FYI - DOUGH UNTO OTHERS
- BANK PUTS $QUEEZE ON ID VICTIM - Gloria Carlo of The Bronx says
she's the victim of $68,733 in fraudulent charges on her Bank of
America accounts. After identity thieves wiped out a Bronx mom's
life savings, her neighborhood bank sprang into action - by slapping
her with a lawsuit.
FYI - TK Maxx security
blunder will cost US$8.3B - 45 million customers' cards at an
estimated US$186 each. TJX, the owner of TK Maxx, claimed in an
earnings report today that the recent security blunder which exposed
the credit card details of 45 million customers has cost the company
FYI - HISD contractor
accused of computer thefts - A man HISD hired to fix its computers
was in jail Friday accused instead of stealing them. It didn't take
police long to make the arrest. In fact, within 48 hours of
receiving reports of stolen computer servers from several HISD
schools the HISD Police Department arrested a former employee.
FYI - Highland Hospital
Security Breach - Highland Hospital is warning patients of a
security breach. A hospital spokesperson said a computer containing
patient information was stolen from a business office last month.
Over 13,000 people are affected.
FYI - Teens fight off
hackers - They weathered the worst that hackers could throw at them,
and still kept their computer network running strong. Fueled by
pizzas and pop, 19 teams of high-school students pulled an
all-nighter over the weekend, during a computer security competition
aimed at rewarding kids for being the good guys rather than the bad
FYI - Los Alamos beefs
up security in wake of data breach - The theft of classified
information by a contractor's former employee has forced the Los
Alamos National Laboratory to implement a variety of tactical and
strategic security policies commonly found in a private enterprise.
FYI - Sensitive
information of 140,000 new Georgia parents compromised - Forms
containing the sensitive information of about 140,000 parents of
newborns are at risk for compromise after they were not shredded
upon disposal, the Georgia Department of Human Resources (DHR) has
told parents in a letter.
FYI - Alcatel-Lucent
Notifies Employees and Retirees of Former Lucent Technologies of
Missing Computer Disk Containing Personal Information -
Alcatel-Lucent was informed on May 7 by one of the company's vendors
that a computer disk containing personal information could not be
FYI - IBM loses tapes
with employee personal info - The tapes were "inadvertently" lost
Feb. 23 while a third-party vendor was transporting them from an IBM
location in Westchester County, N.Y. to a permanent storage
facility, company spokesman Fred McNeese told SCMagazine.com.
FYI - Virus compromises
200,000 records at Community College of Southern Nevada - The
personal records of nearly 200,000 students were compromised when a
virus attacked a Microsoft Windows 2003 Server at the Community
College of Southern Nevada.
FYI - Columbia Bank says
online hackers breached security - Columbia Bank, which has the
largest share of deposits in Fair Lawn, has notified its online
banking customers of a security breach that could make them
vulnerable to identity theft.
FYI - Thousands of
Illinois realtors, mortgage brokers warned of data compromise -
Alert prompted by May 3 breach of state agency server - The Illinois
Department of Financial and Professional Regulation (IDFPR) is
sending out letters to an estimated 300,000 licensees and applicants
informing them of a potential compromise of their names, Social
Security numbers and other personal data.
WEB SITE COMPLIANCE -
Disclosures/Notices (Part 2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING - INDEPENDENT DIAGNOSTIC TESTS
(This is the type of independent diagnostic testing that we perform. Please refer to
http://www.internetbankingaudits.com/ for information.)
Independent diagnostic tests include penetration tests, audits, and
assessments. Independence provides credibility to the test results.
To be considered independent, testing personnel should not be
responsible for the design, installation, maintenance, and operation
of the tested system, as well as the policies and procedures that
guide its operation. The reports generated from the tests should be
prepared by individuals who also are independent of the design,
installation, maintenance, and operation of the tested system.
Penetration tests, audits, and assessments can
use the same set of tools in their methodologies. The nature
of the tests, however, is decidedly different. Additionally, the
definitions of penetration test and assessment, in particular, are
not universally held and have changed over time.
Penetration Tests. A penetration test subjects a system to
the real-world attacks selected and conducted by the testing
personnel. The benefit of a penetration test is to identify the
extent to which a system can be compromised before the attack is
identified and assess the response mechanism's effectiveness.
Penetration tests generally are not a comprehensive test of the
system's security and should be combined with other independent
diagnostic tests to validate the effectiveness of the security
Audits. Auditing compares current practices against a set of
standards. Industry groups or institution management may create
those standards. Institution management is responsible for
demonstrating that the standards they adopt are appropriate for
Assessments. An assessment is a study to locate security
vulnerabilities and identify corrective actions. An assessment
differs from an audit by not having a set of standards to test
against. It differs from a penetration test by providing the tester
with full access to the systems being tested. Assessments may be
focused on the security process or the information system. They may
also focus on different aspects of the information system, such as
one or more hosts or networks.
IT SECURITY QUESTION:
Determine whether appropriate provisions are made for the recovery
of data should a key be unusable.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Consumer and Customer:
The distinction between consumers and customers is
significant because financial institutions have additional
disclosure duties with respect to customers. All customers covered
under the regulation are consumers, but not all consumers are
A "consumer" is an individual, or that individual's legal
representative, who obtains or has obtained a financial product or
service from a financial institution that is to be used primarily
for personal, family, or household purposes.
A "financial service" includes, among other things, a
financial institution's evaluation or brokerage of information that
the institution collects in connection with a request or an
application from a consumer for a financial product or service. For
example, a financial service includes a lender's evaluation of an
application for a consumer loan or for opening a deposit account
even if the application is ultimately rejected or withdrawn.
Consumers who are not customers are entitled to an initial privacy
and opt out notice only if their financial institution wants to
share their nonpublic personal information with nonaffiliated third
parties outside of the exceptions.
A "customer" is a consumer who has a "customer
relationship" with a financial institution. A "customer
relationship" is a continuing relationship between a consumer
and a financial institution under which the institution provides one
or more financial products or services to the consumer that are to
be used primarily for personal, family, or household purposes.