Brit pair convicted for high-tech bank heist gone bad - Two men have
been convicted for trying to steal £229m from the London branch of a
Japanese bank in an elaborate, high-tech scheme that would have been
Britain's biggest bank heist.
Obama names Kundra federal CIO - The administration's newly
appointed federal chief information officer, Vivek Kundra, said
today he plans to make the massive volumes of government data that
isn't sensitive available to the public through a new Web site. With
more data available to the public, he said more participant would be
helping to solve the nation's difficult challenges.
Are you addicted to pen testing? - The industry is ablaze with web
application security mania. Organizations should also be alert to
latent agendas and be wary of consultants who might use pen tests
purely as a means of driving the sale of technologies.
Data breaches hit 7.5 percent of all U.S. adults - Financial fraud
last year caused 7.5 percent of all adults in the United States to
lose money, largely because of data breaches.
Federal cybersecurity director quits, complains of NSA role - Rod
Beckstrom quit the post after less than a year - In a move that
highlights differences over who should be in charge of national
cybersecurity efforts, the director of a federal office set up to
protect civilian, military and intelligence networks has submitted
his resignation after less than a year in the job.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Spotify user details compromised in major hack - Online music
service warns its million-plus users to change their passwords -
Online music service Spotify has become the latest web firm to
suffer a major hack, after revealing yesterday that criminals may
have accessed user registration details.
Unencrypted police memory stick lost - A memory stick containing
information on hundreds of police investigations has been lost in
Two banks confirms card fraud from Bottle Domains hack - One bank
has confirmed fraud on some of the credit-cards whose details were
stolen in the theft of up to 60,000 customers records from Bottle
Domains. And another has confirmed it is watching a list of card
accounts at risk, a list sent to it by the Australian Federal
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on
savings deposits, electronic transfers, electronic withdrawals (paid
electronically) or payments to third parties initiated by a
depositor from a personal computer are included as a type of
transfer subject to the six transaction limit imposed on passbook
savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the
definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE
Financial institution system development, acquisition, and
maintenance functions should incorporate agreed upon security
controls into software prior to development and implementation.
Management should integrate consideration of security controls into
each phase of the system development process. For the purposes of
this section, system development could include the internal
development of customized systems, the creation of database systems,
or the acquisition of third-party developed software. System
development could include long-term projects related to large
mainframe-based software projects with legacy source code or rapid
Web-based software projects using fourth-generation programming. In
all cases, institutions need to prioritize security controls
SOFTWARE DEVELOPMENT AND ACQUISITION
Financial institutions should develop security control requirements
for new systems, system revisions, or new system acquisitions.
Management will define the security control requirements based on
their risk assessment process evaluating the value of the
information at risk and the potential impact of unauthorized access
or damage. Based on the risks posed by the system, management may
use a defined methodology for determining security requirements,
such as ISO 15408, the Common Criteria.23 Management may also refer
to published, widely recognized industry standards as a baseline for
establishing their security requirements. A member of senior
management should document acceptance of the security requirements
for each new system or system acquisition, acceptance of tests
against the requirements, and approval for implementing in a
Development projects should consider automated controls for
incorporation into the application and the need to determine
supporting manual controls. Financial institutions can implement
appropriate security controls with greater cost effectiveness by
designing them into the original software rather than making
subsequent changes after implementation. When evaluating purchased
software, financial institutions should consider the availability of
products that have either been independently evaluated or received
security accreditation through financial institution or information
technology-related industry groups.
Return to the top of the
F. PERSONNEL SECURITY
5. Determine if employees have an available and reliable
mechanism to promptly report security incidents, weaknesses, and
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Redisclosure of nonpublic personal information received from a
nonaffiliated financial institution outside of Sections 14 and 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure of the
information where the institution is the recipient of nonpublic
personal information (§11(b)).
B. Select a sample of data received from nonaffiliated financial
institutions and shared with others to evaluate the financial
institution's compliance with redisclosure limitations.
1. Verify that the institution's redisclosure of the
information was only to affiliates of the financial institution from
which the information was obtained or to the institution's own
affiliates, except as otherwise allowed in the step b below (§11(b)(1)(i)
2. If the institution shares information with entities other
than those under step a above, verify that the institution's
information sharing practices conform to those in the nonaffiliated
financial institution's privacy notice (§11(b)(1)(iii)).
3. Also, review the procedures used by the institution to
ensure that the information sharing reflects the opt out status of
the consumers of the nonaffiliated financial institution (§§10,