Category: Regulations

In addition to the revised Information Security Booklet, the agencies also released an Executive Summary that contains high level synopses of each of the twelve booklets and describes the handbook development and maintenance processes.

FIEC – http://www.bankinfosecurity.com/html/ffiec-updated-information-security-booklet.html
The Offıce of Thrift Supervision (OTS) – http://www.bankinfosecurity.com/html/it_exam_handbook_updated.html
FDIC – http://www.bankinfosecurity.com/html/fdic-insurance-assessment-penalties.html

In January 2004, Stuart Romm traveled to Las Vegas to attend a training seminar for his new employer. Then, on Feb. 1, Romm continued the business trip by boarding a flight to Kelowna, British Columbia. Romm was denied entry by the Canadian authorities because of his criminal history. When he returned to the Seattle-Tacoma airport, he was interviewed by two agents of Homeland Security’s Immigration and Customs Enforcement division. They asked to search his laptop, and Romm agreed. Agent Camille Sugrue would later testify that she used the “EnCase” software to do a forensic analysis of Romm’s hard drive. That analysis and a subsequent one found some 42 child pornography images, which had been present in the cache used by Romm’s Web browser and then deleted. But because in most operating systems, only the directory entry is removed when a file is “deleted,” the forensic analysis was able to recover the actual files.

During the trial, Romm’s attorney asked that the evidence from the border search be suppressed. Romm was eventually sentenced to two concurrent terms of 10 and 15 years for knowingly receiving and knowingly possessing child pornography. The 9th Circuit refused to overturn his conviction, ruling that American citizens effectively enjoy no right to privacy when stopped at the border.

“We hold first that the ICE’s forensic analysis of Romm’s laptop was permissible without probable cause or a warrant under the border search doctrine,” wrote Judge Carlos Bea. Joining him in the decision were Judges David Thompson and Betty Fletcher.

“To be sure, the court today invokes precedent stating that neither probable cause nor a warrant ever have been required for border searches,” Brennan wrote. “If this is the law as a general matter, I believe it is time that we re-examine its foundations.” But Brennan and Marshall were outvoted by their fellow justices, who ruled that the drug war trumped privacy, citing a “veritable national crisis in law enforcement caused by smuggling of illicit narcotics.”

Today their decision means that laptop-toting travelers should expect no privacy either. As an aside, a report last year from a U.S.-based marijuana activist says U.S. border guards looked through her digital camera snapshots and likely browsed through her laptop’s contents. A London-based correspondent for The Economist magazine once reported similar firsthand experiences, and a 1998 article in The New York Times described how British customs scan laptops for sexual material.

Here are some tips on using encryption to protect your privacy. “First, we address whether the forensic analysis of Romm’s laptop falls under the border search exception to the warrant requirement…Under the border search exception, the government may conduct routine searches of persons entering the United States without probable cause, reasonable suspicion, or a warrant. For Fourth Amendment purposes, an international airport terminal is the “functional equivalent” of a border. Thus, passengers deplaning from an international flight are subject to routine border searches.

Romm argues he was not subject to a warrantless border search because he never legally crossed the U.S.-Canada border.

We have held the government must be reasonably certain that the object of a border search has crossed the border to conduct a valid border search….In all these cases, however, the issue was whether the person searched had physically crossed the border. There is no authority for the proposition that a person who fails to obtain legal entry at his destination may freely re-enter the United States; to the contrary, he or she may be searched just like any other person crossing the border. Nor will we carve out an “official restraint” exception to the border search doctrine, as Romm advocates. We assume for the sake of argument that a person who, like Romm, is detained abroad has no opportunity to obtain foreign contraband. Even so, the border search doctrine is not limited to those cases where the searching officers have reason to suspect the entrant may be carrying foreign contraband. Instead, ‘searches made at the border…are reasonable simply by virtue of the fact that they occur at the border.’

http://news.zdnet.com/2100-9595_22-6098939.html

In May, the Department of Veterans Affairs revealed that the names, social security numbers and birth dates of nearly 26.5 million veterans had been stored on a laptop and external hard drive that were stolen from an employee’s home.

