California breach disclosure law covers medical records - California
has extended its widely copied data breach notification law to
encompass incidents including electronic medical and health
insurance information. AB 1298, which took effect Tuesday, adds
unencrypted medical histories and information on mental or physical
conditions or diagnoses to the types of records covered by the
Golden State's first-in-the-nation breach notification law.

Computer Forensics Faces Private Eye Competition - The Internet is
boundless and cybercrime scenes stretch from personal desktops
across the fiber networks that circle the globe. Digital forensic
investigators like Harold Phipps, vice president of industry
relations at Norcross Group in Norcross, Ga., routinely slip across
conventional geographic jurisdictions in pursuit of digital evidence

GAO - Information Security: IRS Needs to Address Pervasive
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-08-211
Highlights - http://www.gao.gov/highlights/d08211high.pdf

Boeing's New 787 May Be Vulnerable to Hacker Attack - Boeing's new
787 Dreamliner passenger jet may have a serious security
vulnerability in its onboard computer networks that could allow
passengers to access the plane's control systems, according to the
U.S. Federal Aviation Administration.

Pennsylvania state government Web site hacked - No evidence of
damage; source tracked to domain registered in China - Hackers from
China infiltrated the Web site of the Pennsylvania state government,
but officials said they found no evidence of damage.

Sears admits to joining spyware biz - A Harvard researcher has
accused one of America's biggest retailers of sneaking
privacy-stealing spyware from ComScore onto customers' machines.

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Nato secrets USB stick lost in Swedish library - The discovery of a
USB memory stick containing classified NATO information in a library
in Stockholm has prompted a meeting between the Swedish Military
Intelligence and Security Service and foreign defence officials.

Clarkson stung after bank prank - Jeremy Clarkson found himself
unexpectedly donating to charity - TV presenter Jeremy Clarkson has
lost money after publishing his bank details in his newspaper
column. The Top Gear host revealed his account numbers after
rubbishing the furore over the loss of 25 million people's personal
details on two computer discs.

Discount retail website Geeks.com hacked - The parent company of
discount retail website Geeks.com has notified affected customers
that a hacker may have accessed their credit card numbers and other
personal information in a December incident. The website features
the "hacker safe" notification from McAfee ScanAlert.
WEB SITE COMPLIANCE -
TRUTH IN SAVINGS ACT (REG DD)
Financial institutions that advertise deposit products and services
on-line must verify that proper advertising disclosures are made in
accordance with all provisions of the regulations. Institutions
should note that the disclosure exemption for electronic media does
not specifically address commercial messages made through an
institution's web site or other on-line banking system. Accordingly,
adherence to all of the advertising disclosure requirements is
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to OSC
regulations if the institution's deposit rates appear on third party
web sites or as part of a rate sheet summary. These types of
messages are not considered advertisements unless the depository
institution, or a deposit broker offering accounts at the
institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers would supplement electronic disclosures
with paper disclosures.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet. This booklet is required reading for anyone
involved in information systems security, such as the Network Administrator,
Information Security Officer, members of the IS Steering Committee,
and, most important, your outsourced network security consultants.
Your outsourced network security consultants can receive the
"Internet Banking News" by completing the subscription for
There is no charge for the e-newsletter.
AND RESPONSIBILITIES (2 of 2)
Senior management should enforce its security program by clearly
communicating responsibilities and holding appropriate individuals
accountable for complying with these requirements. A central
authority should be responsible for establishing and monitoring the
security program. Security management responsibilities, however, may
be distributed throughout the institution from the IT department to
various lines of business depending on the institution's size,
complexity, culture, nature of operations, and other factors. The
distribution of duties should ensure an appropriate segregation of
duties between individuals or organizational groups.
Senior management also has the responsibility to ensure integration
of security controls throughout the organization. To support
integration, senior management should
1) Ensure the security process is governed by organizational
policies and practices that are consistently applied,
2) Require that data with similar criticality and sensitivity
characteristics be protected consistently regardless of where in the
organization it
3) Enforce compliance with the security program in a balanced and
consistent manner across the organization, and
4) Coordinate information security with physical security.
Senior management should make decisions regarding the acceptance of
security risks and the performance of risk mitigation activities
using guidance approved by the board of directors.
Employees should know, understand, and be held accountable for
fulfilling their security responsibilities. Institutions should
define these responsibilities in their security policy. Job
descriptions or contracts should specify any additional security
responsibilities beyond the general policies. Financial institutions
can achieve effective employee awareness and understanding through
security training, employee certifications of compliance,
self-assessments, audits, and monitoring.
Management also should consider the roles and responsibilities of
external parties. Technology service providers (TSPs), contractors,
customers, and others who have access to the institution's systems
and data should have their security responsibilities clearly
delineated and documented in contracts.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Access Rights Administration
5. Evaluate the effectiveness and timeliness with which changes in
access control privileges are implemented and the effectiveness of
supporting policies and procedures.
• Review procedures and controls in place and determine whether
access control privileges are promptly eliminated when they are no
longer needed. Include former employees and temporary access for
remote access and contract workers in the review.
• Assess the procedures and controls in place to change, when
appropriate, access control privileges (e.g., changes in job
responsibility and promotion).
• Determine whether access rights expire after a predetermined
period of inactivity.
• Review and assess the effectiveness of a formal review process
to periodically review the access rights to assure all access rights
are proper. Determine whether necessary changes are made as a result
of that review.
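
One way to run the checks in this question against an account export, as an added example that is not part of the newsletter or the FFIEC booklet. The roster and account records, field names, and the 90-day inactivity threshold are all constructed assumptions; substitute the institution's own HR extract, user report, and policy value.

```python
from datetime import date

# Constructed sample data (not from the newsletter): an HR roster and an
# account export such as a directory or core-banking user report.
ROSTER = {
    "asmith": {"status": "active"},
    "bjones": {"status": "terminated", "end": date(2008, 1, 4)},
    "cvendor": {"status": "contractor", "end": date(2007, 12, 31)},
    "dlee": {"status": "active"},
}
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "last_logon": date(2008, 1, 10), "remote": False},
    {"user": "bjones", "enabled": True, "last_logon": date(2008, 1, 3), "remote": True},
    {"user": "cvendor", "enabled": True, "last_logon": date(2007, 12, 20), "remote": True},
    {"user": "dlee", "enabled": True, "last_logon": date(2007, 9, 1), "remote": False},
    {"user": "svc_old", "enabled": True, "last_logon": None, "remote": False},
    {"user": "efox", "enabled": False, "last_logon": date(2007, 6, 1), "remote": False},
]

def review_access(accounts, roster, today, max_inactive_days=90):
    """Return {user: [findings]} for enabled accounts that need follow-up."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts no longer grant access
        issues = []
        person = roster.get(acct["user"])
        if person is None:
            issues.append("no owner on roster")
        elif person["status"] == "terminated":
            days = (today - person["end"]).days
            issues.append(f"former employee, still enabled {days} days after departure")
        elif person["status"] == "contractor" and person["end"] < today:
            issues.append("temporary/contract access past end date")
        last = acct["last_logon"]
        if last is None or (today - last).days > max_inactive_days:
            issues.append(f"inactive more than {max_inactive_days} days")
        if issues and acct["remote"]:
            issues.append("remote access enabled")  # raise priority of the finding
        if issues:
            findings[acct["user"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in review_access(ACCOUNTS, ROSTER, date(2008, 1, 15)).items():
        print(f"{user}: {'; '.join(issues)}")
```

The days-after-departure figure gives a direct measure of timeliness, and accounts with no roster entry are the ones a periodic formal review should assign an owner to or remove.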
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
11. Does the institution list the following categories of
affiliates and nonaffiliated third parties to whom it discloses
information, as applicable, and a few examples to illustrate the
types of the third parties in each category:
a. financial service providers; [§6(c)(3)(i)]
b. non-financial companies; [§6(c)(3)(ii)] and
c. others? [§6(c)(3)(iii)]