Are you ready for your IT examination?
The Weekly IT Security Review
provides a checklist of the IT security issues covered in the
FFIEC IT Examination Handbook, which will prepare you for the IT
information and to subscribe visit
FYI FOR BANKS - It has come to our
attention that the Temporary Liquidity Guarantee Program, if the
bank opted in, requires that notice is posted on the bank’s web site for noninterest - bearing transaction
accounts. Refer to
Section 370.5 (g) (5) for detailed information. Bank examiners are
sighting institutions for not have the require notice on the web.
In addition, the examiners would like the notice linked of the home
UK Kicks off Program to Recruit Security Gurus - The U.K. is
planning to hold computer security exercises later this year to
spark interest in the field and address a shortage of professionals
in the country, a program modeled after one started in the U.S.
EU plans IP address snatch to battle cybercrime - Alert Print Post
commentProposes new anti-cybercrime body - An international
cybercrime centre will be able to revoke domain names and IP
addresses under new proposals by European governments.
Journalist shield law may not halt iPhone probe - The criminal
investigation into Apple's errant iPhone prototype took a new twist
this week, when Gawker Media claimed that the warrant used by police
to search an editor's home was invalid.
Health worker is first HIPAA privacy violator to get jail time - A
former UCLA Health System employee, apparently disgruntled over an
impending firing, has been sentenced to four months in federal
prison after pleading guilty in January to illegally snooping into
patient records, mainly those belonging to celebrities.
Hacked US Treasury websites serve visitors malware - Websites
operated by the US Treasury Department are redirecting visitors to
websites that attempt to install malware on their PCs, a security
New China encryption rule could pose headaches for U.S. vendors-
Rule requires companies to share encryption codes with Chinese
authorities - Vendors of some technology products will soon face a
new hurdle when selling their products in China.
US Air Force phishing test transforms into a problem - Sorry Airman
Supershaggy, "Transformers 3" is not coming to Andersen Air Force
Base. And by the way, you've been phished.
Student found guilty of obstruction in Sarah Palin email trial - The
college student who used publicly available information to break in
to the Yahoo! Mail account of then-vice presidential candidate Sarah
Palin has been found guilty on two of the four charges filed against
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
U.S. organizations face the highest data breach costs -
Organizations in the United States incurred the highest costs
associated with data breaches last year compared to businesses
located in other countries.
IT contractor gets five years for $2M credit union theft - For the
second time this week, companies are getting a stark reminder of the
danger posed to enterprise networks and assets by insiders with
Kentucky psychiatric hospital loses sensitive flash drive - A flash
drive containing personal patient information recently went missing
from Our Lady of Peace, a 278-bed psychiatric hospital in
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Guidance on Safeguarding
Customers Against E-Mail and Internet-Related Fraudulent Schemes
(Part 2 of 3)
Risks Associated With E-Mail and Internet-Related Fraudulent
Internet-related fraudulent schemes present a substantial risk to
the reputation of any financial institution that is impersonated or
spoofed. Financial institution customers and potential customers may
mistakenly perceive that weak information security resulted in
security breaches that allowed someone to obtain confidential
information from the financial institution. Potential negative
publicity regarding an institution's business practices may cause a
decline in the institution's customer base, a loss in confidence or
In addition, customers who fall prey to e-mail and Internet-related
fraudulent schemes face real and immediate risk. Criminals will
normally act quickly to gain unauthorized access to financial
accounts, commit identity theft, or engage in other illegal acts
before the victim realizes the fraud has occurred and takes action
to stop it.
Educating Financial Institution Customers About E-Mail and
Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating
customers about prevalent e-mail and Internet-related fraudulent
schemes, such as phishing, and how to avoid them. This may be
accomplished by providing customers with clear and bold statement
stuffers and posting notices on Web sites that convey the following
! A financial institution's Web page should never be accessed from
a link provided by a third party. It should only be accessed by
typing the Web site name, or URL address, into the Web browser or by
using a "book mark" that directs the Web browser to the financial
institution's Web site.
! A financial institution should not be sending e-mail messages
that request confidential information, such as account numbers,
passwords, or PINs. Financial institution customers should be
reminded to report any such requests to the institution.
! Financial institutions should maintain current Web site
certificates and describe how the customer can authenticate the
institution's Web pages by checking the properties on a secure Web
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
Over the next few weeks, we will cover the OCC
Bulletin about Infrastructure Threats and Intrusion Risks.
This bulletin provides guidance to financial institutions on how to
prevent, detect, and respond to intrusions into bank computer
systems. Intrusions can originate either inside or outside of the
bank and can result in a range of damaging outcomes, including the
theft of confidential information, unauthorized transfer of funds,
and damage to an institution's reputation.
The prevalence and risk of computer intrusions are increasing as
information systems become more connected and interdependent and as
banks make greater use of Internet banking services and other remote
access devices. Recent e-mail-based computer viruses and the
distributed denial of service attacks earlier this year revealed
that the security of all Internet-connected networks are
increasingly intertwined. The number of reported incidences of
intrusions nearly tripled from 1998 to 1999, according to Carnegie
Mellon University's CERT/CC.
Management can reduce a bank's risk exposure by adopting and
regularly reviewing its risk assessment plan, risk mitigation
controls, intrusion response policies and procedures, and testing
processes. This bulletin provides guidance in each of these critical
areas and also highlights information-sharing mechanisms banks can
use to keep abreast of current attack techniques and potential
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties ( Part 5 of 6)
Limitations on Disclosure of Account Numbers:
A financial institution must not disclose an account number or
similar form of access number or access code for a credit card,
deposit, or transaction account to any nonaffiliated third party
(other than a consumer reporting agency) for use in telemarketing,
direct mail marketing, or other marketing through electronic mail to
The disclosure of encrypted account numbers without an accompanying
means of decryption, however, is not subject to this prohibition.
The regulation also expressly allows disclosures by a financial
institution to its agent to market the institution's own products or
services (although the financial institution must not authorize the
agent to directly initiate charges to the customer's account). Also
not barred are disclosures to participants in private-label or
affinity card programs, where the participants are identified to the
customer when the customer enters the program.