Last year, the U.S. government received an average grade of D+ for computer security.

http://www.securityfocus.com/brief/256

“We hope that most FDIC-insured institutions will find our proposals reasonable and fair, and we look forward to receiving comments.”

Comments on the proposed rules are due within 60 days of publication in the Federal Register, which is expected to occur within a week.

In a related action, the FDIC Board also issued for comment a proposed new official sign for institutions to display at teller stations and elsewhere.

http://www.bankinfosecurity.com/regulations.php?reg_id=274&PHPSESSID=cfb4ec9e2060b1a75aa318ad04007258

The updated PCI standard will cover Web apps, third-party controls. VISA Inc. and MasterCard International Inc. will release new security rules in the next 30 to 60 days for all organizations that handle credit card data, a Visa official said this week. The rules will be the first major updates to the one-year-old Payment Card Industry (PCI) data security standard, which analysts said is slowly but surely being adopted. One set of PCI extensions is aimed at protecting credit card data from emerging Web application security threats, said Eduardo Perez, vice president of corporate risk and compliance at Foster City, Calif.-based Visa. Other new rules will require companies to ensure that any third parties that they deal with, such as hosting providers, have proper controls for securing credit card data.

SAS 70 (full name: Statement on Auditing Standards No. 70, Service Organizations) can indeed be very helpful in examining the quality of a potential business partner’s information security controls.

Sarbox requires that companies verify the accuracy of their financial statements, and establishes SAS 70 Type 2 audits as a way to verify that third-party providers meet those needs.

In her book Stepping Through the IS Audit, Bayuk includes a sample audit with a dozen ways to help verify the controls for systems security, including aspects like access controls, ways to report security breaches, and even big-ticket items like how to ensure IT security is aligned with business requirements.

In a SAS 70 audit, the service organization being audited must first prepare a written description of its goals and objectives. The auditor then examines the service organization’s description and says whether the auditor believes those goals are fairly stated, whether the controls are suitably designed to achieve the control objectives that the organization has stated for itself, whether the controls have been placed in operations (as opposed to existing only on paper), and in a Type 2 engagement, whether these controls are operating effectively.

The fact that a company has conducted a SAS 70 audit does not necessarily mean its systems are secure. In fact, a SAS 70 may confirm that a particular system is not secure, by design. “You can have control objectives to make any statement management may want to make,” says Robert Aanerud, chief risk officer and principal consultant at security consultancy HotSkills.

Defining security-related objectives is not simple, and wading through SAS 70 audits to see where they do and don’t cover what your firm needs to know takes substantial amounts of time. Because SAS 70 was meant to look at financial controls, a SAS 70 audit report may have plenty that has nothing to do with IT security.

What CSOs care about may be buried somewhere on a page or two in the middle of a SAS 70 report, which can run hundreds of pages. And CSOs must further read a SAS 70 in context of how their company would establish controls and compare those to how the potential service provider does.

Bear Stearns’ Bayuk says that in fact, SAS 70 audits generally are very revealing. “SAS 70s should not be used to replace due diligence on a vendor’s information security practices,” says Naidoo, who came to Northern Trust in early 2005 after four years at ABN Amro. Information security controls are much more granular, and you need to go deeper [than SAS 70],” she says. Companies, then, must also expect to invest a certain amount of time in reviewing SAS 70s—Naidoo says she’s seen 300-page SAS 70 write-ups, which makes for a challenging review.

The main challenge with a SAS 70 is that there is no standard way of defining controls. “I would never use an ISO 17799—you can have the best process to assess risk and identify vulnerability and have it on your queue to implement and never implement it,” she says.

Michael Scher, general counsel and compliance architect at Nexum, a security product and service provider, says his company is preparing to undergo its first SAS 70 audit. “If you have policies you want to maintain, the SAS 70 will check that you in fact met those policies and are compliant with them,” he says.

http://www.csoonline.com/read/110105/sas70.html