R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

January 16, 2011

CONTENT
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

FYI - No warrant needed to search cell phone - Posted Tuesday, January 4, 2011 at 05:45 pm CT by Bob Sullivan - The next time you're in California, you might not want to bring your cell phone with you. The California Supreme Court ruled Monday that police can search the cell phone of a person who's been arrested -- including text messages -- without obtaining a warrant, and use that data as evidence. http://redtape.msnbc.com/2011/01/court-cops-can-search-cell-phone-without-warrant.html

FYI - Visa strengthens its network fraud detection - Visa has enhanced the security of its electronic credit card authorization system, known as VisaNet, to improve the speed and accuracy of fraud detection, the card brand announced. http://www.scmagazineus.com/visa-strengthens-its-network-fraud-detection/article/193920/?DCMP=EMC-SCUS_Newswire

FYI - Crime ring instigates cyber attack against rival websites - A group of gangsters have been caught hiring hackers to make “cyber attacks” to shut down rival gambling websites, the first of its kind here. http://www.koreatimes.co.kr/www/news/nation/2011/01/113_79384.html

FYI - The data breach heard around the world - After WikiLeaks began publishing secret U.S. diplomatic cables in late November, a number of pundits asked how the federal government failed to detect and prevent the disclosure of the classified data. http://www.scmagazineus.com/wkileaks-fallout-the-data-breach-heard-around-the-world/article/193219/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Secret Service Joins EVG Fraud Probe; Suspect Photo Released - Total loss tops $82,000 with more than 280 area residents victimized. Feds assign agents to joint investigation. The ever expanding investigation into the credit and debit card fraud at Sierra Madre’s EVG gas station will now have the assistance of the Secret Service. http://sierramadre.patch.com/articles/secret-service-joins-evg-fraud-probe-suspect-photo-released

FYI - South African wireless traffic lights pillaged by SIM-card thieves - Don't stop at the lights unless you want free phone calls - The Johannesburg Road Agency is in talks with suppliers to try and stop thieves targeting its shiny new traffic lights for the SIM cards they contain. http://www.theregister.co.uk/2011/01/06/joburg_traffic_light_theft/

FYI - Alleged Miley Cyrus hacker arrested - The 21-year-old hacker who boasted about breaking into Miley Cyrus' Gmail account and posting racy photographs of the teenage star has been arrested in Tennessee on fraud charges. http://www.computerworld.com/s/article/9203498/Alleged_Miley_Cyrus_hacker_arrested?taxonomyId=82&pageNumber=1

FYI - Australian Privacy Commissioner to investigate Vodafone breach - Vodafone will open its doors to the Australian Privacy Commissioner, Timothy Pilgrim, in the wake of allegations the telecommunications giant made the personal information of four million customers available on its website. http://computerworld.co.nz/news.nsf/news/australian-privacy-commissioner-to-investigate-vodafone-breach

FYI - 2,000 hit by Fine Gael web hack - The statement on the new Fine Gael website said it was "professionally hacked". Hackers accessed the personal details of just under 2,000 people when they targeted a website for the Irish opposition party, Fine Gael. http://www.bbc.co.uk/news/uk-northern-ireland-12151724

FYI - Vegas vid-poker hack jackpot bonanza duo face charges - A duo who used a software bug in video poker machines to milk thousands in unearned jackpots have been charged with computer hacking and conspiracy offences. http://www.theregister.co.uk/2011/01/07/video_poker_hack_charges/


WEB SITE COMPLIANCE -
Disclosures/Notices (Part 1 of 2)

Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.

 
INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY RISK ASSESSMENT

KEY RISK ASSESSMENT PRACTICES (2 of 2)

4)  Accountable Activities - The responsibility for performing risk assessments should reside primarily with members of management in the best position to determine the scope of the assessment and the effectiveness of risk reduction techniques. For a mid-sized or large institution, that organization will likely be the business unit. The information security officer(s) are responsible for overseeing the performance of each risk assessment and the integration of the risk assessments into a cohesive whole. Senior management is accountable for abiding by the board of directors' guidance for risk acceptance and mitigation decisions.

5)  Documentation - Documentation of the risk assessment process and procedures assists in ensuring consistency and completeness, as well as accountability. Documentation of the analysis and results provides a useful starting point for subsequent assessments, potentially reducing the effort required in those assessments. Documentation of risks accepted and risk mitigation decisions is fundamental to achieving accountability for risk decisions.

6)  Enhanced Knowledge - Risk assessment increases management's knowledge of the institution's mechanisms for storing, processing, and communicating information, as well as the importance of those mechanisms to the achievement of the institution's objectives. Increased knowledge allows management to respond more rapidly to changes in the environment. Those changes can range from new technologies and threats to regulatory requirements.

7)  Regular Updates - Risk assessments should be updated as new information affecting information security risks is identified (e.g., a new threat, vulnerability, adverse test result, hardware change, software change, or configuration change). At least once a year, senior management should review the entire risk assessment to ensure relevant information is appropriately considered.



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Opt Out Notice


19. If the institution discloses nonpublic personal information about a consumer to a nonaffiliated third party, and the exceptions under §§13-15 do not apply, does the institution provide the consumer with a clear and conspicuous opt out notice that accurately explains the right to opt out? [§7(a)(1)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved. Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated