Heartland Data Breach: Visa Sets Deadline for Issuers to File Fraud
Claims - Heartland, RBS WorldPay Removed from Visa's Compliant
Service Providers List - Heartland Payment Systems (HPY) has been
removed from Visa's list of compliant service providers, and banking
institutions affected by the Heartland data breach have until May 19
to file their fraud claims with Visa.
As Jurors Turn to Web, Mistrials Are Popping Up - Last week, a juror
in a big federal drug trial in Florida admitted to the judge that he
had been doing research on the case on the Internet, directly
violating the judge's instructions and centuries of legal rules. But
when the judge questioned the rest of the jury, he got an even
FBI agent in NY accused of tipping off informant - An FBI agent in
New York has been accused of keeping in touch with an informant
after their professional relationship ended and then claiming that
he "squashed" a drug trafficking investigation involving the source,
according to a criminal complaint.
Obama CIO Vivek Kundra allowed back to work - FBI confirms that
Kundra is no longer under investigation - Kundra is now back in
charge of planning the national IT infrastructure, and the FBI has
arrested two suspects from the District of Columbia's Office of the
Chief Technology Officer.
IT contractor indicted over oil company computer intrusion - IT
contractor on charges he disrupted a computer system used, among
other purposes, to notify an energy company if its oil properties
Virtumundo, now a worm, spreading via USB stick - A long-standing
trojan that serves as a malware-distribution service has found a new
way to infect computers: via a USB stick or other removable device.
Most Organizations Hit by Cybercrime - A report released by Symantec
gauges the far reaching impact of cybercrime and finds most
organizations have dealt with a cyber attack of some kind in the
last two years.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Cybercrime server exposed through Google cache - A reported 22,000
card records have been exposed through cached copies of data stored
on a defunct cybercrime server.
'Cyberinvaders' crack into Sen. Bill Nelson's staff PCs -- twice -
Cyberinvaders, as a peeved Sen. Bill Nelson, D-Fla. called them
today, continue cracking into U.S. government systems with impunity.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement.
Conversely, subsidiary web pages that relate to loans do not
require the official advertising statement.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Development and Support
Development and support activities should ensure that new software
and software changes do not compromise security. Financial
institutions should have an effective application and system change
control process for developing, implementing, and testing changes to
internally developed software and purchased software. Weak change
control procedures can corrupt applications and introduce new
security vulnerabilities. Change control considerations relating to
security include the following:
! Restricting changes to authorized users,
! Reviewing the impact changes will have on security controls,
! Identifying all system components that are impacted by the
! Ensuring the application or system owner has authorized changes in
! Maintaining strict version control of all software updates, and
! Maintaining an audit trail of all changes.
Changes to operating systems may degrade the efficiency and
effectiveness of applications that rely on the operating system for
interfaces to the network, other applications, or data. Generally,
management should implement an operating system change control
process similar to the change control process used for application
changes. In addition, management should review application systems
following operating system changes to protect against a potential
compromise of security or operational integrity.
When creating and maintaining software, separate software libraries
should be used to assist in enforcing access controls and
segregation of duties. Typically, separate libraries exist for
development, test, and production.
Return to the top of the
G. APPLICATION SECURITY
1. Determine if operational software storage, program source, object
libraries and load modules are appropriately secured against
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
1) Does the institution provide a clear and conspicuous
notice that accurately reflects its privacy policies and practices
to all customers not later than when the customer relationship is
established, other than as allowed in paragraph (e) of section four
(4) of the regulation? [§4(a)(1))]?
(Note: no notice is required if nonpublic personal information is
disclosed to nonaffiliated third parties only under an exception in
Sections 14 and 15, and there is no customer relationship. [§4(b)]
With respect to credit relationships, an institution establishes a
customer relationship when it originates a consumer loan. If the
institution subsequently sells the servicing rights to the loan to
another financial institution, the customer relationship transfers
with the servicing rights. [§4(c)])