims with that provided after other recent hurricanes, (2) describe the challenges FEMA faced because of the magnitude of the requests for assistance following Hurricanes Katrina and Rita, and (3) determine the vulnerability of the IHP program to fraud and abuse. GAO determined the extent to which the program was vulnerable to fraud and abuse by conducting statistical sampling, data mining, and undercover operations.

 Federal Trade Commission (FTC) Consumer ID Theft Website

The Federal Trade Commission (FTC) is responsible for economic issues that affect both consumers and businesses. Its primary function is to help maintain a competitive market environment that benefits both sides, and in this respect identity theft is seen as harming both consumers and businesses. In an effort to combat this problem, the FTC provides information and resources that enable the development of effective countermeasures against identity theft.

The FTC has developed a website that gives information on how to deter the threat of identity theft, which it refers to as a "one stop national resource" to learn about identity theft. The website provides material that defines identity theft and procedures to deal with it if it occurs.

 PIV Card to Reader Interoperability Guidelines - NIST Special Publication 800-96

The purpose of this document is to present recommendations for Personal Identity Verification (PIV) card readers in the area of performance and communications characteristics to foster interoperability. This document is not intended to re-state or contradict requirements specifically identified in Federal Information Processing Standard 201 (FIPS 201) or its associated documents. It is intended to augment existing standards to enable agencies to achieve the interoperability goal of Homeland Security Presidential Directive 12 (HSPD-12).

The document provides requirements that facilitate interoperability between any card and any reader. Specifically, the recommendations are for end-point cards and readers designed to read end-point cards.

 Guidelines on Electronic Mail Security (Draft) - Special Publication 800-45A

Electronic mail (email) is perhaps the most widely used system for exchanging business information over the Internet (or any other computer network). At the most basic level, the email process can be divided into two principal components: (1) mail servers, which are hosts that deliver, forward, and store mail; and (2) mail clients, which interface with users and allow them to read, compose, send, and store email messages. This document addresses the security issues of both mail servers and mail clients.

Mail servers and user workstations running mail clients are frequently targeted by attackers. Because the computing and networking technologies that underlie email are ubiquitous, they are well understood, and attackers are able to develop attack methods that exploit them. Mail servers are also targeted because they (like public Web servers) must communicate to some degree with untrusted third parties. Additionally, email clients have been targeted as an effective means of inserting malware into machines and of propagating that code to other machines.

 Guide to Intrusion Detection and Prevention (IDP) Systems (Draft) - Special Publication 800-94

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of potential incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected potential incidents. Intrusion detection and prevention (IDP) systems are primarily focused on identifying potential incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPs have become a necessary addition to the security infrastructure of nearly every organization.

IDPs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDP stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content.
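The three response techniques listed above (stopping the attack, changing the security environment, changing the attack's content) behave quite differently for the same traffic, and the difference is easiest to see side by side. The following is an added example, not code from SP 800-94 or from this site: a minimal inline inspector matches each payload against a small signature set, records an event for every hit, and then either only alerts, drops the packet, adds the source to a block list that stands in for a firewall reconfiguration, or rewrites the payload. The two signatures, the Packet shape, the addresses and the mode names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed signatures for the example; a real rule set is far larger and
# is tuned for false positives, which this one is not.
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("script tag", re.compile(r"(?i)</?script\b[^>]*>")),
]


@dataclass
class Packet:
    src: str
    payload: str


@dataclass
class Idp:
    # Response mode: "alert" (detect only), "drop", "block_source", "sanitize".
    mode: str = "alert"
    blocked_sources: set = field(default_factory=set)  # stands in for firewall rules
    events: list = field(default_factory=list)         # the IDP's own event log

    def inspect(self, pkt):
        """Return (verdict, payload_forwarded) and log what was observed."""
        if pkt.src in self.blocked_sources:
            # Environment was changed earlier: even benign traffic is now dropped,
            # which is the cost of the block_source response.
            self.events.append(("dropped-by-rule", pkt.src, None))
            return "dropped", None
        hits = [name for name, rx in SIGNATURES if rx.search(pkt.payload)]
        if not hits:
            return "passed", pkt.payload
        self.events.append(("alert", pkt.src, hits))
        if self.mode == "drop":
            return "dropped", None                     # stop the attack itself
        if self.mode == "block_source":
            self.blocked_sources.add(pkt.src)          # change the security environment
            return "dropped", None
        if self.mode == "sanitize":
            cleaned = pkt.payload
            for _, rx in SIGNATURES:
                cleaned = rx.sub("", cleaned)          # change the attack's content
            return "modified", cleaned
        return "passed", pkt.payload                   # alert only


if __name__ == "__main__":
    idp = Idp(mode="block_source")
    print(idp.inspect(Packet("203.0.113.9", "GET /../../etc/passwd")))
    print(idp.inspect(Packet("203.0.113.9", "GET /index.html")))  # also dropped now
    print(idp.events)
```

The block_source mode shows why automatic environment changes need care: once a source is on the list, every later packet from it is dropped regardless of content, so a spoofed or shared source address can turn the IDP into a denial-of-service tool against legitimate users.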

 Guide to Secure Web Services (Draft) - Special Publication 800-95

The advance of Web services technologies promises to have far-reaching effects on the Internet and enterprise networks. Web services based on the eXtensible Markup Language (XML), Simple Object Access Protocol (SOAP), and related open standards, and deployed in Service Oriented Architectures (SOA) allow data and applications to interact without human intervention through dynamic and ad hoc connections. Web services technology can be implemented in a wide variety of architectures, can co-exist with other technologies and software design approaches, and can be adopted in an evolutionary manner without requiring major transformations to legacy applications and databases.

The security challenges presented by the Web services approach are formidable and unavoidable. Many of the features that make Web services attractive, including greater accessibility of data, dynamic application-to-application connections, and relative autonomy (lack of human intervention) are at odds with traditional security models and controls.

 GAO - Federal Deposit Insurance Corporation Needs to Improve Its Program

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. The corporation relies extensively on computerized systems to support and carry out its financial and mission-related operations.

As part of the audit of the calendar year 2005 financial statements, GAO assessed (1) the progress FDIC has made in correcting or mitigating information security weaknesses previously reported and (2) the effectiveness of the corporation's information system controls to protect the confidentiality, integrity, and availability of its key financial information and information systems.

 Information Security - Federal Reserve Needs to Address Treasury Auction Items

The Federal Reserve System's Federal Reserve Banks (FRB) serve as fiscal agents of the U.S. government when they are directed to do so by the Secretary of the Treasury. In this capacity, the FRBs operate and maintain several mainframe and distributed-based systems-including the systems that support the Department of the Treasury's auctions of marketable securities-on behalf of the department's Bureau of the Public Debt (BPD). Effective security controls over these systems are essential to ensure that sensitive and financial information is adequately protected from inadvertent or deliberate misuse, disclosure, or destruction.

In support of its audit of BPD's fiscal year 2005 Schedule of Federal Debt, GAO assessed the effectiveness of information system controls in protecting financial and sensitive auction information on key mainframe and distributed-based systems that the FRBs maintain and operate for BPD. To do this, GAO observed and tested FRBs' security controls.

 Information Technology Security Training Requirements: A Role- and Performance-Based Model - NIST Special Publication 800-16

1.1 Background

Federal agencies and organizations cannot protect the integrity, confidentiality, and availability of information in today's highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them. The human factor is so critical to success that the Computer Security Act of 1987 (Public Law [P.L.] 100-235) required that, "Each agency shall provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency."

In accordance with P.L. 100-235, the National Institute of Standards and Technology (NIST), working with the U.S. Office of Personnel Management (OPM), was charged with developing and issuing guidelines for Federal computer security training. This requirement was satisfied by NIST's issuance of "Computer Security Training Guidelines" (Special Publication [SP] 500-172) in November 1989. In January 1992, OPM issued a revision to the Federal personnel regulations which made these voluntary guidelines mandatory. This regulation, 5 CFR Part 930, is entitled "Employees Responsible for the Management or Use of Federal Computer Systems" and requires Federal agencies to provide training as set forth in NIST guidelines.

 Building an Information Technology Security Awareness and Training Program - NIST Special Publication 800-50

NIST Special Publication 800-50, Building An Information Technology Security Awareness and Training Program, provides guidance for building an effective information technology (IT) security program and supports requirements specified in the Federal Information Security Management Act (FISMA) of 2002 and the Office of Management and Budget (OMB) Circular A-130, Appendix III. A strong IT security program cannot be put in place without significant attention given to training agency IT users on security policy, procedures, and techniques, as well as the various management, operational, and technical controls necessary and available to secure IT resources. In addition, those in the agency who manage the IT infrastructure need to have the necessary skills to carry out their assigned duties effectively. Failure to give attention to the area of security training puts an enterprise at great risk because security of agency resources is as much a