Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit http://www.yennik.com/it-review/.
FYI - FDIC Issues Rule Including IOLTAs in Temporary Unlimited Deposit Insurance Coverage for Noninterest-Bearing Transaction Accounts - The Board of Directors of the Federal Deposit Insurance Corporation today approved a final rule to include Interest on Lawyer Trust Accounts in the temporary unlimited deposit coverage for noninterest-bearing transaction accounts.
http://www.fdic.gov/news/news/financial/2011/fil11002.html
(Please read because it requires a posting on a bank's web site.)

FYI - FERC lacks the juice to enforce smart grid security, study finds - Security framework remains a work in progress, hampered by lack of regulatory oversight - A framework of standards is emerging for securing an intelligent energy grid, but it is not yet complete and federal overseers lack the authority to require industry compliance, according to a study by the Government Accountability Office.
http://gcn.com/articles/2011/01/13/smart-grid-security.aspx?admgarea=TC_SECURITY

FYI - Palin e-mail hacker starts prison - A man who broke into Sarah Palin's e-mail has been imprisoned - despite being told he might be spared jail.
http://www.bbc.co.uk/news/technology-12176463

FYI - FDIC phishing emails use Patriot Act scare tactic - Fraudulent emails claiming to come from the Federal Deposit Insurance Corp. (FDIC) are attempting to trick users into handing over their sensitive personal information, the agency said in a warning issued Wednesday to clients and customers.
http://www.scmagazineus.com/fdic-phishing-emails-use-patriot-act-scare-tactic/article/194241/?DCMP=EMC-SCUS_Newswire

FYI - RIM to filter internet for BlackBerry users in Indonesia - Responding to pressure from Indonesia's government, Research In Motion (RIM) has decided to filter pornographic internet content for BlackBerry users in that country.
http://www.scmagazineus.com/rim-to-filter-internet-for-blackberry-users-in-indonesia/article/194080/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Vodafone sacks staff over data breach - Vodafone has sacked several employees over the privacy leak that exposed up to four million customer records.
http://www.zdnet.com.au/vodafone-sacks-staff-over-data-breach-339308574.htm

FYI - Disgruntled TSA data analyst sentenced for sabotage attempt - A former data analyst for the Transportation Security Administration was sentenced to two years in prison for planting code in a terrorist screening database server after he was told his position was going to be eliminated.
http://www.theregister.co.uk/2011/01/12/tsa_employee_sabotage_attempt/

FYI - Men sentenced for role in international ATM skimming ring - Two men were sentenced to lengthy prison terms on Tuesday for their roles in an ATM skimming spree that authorities say targeted gas station pumps throughout the United States.
http://www.theregister.co.uk/2011/01/12/atm_skimming_prison_senteces/

FYI - Hacked Laptops Lead Banks to Warn of Data Breaches - Recent data breaches at two banks underscore what's becoming a gnarly problem for companies that handle sensitive information: When does a hacked PC become a data breach?
http://www.pcworld.com/businesscenter/article/216576/hacked_laptops_lead_banks_to_warn_of_data_breaches.html
WEB SITE COMPLIANCE - Disclosures/Notices (Part 2 of 2)

In those instances where an electronic form of communication is permissible by regulation, to reduce compliance risk institutions should ensure that the consumer has agreed to receive disclosures and notices through electronic means. Additionally, institutions may want to provide information to consumers about the ability to discontinue receiving disclosures through electronic means, and to implement procedures to carry out consumer requests to change the method of delivery. Furthermore, financial institutions advertising or selling non-deposit investment products through on-line systems, like the Internet, should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY STRATEGY (1 of 2)

Action Summary - Financial institutions should develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include:
1) Cost comparisons of different strategic approaches appropriate to the institution's environment and complexity,
2) Layered controls that establish multiple control points between threats and organization assets, and
3) Policies that guide officers and employees in implementing the security program.

An information security strategy is a plan to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements. Typical steps to building a strategy include the definition of control objectives, the identification and assessment of approaches to meet the objectives, the selection of controls, the establishment of benchmarks and metrics, and the preparation of implementation and testing plans.

The selection of controls is typically grounded in a cost comparison of different strategic approaches to risk mitigation. The cost comparison typically contrasts the costs of various approaches with the perceived gains a financial institution could realize in terms of increased confidentiality, availability, or integrity of systems and data. Those gains could include reduced financial losses, increased customer confidence, positive audit findings, and regulatory compliance. Any particular approach should consider: (1) policies, standards, and procedures; (2) technology and architecture; (3) resource dedication; (4) training; and (5) testing.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

20. Does the opt out notice state:
a. that the institution discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party; [§7(a)(1)(i)]
b. that the consumer has the right to opt out of that disclosure; [§7(a)(1)(ii)] and
c. a reasonable means by which the consumer may opt out? [§7(a)(1)(iii)]