Tonawanda man faces prison time, fine for hacking - A Tonawanda man
is facing prison time after pleading guilty Thursday to a felony
charge of computer hacking, federal officials said.
NCUA - Letters to Credit Unions 07-CU-13 - Supervisory
Letter-Evaluation Third Party Relationships.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Dormitory Authority hunts missing ID tapes - Data on hundreds of
current, former workers were lost in transit - Data tapes containing
Social Security numbers, phone numbers and addresses for up to 800
current and former employees of the state Dormitory Authority, many
of whom live in the Capital Region, are missing.
Manual catches 2 student hackers - Jefferson teachers toughen
passwords - Computer passwords will get tougher for thousands of
Jefferson County teachers, after two duPont Manual seniors were
involved in a scheme to hack into school computers to boost grades,
erase absences and post coming tests.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the
Internet or on-line text. Thus, institutions should carefully review
their on-line advertisements in an effort to minimize compliance
In addition, Internet or other systems in which a credit application
can be made on-line may be considered "places of business"
under HUD's rules prescribing lobby notices. Thus, institutions may
want to consider including the "lobby notice,"
particularly in the case of interactive systems that accept
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
Booklet. This booklet is required reading for anyone
involved in information systems security, such as the Network Administrator,
Information Security Officer, members of the IS Steering Committee,
and most important your outsourced network security consultants.
Your outsourced network security consultants can receive the
"Internet Banking News" by completing the subscription for
There is no charge for the e-newsletter.
Action Summary - Financial institutions should implement an ongoing
security process, and assign clear and appropriate roles and
responsibilities to the board of directors, management, and
The security process is the method an organization uses to implement
and achieve its security objectives. The process is designed to
identify, measure, manage and control the risks to system and data
availability, integrity, and confidentiality, and ensure
accountability for system actions. The process includes five areas
that serve as the framework for this booklet:
Security Risk Assessment - A process to identify threats,
vulnerabilities, attacks, probabilities of occurrence, and outcomes.
2) Information Security
Strategy - A plan to mitigate risk that integrates technology,
policies, procedures and training. The plan should be reviewed and
approved by the board of directors.
3) Security Controls
Implementation - The acquisition and operation of technology, the
specific assignment of duties and responsibilities to managers and
staff, the deployment of risk - appropriate controls, and assurance
that management and staff understand their responsibilities and have
the knowledge, skills, and motivation necessary to fulfill their
4) Security Testing -
The use of various methodologies to gain assurance that risks are
appropriately assessed and mitigated. These testing methodologies
should verify that significant controls are effective and performing
5) Monitoring and
Updating - The process of continuously gathering and analyzing
information regarding new threats and vulnerabilities, actual
attacks on the institution or others combined with the effectiveness
of the existing security controls. This information is used to
update the risk assessment, strategy, and controls. Monitoring and
updating makes the process continuous instead of a one - time event.
Security risk variables include threats, vulnerabilities, attack
techniques, the expected frequency of attacks, financial institution
operations and technology, and the financial institution's
defensive posture. All of these variables change constantly.
Therefore, an institution's management of the risks requires an
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Access Rights Administration
2. Determine if the
user registration and enrollment process
• Uniquely identifies the user,
• Verifies the need to use the system according to appropriate
• Enforces a unique user ID,
• Assigns and records the proper security attributes (e.g.,
• Enforces the assignment or selection of an authenticator that
agrees with the security policy,
• Securely distributes any initial shared secret authenticator or
• Obtains acknowledgement from the user of acceptance of the terms
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
9) Does the institution list the following categories of
nonpublic personal information that it collects, as applicable:
a) information from the consumer; [§6(c)(1)(i)]
b) information about the consumer's transactions with the
institution or its affiliates; [§6(c)(1)(ii)]
c) information about the consumer's transactions with
nonaffiliated third parties; [§6(c)(1)(iii)] and
d) information from a consumer reporting agency? [§6(c)(1)(iv)]