A New Law That Protects Consumer Data - "Data breach" has become a
commonly used term in recent years. Although this phrase may be
interpreted in a variety of different ways, it evokes a common
reaction: Fear. Individuals whose personal information is
compromised by these events often fall victim to identity theft and
spend years attempting to reclaim their reputations. Companies
compromised by a breach are forever associated with these incidents
and suffer incalculable damage.
US cyber-security 'embarrassing' - America's cyber-security has been
described as "broken" by one industry expert and as "childlike" by
FTC extends Red Flags Rule enforcement three more months - The day
before the Federal Trade Commission (FTC) was to begin enforcing the
Red Flags Rules, the agency announced the deadline for compliance
will be extended for the second time, until Aug. 1.
GAO - Cyber Threats and Vulnerabilities Place Federal Systems at
Prolific spammers busted in the Midwest - A federal grand jury in
Kansas City has indicted four people, including two Missouri
brothers, in a nationwide email spamming case that involved the
illegal harvesting of eight million student email addresses from
more than 2,000 colleges.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Patient data loss forces Trusts to adopt encryption - Trusts agree
to encrypt mobile devices and prevent unauthorised downloading - Four
NHS trusts have agreed to encrypt all portable and mobile devices
after being found in breach of the Data Protection Act by the
Information Commissioner's Office (ICO).
USPS probes possible mass security breach - CBS News has learned of
another data breach potentially compromising the personal
information of thousands of people. Companies Lexis Nexis and
Investigative Professionals have sent up to 40,000 letters to
customers whose "sensitive and personally identifiable" information
may have been viewed by individuals who should not have had access.
Virginia Health Data Potentially Held Hostage - An extortion demand
seeks $10 million to return more than 8 million patient records
allegedly stolen from Virginia Department of Health Professions. An
extortion demand posted on WikiLeaks seeks $10 million to return
more than 8 million patient records and 35 million prescriptions
allegedly stolen from Virginia Department of Health Professions.
IT Director Pleads Guilty to Deleting Organ Donation Records - The
former IT director for a nonprofit organ and tissue donation center
pleaded guilty to a charge that she broke into the organization's
computer network and deleted organ donation database records,
invoice files, and database and accounting software.
WEB SITE COMPLIANCE - Over the next few weeks, we will cover some of
the issues discussed in the
"Risk Management Principles for Electronic Banking" published by the
Basel Committee on Bank Supervision.
Continuing technological innovation and competition among
existing banking organizations and new entrants have allowed for a
much wider array of banking products and services to become
accessible and delivered to retail and wholesale customers through
an electronic distribution channel collectively referred to as
e-banking. However, the rapid development of e-banking capabilities
carries risks as well as benefits.
The Basel Committee on Banking Supervision expects such risks to be
recognized, addressed and managed by banking institutions in a
prudent manner according to the fundamental characteristics and
challenges of e-banking services. These characteristics include the
unprecedented speed of change related to technological and customer
service innovation, the ubiquitous and global nature of open
electronic networks, the integration of e-banking applications with
legacy computer systems and the increasing dependence of banks on
third parties that provide the necessary information technology.
The Committee noted that, while these characteristics do not create
inherently new risks, they increase and modify some of the
traditional risks associated with banking activities, in particular
strategic, operational, legal and reputational risks, and thereby
influence the overall risk profile of banking.
Based on these conclusions, the Committee considers that while
existing risk management principles remain applicable to e-banking
activities, such principles must be tailored, adapted and, in some
cases, expanded to address the specific risk management challenges
created by the characteristics of e-banking activities. To this end,
the Committee believes that it is incumbent upon the Boards of
Directors and banks' senior management to take steps to ensure that
their institutions have reviewed and modified where necessary their
existing risk management policies and processes to cover their
current or planned e-banking activities. The Committee also believes
that the integration of e-banking applications with legacy systems
implies an integrated risk management approach for all banking
activities of a banking institution.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information
AGREEMENTS: CONFIDENTIALITY, NON-DISCLOSURE, AND
Financial institutions should protect the confidentiality of
information about their customers and organization. A breach in
confidentiality could disclose competitive information, increase
fraud risk, damage the institution's reputation, violate customer
privacy and associated rights, and violate regulatory requirements.
Confidentiality agreements put all parties on notice that the
financial institution owns its information, expects strict
confidentiality, and prohibits information sharing outside of that
required for legitimate business needs. Management should obtain
signed confidentiality agreements before granting new employees and
contractors access to information technology systems.
Job descriptions, employment agreements, and policy awareness
acknowledgements increase accountability for security. Management
can communicate general and specific security roles and
responsibilities for all employees within their job descriptions.
Management should expect all employees, officers, and contractors to
comply with security and acceptable use policies and protect the
institution's assets, including information. The job descriptions
for security personnel should describe the systems and processes
they will protect and the control processes for which they are
responsible. Management can take similar steps to ensure contractors
and consultants understand their security responsibilities as well.
Financial institutions need to educate users regarding their
security roles and responsibilities. Training should support
security awareness and should strengthen compliance with the
security policy. Ultimately, the behavior and priorities of senior
management heavily influence the level of employee awareness and
policy compliance, so training and the commitment to security should
start with senior management. Training materials would typically
review the acceptable-use policy and include issues like desktop
security, log-on requirements, password administration guidelines,
etc. Training should also address social engineering, and the
policies and procedures that protect against social engineering
attacks. Many institutions integrate a signed security awareness
agreement along with periodic training and refresher courses.
IT SECURITY QUESTION:
SOFTWARE DEVELOPMENT AND ACQUISITION
1. Inquire about how security requirements are determined for
software, whether internally developed or acquired from a vendor.
2. Determine whether management appropriately considers either
following a recognized security standard development process, or
reference to widely recognized industry standards.
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
6. Does the institution provide an annual privacy notice to each
customer whose loan the institution owns the right to service?