Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
- No warrant needed to search cell phonePosted: Tuesday, January 4
2011 at 05:45 pm CT by Bob Sullivan - The next time you're in
California, you might not want to bring your cell phone with you.
The California Supreme Court ruled Monday that police can search the
cell phone of a person who's been arrested -- including text
messages -- without obtaining a warrant, and use that data as
- Visa strengthens its network fraud detection - Visa has enhanced
the security of its electronic credit card authorization system,
known as VisaNet, to improve the speed and accuracy of fraud
detection, the card brand announced.
- Crime ring instigates cyber attack against rival websites - A
group of gangsters have been caught hiring hackers to make “cyber
attacks” to shut down rival gambling websites, the first of its kind
- The data breach heard around the world - After WikiLeaks began
publishing secret U.S. diplomatic cables in late November, a number
of pundits asked how the federal government failed to detect and
prevent the disclosure of the classified data.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Secret Service Joins EVG Fraud Probe; Suspect Photo Released - Total
loss tops $82,000 with more than 280 area residents victimized. Feds
assign agents to joint investigation. The ever expanding
investigation into the credit and debit card fraud at Sierra Madre’s
EVG gas station will now have the assistance of the Secret Service.
South African wireless traffic lights pillaged by SIM-card thieves -
Don't stop at the lights unless you want free phone calls - The
Johannesburg Road Agency is in talks with suppliers to try and stop
thieves targeting its shiny new traffic lights for the SIM cards
Alleged Miley Cyrus hacker arrested - The 21-year-old hacker who
boasted about breaking into Miley Cyrus' Gmail account and posting
racy photographs of the teenage star has been arrested in Tennessee
on fraud charges.
- Australian Privacy Commissioner to investigate Vodafone breach -
Vodafone will open its doors to the Australian Privacy Commissioner,
Timothy Pilgrim, in the wake of allegations the telecommunications
giant made the personal information of four million customers
available on its website.
- 2,000 hit by Fine Gael web hack - The statement on the new Fine
Gael webiste said it was "professionally hacked" Hackers accessed
the personal details of just under 2,000 people when they targeted a
website for the Irish opposition party, Fine Gael.
- Vegas vid-poker hackjackpot bonanza duo face charges - A duo who
used a software bug in video poker machines to milk thousands in
unearned jackpots have been charged with computer hacking and
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
(Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can "keep"
the disclosure. A consumer using certain electronic devices, such as
Web TV, may not be able to print or download the disclosure. If
feasible, a financial institution may wish to include in its on-line
program the ability for consumers to give the financial institution
a non-electronic address to which the disclosures can be mailed.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (2 of 2)
4) Accountable Activities - The responsibility for performing risk
assessments should reside primarily with members of management in
the best position to determine the scope of the assessment, and the
effectiveness of risk reduction techniques. For a mid - sized or
large institution, that organization will likely be the business
unit. The information security officer(s) are responsible for
overseeing the performance of each risk assessment and the
integration of the risk assessments into a cohesive whole. Senior
management is accountable for abiding by the board of directors'
guidance for risk acceptance and mitigation decisions.
5) Documentation - Documentation of the risk assessment process and
procedures assists in ensuring consistency and completeness, as well
as accountability. Documentation of the analysis and results
provides a useful starting point for subsequent assessments,
potentially reducing the effort required in those assessments.
Documentation of risks accepted and risk mitigation decisions is
fundamental to achieving accountability for risk decisions.
6) Enhanced Knowledge - Risk assessment increases management's
knowledge of the institution's mechanisms for storing, processing,
and communicating information, as well as the importance of those
mechanisms to the achievement of the institution's objectives.
Increased knowledge allows management to respond more rapidly to
changes in the environment. Those changes can range from new
technologies and threats to regulatory requirements.
7) Regular Updates - Risk assessments should be updated as new
information affecting information security risks are identified
(e.g., a new threat, vulnerability, adverse test result, hardware
change, software change or configuration change). At least once a
year, senior management should review the entire risk assessment to
ensure relevant information is appropriately considered.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Opt Out Notice
19. If the institution discloses nonpublic personal information
about a consumer to a nonaffiliated third party, and the exceptions
under §§13-15 do not apply, does the institution provide the
consumer with a clear and conspicuous opt out notice that accurately
explains the right to opt out? [§7(a)(1)]