FYI - St. Louis Fed's
Review: 1918 Influenza Pandemic and Its Modern-Day Implications; A
Comparison of Monetary Policy Rules; A Primer on the Empirical
Identification of Government Spending Shocks; In Memoriam: Anatol
"Ted" Balbach; Market Bailouts and the "Fed Put."
FYI - Google Readies
Google Health - The upcoming service is expected to look similar to
Google News and provide links to profile data, medical contacts,
health notices, and drug interaction warnings. Having more or less
recovered from Wall Street's infectious doubt about the health of
its ad business earlier this week, Google on Thursday offered a
glimpse of Google Health, its upcoming personal health records
FYI - UK 'Home Office'
disc wedged in laptop sold on eBay - A laptop containing what could
be sensitive Home Office data has been sold on eBay. The laptop was
bought by an unsuspecting consumer who subsequently took the
equipment to be fixed by Leapfrog computer repairs in Greater
Manchester. It was only as the laptop casing was opened that a disc
was discovered wedged beneath the keyboard.
FYI - Over 50% of
companies have fired workers for e-mail, Net abuse - Most employees
knew they were being monitored - Think you can get away with using
e-mail and the Internet in violation of company policy? Think again.
FYI - Tucson police bust
man at ATM, find 200 credit cards and $168,000 cash - The arrest of
a man using a Downtown ATM machine Saturday afternoon resulted in
the recovery of more than 200 credit cards and $176,000 in cash,
FYI - Judge Allows
Wikileaks Site to Re-Open - A federal judge who shuttered the
renegade Web site Wikileaks.org reversed the decision Friday and
allowed the site to re-open in the United States. In mid-February,
U.S. District Court Judge Jeffrey White issued an injunction against
Wikileaks after the Zurich-based Bank Julius Baer accused the site
of posting sensitive account information stolen by a disgruntled
FYI - Top Banks Named in
New Identity Theft Study - Report Examines Incidents at Major U.S.
Financial Institutions - Shockwaves rumbled through the US banking
industry this week with the release of a new report estimating the
annual incidents of Identity Theft associated with the nation's top
FYI - Lawyer admits
computer breach - Spying on firm may cost license - A Charleston
lawyer could be suspended from the State Bar after admitting that he
accessed another law firm's computer system because he suspected his
wife was having an affair.
FYI - Wheat trader for
MF Global loses $141.5 million in unauthorized trading - For nearly
two decades Evan Dooley quietly made a living trading commodities
like wheat in his home state, Tennessee, far from the hurly-burly of
Wall Street. But on Thursday, Dooley, 40, became the talk of the
financial markets when MF Global, the giant commodities brokerage,
accused him of making unauthorized trades that led to $141.5 million
in losses for the firm. Dooley, the firm said, wagered on wheat
futures with money he did not have.
FYI - Windows-based cash
machines 'easily hacked' - ATMs that rely on desktop PC
technology--and that's a lot of them--are at risk from worms, key
loggers, and denial-of-service attacks. Security experts have hacked
ATMs to show how easy it is to steal money and bank account details
from modern cash machines.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Finjan uncovers
database storing more than 8,700 stolen FTP credentials - Data
enables cybercriminals to upload malware to compromised systems more
easily - A fresh discovery by security vendor Finjan Inc. provides
yet another example of how easy it is becoming for almost anyone to
find the tools needed to break into, infect or steal data from
corporate Web sites.
FYI - NY laptop theft
breaches no data protection rules - The loss of a laptop containing
the files of up to 175,000 Irish blood donors, which was stolen
earlier this month in New York, does not constitute a breach of the
Data Protection Acts and the encryption on the laptop is sufficient
to protect the files, Ireland's Data Protection Commissioner said
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
A financial institution that advertises on-line credit products that
are subject to the Fair Housing Act must display the Equal Housing
Lender logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in
person" applications. Accordingly, information about these
applicants' race or national origin and sex must be collected. An
institution that accepts applications through electronic media
without a video component, for example, the Internet or facsimile,
may treat the applications as received by mail.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (2
Activities - The responsibility for performing risk assessments
should reside primarily with members of management in the best
position to determine the scope of the assessment, and the
effectiveness of risk reduction techniques. For a mid - sized or
large institution, that organization will likely be the business
unit. The information security officer(s) are responsible for
overseeing the performance of each risk assessment and the
integration of the risk assessments into a cohesive whole. Senior
management is accountable for abiding by the board of directors'
guidance for risk acceptance and mitigation decisions.
5) Documentation -
Documentation of the risk assessment process and procedures assists
in ensuring consistency and completeness, as well as accountability.
Documentation of the analysis and results provides a useful starting
point for subsequent assessments, potentially reducing the effort
required in those assessments. Documentation of risks accepted and
risk mitigation decisions is fundamental to achieving accountability
for risk decisions.
6) Enhanced Knowledge -
Risk assessment increases management's knowledge of the
institution's mechanisms for storing, processing, and
communicating information, as well as the importance of those
mechanisms to the achievement of the institution's objectives.
Increased knowledge allows management to respond more rapidly to
changes in the environment. Those changes can range from new
technologies and threats to regulatory requirements.
7) Regular Updates -
Risk assessments should be updated as new information affecting
information security risks are identified (e.g., a new threat,
vulnerability, adverse test result, hardware change, software change
or configuration change). At least once a year, senior management
should review the entire risk assessment to ensure relevant
information is appropriately considered.
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
7. Determine whether authentication error
feedback (i.e., reporting failure to successfully log-in) during the
authentication process provides a prospective attacker clues that
may allow them to hone their attack.
If so, obtain and evaluate a justification for such feedback.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Opt Out Notice
19. If the institution discloses nonpublic personal information
about a consumer to a nonaffiliated third party, and the exceptions
under §§13-15 do not apply, does the institution provide the
consumer with a clear and conspicuous opt out notice that accurately
explains the right to opt out? [§7(a)(1)]