Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
- Work E-Mail Not Protected by Attorney-Client Privilege, Court Says
- E-mails between a client and attorney are no longer considered
privileged and confidential if the client writes the messages from a
work e-mail account, a California court of appeals has ruled.
- Protecting the network from inside the firewall - 5 common
vulnerabilities that can compromise your network - Today's security
appliances do a great job patrolling the network perimeter, but what
do you do when the threat is coming from inside the building?
- Cybercrime migrating to mobile and Apple, Cisco report - The tide
in cybercrime is shifting away from attacks on Windows machines and
migrating to the mobile marketplace, according to a just released
yearly report from Cisco.
- Carberp banking malware upgrades itself - A piece of banking
malware that researchers have been keeping an eye on is adding more
sophisticated capabilities to stay hidden on victims' PCs.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- UK doctor loses unencrypted laptop containing patient data -
Sticks and stones may break my bones but data loss really riles me -
A UK doctor faces a disciplinary inquiry after an unencrypted laptop
containing confidential patient data was stolen from his home.
- Experi-Metal vs. Comerica Case Heads to Trial - A lawsuit headed
to court this week over the 2009 cyber theft of more than a
half-million dollars from a small metals shop in Michigan could help
draw brighter lines on how far banks need to go to protect their
business customers from account takeovers and fraud.
- Hackers steal $150,000 with malicious job application - Small
businesses have a new scam to worry about: criminal job applicants
who want to hack into online bank accounts. The U.S. Federal Bureau
of Investigation issued a warning about a new twist on a
long-running computer fraud technique, known as Automated Clearing
- Carbon trading registry suspends ops following hack attack -
Smokey and the bandits - A carbon emissions trading registry in
Austria has suspended operations until at least 21 January following
a hacking attack earlier this month.
- Two charged in AT&T-iPad data breach - Two men were charged with
computer crimes today for allegedly hacking into AT&T servers and
stealing e-mail addresses and other information of about 120,000
iPad users last summer.
- Speedy Drivers Can Hide From Cops, But Not Hackers - Millions of
people who use smartphone software to avoid police speed traps may
have fallen into a trap set by hackers instead. Trapster, a
GPS-based app that lets iPhone, Android and BlackBerry owners report
and view police speed traps on a map, alerted users this week that
their passwords may have been stolen in a massive security breach.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to
make deposited funds available for withdrawal apply in the
electronic financial services environment. This includes rules on
fund availability schedules, disclosure of policy, and payment of
interest. Recently, the FRB published a commentary that clarifies
requirements for providing certain written notices or disclosures to
customers via electronic means. Specifically, the commentary to the
regulations states that a financial institution satisfies the
written exception hold notice requirement, and the commentary to the
regulations states that a financial institution satisfies the
general disclosure requirement by sending an electronic version that
displays the text and is in a form that the customer may keep.
However, the customer must agree to such means of delivery of
notices and disclosures. Information is considered to be in a form
that the customer may keep if, for example, it can be downloaded or
printed by the customer. To reduce compliance risk, financial
institutions should test their programs' ability to provide
disclosures in a form that can be downloaded or printed.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY STRATEGY (2 of 2)
particular approach should consider: (1) policies, standards, and
procedures; (2) technology and architecture; (3) resource
dedication; (4) training; and (5) testing.
For example, an institution's management may be assessing the proper
strategic approach to intrusion detection for an Internet
environment. Two potential approaches were identified for
evaluation. The first approach uses a combination of network and
host intrusion detection sensors with a staffed monitoring center.
The second approach consists of daily access log review. The former
alternative is judged much more capable of detecting an attack in
time to minimize any damage to the institution and its data, albeit
at a much greater cost. The added cost is entirely appropriate when
customer data and institution processing capabilities are exposed to
an attack, such as in an Internet banking environment. The latter
approach may be appropriate when the primary risk is reputational
damage, such as when the only information being protected is an
information-only Web site, and the Web site is not connected to
other financial institution systems.
Strategies should consider the layering of controls. Excessive
reliance on a single control could create a false sense of
confidence. For example, a financial institution that depends solely
on a firewall can still be subject to numerous attack methodologies
that exploit authorized network traffic. Financial institutions
should design multiple layers of security controls and testing to
establish several lines of defense between the attacker and the
asset being attacked. To successfully attack the data, each layer
must be penetrated. With each penetration, the probability of
detecting the attacker increases.
Policies are the primary embodiment of strategy, guiding decisions
made by users, administrators, and managers, and informing those
individuals of their security responsibilities. Policies also
specify the mechanisms through which responsibilities can be met,
and provide guidance in acquiring, configuring, and auditing
information systems. Key actions that contribute to the success of a
security policy are:
1) Implementing through ordinary means, such as system
administration procedures and acceptable - use policies;
2) Enforcing policy through security tools and sanctions;
3) Delineating the areas of responsibility for users,
administrators, and managers;
4) Communicating in a clear, understandable manner to all
5) Obtaining employee certification that they have read and
understood the policy;
6) Providing flexibility to address changes in the environment; and
7) Conducting annually a review and approval by the board of
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
21. Does the institution provide the
consumer with the following information about
the right to opt out:
a. all the categories of nonpublic personal information that the
institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]
b. all the categories of nonaffiliated third parties to whom the
information is disclosed; [§7(a)(2)(i)(A)];
c. that the consumer has the right to opt out of the disclosure of
that information; [§7(a)(2)(i)(A)] and
d. the financial products or services that the consumer obtains to
which the opt out direction would apply? [§7(a)(2)(i)(B)]